
Commit 502b9fa

committed
fix(RELEASE-2237): add version verification before publishing
this PR adds checks to make sure the version of the image to be published matches the intended one, using two methods: - checks if the source index version matches the ocpTargetVersion (for all builds - regular, pre-GA and hotfix); - checks if the sourceIndex and targetIndex match (regular builds) Signed-off-by: Leandro Mendes <lmendes@redhat.com>
1 parent 4564336 commit 502b9fa

12 files changed

Lines changed: 128 additions & 3 deletions

pipelines/internal/publish-index-image-pipeline/README.md

Lines changed: 1 addition & 0 deletions
@@ -8,6 +8,7 @@ Tekton pipeline to publish a built FBC index image using skopeo
88
|-----------------------|---------------------------------------------------------------------------------------|----------|-----------------------------------------------------------|
99
| sourceIndex | sourceIndex signing image | No | - |
1010
| targetIndex | targetIndex signing image | No | - |
11+
| targetOcpVersion | target OCP Version of the index image | Yes | "" |
1112
| retries | Number of skopeo retries | Yes | 0 |
1213
| publishingCredentials | The credentials used to access the registries | No | - |
1314
| requestUpdateTimeout | Max seconds waiting for the status update | Yes | 360 |

pipelines/internal/publish-index-image-pipeline/publish-index-image-pipeline.yaml

Lines changed: 6 additions & 0 deletions
@@ -16,6 +16,10 @@ spec:
1616
- name: targetIndex
1717
type: string
1818
description: targetIndex signing image
19+
- name: targetOcpVersion
20+
type: string
21+
default: ""
22+
description: target OCP Version of the index image
1923
- name: retries
2024
type: string
2125
default: "0"
@@ -50,6 +54,8 @@ spec:
5054
value: $(params.sourceIndex)
5155
- name: targetIndex
5256
value: $(params.targetIndex)
57+
- name: targetOcpVersion
58+
value: $(params.targetOcpVersion)
5359
- name: retries
5460
value: $(params.retries)
5561
- name: publishingCredentials

tasks/internal/publish-index-image-task/README.md

Lines changed: 1 addition & 0 deletions
@@ -8,6 +8,7 @@ Tekton task to publish a built FBC index image using skopeo
88
|-----------------------|-----------------------------------------------------------------------|----------|----------------------------|
99
| sourceIndex | sourceIndex signing image | No | - |
1010
| targetIndex | targetIndex signing image | No | - |
11+
| targetOcpVersion | OCP Version this image was built to | Yes | "" |
1112
| retries | Number of skopeo retries | Yes | 0 |
1213
| publishingCredentials | The credentials used to access the registries | Yes | fbc-publishing-credentials |
1314
| requestUpdateTimeout | Max seconds waiting for the status update | Yes | 360 |

tasks/internal/publish-index-image-task/publish-index-image-task.yaml

Lines changed: 40 additions & 0 deletions
@@ -16,6 +16,10 @@ spec:
1616
- name: targetIndex
1717
type: string
1818
description: targetIndex signing image
19+
- name: targetOcpVersion
20+
description: OCP Version this image was built to
21+
type: string
22+
default: ""
1923
- name: retries
2024
type: string
2125
default: "0"
@@ -75,6 +79,21 @@ spec:
7579
#!/usr/bin/env bash
7680
set -euo pipefail
7781
82+
function getIndexVersion() {
83+
# if dest- and src- string is given, remove them from the auth param
84+
if [[ "$#" -gt 1 ]]; then
85+
shift
86+
indexVersion="$(skopeo inspect --config --creds "$@" \
87+
| jq -r '.config.Labels."com.redhat.index.delivery.version"')"
88+
else
89+
# no auth given
90+
indexVersion="$(skopeo inspect --config "$@" \
91+
| jq -r '.config.Labels."com.redhat.index.delivery.version"')"
92+
fi
93+
94+
echo "$indexVersion"
95+
}
96+
7897
SOURCE_INDEX_CREDENTIAL="$(cat /mnt/publishingCredentials/sourceIndexCredential)"
7998
TARGET_INDEX_CREDENTIAL="$(cat /mnt/publishingCredentials/targetIndexCredential)"
8099
@@ -111,6 +130,27 @@ spec:
111130
echo "Target image does not exist. Proceeding to copy the image."
112131
fi
113132
133+
# check to make sure the image to be published is for the intended ocpVersion
134+
targetOcpVersion="$(params.targetOcpVersion)"
135+
sourceVer=$(getIndexVersion "${SOURCE_AUTH_ARGS[@]}" "docker://$(params.sourceIndex)")
136+
if [[ "${sourceVer}" != "${targetOcpVersion}" ]]; then
137+
echo -n "The source index does not match its targetOcpVersion ($sourceVer != $targetOcpVersion)" \
138+
| tee "$(results.requestMessage.path)"
139+
exit 0
140+
fi
141+
142+
# hotfix and pre-ga targetIndex should be skip the next check, as they don't exist in the upstream quay
143+
# until skopeo copy runs.
144+
if [[ "$(params.targetIndex)" =~ .*\:v[0-9]{1}\.[0-9]{2}$ ]]; then
145+
targetVer=$(getIndexVersion "${TARGET_AUTH_ARGS[@]}" "docker://$(params.targetIndex)")
146+
# check if both indexes are of the same OCP version and exit in case they mismatch.
147+
if [ "${sourceVer}" != "${targetVer}" ]; then
148+
echo -n "The indexes versions does not match ($sourceVer != $targetVer)" \
149+
| tee "$(results.requestMessage.path)"
150+
exit 0
151+
fi
152+
fi
153+
114154
# Proceed with copying the image
115155
echo "Copying image from $(params.sourceIndex) to $(params.targetIndex)"
116156
(skopeo copy \
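Review bot: `targetOcpVersion` is declared with `default: ""` in the new task param, but the check `if [[ "${sourceVer}" != "${targetOcpVersion}" ]]` treats an empty value like any other mismatch and then `exit 0`, so a caller that omits the param gets the publish silently skipped while the TaskRun still reports success. Guard the empty case before the comparison, e.g. `[[ -n "$targetOcpVersion" ]] || { echo "targetOcpVersion must be set" | tee "$(results.requestMessage.path)"; exit 1; }`, or drop the default so Tekton rejects the missing param. In `getIndexVersion`, `indexVersion` should be declared `local`, and because the function is called inside `$(...)` a failing `skopeo inspect` would likely yield an empty version rather than aborting under `set -e`, producing a misleading "does not match ( != v4.12)" message — worth confirming with a failing mock. The second comparison uses `[ ... ]` while the rest of the script uses `[[ ... ]]`; `if [[ "${sourceVer}" != "${targetVer}" ]]; then` keeps it consistent. The enclosing script block starts and ends outside the hunk.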

tasks/internal/publish-index-image-task/tests/mocks.sh

Lines changed: 14 additions & 1 deletion
@@ -7,8 +7,15 @@ function skopeo() {
77
echo Mock skopeo called with: $* >&2
88

99
if [[ "$1" == "inspect" ]]; then
10+
if [[ "$*" == *"config"* ]]; then
11+
if [[ "$*" == *"quay.io/mismatch-ver-target-digest"* ]]; then
12+
echo '{ "config": { "Labels": { "com.redhat.index.delivery.version": "v4.13"} } }'
13+
else
14+
echo '{ "config": { "Labels": { "com.redhat.index.delivery.version": "v4.12"} } }'
15+
fi
16+
return 0
1017
# Handle `skopeo inspect`
11-
if [[ "$*" == *"docker://quay.io/match-target-digest"* ]]; then
18+
elif [[ "$*" == *"docker://quay.io/match-target-digest"* ]]; then
1219
echo "sha256:match1234567890" # Mock target digest for idempotency check
1320
return 0
1421
elif [[ "$*" == *"docker://quay.io/target"* ]]; then
@@ -22,6 +29,12 @@ function skopeo() {
2229
return 0
2330
elif [[ "$*" == *"--tls-verify=false docker://registry-proxy.engineering.redhat.com/fail"* ]]; then
2431
return 1
32+
elif [[ "$*" == *"registry-proxy.engineering.redhat.com/mismatchver@sha256:1234567890"* ]]; then
33+
echo "sha256:target1234567890"
34+
return 0
35+
elif [[ "$*" == *"quay.io/mismatch-ver-target-digest"* ]]; then
36+
echo "sha256:0987654321fedcba"
37+
return 0
2538
else
2639
echo "Error: Unexpected inspect call"
2740
exit 1

tasks/internal/publish-index-image-task/tests/test-publish-index-image-digest-match.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,8 @@ spec:
1515
value: "registry-proxy.engineering.redhat.com/match@sha256:match1234567890"
1616
- name: targetIndex
1717
value: "quay.io/match-target-digest"
18+
- name: targetOcpVersion
19+
value: "v4.12"
1820
- name: publishingCredentials
1921
value: "publish-index-image-secret"
2022
- name: check-result
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Pipeline
4+
metadata:
5+
name: test-publish-index-image-fail-mismatch-ver
6+
spec:
7+
description: |
8+
Run the publish-index-image task where source and target images versions mismatch
9+
tasks:
10+
- name: run-task
11+
taskRef:
12+
name: publish-index-image-task
13+
params:
14+
- name: sourceIndex
15+
value: "registry-proxy.engineering.redhat.com/mismatchver@sha256:1234567890"
16+
- name: targetIndex
17+
value: "quay.io/mismatch-ver-target-digest:v4.20"
18+
- name: targetOcpVersion
19+
value: "v4.12"
20+
- name: publishingCredentials
21+
value: "publish-index-image-secret"
22+
- name: check-result
23+
runAfter:
24+
- run-task
25+
params:
26+
- name: requestMessage
27+
value: $(tasks.run-task.results.requestMessage)
28+
taskSpec:
29+
params:
30+
- name: requestMessage
31+
type: string
32+
steps:
33+
- name: check-result
34+
image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
35+
script: |
36+
#!/usr/bin/env bash
37+
set -ex
38+
39+
ACTUAL_RESULT="$(echo -n "$(params.requestMessage)" | tr -d '\n' | xargs)"
40+
EXPECTED_RESULT="The indexes versions does not match (v4.12 != v4.13)"
41+
42+
if [[ "$ACTUAL_RESULT" != "$EXPECTED_RESULT" ]]; then
43+
echo "Error: requestMessage task result is not correct"
44+
echo "Expected: '$EXPECTED_RESULT'"
45+
echo "Got: '$ACTUAL_RESULT'"
46+
exit 1
47+
fi
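Review bot: This test only exercises the second gate (source label vs target label): the mock returns v4.12 for the source and the test passes `targetOcpVersion: "v4.12"`, so the first check (`sourceVer != targetOcpVersion`) never fires in any of the added tests. A companion test that passes a `targetOcpVersion` different from the mocked source label, expecting `The source index does not match its targetOcpVersion (v4.12 != <value>)`, and one whose `targetIndex` tag does not match the `v[0-9].[0-9]{2}` pattern (so the second check is skipped) would cover the remaining branches. The file path for this section is not shown in the rendered header, so the file name is inferred from the pipeline `name`.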

tasks/internal/publish-index-image-task/tests/test-publish-index-image-fail.yaml

Lines changed: 2 additions & 0 deletions
@@ -16,6 +16,8 @@ spec:
1616
value: "registry-proxy.engineering.redhat.com/fail@sha256:0987654321fedcba"
1717
- name: targetIndex
1818
value: "quay.io/target"
19+
- name: targetOcpVersion
20+
value: "v4.12"
1921
- name: publishingCredentials
2022
value: "publish-index-image-secret"
2123
- name: check-result

tasks/internal/publish-index-image-task/tests/test-publish-index-image-registry-proxy.yaml

Lines changed: 2 additions & 0 deletions
@@ -16,6 +16,8 @@ spec:
1616
value: "registry-proxy.engineering.redhat.com/foo@sha256:0987654321fedcba"
1717
- name: targetIndex
1818
value: "quay.io/target"
19+
- name: targetOcpVersion
20+
value: "v4.12"
1921
- name: publishingCredentials
2022
value: "publish-index-image-secret"
2123
- name: check-result

tasks/internal/publish-index-image-task/tests/test-publish-index-image.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,8 @@ spec:
1515
value: "quay.io/source@sha256:abcdef1234567890"
1616
- name: targetIndex
1717
value: "quay.io/target"
18+
- name: targetOcpVersion
19+
value: "v4.12"
1820
- name: publishingCredentials
1921
value: "publish-index-image-secret"
2022
- name: check-result
