
Commit e0cc396

feat(ISV-7320): add direct-sign-index-image task
New Tekton task for signing FBC index images via the container-signing pipeline. The task has similar functionality to the old sign-index-image task, but it uses direct container signing instead of the Radas/UMB solution. It also outsources all the existing core logic from bash to a new Python util it invokes, direct_sign_index_image.py, passing all parameters as CLI arguments.

- Passes signing params (pyxis-server, pipeline, pipeline-image, requester, batch-max-size, etc.) as CLI arguments to Python
- Pyxis secret mounted at /etc/secrets, paths set via env vars
- Includes Tekton integration test using Python mock pattern
- Generated README from task YAML

Assisted-by: Claude Opus 4.6
Signed-off-by: Jakub Durkac <jdurkac@redhat.com>
1 parent 36ebe75 commit e0cc396

6 files changed

Lines changed: 481 additions & 0 deletions


Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
# direct-sign-index-image
2+
3+
Creates InternalRequests to sign FBC index images via the container-signing pipeline
4+
5+
## Parameters
6+
7+
| Name | Description | Optional | Default value |
8+
|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|---------------------------------------------------|
9+
| dataPath | Path to the JSON string of the merged data to use in the data workspace | No | - |
10+
| requester | Name of the user that requested the signing, for auditing purposes | No | - |
11+
| requestTimeout | InternalRequest timeout | Yes | 1800 |
12+
| pipelineRunUid | The uid of the current pipelineRun. Used as a label value when creating internal requests | No | - |
13+
| fbcResultsPath | Path to the JSON file in the data workspace containing fbc results | No | - |
14+
| concurrentLimit | The maximum number of concurrent signing requests | Yes | 8 |
15+
| ociStorage | The OCI repository where the Trusted Artifacts are stored | Yes | empty |
16+
| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire | Yes | 1d |
17+
| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable | Yes | "" |
18+
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
19+
| sourceDataArtifact | Location of trusted artifacts to be used to populate data directory | Yes | "" |
20+
| dataDir | The location where data will be stored | Yes | /var/workdir/release |
21+
| taskGitUrl | The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored | No | - |
22+
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
23+
| pyxisServer | The server type to use. Options are 'production','production-internal','stage-internal' and 'stage' | Yes | production |
24+
| pyxisSecret | The kubernetes secret to use to authenticate to Pyxis. It needs to contain two keys: key and cert | No | - |
25+
| batchLimit | Maximum size in bytes of each base64-encoded signing_requests batch sent via InternalRequest | Yes | 15000 |
26+
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
27+
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
28+
| failOnSignatureLookupError | Fail the task when any Pyxis find_signatures lookup fails; when set to "false", log a warning and submit every planned image row for signing without skipping already-signed references | Yes | true |
29+
| signingRepo | Git repository URL containing the signing tasks | Yes | https://gitlab.cee.redhat.com/signing/signing.git |
30+
| signingRevision | Git revision (branch, tag, or commit) in the signing repository | Yes | main |
31+
| signPipeline | Name of the internal pipeline to use for container signing | Yes | container-signing |
32+
| signPipelineServiceAccount | Service account to use for the signing pipeline | Yes | signing-pipeline-sa |
33+
| pipelineImage | The image to use for the signing pipeline | Yes | quay.io/konflux-ci/signing:latest |
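Review bot: the `dataPath` row describes its value as a "Path to the JSON string of the merged data", but the task hands it to `--data-file` as `$(params.dataDir)/$(params.dataPath)`, so it is a path to a JSON file inside the data directory; reword it to match the `fbcResultsPath` row ("Path to the JSON file in the data workspace ..."). The table also omits the task's only result, `sourceDataArtifact`; since the README is generated from the task YAML, check that the generator emits a results section, or add one so consumers know a trusted-artifact reference is produced.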
Lines changed: 242 additions & 0 deletions
@@ -0,0 +1,242 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Task
4+
metadata:
5+
name: direct-sign-index-image
6+
annotations:
7+
tekton.dev/pipelines.minVersion: "0.12.1"
8+
tekton.dev/tags: release
9+
spec:
10+
description: |-
11+
Creates InternalRequests to sign FBC index images via the container-signing pipeline
12+
params:
13+
- name: dataPath
14+
description: Path to the JSON string of the merged data to use in the data workspace
15+
type: string
16+
- name: requester
17+
type: string
18+
description: Name of the user that requested the signing, for auditing purposes
19+
- name: requestTimeout
20+
type: string
21+
default: "1800"
22+
description: InternalRequest timeout
23+
- name: pipelineRunUid
24+
type: string
25+
description: The uid of the current pipelineRun. Used as a label value when creating internal requests
26+
- name: fbcResultsPath
27+
type: string
28+
description: Path to the JSON file in the data workspace containing fbc results
29+
- name: concurrentLimit
30+
type: string
31+
description: The maximum number of concurrent signing requests
32+
default: 8
33+
- name: ociStorage
34+
description: The OCI repository where the Trusted Artifacts are stored
35+
type: string
36+
default: "empty"
37+
- name: ociArtifactExpiresAfter
38+
description: Expiration date for the trusted artifacts created in the
39+
OCI repository. An empty string means the artifacts do not expire
40+
type: string
41+
default: "1d"
42+
- name: trustedArtifactsDebug
43+
description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable
44+
type: string
45+
default: ""
46+
- name: orasOptions
47+
description: oras options to pass to Trusted Artifacts calls
48+
type: string
49+
default: ""
50+
- name: sourceDataArtifact
51+
type: string
52+
description: Location of trusted artifacts to be used to populate data directory
53+
default: ""
54+
- name: dataDir
55+
description: The location where data will be stored
56+
type: string
57+
default: /var/workdir/release
58+
- name: taskGitUrl
59+
type: string
60+
description: The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored
61+
- name: taskGitRevision
62+
type: string
63+
description: The revision in the taskGitUrl repo to be used
64+
- name: pyxisServer
65+
type: string
66+
description: >-
67+
The server type to use. Options are 'production','production-internal','stage-internal' and 'stage'
68+
default: production
69+
- name: pyxisSecret
70+
type: string
71+
description: |
72+
The kubernetes secret to use to authenticate to Pyxis. It needs to contain two keys: key and cert
73+
- name: batchLimit
74+
type: string
75+
description: |
76+
Maximum size in bytes of each base64-encoded signing_requests batch sent via InternalRequest
77+
default: 15000
78+
- name: caTrustConfigMapName
79+
type: string
80+
description: The name of the ConfigMap to read CA bundle data from
81+
default: trusted-ca
82+
- name: caTrustConfigMapKey
83+
type: string
84+
description: The name of the key in the ConfigMap that contains the CA bundle data
85+
default: ca-bundle.crt
86+
- name: failOnSignatureLookupError
87+
type: string
88+
default: "true"
89+
description: |
90+
Fail the task when any Pyxis find_signatures lookup fails; when set to "false", log a warning
91+
and submit every planned image row for signing without skipping already-signed references
92+
- name: signingRepo
93+
type: string
94+
description: Git repository URL containing the signing tasks
95+
default: "https://gitlab.cee.redhat.com/signing/signing.git"
96+
- name: signingRevision
97+
type: string
98+
description: Git revision (branch, tag, or commit) in the signing repository
99+
default: "main"
100+
- name: signPipeline
101+
type: string
102+
description: Name of the internal pipeline to use for container signing
103+
default: "container-signing"
104+
- name: signPipelineServiceAccount
105+
type: string
106+
description: Service account to use for the signing pipeline
107+
default: "signing-pipeline-sa"
108+
- name: pipelineImage
109+
type: string
110+
description: The image to use for the signing pipeline
111+
default: quay.io/konflux-ci/signing:latest
112+
results:
113+
- name: sourceDataArtifact
114+
type: string
115+
description: Produced trusted data artifact
116+
volumes:
117+
- name: workdir
118+
emptyDir: {}
119+
- name: pyxis-secret-vol
120+
secret:
121+
secretName: $(params.pyxisSecret)
122+
defaultMode: 0444
123+
- name: trusted-ca
124+
configMap:
125+
name: $(params.caTrustConfigMapName)
126+
items:
127+
- key: $(params.caTrustConfigMapKey)
128+
path: ca-bundle.crt
129+
optional: true
130+
131+
stepTemplate:
132+
volumeMounts:
133+
- mountPath: /var/workdir
134+
name: workdir
135+
- name: trusted-ca
136+
mountPath: /mnt/trusted-ca
137+
readOnly: true
138+
securityContext:
139+
runAsUser: 1001
140+
env:
141+
- name: IMAGE_EXPIRES_AFTER
142+
value: $(params.ociArtifactExpiresAfter)
143+
- name: "ORAS_OPTIONS"
144+
value: "$(params.orasOptions)"
145+
- name: "DEBUG"
146+
value: "$(params.trustedArtifactsDebug)"
147+
steps:
148+
- name: use-trusted-artifact
149+
computeResources:
150+
limits:
151+
memory: 64Mi
152+
requests:
153+
memory: 64Mi
154+
cpu: 30m
155+
ref:
156+
resolver: "git"
157+
params:
158+
- name: url
159+
value: $(params.taskGitUrl)
160+
- name: revision
161+
value: $(params.taskGitRevision)
162+
- name: pathInRepo
163+
value: stepactions/use-trusted-artifact/use-trusted-artifact.yaml
164+
params:
165+
- name: workDir
166+
value: $(params.dataDir)
167+
- name: sourceDataArtifact
168+
value: $(params.sourceDataArtifact)
169+
- name: direct-sign-index-image
170+
# TODO: Change the image once the CLI is available in quay.io/konflux-ci/release-service-utils
171+
image: quay.io/konflux-ci/release-service-utils@sha256:3cb03b14ac9d90ff27070036ce2b50712e65aa285daeb28852254a745bb25dfc
172+
computeResources:
173+
limits:
174+
memory: 1Gi
175+
requests:
176+
memory: 1Gi
177+
cpu: 250m
178+
volumeMounts:
179+
- name: pyxis-secret-vol
180+
mountPath: "/etc/secrets"
181+
env:
182+
- name: PYXIS_CERT_PATH
183+
value: /etc/secrets/cert
184+
- name: PYXIS_KEY_PATH
185+
value: /etc/secrets/key
186+
command:
187+
- direct_sign_index_image.py
188+
args:
189+
- "--pyxis-server"
190+
- "$(params.pyxisServer)"
191+
- "--fbc-results"
192+
- "$(params.dataDir)/$(params.fbcResultsPath)"
193+
- "--data-file"
194+
- "$(params.dataDir)/$(params.dataPath)"
195+
- "--batch-max-size"
196+
- "$(params.batchLimit)"
197+
- "--fail-on-lookup-error"
198+
- "$(params.failOnSignatureLookupError)"
199+
- "--requester"
200+
- "$(params.requester)"
201+
- "--pipeline"
202+
- "$(params.signPipeline)"
203+
- "--pipeline-image"
204+
- "$(params.pipelineImage)"
205+
- "--service-account"
206+
- "$(params.signPipelineServiceAccount)"
207+
- "--request-timeout"
208+
- "$(params.requestTimeout)"
209+
- "--task-id"
210+
- "$(context.taskRun.uid)"
211+
- "--pipelinerun-uid"
212+
- "$(params.pipelineRunUid)"
213+
- "--signing-repo"
214+
- "$(params.signingRepo)"
215+
- "--signing-revision"
216+
- "$(params.signingRevision)"
217+
- "--concurrent-limit"
218+
- "$(params.concurrentLimit)"
219+
220+
- name: create-trusted-artifact
221+
computeResources:
222+
limits:
223+
memory: 128Mi
224+
requests:
225+
memory: 128Mi
226+
cpu: 250m
227+
ref:
228+
resolver: "git"
229+
params:
230+
- name: url
231+
value: $(params.taskGitUrl)
232+
- name: revision
233+
value: $(params.taskGitRevision)
234+
- name: pathInRepo
235+
value: stepactions/create-trusted-artifact/create-trusted-artifact.yaml
236+
params:
237+
- name: ociStorage
238+
value: $(params.ociStorage)
239+
- name: workDir
240+
value: $(params.dataDir)
241+
- name: sourceDataArtifact
242+
value: $(results.sourceDataArtifact.path)
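Review bot: the signing inputs default to mutable references: `pipelineImage` defaults to `quay.io/konflux-ci/signing:latest` and `signingRevision` to `main`, so what the `container-signing` pipeline actually runs can change underneath a release with no change to this task; the step's own `image:` is pinned by digest, and the same discipline belongs here (a digest for the image, a commit SHA for the revision), leaving `:latest`/`main` to explicit overrides in test pipelines. Two smaller points: the `trusted-ca` ConfigMap is mounted at `/mnt/trusted-ca` via the stepTemplate, but the `direct-sign-index-image` step only exports `PYXIS_CERT_PATH` and `PYXIS_KEY_PATH`, so unless `direct_sign_index_image.py` hardcodes that path the bundle is never used for the Pyxis TLS connection; export something like `REQUESTS_CA_BUNDLE=/mnt/trusted-ca/ca-bundle.crt` (or add a `--ca-bundle` argument) next to the other two env vars. And `concurrentLimit` (`default: 8`) and `batchLimit` (`default: 15000`) are declared `type: string` but given unquoted YAML integers, unlike `requestTimeout`'s `"1800"`; quote them for consistency rather than relying on the param unmarshaller to coerce a number into a string.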
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
---
2+
# Declarative mocks for Tekton tests of this task (Python entrypoint). Rendered
3+
# by .github/scripts/render_python_task_mocks_from_yaml.py when
4+
# test_tekton_tasks.sh runs.
5+
version: 1
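Review bot: this declarative mocks file carries only `version: 1` and no mock entries, while the actual stand-in for `direct_sign_index_image.py` is the shell script in the next file; if the renderer needs no entries here, a one-line comment saying that the shell mock is used would save the next reader from looking for missing entries.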
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
#!/usr/bin/env bash
2+
set -eux
3+
echo "Mock direct_sign_index_image.py called with: $*"
4+
echo "$*" >> "$(params.dataDir)/mock_direct_sign_index_image.txt"
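Review bot: the last line writes to `"$(params.dataDir)/mock_direct_sign_index_image.txt"`, which only works if the harness splices this script into the Task before Tekton's parameter substitution runs; executed as a plain bash script, `$(params.dataDir)` is a command substitution that fails under `set -eux`. Given the mocks YAML comment about `render_python_task_mocks_from_yaml.py`, that is presumably the intent, but a comment at the top stating it, and stating that the harness installs this bash file on PATH under the name `direct_sign_index_image.py` that the step's `command:` invokes, would make the test contract explicit.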
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
#!/usr/bin/env bash
2+
set -euo pipefail
3+
4+
# Create a dummy pyxis secret (and delete it first if it exists)
5+
kubectl delete secret test-pyxis-image-cert --ignore-not-found
6+
kubectl create secret generic test-pyxis-image-cert --from-literal=cert=mycert --from-literal=key=mykey
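Review bot: the secret name `test-pyxis-image-cert` must match the `pyxisSecret` value the test pipeline passes, and the task reads the material through the fixed mount paths `/etc/secrets/cert` and `/etc/secrets/key`, so the key names `cert` and `key` used in the `--from-literal` flags are load-bearing; a comment tying the two together would help. The delete-then-create pair could also be a single idempotent step, e.g. `kubectl create secret generic test-pyxis-image-cert --from-literal=cert=mycert --from-literal=key=mykey --dry-run=client -o yaml | kubectl apply -f -`.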
