From 7ca55eb07a2e339a048cd0f97ae7d0fd3513c10d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 12 Dec 2024 10:52:16 +0100 Subject: [PATCH] coverity-availability-check: remove workspace It was required but not used for anything. Also the parameters set in the build template were not used by the coverity-availability-check task. Related: https://github.com/konflux-ci/build-definitions/pull/1653 --- pipelines/template-build/template-build.yaml | 10 +-- .../coverity-availability-check/0.2/README.md | 26 ++++++ .../0.2/coverity-availability-check.yaml | 88 +++++++++++++++++++ 3 files changed, 115 insertions(+), 9 deletions(-) create mode 100644 task/coverity-availability-check/0.2/README.md create mode 100644 task/coverity-availability-check/0.2/coverity-availability-check.yaml diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 096f330785..a208bb6e0c 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -268,15 +268,7 @@ spec: - build-image-index taskRef: name: coverity-availability-check - version: "0.1" - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - workspaces: - - name: workspace - workspace: workspace + version: "0.2" - name: sast-shell-check when: - input: $(params.skip-checks) diff --git a/task/coverity-availability-check/0.2/README.md b/task/coverity-availability-check/0.2/README.md new file mode 100644 index 0000000000..9565f411b1 --- /dev/null +++ b/task/coverity-availability-check/0.2/README.md @@ -0,0 +1,26 @@ +# coverity-availability-check task + +## Description: + +This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image. + +The characteristics of these tasks are: + +- It will check for a secret called "auth-token-coverity-image" where the authentication token for pulling Coverity image is pulled. +- It will check for a secret called "cov-license" where the Coverity license is stored. + +> NOTE: If any of these tasks fails, the sast-coverity-task check won't be executed. The Coverity license can be used by Red Hat employees only and it needs to be protected such that external users cannot access the license. + +## Params: + +| name | description | default value | required | +|-----------------------------|----------------------------------------------------------------------------------------|----------------------------|----------| +| AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image | auth-token-coverity-image | yes | +| COV_LICENSE | Name of secret which contains the Coverity license | cov-license | yes | + +## Results: + +| name | description | +|-------------|-----------------------------------------------------------------------------------| +| STATUS | Tekton task simple status to be later checked by the sast-coverity-check task | +| TEST_OUTPUT | Tekton task test output. | diff --git a/task/coverity-availability-check/0.2/coverity-availability-check.yaml b/task/coverity-availability-check/0.2/coverity-availability-check.yaml new file mode 100644 index 0000000000..c0b2ea81ec --- /dev/null +++ b/task/coverity-availability-check/0.2/coverity-availability-check.yaml @@ -0,0 +1,88 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "konflux" + name: coverity-availability-check +spec: + description: >- + This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image. + results: + - description: Tekton task result output. + name: TEST_OUTPUT + - description: Tekton task simple status to be later checked + name: STATUS + params: + - name: COV_LICENSE + description: Name of secret which contains the Coverity license + default: cov-license + - name: AUTH_TOKEN_COVERITY_IMAGE + description: Name of secret which contains the authentication token for pulling the Coverity image. + default: "auth-token-coverity-image" + volumes: + - name: cov-license + secret: + secretName: $(params.COV_LICENSE) + optional: true + - name: auth-token-coverity-image + secret: + secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE) + optional: true + steps: + - name: coverity-availability-check + image: quay.io/konflux-ci/konflux-test:v1.4.8@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + volumeMounts: + - name: cov-license + mountPath: "/etc/secrets/cov" + readOnly: true + - name: auth-token-coverity-image + mountPath: "/etc/secrets/auth/config.json" + subPath: .dockerconfigjson + env: + - name: COV_LICENSE + value: $(params.COV_LICENSE) + - name: AUTH_TOKEN_COVERITY_IMAGE + value: $(params.AUTH_TOKEN_COVERITY_IMAGE) + script: | + #!/usr/bin/env bash + set -eo pipefail + # shellcheck source=/dev/null + . /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + # Checking Coverity license + COV_LICENSE_PATH=/etc/secrets/cov/cov-license + if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then + echo "Coverity license detected!" + else + echo 'No license file for Coverity was detected. Coverity scan will not be executed...' + echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license' + note="Task $(context.task.name) failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license" + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo -n "failed" | tee "$(results.STATUS.path)" + exit 0 + fi + + # Checking authentication token for downloading coverity image + AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json + if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then + echo "Authentication token detected!" + else + echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...' + echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image' + note="Task $(context.task.name) failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image" + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo -n "failed" | tee "$(results.STATUS.path)" + exit 0 + fi + + note="Task $(context.task.name) completed: Coverity availability checks finished succesfully." + # shellcheck disable=SC2034 + TEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t "$note") + echo -n "success" | tee "$(results.STATUS.path)" + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)"