[ISV-2398] Implement process to check image signature before release.

This splits up the IIB process of adding bundle images to index and
copying the images to the published repo into two separate steps, so
that images will not be published before they're signed.

Author: wcheang

ansible/roles/operator-pipeline/templates/openshift/pipelines/operator-release-pipeline.yml

@@ -438,8 +438,8 @@ spec:
         - name: connect_registry
           value: "$(tasks.set-env.results.connect_registry)"
 
-    # call IIB to publish the bundle
-    - name: publish-bundle
+    # call IIB to add the bundle to index
+    - name: add-bundle-to-index
       runAfter:
         - publish-resources
         - get-supported-versions
@@ -449,16 +449,14 @@ spec:
           values:
             - undistributed
       taskRef:
-        name: publish-bundle
+        name: add-bundle-to-index
       params:
         - name: pipeline_image
           value: "$(params.pipeline_image)"
         - name: index_images
           value: "$(tasks.get-supported-versions.results.indices)"
         - name: bundle_pullspec
           value: "$(tasks.publish-to-ocp-registry.results.image_pullspec)"
-        - name: operator_distribution_method
-          value: *operatorDistribution
         - name: iib_url
           value: "$(tasks.set-env.results.iib_url)"
         - name: environment
@@ -471,20 +469,17 @@ spec:
     # use manifest list digests from IIB output and get the manifest digests from registry
     - name: get-manifest-digests
       runAfter:
-        - publish-bundle
+        - add-bundle-to-index
       when: *whenNotUndistributed
       taskRef:
         name: get-manifest-digests
       params:
         - name: pipeline_image
           value: "$(params.pipeline_image)"
-        - name: manifest_list_digests
-          value: "$(tasks.publish-bundle.results.manifest_list_digests)"
+        - name: index_image_paths
+          value: "$(tasks.add-bundle-to-index.results.index_image_paths)"
         - name: environment
           value: "$(params.env)"
-      workspaces:
-        - name: registry-credentials
-          workspace: registry-pull-credentials
 
     # send UMB message for RADAS to sign the container image
     - name: request-signature
@@ -551,6 +546,22 @@ spec:
           workspace: repository
           subPath: signing
 
+    - name: publish-to-index
+      runAfter:
+        - upload-signature
+      when: *whenNotUndistributed
+      taskRef:
+        name: publish-to-index
+      params:
+        - name: pipeline_image
+          value: "$(params.pipeline_image)"
+        - name: index_image_paths
+          value: "$(tasks.add-bundle-to-index.results.index_image_paths)"
+        - name: environment
+          value: "$(params.env)"
+        - name: operator_distribution_method
+          value: *operatorDistribution
+
 
   finally:
 

ansible/roles/operator-pipeline/templates/openshift/tasks/add-bundle-to-index.yml

@@ -0,0 +1,72 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: add-bundle-to-index
+spec:
+  params:
+    - name: pipeline_image
+    - name: bundle_pullspec
+      description: Bundle pullspec
+    - name: index_images
+      description: All known supported index image pull specs (space separated)
+    - name: iib_url
+      description: IIB API url
+      default: https://iib.engineering.redhat.com
+    - name: kerberos_keytab_secret_name
+      description: >-
+        The name of the Kubernetes Secret that contains the kerberos keytab for submitting IIB builds.
+    - name: kerberos_keytab_secret_key
+      description: >-
+        The key within the Kubernetes Secret that contains the kerberos keytab for submitting IIB builds.
+    - name: environment
+      description: |
+        Which environment the pipeline is running in. Can be one of [dev, qa, stage, prod]
+  results:
+    - name: index_image_paths
+      description: Comma-separated list of index reference + temporary location of the unpublished images generated by IIB builds
+    - name: status
+      description: Indicates a status of adding a bundle to an index
+  volumes:
+    - name: kerberos-volume
+      secret:
+        secretName: "$(params.kerberos_keytab_secret_name)"
+  steps:
+    - name: add-bundle-to-index
+      image: "$(params.pipeline_image)"
+      env:
+        - name: KRB_KEYTAB_FILE
+          value: "/etc/kerberos/$(params.kerberos_keytab_secret_key)"
+      volumeMounts:
+        - name: kerberos-volume
+          readOnly: true
+          mountPath: "/etc/kerberos"
+      script: |
+        #! /usr/bin/env bash
+        set -xe
+
+        ENV=$(params.environment)
+        INDEX_IMAGES="$(params.index_images)"
+        if [[ $ENV == "dev" || $ENV == "qa" ]]; then
+            echo "Adding bundle to an index is a NOOP for dev and qa environments at this time."
+            echo -n "success" | tee "$(results.status.path)"
+            # output dummy/test values for following tasks
+            echo -n "$(params.bundle_pullspec)" | tee "$(results.index_image_paths.path)"
+            exit 0
+        fi
+
+        if [[ $ENV != "prod" ]]; then
+            # Replace registry urls with stage urls when in preprod
+            INDEX_IMAGES=${INDEX_IMAGES//registry.redhat.io/registry.stage.redhat.io}
+        fi
+
+        # DO NOT use `--verbose` to avoid auth headers appearing in logs
+        index \
+          --iib-url "$(params.iib_url)" \
+          --indices $INDEX_IMAGES \
+          --bundle-pullspec "$(params.bundle_pullspec)" \
+          --image-output index-image-paths.txt
+
+
+        echo -n "success" | tee "$(results.status.path)"
+        cat index-image-paths.txt | tee "$(results.index_image_paths.path)"

ansible/roles/operator-pipeline/templates/openshift/tasks/get-manifest-digests.yml

@@ -5,10 +5,11 @@ metadata:
   name: get-manifest-digests
 spec:
   params:
-    - name: manifest_list_digests
+    - name: index_image_paths
       description: |
-        Comma-separated list of manifest list digests generated by the IIB builds, in the
-        format of registry.redhat.io/redhat/test-index@sha256:123
+        Comma-separated list of index reference + manifest list digests generated by IIB
+        builds, in the format of <from_index>+<temp_index_image>, example:
+        registry.redhat.io/redhat/test-index:v4.6+registry-proxy.engineering.redhat.com/rh-osbs/iib@sha256:123
     - name: environment
       description: |
         Which environment the pipeline is running in. Can be one of [dev, qa, stage, prod]
@@ -18,9 +19,6 @@ spec:
       description: Comma-separated list of indices
     - name: manifest_digests
       description: Comma-separated list of manifest digests retrieved from registry
-  workspaces:
-    - name: registry-credentials
-      description: Docker config for retrieving the bundle image
   steps:
     - name: podman-manifest-inspect
       image: "$(params.pipeline_image)"
@@ -33,35 +31,20 @@ spec:
         # output dummy/test values for signing purposes
         if [[ $ENV == "dev" || $ENV == "qa" ]]; then
           echo -n "registry.redhat.io/redhat/test-operator-index:v4.9" | tee "$(results.docker_references.path)"
-          echo "$(params.manifest_list_digests)" | awk -F '@' '{print $2}' | tee "$(results.manifest_list_digests.path)"
+          echo "$(params.index_image_paths)" | awk -F '+' '{print $2}' | tee "$(results.manifest_digests.path)"
           echo "Getting manifest digests is a NOOP for dev and qa environments at this time."
           exit 0
         fi
 
-        DIGEST_LIST=$(echo $(params.manifest_list_digests) | tr "," " ")
-
-        if [[ $ENV != "prod" ]]; then
-          export HTTP_PROXY="http://squid.corp.redhat.com:3128"
-          export HTTPS_PROXY="http://squid.corp.redhat.com:3128"
-
-          # TODO find a better way to set registry based on env
-          # Replace registry urls with stage urls when in preprod
-          DIGEST_LIST=${DIGEST_LIST//registry.redhat.io/registry.stage.redhat.io}
-        fi
-
-        # podman manifest inspect doesn't support any of the authfile options, this is the only way
-        cp $(workspaces.registry-credentials.path)/.dockerconfigjson $HOME/.docker/config.json
+        DIGEST_LIST=$(echo $(params.index_image_paths) | tr "," " ")
 
         DOCKER_REFERENCES=""
         MANIFEST_DIGESTS=""
         for i in $DIGEST_LIST
         do
-            REFERENCE=$(echo $i | awk -F '@' '{print $1}')
-
-            # remove version from reference before combining with sha
-            DIGEST=$(echo $REFERENCE | awk -F ':' '{print $1}')
-            DIGEST+=@$(echo $i | awk -F '@' '{print $2}')
+            REFERENCE=$(echo $i | awk -F '+' '{print $1}')
 
+            DIGEST=$(echo $i | awk -F '+' '{print $2}')
 
             MANIFEST_LIST=$(podman manifest inspect $DIGEST)
             MANIFEST_LIST=$(echo $MANIFEST_LIST | jq -r '.manifests[].digest')

ansible/roles/operator-pipeline/templates/openshift/tasks/publish-bundle.yml renamed to ansible/roles/operator-pipeline/templates/openshift/tasks/publish-to-index.yml

@@ -2,39 +2,23 @@
 apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
-  name: publish-bundle
+  name: publish-to-index
 spec:
   params:
     - name: pipeline_image
-    - name: bundle_pullspec
-      description: Bundle pullspec
-    - name: index_images
-      description: All known supported index image pull specs (space separated)
-    - name: iib_url
-      description: IIB API url
-      default: https://iib.engineering.redhat.com
-    - name: kerberos_keytab_secret_name
-      description: >-
-        The name of the Kubernetes Secret that contains the kerberos keytab for submitting IIB builds.
-    - name: kerberos_keytab_secret_key
-      description: >-
-        The key within the Kubernetes Secret that contains the kerberos keytab for submitting IIB builds.
-    - name: operator_distribution_method
-      description: Operator distribution method. Can be one of [connect, marketplace]
+    - name: index_image_paths
+      description: |
+        Comma-separated list of index reference + manifest list digests generated by IIB
+        builds, in the format of <from_index>+<temp_index_image>, example:
+        registry.redhat.io/redhat/test-index:v4.6+registry-proxy.engineering.redhat.com/rh-osbs/iib@sha256:123
     - name: environment
       description: |
         Which environment the pipeline is running in. Can be one of [dev, qa, stage, prod]
-  results:
-    - name: manifest_list_digests
-      description: Comma-separated list of image name + manifest list digests generated by the IIB builds
-    - name: status
-      description: Indicates a status of publishing a bundle to an index
-  volumes:
-    - name: kerberos-volume
-      secret:
-        secretName: "$(params.kerberos_keytab_secret_name)"
+    - name: operator_distribution_method
+      description: Operator distribution method. Can be one of [connect, marketplace]
   steps:
-    - name: publish-bundle
+    - name: skopeo-copy
+      # Pipeline image is needed for Red Hat internal SSL cert
       image: "$(params.pipeline_image)"
       env:
         - name: QUAY_USER
@@ -47,20 +31,14 @@ spec:
             secretKeyRef:
               name: iib-quay-credentials
               key: password
-        - name: KRB_KEYTAB_FILE
-          value: "/etc/kerberos/$(params.kerberos_keytab_secret_key)"
         - name: DIST_METHOD
           value: "$(params.operator_distribution_method)"
-      volumeMounts:
-        - name: kerberos-volume
-          readOnly: true
-          mountPath: "/etc/kerberos"
       script: |
         #! /usr/bin/env bash
-        set -xe
+        # DO NOT USE `set -x`, to avoid revealing the quay token in logs!
+        set -e
 
         # select the correct index
-
         case "$(params.environment)" in
             prod)
                 case $DIST_METHOD in
@@ -93,20 +71,28 @@ spec:
             *)
                 echo "Publishing bundle to an index is a NOOP for dev and qa environments at this time."
                 echo -n "success" | tee "$(results.status.path)"
-                # output dummy/test values for signing purposes
-                echo -n "$(params.bundle_pullspec)" | tee "$(results.manifest_list_digests.path)"
                 exit 0
             ;;
         esac
 
-        # DO NOT use `--verbose` to avoid auth headers appearing in logs
-        index \
-          --iib-url "$(params.iib_url)" \
-          --from-index $FROM_INDEX \
-          --indices $(params.index_images) \
-          --bundle-pullspec "$(params.bundle_pullspec)" \
-          --output manifest-list-digests.txt
+        echo "FROM_INDEX: $FROM_INDEX"
+        echo "Copying index images to published repos..."
+
+        TEMP_IMAGES=$(echo $(params.index_image_paths) | tr "," " ")
 
+        for i in $TEMP_IMAGES
+        do
+          SRC_IMAGE=$(echo $i | awk -F '+' '{print $2}')
+          echo "Source image: $SRC_IMAGE"
+          VERSION=$(echo $i | awk -F '+' '{print $1}' | awk -F ':' '{print $2}')
+          DEST_IMAGE="${FROM_INDEX}:${VERSION}"
+          echo "Dest image: $DEST_IMAGE"
 
-        echo -n "success" | tee "$(results.status.path)"
-        cat manifest-list-digests.txt | tee "$(results.manifest_list_digests.path)"
+          skopeo \
+            --command-timeout 300s copy \
+            --format v2s2 --all \
+            --src-no-creds \
+            --dest-creds $QUAY_USER:$QUAY_TOKEN \
+            docker://$SRC_IMAGE \
+            docker://$DEST_IMAGE
+        done

operator-pipeline-images/Dockerfile

@@ -38,7 +38,8 @@ RUN dnf update -y && \
     pinentry \
     pip \
     podman \
-    python3-devel && \
+    python3-devel \
+    skopeo && \
     dnf clean all
 
 COPY operator-pipeline-images/config/krb5.conf /etc/krb5.conf