diff --git a/k8s/stage/osh-client-tekton/task/osh-scan-scm-task.yaml b/k8s/stage/osh-client-tekton/task/osh-scan-scm-task.yaml
new file mode 100644
index 0000000..9009cef
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/task/osh-scan-scm-task.yaml
@@ -0,0 +1,103 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: osh-scan-scm-task
+spec:
+ stepTemplate:
+ env:
+ - name: "HOME"
+ value: "/tekton/home"
+
+ params:
+ - name: repo-url
+ type: string
+ description: The SCMURL
+
+ - name: revision
+ type: string
+ description: The revision or tag
+
+ - name: mock-build-params
+ type: string
+ description: Parameters pushed to mock build
+ default: "-p snyk-only-unstable --tarball-build-script=:"
+
+ - name: archive-name
+ type: string
+ description: The name of the git archive file
+ default: $(context.taskRun.uid).tar.gz
+
+ - name: tarball-storage-dir
+ type: string
+ description: What directory the scan tar gz will be put into
+ default: /workspace/source-tars/$(context.taskRun.name)
+
+ - name: working-dir
+ type: string
+ description: Working directory for the task
+ default: /home/covscan
+
+ workspaces:
+ - name: source-tars
+ description: This workspace contains our source tar gzips for covscan and is semi-persistant
+ - name: ssl-ca-directory
+ description: Location of CA bundle for ssl verification with internal services
+
+
+ volumes:
+ - name: osh-client-kerb-vol
+ secret:
+ defaultMode: 384
+ optional: false
+ secretName: kerberos-keytab-osh
+
+ - name: osh-client-kerb-config-vol
+ configMap:
+ name: kerberos-config-osh-client
+ items:
+ - key: linux-krb5.conf
+ path: linux-krb5.conf
+ defaultMode: 384
+ optional: false
+
+ - name: osh-client-config-vol
+ configMap:
+ name: osh-client-config
+ items:
+ - key: client.conf
+ path: client.conf
+ optional: false
+
+ steps:
+ - name: perform-osh-scm-scan
+ image: quay.io/pct-security/osh-wrapper-client:latest
+ workingDir: $(params.working-dir)
+
+ volumeMounts:
+ - name: osh-client-kerb-vol
+ mountPath: /kerberos
+ readOnly: true
+
+ - name: osh-client-config-vol
+ mountPath: /etc/osh/client.conf
+ readOnly: true
+ subPath: client.conf
+
+ - name: osh-client-kerb-config-vol
+ mountPath: /etc/krb5.conf
+ readOnly: true
+ subPath: 
linux-krb5.conf + + script: | + #!/bin/bash + echo $(params.working-dir) + echo $(params.repo-url) + echo $(params.revision) + echo $(params.mock-build-params) + echo $(params.archive-name) + git clone -v $(params.repo-url) -b $(params.revision) + git --git-dir=$(basename $(params.repo-url) .git)/.git archive --format=tar.gz HEAD -o $(params.working-dir)/$(params.archive-name) + mkdir $(params.tarball-storage-dir) + cp $(params.working-dir)/$(params.archive-name) $(params.tarball-storage-dir)/ + + covscan mock-build $(params.mock-build-params) $(params.working-dir)/$(params.archive-name) \ No newline at end of file diff --git a/src/main/java/com/redhat/pctsec/tekton/TaskHandler.java b/src/main/java/com/redhat/pctsec/tekton/TaskHandler.java index 8a26960..8a61bdc 100644 --- a/src/main/java/com/redhat/pctsec/tekton/TaskHandler.java +++ b/src/main/java/com/redhat/pctsec/tekton/TaskHandler.java @@ -1,14 +1,8 @@ package com.redhat.pctsec.tekton; -import com.redhat.pctsec.model.RequestType; import com.redhat.pctsec.model.ScanTask; import com.redhat.pctsec.model.ScanTaskState; import io.fabric8.kubernetes.api.model.ConfigMapVolumeSource; import io.fabric8.kubernetes.api.model.PersistentVolumeClaimVolumeSource; -import io.fabric8.kubernetes.api.model.PodSecurityContext; -import io.fabric8.kubernetes.api.model.PodSecurityContextBuilder; -import io.fabric8.tekton.client.DefaultTektonClient; -import io.fabric8.tekton.client.TektonClient; -import io.fabric8.tekton.client.DefaultTektonClient; import io.fabric8.tekton.client.TektonClient; import io.fabric8.tekton.pipeline.v1beta1.*; @@ -17,9 +11,10 @@ import io.quarkus.vertx.ConsumeEvent; import io.smallrye.common.annotation.Blocking; import jakarta.inject.Inject; -import org.apache.commons.lang3.RandomStringUtils; import org.eclipse.microprofile.config.inject.ConfigProperty; +import org.apache.commons.compress.utils.FileNameUtils; + import java.util.ArrayList; import java.util.List; 
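Review bot: `git clone -v $(params.repo-url) -b $(params.revision)` in the step script splices caller-supplied params (in the accompanying Java change `repo-url` and `revision` are the raw `repo`/`ref` arguments of `invokeOshScmScanPipeline`) into bash source before the shell runs it, so a value containing `;`, `$( )` or a leading `-` can execute arbitrary commands or inject git options inside a pod that mounts the Kerberos keytab. The usual Tekton remedy is to expose those params as environment variables on the step and quote them, pass `--` before the URL and clone into a fixed directory rather than deriving it with `basename`, and open the script with `set -euo pipefail` so a failed clone does not fall through to `covscan mock-build` on a missing archive. `mock-build-params` is deliberately word-split into covscan's argv, so it stays unquoted, but that means it must be treated as trusted input rather than something an API caller may set freely. The `ssl-ca-directory` workspace is declared but never mounted or referenced by the step, and `image: ...:latest` makes the scan environment unpinned; both are worth a second look.

```yaml
      env:
        - name: REPO_URL
          value: $(params.repo-url)
        - name: REPO_REVISION
          value: $(params.revision)
        - name: ARCHIVE_PATH
          value: $(params.working-dir)/$(params.archive-name)
        - name: TARBALL_STORAGE_DIR
          value: $(params.tarball-storage-dir)
      # … unchanged: volumeMounts …
      script: |
        #!/bin/bash
        set -euo pipefail
        git clone -v --branch "$REPO_REVISION" -- "$REPO_URL" source
        git --git-dir=source/.git archive --format=tar.gz HEAD -o "$ARCHIVE_PATH"
        mkdir -p "$TARBALL_STORAGE_DIR"
        cp "$ARCHIVE_PATH" "$TARBALL_STORAGE_DIR/"
        covscan mock-build $(params.mock-build-params) "$ARCHIVE_PATH"
```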
@@ -27,13 +22,13 @@ public class TaskHandler { @ConfigProperty(name = "quarkus.openshift.namespace") String NAMESPACE; - @ConfigProperty(name = "tekton.pipeline.ref") - String PIPELINE_REFERENCE; + @ConfigProperty(name = "tekton.scmscan.task.ref") + String SCM_SCAN_REFERENCE; @ConfigProperty(name = "tekton.service-account") String SERVICE_ACCOUNT; - @ConfigProperty(name = "tekton.task.ref") - String TASK_REFERENCE; + @ConfigProperty(name = "tekton.brewscan.task.ref") + String BREW_SCAN_TASK_REFERENCE; @Inject TektonClient tektonClient; @@ -71,12 +66,14 @@ public class TaskHandler { String scanProfile = "snyk-only-unstable"; // random taskrun name generating for now - TaskRun taskRun = new TaskRunBuilder().withNewMetadata().withName("osh-scan-taskrun-" + RandomStringUtils.randomAlphanumeric(8).toLowerCase()) + TaskRun taskRun = new TaskRunBuilder() + .withNewMetadata() + .withGenerateName("osh-brew-scan-taskrun-") .endMetadata() .withNewSpec() .withServiceAccountName(SERVICE_ACCOUNT) .withNewTaskRef() - .withName(TASK_REFERENCE) + .withName(BREW_SCAN_TASK_REFERENCE) .endTaskRef() .withParams( new Param("buildId", new ArrayOrString(buildId)), 
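Review bot: Switching the metadata to `withGenerateName("osh-brew-scan-taskrun-")` leaves the locally built `taskRun` with no `metadata.name` until the API server assigns one, so any code after this hunk that reads `taskRun.getMetadata().getName()` from the local object (the method's return is not visible here) will get null; the name must be taken from the `TaskRun` that `create()` returns, e.g. `TaskRun created = ...resource(taskRun).create(); return created.getMetadata().getName();`. The method continues past the end of the hunk.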
@@ -91,49 +88,40 @@ public class TaskHandler { public String invokeOshScmScanPipeline(String repo, String ref, String mockBuildArgs) { - PodSecurityContext securityContext = new PodSecurityContextBuilder() - .withRunAsNonRoot(true) - .withRunAsUser(65532L) - .build(); - - WorkspaceBinding sourcesWorkspaceBinding = new WorkspaceBindingBuilder() - .withName("sources") - .withPersistentVolumeClaim(new PersistentVolumeClaimVolumeSource("osh-client-sources", null)) - .build(); - WorkspaceBinding sourceTarsWorkspaceBinding = new WorkspaceBindingBuilder() - .withName("source-tars") - .withPersistentVolumeClaim(new PersistentVolumeClaimVolumeSource("osh-client-source-tars", null)) - .build(); + .withName("source-tars") + .withPersistentVolumeClaim(new PersistentVolumeClaimVolumeSource("osh-client-source-tars", null)) + .build(); WorkspaceBinding sslCaDirectoryWorkspaceBinding = new WorkspaceBindingBuilder() - .withName("ssl-ca-directory") - .withConfigMap(new ConfigMapVolumeSource(null, null, "config-trusted-cabundle", null)) - .build(); - + .withName("ssl-ca-directory") + .withConfigMap(new ConfigMapVolumeSource(null, null, "config-trusted-cabundle", null)) + .build(); + List workspaceBindings = new ArrayList<>(); - workspaceBindings.add(sourcesWorkspaceBinding); workspaceBindings.add(sourceTarsWorkspaceBinding); workspaceBindings.add(sslCaDirectoryWorkspaceBinding); - PipelineRun pipelineRun = new PipelineRunBuilder() - .withNewMetadata().withName("osh-scm-scan-" + RandomStringUtils.randomAlphanumeric(8).toLowerCase()).endMetadata() - .withNewSpec() - .withNewPodTemplate() - .withSecurityContext(securityContext) - .endPodTemplate() - .withServiceAccountName(SERVICE_ACCOUNT) - .withNewPipelineRef().withName(PIPELINE_REFERENCE).endPipelineRef() - .addNewParam().withName("repo-url").withNewValue(repo).endParam() - .addNewParam().withName("revision").withNewValue(ref).endParam() - .addNewParam().withName("mock-build-params").withNewValue(mockBuildArgs).endParam() - 
.withWorkspaces(workspaceBindings) - .endSpec() - .build(); + TaskRun taskRun = new TaskRunBuilder() + .withNewMetadata() + .withGenerateName("osh-scm-scan-taskrun-") + .endMetadata() + .withNewSpec() + .withServiceAccountName(SERVICE_ACCOUNT) + .withNewTaskRef() + .withName(SCM_SCAN_REFERENCE) + .endTaskRef() + .addNewParam().withName("repo-url").withNewValue(repo).endParam() + .addNewParam().withName("revision").withNewValue(ref).endParam() + .addNewParam().withName("mock-build-params").withNewValue(mockBuildArgs).endParam() + .addNewParam().withName("archive-name").withNewValue(FileNameUtils.getBaseName(repo) + "-" + ref + ".tar.gz").endParam() + .withWorkspaces(workspaceBindings) + .endSpec() + .build(); - tektonClient.v1beta1().pipelineRuns().inNamespace(NAMESPACE).resource(pipelineRun).create(); + tektonClient.v1beta1().taskRuns().inNamespace(NAMESPACE).resource(taskRun).create(); - return pipelineRun.getMetadata().getName(); + return taskRun.getMetadata().getName(); } diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index c3b2dcb..fa430cf 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -128,8 +128,8 @@ quarkus.arc.remove-unused-beans=false ########################################## # Tekton Specifics (Used in app) # ########################################## -tekton.pipeline.ref=osh-client-from-source -tekton.task.ref=osh-scan-task +tekton.scmscan.task.ref=osh-scan-scm-task +tekton.brewscan.task.ref=osh-scan-task tekton.service-account=${quarkus.openshift.service-account} ##########################################
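Review bot: `return taskRun.getMetadata().getName()` now returns null, because the builder only sets `withGenerateName("osh-scm-scan-taskrun-")` and the server-assigned name lives on the object returned by `create()`, which this hunk discards; capture it instead: `TaskRun created = tektonClient.v1beta1().taskRuns().inNamespace(NAMESPACE).resource(taskRun).create(); return created.getMetadata().getName();`. The `archive-name` param is built as `FileNameUtils.getBaseName(repo) + "-" + ref + ".tar.gz"` from the caller-supplied `ref`, and the task joins it onto `working-dir` as a file path, so a ref containing `/` or `..` (a branch like `release/1.0`) changes where the archive is written; sanitize the ref for use in a filename or keep the task's `$(context.taskRun.uid).tar.gz` default. The deleted PipelineRun carried a pod template with `runAsNonRoot(true)`/`runAsUser(65532L)`, while the new TaskRun sets no pod template, so unless a cluster-level policy enforces it the scan pod may now run as the image's default user; re-adding it via `withNewPodTemplate().withSecurityContext(...)` would keep the previous posture.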