
Commit 892a3a3

authored
Merge pull request #199 from redhat-appstudio/RHTAP-4858
Remove COSIGN_PUBLIC_KEY from Jenkins secrets
2 parents d3b8e4b + 7f65514 commit 892a3a3


5 files changed

+51
-19
lines changed


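--- a/generated/gitops-template/jenkins/Jenkinsfile
+++ b/generated/gitops-template/jenkins/Jenkinsfile
@@ -11,13 +11,13 @@ pipeline {
 COSIGN_SECRET_PASSWORD = 'dummy'
 COSIGN_SECRET_KEY = 'dummy'
 /* Used to verify the image signature and attestation */
-COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
+/* COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY') */
 /* URL of the BOMbastic api host (e.g. https://sbom.trustification.dev) */
-TRUSTIFICATION_BOMBASTIC_API_URL = credentials('TRUSTIFICATION_BOMBASTIC_API_URL')
+/* TRUSTIFICATION_BOMBASTIC_API_URL = credentials('TRUSTIFICATION_BOMBASTIC_API_URL') */
 /* URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken) */
-TRUSTIFICATION_OIDC_ISSUER_URL = credentials('TRUSTIFICATION_OIDC_ISSUER_URL')
-TRUSTIFICATION_OIDC_CLIENT_ID = credentials('TRUSTIFICATION_OIDC_CLIENT_ID')
-TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION = credentials('TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION')
+/* TRUSTIFICATION_OIDC_ISSUER_URL = credentials('TRUSTIFICATION_OIDC_ISSUER_URL') */
+/* TRUSTIFICATION_OIDC_CLIENT_ID = credentials('TRUSTIFICATION_OIDC_CLIENT_ID') */
+/* TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION = credentials('TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION') */
 /* Set when using Jenkins on non-local cluster and using an external Rekor instance */
 /* REKOR_HOST = credentials('REKOR_HOST') */
 /* Set when using Jenkins on non-local cluster and using an external TUF instance */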

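--- a/generated/source-repo/githubactions/.github/workflows/build-and-update-gitops.yml
+++ b/generated/source-repo/githubactions/.github/workflows/build-and-update-gitops.yml
@@ -26,6 +26,7 @@ env:
 # QUAY_IO_CREDS_USR: ${{ vars.QUAY_IO_CREDS_USR }}
 # ARTIFACTORY_IO_CREDS_USR: ${{ vars.ARTIFACTORY_IO_CREDS_USR }}
 # NEXUS_IO_CREDS_USR: ${{ vars.NEXUS_IO_CREDS_USR }}
+# Used to verify the image signature and attestation
 COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
 # Secrets
 ROX_API_TOKEN: ${{ secrets.ROX_API_TOKEN }}
@@ -84,6 +85,7 @@ jobs:
 /*QUAY_IO_CREDS_USR: `${{ vars.QUAY_IO_CREDS_USR }}`, */
 /*ARTIFACTORY_IO_CREDS_USR: `${{ vars.ARTIFACTORY_IO_CREDS_USR }}`, */
 /*NEXUS_IO_CREDS_USR: `${{ vars.NEXUS_IO_CREDS_USR }}`, */
+/* Used to verify the image signature and attestation */
 COSIGN_PUBLIC_KEY: `${{ vars.COSIGN_PUBLIC_KEY }}`,
 };
 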

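--- a/hack/jenkins-get-secrets
+++ b/hack/jenkins-get-secrets
@@ -11,4 +11,3 @@ bash $SCRIPTDIR/jenkins-get-credentials GITOPS_AUTH_PASSWORD
 bash $SCRIPTDIR/jenkins-get-credentials QUAY_IO_CREDS
 bash $SCRIPTDIR/jenkins-get-credentials COSIGN_SECRET_PASSWORD
 bash $SCRIPTDIR/jenkins-get-credentials COSIGN_SECRET_KEY
-bash $SCRIPTDIR/jenkins-get-credentials COSIGN_PUBLIC_KEY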

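--- a/hack/jenkins-set-secrets
+++ b/hack/jenkins-set-secrets
@@ -3,7 +3,7 @@ set -euo pipefail
 
 SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 
-ENV="MY_JENKINS_SERVER MY_JENKINS_USER MY_JENKINS_TOKEN COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY "
+ENV="MY_JENKINS_SERVER MY_JENKINS_USER MY_JENKINS_TOKEN COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY "
 
 ENV+=" ACS__API_TOKEN ACS__CENTRAL_ENDPOINT GITOPS_AUTH_PASSWORD "
 source $SCRIPTDIR/../rhtap/verify-deps-exist "$ENV" "curl"
@@ -13,7 +13,6 @@ bash $SCRIPTDIR/jenkins-create-secret ROX_CENTRAL_ENDPOINT "${ACS__CENTRAL_ENDPO
 bash $SCRIPTDIR/jenkins-create-secret GITOPS_AUTH_PASSWORD "${GITOPS_AUTH_PASSWORD}"
 bash $SCRIPTDIR/jenkins-create-secret COSIGN_SECRET_PASSWORD "${COSIGN_SECRET_PASSWORD}"
 bash $SCRIPTDIR/jenkins-create-secret COSIGN_SECRET_KEY "${COSIGN_SECRET_KEY}"
-bash $SCRIPTDIR/jenkins-create-secret COSIGN_PUBLIC_KEY "${COSIGN_PUBLIC_KEY}"
 if [[ -n "${TRUSTIFICATION_BOMBASTIC_API_URL:-}" ]]; then
 bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_BOMBASTIC_API_URL "${TRUSTIFICATION_BOMBASTIC_API_URL}"
 fi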

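--- a/templates/data.yaml
+++ b/templates/data.yaml
@@ -64,6 +64,12 @@ build_variables:
 commented_out: true
 
 - name: COSIGN_PUBLIC_KEY
+if: 'isGitHub || isAzure'
+comment: Used to verify the image signature and attestation
+- name: COSIGN_PUBLIC_KEY
+if: '!isGitHub && !isAzure'
+commented_out: true
+comment: Used to verify the image signature and attestation
 
 build_secrets:
 - name: ROX_API_TOKEN
@@ -81,27 +87,27 @@ build_secrets:
 - name: IMAGE_REGISTRY_PASSWORD
 if: '!isGitHub && !isAzure'
 commented_out: true
-comment: "Set this password for your specific registry"
+comment: "Set this password for your specific registry"
 
 - name: QUAY_IO_CREDS
 if: isJenkins
 comment: "Default registry is set to quay.io"
 - name: QUAY_IO_CREDS_PSW
-if: '!isJenkins'
+if: '!isJenkins'
 commented_out: true
 
 - name: ARTIFACTORY_IO_CREDS
 if: isJenkins
 commented_out: true
 - name: ARTIFACTORY_IO_CREDS_PSW
-if: '!isJenkins'
+if: '!isJenkins'
 commented_out: true
 
 - name: NEXUS_IO_CREDS
 if: isJenkins
 commented_out: true
 - name: NEXUS_IO_CREDS_PSW
-if: '!isJenkins'
+if: '!isJenkins'
 commented_out: true
 
 - name: COSIGN_SECRET_PASSWORD
@@ -115,14 +121,40 @@ gitops_steps:
 
 gitops_variables:
 - name: COSIGN_PUBLIC_KEY
+if: 'isGitHub || isAzure'
+comment: Used to verify the image signature and attestation
+- name: COSIGN_PUBLIC_KEY
+if: '!isGitHub && !isAzure'
+commented_out: true
 comment: Used to verify the image signature and attestation
 
 - name: TRUSTIFICATION_BOMBASTIC_API_URL
+if: 'isGitHub || isAzure'
+comment: URL of the BOMbastic api host (e.g. https://sbom.trustification.dev)
+- name: TRUSTIFICATION_BOMBASTIC_API_URL
+if: '!isGitHub && !isAzure'
+commented_out: true
 comment: URL of the BOMbastic api host (e.g. https://sbom.trustification.dev)
+
 - name: TRUSTIFICATION_OIDC_ISSUER_URL
+if: 'isGitHub || isAzure'
+comment: URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken)
+- name: TRUSTIFICATION_OIDC_ISSUER_URL
+if: '!isGitHub && !isAzure'
+commented_out: true
 comment: URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken)
+
 - name: TRUSTIFICATION_OIDC_CLIENT_ID
+if: 'isGitHub || isAzure'
+- name: TRUSTIFICATION_OIDC_CLIENT_ID
+if: '!isGitHub && !isAzure'
+commented_out: true
+
 - name: TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION
+if: 'isGitHub || isAzure'
+- name: TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION
+if: '!isGitHub && !isAzure'
+commented_out: true
 
 # If the OCI registry is not public then ec needs some credentials so it can see the attestations.
 # Todo: Use different credentials here so we provide read access only instead of read/write access.
@@ -174,24 +206,24 @@ gitops_secrets:
 - name: IMAGE_REGISTRY_PASSWORD
 if: '!isGitHub && !isAzure'
 commented_out: true
-comment: "Set this password for your specific registry"
+comment: "Set this password for your specific registry"
 # show all the values options in the jenkins file and other CIs
 # this gives users a way to know what to set. Not perfect but better
-# to be documented
+# to be documented
 - name: QUAY_IO_CREDS
 if: isJenkins
 - name: QUAY_IO_CREDS_PSW
-if: '!isJenkins'
-commented_out: true
+if: '!isJenkins'
+commented_out: true
 - name: ARTIFACTORY_IO_CREDS
 if: isJenkins
 commented_out: true
 - name: ARTIFACTORY_IO_CREDS_PSW
-if: '!isJenkins'
-commented_out: true
+if: '!isJenkins'
+commented_out: true
 - name: NEXUS_IO_CREDS
 if: isJenkins
 commented_out: true
 - name: NEXUS_IO_CREDS_PSW
-if: '!isJenkins'
+if: '!isJenkins'
 commented_out: true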
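Review bot: The new `if: '!isGitHub && !isAzure'` arms in the gitops_variables hunk (and the matching pair in build_variables) comment out COSIGN_PUBLIC_KEY and all four TRUSTIFICATION_* variables for every CI flavour that is not GitHub or Azure, whereas the PR title scopes the change to Jenkins; if the template serves other providers it is not clear from the diff that they are meant to lose these inputs too. The file already expresses the Jenkins-only case positively with `if: isJenkins` on the registry-credential entries, so `if: isJenkins` for the commented-out arm and `if: '!isJenkins'` for the live arm would match both the stated intent and the existing style. Whichever scope is intended, the commented-out arm should tell the user that the variable has to be enabled for signature and attestation verification to use a key, e.g. `comment: Optional - uncomment and set to verify the image signature and attestation`. The TRUSTIFICATION_OIDC_CLIENT_ID and TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION entries still carry no `comment:` at all, unlike their neighbours.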
