
Upload SBOMs in the promotion pipeline #28

Merged
merged 7 commits into from
Nov 16, 2024

Conversation

chmeliik
Member

@chmeliik chmeliik commented Nov 1, 2024

Builds on #23

Instructions for testing are in the README update

Haven't tested in Jenkins yet

@chmeliik
Member Author

chmeliik commented Nov 6, 2024

Haven't tested in Jenkins yet

Have tested it now, appears to work! 🎉

@chmeliik
Member Author

chmeliik commented Nov 6, 2024

Fixed formatting

@chmeliik chmeliik marked this pull request as ready for review November 11, 2024 08:33
@chmeliik
Member Author

chmeliik commented Nov 11, 2024

Rebased on main. I noticed that adding the gitops secrets to templates/data.yaml only updated the Jenkins promote pipeline, not the other CIs. I'll look into that, but this PR should be ready for review anyway

@chmeliik chmeliik force-pushed the upload-sbom-to-tpa branch 2 times, most recently from bea17de to f80f65c Compare November 12, 2024 12:38
@chmeliik
Member Author

chmeliik commented Nov 12, 2024

Rebased on main. I noticed that adding the gitops secrets to templates/data.yaml only updated the Jenkins promote pipeline, not the other CIs. I'll look into that, but this PR should be ready for review anyway

This led to / will lead to some more changes, so I opened a separate PR for that: #56

It is completely broken at the moment - it is just all the scripts from
the Tekton task [1] concatenated together.

[1]: https://github.com/konflux-ci/build-definitions/blob/main/task/upload-sbom-to-trustification/0.1/upload-sbom-to-trustification.yaml

Signed-off-by: Adam Cmiel <[email protected]>
Add the description.

Add the env vars that would be set from the stepTemplate in the Tekton
task.

For the WORKDIR, use a tmpdir (the Tekton task uses a pod-local dir).

To replace the 'trustification-secret' that contains Trustification
config and auth, use 'TRUSTIFICATION_*' env vars instead.

Signed-off-by: Adam Cmiel <[email protected]>
curl got the --fail-with-body option in version 7.76.0 (31. 3. 2021)

Some users - for example the QE Jenkins agent [1] - may have an older
version of curl. Use --fail-with-body only if the curl version is new
enough.

[1]: https://github.com/redhat-appstudio/rhtap-utils/blob/8ade9d1336da38fcb26725f71b566378fcc61ee7/jenkins/jenkins-agent/Dockerfile

Signed-off-by: Adam Cmiel <[email protected]>
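The version gate this commit describes, written out as an added shell example (not the PR's own script): parse the first line of `curl --version`, and emit `--fail-with-body` only for 7.76.0 or newer, falling back to `--fail` on older builds. The function names and the sample version strings are assumptions made here; they are not taken from the repository.

```shell
#!/bin/sh
# Added example, not the PR's code: choose a curl "fail on HTTP error" flag by version.
# --fail-with-body exists since curl 7.76.0; older builds only have --fail,
# which still exits non-zero on 4xx/5xx but throws away the response body
# (and with it the server's error message).
set -eu

# version_ge A B: exit 0 if dotted version A >= B (first three components, numeric).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0   # "0-DEV" style suffixes become 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Extract "7.76.0" from `curl --version` output, whose first line looks like
# "curl 7.76.0 (x86_64-pc-linux-gnu) libcurl/7.76.0 ...".
curl_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2; exit }'
}

# Map a version string to the flag to use (hypothetical helper name).
curl_fail_flag_for_version() {
    if version_ge "$1" "7.76.0"; then
        printf '%s\n' "--fail-with-body"
    else
        printf '%s\n' "--fail"
    fi
}

# Inspect the curl actually on PATH; this is what a pipeline step would call.
curl_fail_flag() {
    curl_fail_flag_for_version "$(curl_version_from_output "$(curl --version)")"
}

# Constructed sample: the first line an older RHEL-style curl prints.
SAMPLE_OLD_CURL='curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1k'
```

A caller then writes `curl "$(curl_fail_flag)" -sS ...` and gets the response body on failure wherever the local curl supports it.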
Source the common.sh script to do the common RHTAP setup (most
importantly, to source the rhtap/env.sh in the user's repository).

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik
Member Author

Rebased on main

* Add a helper script that generates the vars
* In the Jenkins pipelines, read the vars from secrets
* Update the hack/*-set-* scripts to create the secrets

Signed-off-by: Adam Cmiel <[email protected]>
The result of the build pipelines are now in ./tmp/build

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik
Member Author

Also updated the hack/ghub-set-{org,}-vars and hack/glab-set-vars scripts with the TRUSTIFICATION_ vars

@jduimovich
Member

jduimovich commented Nov 13, 2024

@chmeliik
Tried this on github actions without REKOR or TUFs so no transparency log (which is supported via IGNORE_REKOR and setting the REKOR and TUFs)

export REKOR_HOST=
export TUF_MIRROR=

Testing was done via checkout of this pr git pull upstream/28/head and then running ci-test.sh so should be repeatable.
You may be able to see https://github.com/jduimovich/tssc-dev-gitops/actions/runs/11822582856 but the error is below
Will retry with a REKOR_HOST and TUF_MIRROR when my install comes up

Step: download-sbom-from-url-in-attestation
Results: /__w/tssc-dev-gitops/tssc-dev-gitops/results/download-sbom-from-url-in-attestation
Getting attestation for ***/bootstrap:github-be414ecb8ddf3ef706b5f4cad0428194cdf634ce
Failed to verify any attestation type. Errors:
  
  Command: cosign verify-attestation --type=slsaprovenance02 --key /tmp/download-sbom-workdir.xQGJOs/cosign.pub ***/bootstrap:github-be414ecb8ddf3ef706b5f4cad0428194cdf634ce
  
  Error: no matching attestations: signature not found in transparency log
  main.go:74: error during command execution: no matching attestations: signature not found in transparency log

Command: cosign verify-attestation --type=slsaprovenance1 --key /tmp/download-sbom-workdir.xQGJOs/cosign.pub ***/bootstrap:github-be414ecb8ddf3ef706b5f4cad0428194cdf634ce

Error: no matching attestations: signature not found in transparency log
main.go:74: error during command execution: no matching attestations: signature not found in transparency log
Error: Process completed with exit code 1.

@chmeliik
Member Author

@jduimovich are you setting IGNORE_REKOR somewhere other than here? It defaults to false https://github.com/jduimovich/tssc-dev-gitops/blob/dccd3599ed97ec5cba6cc779f3a5287be328dddc/rhtap/env.sh#L44

@jduimovich
Member

It works with a proper REKOR_HOST and TUFS_MIRROR
It also works with the FAIL_IF_TRUSTIFICATION_NOT_CONFIGURED set to false so QE will not be blocked

@jduimovich jduimovich merged commit 7630f7b into redhat-appstudio:main Nov 16, 2024
2 checks passed
@chmeliik chmeliik deleted the upload-sbom-to-tpa branch November 18, 2024 07:25