Skip to content

Commit

Permalink
add notary signing to rebased images
Browse files Browse the repository at this point in the history
  • Loading branch information
Danny Joyce authored and Tyler Phelan committed Jan 4, 2021
1 parent 3eef4b0 commit e501d31
Show file tree
Hide file tree
Showing 3 changed files with 123 additions and 29 deletions.
22 changes: 20 additions & 2 deletions cmd/rebase/main.go
View file
Original file line number Diff line number Diff line change
@@ -1,15 +1,18 @@
package main

import (
"bytes"
"flag"
"log"
"os"
"path/filepath"

"github.com/BurntSushi/toml"
"github.com/buildpacks/imgutil/remote"
"github.com/buildpacks/lifecycle"
"github.com/buildpacks/lifecycle/cmd"
"github.com/pkg/errors"
"github.com/shurcooL/go/ioutil"

"github.com/pivotal/kpack/pkg/buildchange"
"github.com/pivotal/kpack/pkg/dockercreds"
Expand All @@ -24,6 +27,7 @@ var (
runImage = flag.String("run-image", os.Getenv("RUN_IMAGE"), "The new run image to rebase")
lastBuiltImage = flag.String("last-built-image", os.Getenv("LAST_BUILT_IMAGE"), "The previous image to rebase")
buildChanges = flag.String("build-changes", os.Getenv("BUILD_CHANGES"), "JSON string of build changes and their reason")
reportFilePath = flag.String("report", os.Getenv("REPORT_FILE_PATH"), "The location at which to write the report.toml")

dockerCredentials flaghelpers.CredentialsFlags
dockerCfgCredentials flaghelpers.CredentialsFlags
Expand Down Expand Up @@ -97,6 +101,20 @@ func rebase(tags []string, logger *log.Logger) error {
rebaser := lifecycle.Rebaser{
Logger: cmd.DefaultLogger,
}
_, err = rebaser.Rebase(appImage, newBaseImage, tags[1:])
return err
report, err := rebaser.Rebase(appImage, newBaseImage, tags[1:])
if err != nil {
return err
}

if *reportFilePath == "" {
return nil
}

buf := &bytes.Buffer{}
err = toml.NewEncoder(buf).Encode(report)
if err != nil {
return err
}

return ioutil.WriteFile(*reportFilePath, buf)
}
29 changes: 18 additions & 11 deletions pkg/apis/build/v1alpha1/build_pod.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,8 @@ const (
imagePullSecretsDirName = "image-pull-secrets-dir"
builderPullSecretsDirName = "builder-pull-secrets-dir"

notaryDirName = "notary-dir"
reportDirName = "report-dir"
notaryDirName = "notary-dir"
reportDirName = "report-dir"

envVarBuildChanges = "BUILD_CHANGES"
)
Expand Down Expand Up @@ -456,15 +456,19 @@ func (b *Build) rebasePod(secrets []corev1.Secret, config BuildPodImages, buildP
NodeSelector: map[string]string{
"kubernetes.io/os": "linux",
},
Volumes: secretVolumes,
Volumes: append(
secretVolumes,
corev1.Volume{
Name: reportDirName,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
b.notarySecretVolume(),
),
RestartPolicy: corev1.RestartPolicyNever,
Containers: []corev1.Container{
{
Name: "completion",
Image: config.CompletionImage,
ImagePullPolicy: corev1.PullIfNotPresent,
Resources: b.Spec.Resources,
},
b.completionContainer(config, secretArgs, secretVolumeMounts),
},
InitContainers: []corev1.Container{
{
Expand All @@ -476,7 +480,10 @@ func (b *Build) rebasePod(secrets []corev1.Secret, config BuildPodImages, buildP
"--run-image",
buildPodBuilderConfig.RunImage,
"--last-built-image",
b.Spec.LastBuild.Image),
b.Spec.LastBuild.Image,
"--report",
"/var/report/report.toml",
),
secretArgs,
b.Spec.Tags,
),
Expand All @@ -488,7 +495,7 @@ func (b *Build) rebasePod(secrets []corev1.Secret, config BuildPodImages, buildP
},
ImagePullPolicy: corev1.PullIfNotPresent,
WorkingDir: "/workspace",
VolumeMounts: secretVolumeMounts,
VolumeMounts: append(secretVolumeMounts, reportVolume),
},
},
},
Expand Down
101 changes: 85 additions & 16 deletions pkg/apis/build/v1alpha1/build_pod_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -744,13 +744,13 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
})

when("creating a rebase pod", func() {
it("creates a pod just to rebase", func() {
build.Annotations = map[string]string{
v1alpha1.BuildReasonAnnotation: v1alpha1.BuildReasonStack,
v1alpha1.BuildChangesAnnotation: "some-stack-change",
"some/annotation": "to-pass-through",
}
build.Annotations = map[string]string{
v1alpha1.BuildReasonAnnotation: v1alpha1.BuildReasonStack,
v1alpha1.BuildChangesAnnotation: "some-stack-change",
"some/annotation": "to-pass-through",
}

it("creates a pod just to rebase", func() {
pod, err := build.BuildPod(config, secrets, buildPodBuilderConfig)
require.NoError(t, err)

Expand Down Expand Up @@ -801,6 +801,18 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
},
},
},
{
Name: "report-dir",
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
{
Name: "notary-dir",
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
},
RestartPolicy: corev1.RestartPolicyNever,
Containers: []corev1.Container{
Expand All @@ -822,6 +834,8 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
"builderregistry.io/run",
"--last-built-image",
build.Spec.LastBuild.Image,
"--report",
"/var/report/report.toml",
"-basic-docker=docker-secret-1=acr.io",
"-dockerconfig=docker-secret-2",
"-dockercfg=docker-secret-3",
Expand All @@ -848,11 +862,63 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
Name: "secret-volume-docker-secret-3",
MountPath: "/var/build-secrets/docker-secret-3",
},
{
Name: "report-dir",
MountPath: "/var/report",
},
},
},
},
}, pod.Spec)
})

when("a notary config is present on the build", func() {
it("sets up the completion image to sign the image", func() {
build.Spec.Notary = &v1alpha1.NotaryConfig{
V1: &v1alpha1.NotaryV1Config{
URL: "some-notary-url",
SecretRef: v1alpha1.NotarySecretRef{
Name: "some-notary-secret",
},
},
}

pod, err := build.BuildPod(config, secrets, buildPodBuilderConfig)
require.NoError(t, err)

require.Equal(t,
[]string{
directExecute,
"completion",
"-notary-v1-url=some-notary-url",
"-basic-docker=docker-secret-1=acr.io",
"-dockerconfig=docker-secret-2",
"-dockercfg=docker-secret-3",
},
pod.Spec.Containers[0].Args,
)

require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
Name: "notary-dir",
ReadOnly: true,
MountPath: "/var/notary/v1",
})
require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
Name: "report-dir",
ReadOnly: false,
MountPath: "/var/report",
})

require.Contains(t, pod.Spec.Volumes, corev1.Volume{
Name: "notary-dir",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "some-notary-secret",
},
},
})
})
})
})

when("a notary config is present on the build", func() {
Expand All @@ -869,16 +935,19 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
pod, err := build.BuildPod(config, secrets, buildPodBuilderConfig)
require.NoError(t, err)

require.Equal(t, pod.Spec.Containers[0].Args, []string{
directExecute,
"completion",
"-notary-v1-url=some-notary-url",
"-basic-git=git-secret-1=https://github.com",
"-ssh-git=git-secret-2=https://bitbucket.com",
"-basic-docker=docker-secret-1=acr.io",
"-dockerconfig=docker-secret-2",
"-dockercfg=docker-secret-3",
})
require.Equal(t,
[]string{
directExecute,
"completion",
"-notary-v1-url=some-notary-url",
"-basic-git=git-secret-1=https://github.com",
"-ssh-git=git-secret-2=https://bitbucket.com",
"-basic-docker=docker-secret-1=acr.io",
"-dockerconfig=docker-secret-2",
"-dockercfg=docker-secret-3",
},
pod.Spec.Containers[0].Args,
)

require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
Name: "notary-dir",
Expand Down

0 comments on commit e501d31

Please sign in to comment.