2 changes: 1 addition & 1 deletion integration-tests/rh-advisories-idempotent/README.md
@@ -57,7 +57,7 @@ This test validates idempotent re-release behavior for the `rh-advisories` pipel
## Acceptance Criteria

- Second release: all major tasks (`create-advisory`, `push-snapshot`, `verify-conforma`,
`rh-sign-image`, etc.) appear in `skippedTasks`
`rh-direct-sign-image`, etc.) appear in `skippedTasks`
- `advisory.url` present in second release `status.artifacts` (written by
`update-cr-status-skipped` from filter result, not `create-advisory`)

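Review bot: the renamed criterion is consistent with the pipeline change, since the `when:` guard on `skip_release` is kept on `rh-direct-sign-image` in the rh-advisories.yaml hunk, so the task will land in `skippedTasks` on the second release. Worth a search of the rest of this README and of test.sh for the bare string `rh-sign-image` before merging: `rh-sign-image-cosign` legitimately keeps the old prefix, so a plain search matches both and a stale reference to the old task is easy to miss.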
2 changes: 1 addition & 1 deletion integration-tests/rh-advisories-idempotent/test.sh
@@ -276,7 +276,7 @@ verify_release_contents() {
"populate-release-notes"
"embargo-check"
"set-advisory-severity"
"rh-sign-image"
"rh-direct-sign-image"
"rh-sign-image-cosign"
"push-snapshot"
"create-pyxis-image"
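Review bot: this array is the list of TaskRuns the test asserts on, so the rename is required here, and keeping `"rh-sign-image-cosign"` matches the `runAfter` block in the rh-advisories.yaml hunk of this PR, which still lists that task. What the list cannot catch is a pipeline that keeps referencing the old `rh-sign-image` task by mistake while this one still passes; if the old task definition stays in the catalog after this change, a negative check that no TaskRun named `rh-sign-image` appears in the release would make the rename test-enforced.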
2 changes: 1 addition & 1 deletion integration-tests/rh-advisories-large-snapshot/README.md
@@ -122,7 +122,7 @@ The `test-report` finally task always runs and actively diagnoses failures:

- **Pre-pipeline failures** (e.g. `generate-large-snapshot.sh` errors): the
failed component, step, command, and exit code are shown.
- **Managed pipeline failures** (e.g. `apply-mapping`, `rh-sign-image`): the
- **Managed pipeline failures** (e.g. `apply-mapping`, `rh-direct-sign-image`): the
`test-report` task queries the cluster directly and shows the failed task
name, TaskRun name, Tekton condition message, and — if the pod has not yet
been garbage-collected — the last matching error lines from the pod log
12 changes: 4 additions & 8 deletions pipelines/managed/rh-advisories/rh-advisories.yaml
@@ -593,8 +593,8 @@ spec:
- name: taskGitRevision
value: "$(params.taskGitRevision)"
runAfter:
- rh-sign-image
- name: rh-sign-image
- rh-direct-sign-image
- name: rh-direct-sign-image
timeout: "6h00m0s"
when:
- input: "$(tasks.filter-already-released-advisory-images.results.skip_release)"
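Review bot: the renamed task in this pipeline carries `timeout: "6h00m0s"` and the `when:` guard but no `retries`, while the corresponding hunks for the other two pipelines in this PR keep `retries: 3` on the same task block. If the omission is deliberate (for example to avoid re-issuing signing InternalRequests for an advisory that is already partly signed), a one-line comment next to `timeout` would stop the next reader from "fixing" the inconsistency; if it is not deliberate, add `retries: 3` here as well.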
@@ -609,19 +609,15 @@ spec:
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/managed/rh-sign-image/rh-sign-image.yaml
value: tasks/managed/rh-direct-sign-image/rh-direct-sign-image.yaml
params:
- name: snapshotPath
value: "$(tasks.collect-data.results.snapshotSpec)"
- name: dataPath
value: "$(tasks.collect-data.results.data)"
- name: releasePlanAdmissionPath
value: "$(tasks.collect-data.results.releasePlanAdmission)"
- name: requester
value: $(tasks.extract-requester-from-release.results.output-result)
- name: requestTimeout
# The RADAS timeout when it fails to receive a response is 5 mins.
# Give RADAS enough time to retry its request.
value: 1800
- name: pipelineRunUid
value: $(context.pipelineRun.uid)
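Review bot: dropping the explicit `requestTimeout` of 1800 is behaviour-neutral only because the new task's README in this PR documents 1800 as the default, but the reason for the value (RADAS gives up after 5 minutes and needs room to retry) disappears with the deleted comment and is stated nowhere in that README; move that sentence into the parameter description of `rh-direct-sign-image` so the number keeps its justification. Separately, `releasePlanAdmissionPath` is still passed to the task here, yet the `rh-direct-sign-image` README added in this PR lists no such parameter: either the task declares it and the README is incomplete, or the pipeline is handing the task a parameter it does not accept. Confirm which, and either document the parameter or drop these two lines.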
@@ -1054,7 +1050,7 @@ spec:
- embargo-check
- push-rpm-data-to-pyxis
- run-file-updates
- rh-sign-image
- rh-direct-sign-image
- rh-sign-image-cosign
- set-advisory-severity
- name: close-advisory-issues
(file header not captured in the page extraction)
@@ -426,8 +426,8 @@ spec:
- name: taskGitRevision
value: "$(params.taskGitRevision)"
runAfter:
- rh-sign-image
- name: rh-sign-image
- rh-direct-sign-image
- name: rh-direct-sign-image
timeout: "6h00m0s"
retries: 3
taskRef:
@@ -438,19 +438,15 @@ spec:
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/managed/rh-sign-image/rh-sign-image.yaml
value: tasks/managed/rh-direct-sign-image/rh-direct-sign-image.yaml
params:
- name: snapshotPath
value: "$(tasks.collect-data.results.snapshotSpec)"
- name: dataPath
value: "$(tasks.collect-data.results.data)"
- name: releasePlanAdmissionPath
value: "$(tasks.collect-data.results.releasePlanAdmission)"
- name: requester
value: $(tasks.extract-requester-from-release.results.output-result)
- name: requestTimeout
# The RADAS timeout when it fails to receive a response is 5 mins.
# Give RADAS enough time to retry its request.
value: 1800
- name: pipelineRunUid
value: $(context.pipelineRun.uid)
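Review bot: the `requestTimeout` removal here loses the RADAS 5-minute retry rationale together with the comment, and `releasePlanAdmissionPath` is still passed although the new `rh-direct-sign-image` README lists no parameter of that name; whatever is decided for this parameter list must be applied identically to this file, to rh-advisories.yaml and to the third pipeline in this PR, since the task block is now copied verbatim into all three and they can only stay in sync by hand.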
(file header not captured in the page extraction)
@@ -397,8 +397,8 @@ spec:
- name: taskGitRevision
value: "$(params.taskGitRevision)"
runAfter:
- rh-sign-image
- name: rh-sign-image
- rh-direct-sign-image
- name: rh-direct-sign-image
timeout: "6h00m0s"
retries: 3
taskRef:
@@ -409,19 +409,15 @@ spec:
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/managed/rh-sign-image/rh-sign-image.yaml
value: tasks/managed/rh-direct-sign-image/rh-direct-sign-image.yaml
params:
- name: snapshotPath
value: "$(tasks.collect-data.results.snapshotSpec)"
- name: dataPath
value: "$(tasks.collect-data.results.data)"
- name: releasePlanAdmissionPath
value: "$(tasks.collect-data.results.releasePlanAdmission)"
- name: requester
value: $(tasks.extract-requester-from-release.results.output-result)
- name: requestTimeout
# The RADAS timeout when it fails to receive a response is 5 mins.
# Give RADAS enough time to retry its request.
value: 1800
- name: pipelineRunUid
value: $(context.pipelineRun.uid)
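Review bot: this is the third line-for-line copy of the same task block and parameter list in this PR, which is what makes a future change such as this `requestTimeout` removal a three-file edit; the PR description should say so, or the block should be factored so the pipelines share it. The open question from the other two copies applies here unchanged: `releasePlanAdmissionPath` is still passed but is absent from the `rh-direct-sign-image` README's parameter table.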
2 changes: 1 addition & 1 deletion tasks/managed/publish-pyxis-repository/README.md
@@ -21,7 +21,7 @@ requires_terms=true), one repository string per line, e.g. "rhtas/cosign-rhel9".
Only standard (non-flatpak) repositories are included; flatpak repos are never added.

Note: This task runs quite early on in the pipeline, because we need the result it produces
for the signing tasks (and `rh-sign-image` runs quite early to begin with). So this means
for the signing tasks (and `rh-direct-sign-image` runs quite early to begin with). So this means
that if you're releasing to a repo for the first time, the repository might get published
even before the actual image is pushed and published. But we checked with RHEC team and this
shouldn't cause any problems, because RHEC will ignore repos with no published images.
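Review bot: this Note paragraph is duplicated word for word in the task's YAML description in the next hunk, and both copies had to be touched for the rename; keep one of them as the source of truth (the YAML description is what `tkn` and the cluster show) and reduce the other to a pointer, so the next rename cannot update one and miss the other.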
(file header not captured in the page extraction)
@@ -29,7 +29,7 @@ spec:
Only standard (non-flatpak) repositories are included; flatpak repos are never added.

Note: This task runs quite early on in the pipeline, because we need the result it produces
for the signing tasks (and `rh-sign-image` runs quite early to begin with). So this means
for the signing tasks (and `rh-direct-sign-image` runs quite early to begin with). So this means
that if you're releasing to a repo for the first time, the repository might get published
even before the actual image is pushed and published. But we checked with RHEC team and this
shouldn't cause any problems, because RHEC will ignore repos with no published images.
33 changes: 33 additions & 0 deletions tasks/managed/rh-direct-sign-image/README.md
@@ -0,0 +1,33 @@
# rh-direct-sign-image

Task to create internalrequests to directly sign snapshot components

## Parameters

| Name | Description | Optional | Default value |
|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|---------------------------------------------------|
| snapshotPath | Path to the JSON string of the mapped Snapshot spec in the data workspace | No | - |
| dataPath | Path to the JSON string of the merged data to use in the data workspace | No | - |
| requester | Name of the user that requested the signing, for auditing purposes | No | - |
| requestTimeout | InternalRequest timeout | Yes | 1800 |
| concurrentLimit | The maximum number of signing requests to run in parallel | Yes | 8 |
| pipelineRunUid | The uid of the current pipelineRun. Used as a label value when creating internal requests | No | - |
| pyxisServer | The server type to use. Options are 'production','production-internal','stage-internal' and 'stage' | Yes | production |
| pyxisSecret | The kubernetes secret to use to authenticate to Pyxis. It needs to contain two keys: key and cert | No | - |
| batchLimit | size of batch attributes to send to internal-request. As internal request arguments are need to be strings, size here represent maximal string length of `references` and `manifest_digests` sent to internal request | Yes | 15000 |
| signRegistryAccessPath | The relative path in the workspace to a text file that contains a list of repositories that needs registry.access.redhat.com image references to be signed (i.e. requires_terms=true), one repository string per line, e.g. "rhtas/cosign-rhel9" | No | - |
| ociStorage | The OCI repository where the Trusted Artifacts are stored | Yes | empty |
| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire | Yes | 1d |
| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable | Yes | "" |
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
| sourceDataArtifact | Location of trusted artifacts to be used to populate data directory | Yes | "" |
| dataDir | The location where data will be stored | Yes | /var/workdir/release |
| taskGitUrl | The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored | No | - |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
| signingRepo | Git repository URL containing the signing tasks | Yes | https://gitlab.cee.redhat.com/signing/signing.git |
| signingRevision | Git revision (branch, tag, or commit) in the signing repository | Yes | main |
| signPipeline | Name of the internal pipeline to use for container signing | Yes | container-signing |
| signPipelineServiceAccount | Service account to use for the signing pipeline | Yes | signing-pipeline-sa |
| pipelineImage | The image to use for the signing pipeline | Yes | quay.io/konflux-ci/signing:latest |
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
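Review bot: the defaults for `pipelineImage` (`quay.io/konflux-ci/signing:latest`) and `signingRevision` (`main`) are mutable references for the code that performs release signing; a retagged `latest` or a force-pushed `main` silently changes what signs production images, with no trace in this catalog. Pin the image by digest and the signing repository by tag or commit in the defaults, and let pipelines override per environment. Smaller points in the table: `requestTimeout` gives no unit (the pipeline comment this PR deletes implies seconds); the `batchLimit` description needs copy-editing ("are need to be strings", "size here represent"); `ociStorage` shows its default as `empty` while the other empty defaults are written `""`; the one-line description should say what "directly" means relative to the `rh-sign-image` task this replaces; and if the task emits results for downstream tasks, the README should list them alongside the parameters.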