diff --git a/renovate.json b/renovate.json index 4426b2f42c..c1769a4a0d 100644 --- a/renovate.json +++ b/renovate.json @@ -25,7 +25,6 @@ "quay.io/redhat-appstudio/buildah", "quay.io/redhat-appstudio/hacbs-jvm-build-request-processor", "quay.io/redhat-appstudio/build-definitions-source-image-build-utils", - "quay.io/redhat-appstudio/cosign", "quay.io/redhat-appstudio/cachi2", "quay.io/redhat-appstudio/sbom-utility-scripts-image", "registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9" diff --git a/ta-generator/golden/buildah/ta.yaml b/ta-generator/golden/buildah/ta.yaml index 7d22285bd8..0cfb516e87 100644 --- a/ta-generator/golden/buildah/ta.yaml +++ b/ta-generator/golden/buildah/ta.yaml @@ -439,22 +439,29 @@ spec: workingDir: /var/workdir - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: /var/workdir + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" volumes: - name: varlibcontainers emptyDir: {} - name: workdir emptyDir: {} + - name: trusted-ca + emptyDir: {} - name: etc-pki-entitlement secret: secretName: $(params.ENTITLEMENT_SECRET) diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 1db84462ea..230ba95b46 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -573,13 +573,18 @@ spec: - SETFCAP runAsUser: 0 - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: /var/workdir + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 515d160ec2..662dba5d91 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -664,17 +664,22 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers workingDir: /var/workdir - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - computeResources: {} - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + - computeResources: {} + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 name: upload-sbom + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true workingDir: /var/workdir volumes: - name: activation-key diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index c58694416d..bbd5de9d47 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -661,17 +661,22 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers workingDir: $(workspaces.source.path) - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - computeResources: {} - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + - computeResources: {} + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 name: upload-sbom + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true workingDir: $(workspaces.source.path) volumes: - emptyDir: {} diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 39e4d90562..8ba9ebaf09 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -543,16 +543,21 @@ spec: workingDir: $(workspaces.source.path) - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: $(workspaces.source.path) + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" volumes: - name: varlibcontainers emptyDir: {} diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 778bbca8b7..fde3176887 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -51,6 +51,8 @@ spec: - name: SBOM_BLOB_URL description: Link to the SBOM blob pushed to the registry. volumes: + - name: trusted-ca + emptyDir: {} - name: varlibcontainers emptyDir: {} - name: workdir @@ -318,16 +320,21 @@ spec: yq -oj -i '.components += [ {"purl": "'$purl'", "type": "file", "name": "'$OCI_FILENAME'", "hashes": [{"alg": "SHA-256", "content": "'$OCI_ARTIFACT_DIGEST'"}], "externalReferences": [{"type": "distribution", "url": "'$OCI_SOURCE'"}]} ]' sbom-cyclonedx.json done - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: /var/workdir + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" - name: report-sbom-url image: quay.io/konflux-ci/yq:latest@sha256:8524b4f190dba0974242d5b91aef6f89cacb9ee6a38fadbed7fff53524b533f6 workingDir: /var/workdir diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index 712ec3aa7d..97f4192c58 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml @@ -297,16 +297,21 @@ spec: done workingDir: $(workspaces.source.path) - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: $(workspaces.source.path) + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" - name: report-sbom-url image: quay.io/konflux-ci/yq:latest@sha256:8524b4f190dba0974242d5b91aef6f89cacb9ee6a38fadbed7fff53524b533f6 script: | @@ -322,6 +327,8 @@ spec: name: varlibcontainers - emptyDir: {} name: workdir + - name: trusted-ca + emptyDir: {} workspaces: - description: Workspace containing the source artifacts to copy name: source diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml index 34c65c2635..fa74d28e5f 100644 --- a/task/rpm-ostree/0.1/rpm-ostree.yaml +++ b/task/rpm-ostree/0.1/rpm-ostree.yaml @@ -281,23 +281,27 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers workingDir: $(workspaces.source.path) - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - name: upload-sbom - computeResources: {} + - name: upload-sbom + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: $(workspaces.source.path) + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" volumes: - emptyDir: {} name: varlibcontainers + - emptyDir: {} + name: trusted-ca - name: ssh secret: optional: false diff --git a/task/rpm-ostree/0.2/rpm-ostree.yaml b/task/rpm-ostree/0.2/rpm-ostree.yaml index d82ddd6ad7..61cd930105 100644 --- a/task/rpm-ostree/0.2/rpm-ostree.yaml +++ b/task/rpm-ostree/0.2/rpm-ostree.yaml @@ -276,23 +276,27 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers workingDir: $(workspaces.source.path) - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - name: upload-sbom - computeResources: {} + - name: upload-sbom + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: $(workspaces.source.path) + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" volumes: - emptyDir: {} name: varlibcontainers + - emptyDir: {} + name: trusted-ca - name: ssh secret: optional: false diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml index 7f1d1d3cd0..620641aff4 100644 --- a/task/s2i-java/0.1/s2i-java.yaml +++ b/task/s2i-java/0.1/s2i-java.yaml @@ -273,17 +273,19 @@ spec: workingDir: $(workspaces.source.path) - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + volumeMounts: + - name: trusted-ca + mountPath: /mnt/trusted-ca + readOnly: true workingDir: $(workspaces.source.path) volumes: @@ -291,6 +293,8 @@ spec: name: varlibcontainers - emptyDir: {} name: gen-source + - emptyDir: {} + name: trusted-ca workspaces: - mountPath: /workspace/source name: source diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml index b526432be6..8a345647bf 100644 --- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml +++ b/task/s2i-nodejs/0.1/s2i-nodejs.yaml @@ -240,24 +240,29 @@ spec: workingDir: $(workspaces.source.path) - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: $(workspaces.source.path) + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" volumes: - emptyDir: {} name: varlibcontainers - emptyDir: {} name: gen-source + - emptyDir: {} + name: trusted-ca workspaces: - mountPath: /workspace/source name: source