
Commit f134666

simonbairdclaude
andcommitted
dnm: Scripts to help seed trusted task denys
Ref: https://redhat.atlassian.net/browse/EC-1539 Co-authored-by: Claude Code <noreply@anthropic.com>
1 parent 0b9f418 commit f134666

2 files changed

Lines changed: 138 additions & 0 deletions

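--- a/hack/manage-trusted-tasks.sh
+++ b/hack/manage-trusted-tasks.sh
@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+cd "$(git rev-parse --show-toplevel)"
+
+# Pull down a list of all repos in a quay org
+list_quay_repos() {
+local quay_org="$1"
+local next_page=""
+while true; do
+local url="https://quay.io/api/v1/repository?namespace=${quay_org}&public=true&limit=100"
+if [[ -n "${next_page}" ]]; then
+url="${url}&next_page=${next_page}"
+fi
+local response
+response="$(curl -s "${url}")"
+echo "${response}" | jq -r '.repositories[].name'
+next_page="$(echo "${response}" | jq -r '.next_page // empty')"
+if [[ -z "${next_page}" ]]; then
+break
+fi
+done
+}
+
+# List tags for a quay repo, newest first
+list_repo_tags() {
+local quay_org="$1"
+local repo="$2"
+local page=1
+while true; do
+local response
+response="$(curl -s "https://quay.io/api/v1/repository/${quay_org}/${repo}/tag/?limit=100&page=${page}")"
+echo "${response}" | jq -r '.tags[] | select(.end_ts == null) | select(.name | test("^[0-9]+\\.[0-9]+$")) | .name'
+if [[ "$(echo "${response}" | jq -r '.has_additional')" != "true" ]]; then
+break
+fi
+page=$((page + 1))
+done
+}
+
+deny_rule() {
+local task_name="$1"
+local repo_ref="$2"
+local version="$3"
+cat <<EOF
+- name: Expire old versions of ${task_name}
+pattern: oci://${repo_ref}
+versions:
+- '<${version}'
+EOF
+}
+
+KNOWN_TASK_CATALOGS=(
+quay.io/konflux-ci/tekton-catalog
+quay.io/konflux-ci/integration-service-catalog
+quay.io/konflux-ci/konflux-test-tasks
+quay.io/konflux-ci/konflux-vanguard
+# Todo: Are there more?
+)
+
+for c in "${KNOWN_TASK_CATALOGS[@]}"; do
+IFS='/' read -r _ quay_org repo_prefix <<< "${c}"
+
+# Assume task repos begin with "task-"
+task_repos=$(list_quay_repos "${quay_org}" | grep "^${repo_prefix}/task-" | sort || true)
+
+# Generate deny rules for versions below the current version
+for task_repo in ${task_repos}; do
+repo_ref="quay.io/${quay_org}/${task_repo}"
+list_repo_tags "${quay_org}" "${task_repo}" | while read -r tag; do
+bundle_ref="${repo_ref}:${tag}"
+version=$(tkn bundle list "${bundle_ref}" -o yaml 2>/dev/null | yq '.metadata.labels["app.kubernetes.io/version"]' || true)
+if [[ -n "${version}" && "${version}" != "null" ]]; then
+deny_rule "${task_repo##*/}" "${repo_ref}" "${version}"
+fi
+done
+done
+done
+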
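Review bot: The `curl -s` calls at lines 19 and 35 run without `--fail`, so an HTTP error or rate-limit response from quay.io returns status 0 with an error body; `jq '.repositories[].name'` at line 20 is then likely to fail on the missing key, and the `|| true` at line 68 swallows that, so a catalog can silently yield an incomplete or empty repo list (and so too few deny rules) instead of an error. Suggest `response="$(curl -sS --fail --retry 3 "${url}")"` (and the same on line 35) so a failed listing aborts under errexit rather than truncating the generated rules. Line 68 also interpolates `${repo_prefix}` into a grep regex unescaped, and line 71's `for task_repo in ${task_repos}` relies on word-splitting; `mapfile -t task_repos < <(list_quay_repos ...)` with `"${task_repos[@]}"` would be the usual form. The comment at line 70 says rules cover versions below the current version, but the loop at line 73 emits one deny rule per matching tag, so every older tag also produces a weaker, redundant rule; if only the newest tag is meant, `list_repo_tags ... | head -n1` (line 28 says tags come newest first) would limit it to that.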

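--- a/hack/seed-trusted-tasks.sh
+++ b/hack/seed-trusted-tasks.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+cd "$(git rev-parse --show-toplevel)"
+
+KNOWN_TASK_CATALOGS=(
+#quay.io/konflux-ci/tekton-catalog
+quay.io/konflux-ci/integration-service-catalog
+#quay.io/konflux-ci/konflux-vanguard
+#quay.io/konflux-ci/konflux-test-tasks
+# Todo: Are there more?
+)
+
+function fetch-acceptable-bundles() {
+for c in "${KNOWN_TASK_CATALOGS[@]}"; do
+local quay_org
+local repo_prefix
+IFS='/' read -r _ quay_org repo_prefix <<< "${c}"
+
+# Assume the acceptable bundles data is here:
+local acceptable_bundle_ref="quay.io/${quay_org}/${repo_prefix}/data-acceptable-bundles:latest"
+
+# We'll download it and put it here:
+local local_data_file="${repo_prefix}-acceptable-bundle-data.json"
+
+# Convert to yaml just to make it easier to look at
+ec inspect policy-data --source "${acceptable_bundle_ref}" | jq > "${local_data_file}"
+
+echo "Created $local_data_file from $acceptable_bundle_ref"
+done
+}
+
+# Because Conforma can't use the tag from the bundle ref it has to get the version from the
+# task metadata. We'll do the same here:
+function metadata-version() {
+local bundle_ref="$1"
+tkn bundle list "$bundle_ref" -o json 2>/dev/null | jq -r '.metadata.labels["app.kubernetes.io/version"]'
+}
+
+# Comment out while hacking to save a little time
+#fetch-acceptable-bundles
+
+for d in *-acceptable-bundle-data.json; do
+all_refs=$(
+jq -r '.trusted_tasks|keys[]|select(test(":[^-]+$"))|select(test(":unknown$")|not)' $d | sed 's!oci://!!'
+)
+
+for ref in $all_refs; do
+echo "Inspecting $ref"
+echo "Found version $(metadata-version "$ref")"
+echo ""
+done
+done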
