feat(RELEASE-2031): use pubtools-sign to sign in blob-signing-pipeline

Also removed sig_key_ids as they are not actively used by radas
and unused pyxis attributes

Signed-off-by: Jindrich Luza <jluza@redhat.com>

Author: midnightercz

pipelines/internal/blob-signing-pipeline/blob-signing-pipeline.yaml

@@ -51,26 +51,25 @@ spec:
         - name: config_map_name
           value: $(params.config_map_name)
     - name: request-signature
+      retries: 5
       taskRef:
-        resolver: "bundles"
+        resolver: "git"
         params:
-          - name: bundle
-            value: quay.io/redhat-isv/tkn-signing-bundle:7059415075
-          - name: name
-            value: request-signature-blob
-          - name: kind
-            value: task
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: tasks/internal/request-blob-signature/request-blob-signature.yaml
       params:
         - name: pipeline_image
           value: "$(params.pipeline_image)"
         - name: blob
           value: "$(params.blob)"
         - name: requester
           value: $(params.requester)
-        - name: sig_key_id
-          value: $(tasks.collect-blob-signing-params.results.sig_key_id)
-        - name: sig_key_name
-          value: $(tasks.collect-blob-signing-params.results.sig_key_name)
+        - name: sig_key_names
+          value: $(tasks.collect-blob-signing-params.results.sig_key_names)
         - name: umb_ssl_secret_name
           value: $(tasks.collect-blob-signing-params.results.umb_ssl_cert_secret_name)
         - name: umb_ssl_cert_secret_key

tasks/internal/collect-blob-signing-params/collect-blob-signing-params.yaml

@@ -13,11 +13,7 @@ spec:
       description: Name of a configmap with pipeline configuration
       type: string
   results:
-    - name: pyxis_url
-      description: Container API URL based for selected environment
-    - name: sig_key_id
-      description: The signing key id that index image claims are signed with
-    - name: sig_key_name
+    - name: sig_key_names
       description: The signing key name that index image claims are signed with
     - name: umb_url
       description: umb host to connect to for messaging, e.g. for signing
@@ -27,12 +23,6 @@ spec:
       description: umb topic which is used for publishing
     - name: umb_client_name
       description: Client name to connect to umb, usually a service account name
-    - name: pyxis_ssl_cert_secret_name
-      description: Pyxis SSL secret name
-    - name: pyxis_ssl_cert_file_name
-      description: Pyxis SSL certificate file name
-    - name: pyxis_ssl_key_file_name
-      description: Pyxis SSL key file name
     - name: umb_ssl_cert_secret_name
       description: UMB SSL secret name
     - name: umb_ssl_cert_file_name
@@ -59,12 +49,9 @@ spec:
         set -ex
 
         configMapJson=$(kubectl get "cm/${config_map_name:?}" -ojson)
-        PYXIS_URL=$(jq -er '.data.PYXIS_URL' <<< "${configMapJson}")
-        SIG_KEY_ID=$(jq -er '.data.SIG_KEY_ID' <<< "${configMapJson}")
-        SIG_KEY_NAME=$(jq -er '.data.SIG_KEY_NAME' <<< "${configMapJson}")
-        PYXIS_SSL_CERT_FILE_NAME=$(jq -er '.data.PYXIS_SSL_CERT_FILE_NAME' <<< "${configMapJson}")
-        PYXIS_SSL_CERT_SECRET_NAME=$(jq -er '.data.PYXIS_SSL_CERT_SECRET_NAME' <<< "${configMapJson}")
-        PYXIS_SSL_KEY_FILE_NAME=$(jq -er '.data.PYXIS_SSL_KEY_FILE_NAME' <<< "${configMapJson}")
+        jqquery='.data|if has ("SIG_KEY_NAMES")
+        then (.SIG_KEY_NAMES|split(",")|.[]|gsub("^\\s+|\\s+$";"")) else .SIG_KEY_NAME end'
+        SIG_KEY_NAMES=$(jq -er "$jqquery" <<< "${configMapJson}")
         UMB_CLIENT_NAME=$(jq -er '.data.UMB_CLIENT_NAME' <<< "${configMapJson}")
         UMB_LISTEN_TOPIC=$(jq -er '.data.UMB_LISTEN_TOPIC' <<< "${configMapJson}")
         UMB_PUBLISH_TOPIC=$(jq -er '.data.UMB_PUBLISH_TOPIC' <<< "${configMapJson}")
@@ -73,12 +60,7 @@ spec:
         UMB_SSL_CERT_SECRET_NAME=$(jq -er '.data.UMB_SSL_CERT_SECRET_NAME' <<< "${configMapJson}")
         UMB_SSL_KEY_FILE_NAME=$(jq -er '.data.UMB_SSL_KEY_FILE_NAME' <<< "${configMapJson}")
 
-        echo -n "$PYXIS_URL" | tee "$(results.pyxis_url.path)"
-        echo -n "$SIG_KEY_ID" | tee "$(results.sig_key_id.path)"
-        echo -n "$SIG_KEY_NAME" | tee "$(results.sig_key_name.path)"
-        echo -n "$PYXIS_SSL_CERT_FILE_NAME" | tee "$(results.pyxis_ssl_cert_file_name.path)"
-        echo -n "$PYXIS_SSL_CERT_SECRET_NAME" | tee "$(results.pyxis_ssl_cert_secret_name.path)"
-        echo -n "$PYXIS_SSL_KEY_FILE_NAME" | tee "$(results.pyxis_ssl_key_file_name.path)"
+        echo -n "$SIG_KEY_NAMES" | tee "$(results.sig_key_names.path)"
         echo -n "$UMB_CLIENT_NAME" | tee "$(results.umb_client_name.path)"
         echo -n "$UMB_LISTEN_TOPIC" | tee "$(results.umb_listen_topic.path)"
         echo -n "$UMB_PUBLISH_TOPIC" | tee "$(results.umb_publish_topic.path)"

tasks/internal/collect-blob-signing-params/tests/test-collect-blob-signing-params.yaml

@@ -50,18 +50,8 @@ spec:
         - setup
     - name: check-result
       params:
-        - name: sig_key_name
-          value: $(tasks.run-task.results.sig_key_name)
-        - name: sig_key_ids
-          value: $(tasks.run-task.results.sig_key_id)
-        - name: pyxis_url
-          value: $(tasks.run-task.results.pyxis_url)
-        - name: pyxis_ssl_cert_file_name
-          value: $(tasks.run-task.results.pyxis_ssl_cert_file_name)
-        - name: pyxis_ssl_cert_secret_name
-          value: $(tasks.run-task.results.pyxis_ssl_cert_secret_name)
-        - name: pyxis_ssl_key_file_name
-          value: $(tasks.run-task.results.pyxis_ssl_key_file_name)
+        - name: sig_key_names
+          value: $(tasks.run-task.results.sig_key_names)
         - name: umb_client_name
           value: $(tasks.run-task.results.umb_client_name)
         - name: umb_listen_topic
@@ -78,17 +68,7 @@ spec:
           value: $(tasks.run-task.results.umb_ssl_key_file_name)
       taskSpec:
         params:
-          - name: sig_key_name
-            type: string
-          - name: sig_key_ids
-            type: string
-          - name: pyxis_url
-            type: string
-          - name: pyxis_ssl_cert_file_name
-            type: string
-          - name: pyxis_ssl_cert_secret_name
-            type: string
-          - name: pyxis_ssl_key_file_name
+          - name: sig_key_names
             type: string
           - name: umb_client_name
             type: string
@@ -108,18 +88,8 @@ spec:
           - name: check-result
             image: quay.io/konflux-ci/release-service-utils:82012e03002128f2a226acb23dc5c6fc1c37f5b6
             env:
-              - name: "sig_key_name"
-                value: '$(params.sig_key_name)'
-              - name: "sig_key_ids"
-                value: '$(params.sig_key_ids)'
-              - name: "pyxis_url"
-                value: '$(params.pyxis_url)'
-              - name: "pyxis_ssl_cert_file_name"
-                value: '$(params.pyxis_ssl_cert_file_name)'
-              - name: "pyxis_ssl_cert_secret_name"
-                value: '$(params.pyxis_ssl_cert_secret_name)'
-              - name: "pyxis_ssl_key_file_name"
-                value: '$(params.pyxis_ssl_key_file_name)'
+              - name: "sig_key_names"
+                value: '$(params.sig_key_names)'
               - name: "umb_client_name"
                 value: '$(params.umb_client_name)'
               - name: "umb_listen_topic"
@@ -138,12 +108,7 @@ spec:
               #!/usr/bin/env sh
               set -eux
 
-              test "${sig_key_name:?}" = "redhate2etesting"
-              test "${sig_key_ids:?}" = "4096R/37036783 SHA-256"
-              test "${pyxis_url:?}" = "https://pyxis.stage.engineering.redhat.com"
-              test "${pyxis_ssl_cert_file_name:?}" = "hacbs-signing-pipeline.pem"
-              test "${pyxis_ssl_cert_secret_name:?}" = "hacbs-signing-pipeline-certs"
-              test "${pyxis_ssl_key_file_name:?}" = "hacbs-signing-pipeline.key"
+              test "${sig_key_names:?}" = "redhate2etesting"
               test "${umb_client_name:?}" = "hacbs-signing-pipeline-nonprod"
               test "${umb_listen_topic:?}" = "VirtualTopic.eng.robosignatory.hacbs.sign"
               test "${umb_publish_topic:?}" = "VirtualTopic.eng.hacbs-signing-pipeline.hacbs.sign"

tasks/internal/request-blob-signature/README.md

@@ -0,0 +1,26 @@
+# request-blob-signature
+
+Tekton task to request a simple signature.
+- This task is meant to be used in an internal pipeline that can be triggered frequently
+  and is expected to complete as quickly as possible.
+
+## Parameters
+
+| Name                     | Description                                                           | Optional | Default value                                                                     |
+|--------------------------|-----------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------|
+| pipeline_image           | A docker image of operator-pipeline-images for the steps to run in    | Yes      | quay.io/konflux-ci/release-service-utils:9d57cd95e60f0c61a118fe9261f5941815d33469 |
+| requester                | Name of the user that requested the signing, for auditing purposes    | No       | -                                                                                 |
+| blob                     | Blob content to be signed, base64 encoded                             | No       | -                                                                                 |
+| sig_key_names            | NL separated signing key names that the content is signed with        | Yes      | containerisvsign                                                                  |
+| umb_client_name          | Client name to connect to umb, usually a service account name         | Yes      | operatorpipelines                                                                 |
+| umb_listen_topic         | umb topic to listen to for responses with signed content              | Yes      | VirtualTopic.eng.robosignatory.isv.sign                                           |
+| umb_batch_listen_topic   | batch signer umb topic to listen to for responses with signed content | Yes      | VirtualTopic.eng.robosignatory.konflux.sign                                       |
+| umb_publish_topic        | umb topic to publish to for requesting signing                        | Yes      | VirtualTopic.eng.operatorpipelines.isv.sign                                       |
+| umb_batch_publish_topic  | batch signer umb topic to publish to for requesting signing           | Yes      | VirtualTopic.eng.hacbs-signing-pipeline.konflux.sign                              |
+| umb_url                  | umb host to connect to for messaging                                  | Yes      | umb.api.redhat.com                                                                |
+| umb_ssl_cert_secret_name | Kubernetes secret name that contains the umb SSL files                | No       | -                                                                                 |
+| umb_ssl_cert_file_name   | The key within the Kubernetes secret that contains the umb SSL cert   | No       | -                                                                                 |
+| umb_ssl_key_file_name    | The key within the Kubernetes secret that contains the umb SSL key    | No       | -                                                                                 |
+| signature_data_file      | The file where the signing response should be placed                  | Yes      | signing_response.json                                                             |
+| caTrustConfigMapName     | The name of the ConfigMap to read CA bundle data from                 | Yes      | trusted-ca                                                                        |
+| caTrustConfigMapKey      | The name of the key in the ConfigMap that contains the CA bundle data | Yes      | ca-bundle.crt                                                                     |