diff --git a/.claude/commands/test.md b/.claude/commands/test.md
index c58a17f0..d10af524 100644
--- a/.claude/commands/test.md
+++ b/.claude/commands/test.md
@@ -36,7 +36,11 @@ If any required variable is missing, use AskUserQuestion to ask the user to prov
 Before running the tests, the release infrastructure must be set up on the cluster. Run `setup-release.sh` to create the managed namespace, EnterpriseContractPolicy, ImageRepositories, ReleasePlanAdmission, and ReleasePlan:
 ```
-bash scripts/setup-release.sh \
+kubectl get configmap setup-release \
+ -n konflux-cli \
+ -o jsonpath='{.data.setup-release\.sh}' > setup-release.sh
+chmod +x setup-release.sh
+./setup-release.sh \
 -t "${E2E_APPLICATIONS_NAMESPACE}" \
 -m "${TSF_MANAGED_NAMESPACE}" \
 -a "${TSF_APPLICATION_NAME}" \
diff --git a/Containerfile b/Containerfile
index 6af54e45..a705ad35 100644
--- a/Containerfile
+++ b/Containerfile
@@ -65,7 +65,7 @@ COPY LICENSE.txt .
 WORKDIR /tsf
-COPY --from=ose-tools /usr/bin/jq /usr/bin/kubectl /usr/bin/oc /usr/bin/vi /usr/bin/
+COPY --from=ose-tools /usr/bin/jq /usr/bin/kubectl /usr/bin/oc /usr/bin/vi /usr/bin/watch /usr/bin/
 # jq libraries
 COPY --from=ose-tools /usr/lib64/libjq.so.1 /usr/lib64/libonig.so.5 /usr/lib64/
 # vi libraries
@@ -75,9 +75,6 @@ COPY --from=builder /workdir/tsf/installer/charts ./charts
 COPY --from=builder /workdir/tsf/installer/config.yaml ./
 COPY --from=builder /workdir/tsf/bin/tsf /usr/local/bin/tsf
-COPY scripts ./scripts
-RUN chmod +x ./scripts/*.sh
-
 RUN groupadd --gid 9999 -r tsf && \
 useradd -r -d /tsf -g tsf -s /sbin/nologin --uid 9999 tsf && \
 chown -R tsf:tsf .
diff --git a/docs/modules/ROOT/pages/getting-started.adoc b/docs/modules/ROOT/pages/getting-started.adoc
index 7409e310..441edf0f 100644
--- a/docs/modules/ROOT/pages/getting-started.adoc
+++ b/docs/modules/ROOT/pages/getting-started.adoc
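Review bot: `/usr/bin/watch` is appended to the COPY in the first Containerfile hunk, but unlike jq and vi no library COPY follows for it; on RHEL-based tool images `watch` (procps-ng) is typically dynamically linked against ncurses/tinfo, so unless the `# vi libraries` COPY just below already brings those in, the binary will fail to load in the final stage. Run `ldd /usr/bin/watch` in the ose-tools stage and add any missing `.so` files to a library COPY, with a `# watch libraries` comment matching the existing style. The second hunk only drops the `COPY scripts` / `chmod` pair that the ConfigMap-delivered script replaces; nothing to raise there.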
@@ -93,7 +93,8 @@ Log in to the {OCPShortName} cluster as the Platform Engineer (cluster admin) an
 +
 [source,bash]
 ----
-oc get configmap setup-release -n konflux-cli \
+oc get configmap setup-release \
+ -n konflux-cli \
 -o jsonpath='{.data.setup-release\.sh}' > setup-release.sh
 chmod +x setup-release.sh
 ----
@@ -143,6 +144,15 @@ After the build and release complete, verify the security artifacts that {TSFSho
 * The UI displays vulnerability reports and license information.
 . **Signature verification:**
+Download `cosign` from the cluster:
++
+[source,bash]
+----
+tas_host=$(oc get route -A -l "app.kubernetes.io/part-of=trusted-artifact-signer,app.kubernetes.io/component=client-server" -o jsonpath='{.items[0].spec.host}')
+curl -sSLo cosign.gz https://${tas_host}/clients/linux/cosign-${ARCH}.gz
+gunzip cosign.gz
+chmod +x cosign
+----
 +
 Download `cosign` from the {OCPShortName} cluster to your local machine. The `cosign` binary is not included in the installer container. For download and setup instructions, see link:https://docs.redhat.com/en/documentation/red_hat_trusted_artifact_signer/{RHTASVersion}/html-single/deployment_guide/index#signing-and-verifying-containers-by-using-cosign-from-the-command-line-interface-for-openshift_deploy[Signing and verifying containers by using Cosign from the command-line interface].
 +
@@ -150,7 +160,7 @@ Verify the image signature:
 +
 [source,bash]
 ----
-cosign tree
+./cosign tree
 ----
 +
 View the Rekor transparency log entry for the signing event.
diff --git a/integration-tests/tasks/tsf-e2e-run.yaml b/integration-tests/tasks/tsf-e2e-run.yaml
index 24916620..e02c9116 100644
--- a/integration-tests/tasks/tsf-e2e-run.yaml
+++ b/integration-tests/tasks/tsf-e2e-run.yaml
@@ -93,7 +93,11 @@ spec:
 # Set up release resources before running the tests
 echo "--- Setting up release resources ---"
- bash scripts/setup-release.sh \
+ kubectl get configmap setup-release \
+ -n konflux-cli \
+ -o jsonpath='{.data.setup-release\.sh}' > setup-release.sh
+ chmod +x setup-release.sh
+ ./setup-release.sh \
 -t "${E2E_APPLICATIONS_NAMESPACE}" \
 -m "${TSF_MANAGED_NAMESPACE}" \
 -a "${TSF_APPLICATION_NAME}" \
diff --git a/scripts/setup-release.sh b/scripts/setup-release.sh
deleted file mode 100755
index a6a319e9..00000000
--- a/scripts/setup-release.sh
+++ /dev/null
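Review bot: Nothing after `kubectl get configmap setup-release ... > setup-release.sh` checks that the ConfigMap actually carried the script: kubectl's jsonpath printer tolerates a missing key by default (`--allow-missing-template-keys`), so a missing or renamed `setup-release.sh` data key produces an empty file, `./setup-release.sh` then exits 0 having done nothing, and the e2e run proceeds without the release resources it depends on. Guard the fetched file before executing it, e.g. `[ -s setup-release.sh ] || { echo "setup-release.sh not found in configmap konflux-cli/setup-release" >&2; exit 1; }`; the identical sequence in the `.claude/commands/test.md` hunk would benefit from the same check. Since the step now executes whatever the `setup-release` ConfigMap in `konflux-cli` holds rather than a script baked into the image, write access to that ConfigMap now gates what this CI step runs, which is worth a one-line comment above the fetch. The step's script starts and ends outside the hunk, so whether it runs under `set -e` (which would at least catch a missing ConfigMap, though not an empty key) is not visible here.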
@@ -1,464 +0,0 @@ -#!/bin/bash -e - -# Script to set up release resources for a Konflux application. -# Creates a managed namespace with all required resources (EnterpriseContractPolicy, -# ImageRepositories, ReleasePlanAdmission) and a ReleasePlan in the tenant namespace. - -set -o pipefail -set -eu - -WAIT_TIMEOUT=120 # seconds to wait for ImageRepositories to become ready -POLL_INTERVAL=5 # seconds between polls - -usage() { - cat </dev/null || true) - if [[ "${state}" == "ready" ]]; then - return 0 - fi - sleep "${POLL_INTERVAL}" - elapsed=$((elapsed + POLL_INTERVAL)) - done - echo "Error: ImageRepository '${name}' did not become ready within ${WAIT_TIMEOUT}s" - echo " Current state: $(kubectl get imagerepository "${name}" -n "${MANAGED_NS}" -o jsonpath='{.status.state}' 2>/dev/null || echo 'unknown')" - echo " Message: $(kubectl get imagerepository "${name}" -n "${MANAGED_NS}" -o jsonpath='{.status.message}' 2>/dev/null || echo 'none')" - return 1 -} - -# Parse arguments -TENANT_NS="default-tenant" -MANAGED_NS="default-managed-tenant" -APPLICATION="sample-component" -PRODUCT_VERSION="0.1" -CONFORMA_POLICY="default" -RELEASE_NAME="local-release" -CATALOG_REVISION="production" -IMAGE_NAME_PREFIX="" -COMPONENTS=() - -while [[ $# -gt 0 ]]; do - case $1 in - -t|--tenant-namespace) - TENANT_NS="$2" - shift 2 - ;; - -m|--managed-namespace) - MANAGED_NS="$2" - shift 2 - ;; - -a|--application) - APPLICATION="$2" - shift 2 - ;; - -p|--product-name) - PRODUCT_NAME="$2" - shift 2 - ;; - -v|--product-version) - PRODUCT_VERSION="$2" - shift 2 - ;; - -c|--component) - COMPONENTS+=("$2") - shift 2 - ;; - -e|--conforma-policy) - CONFORMA_POLICY="$2" - shift 2 - ;; - -r|--release-name) - RELEASE_NAME="$2" - shift 2 - ;; - -R|--catalog-revision) - CATALOG_REVISION="$2" - shift 2 - ;; - -I|--image-name-prefix) - IMAGE_NAME_PREFIX="$2" - shift 2 - ;; - -h|--help) - usage - ;; - *) - echo "Unknown option: $1" - usage - ;; - esac -done - -# Parse PRODUCT_NAME default value based on 
APPLICATION value (after args parsing) -PRODUCT_NAME=${PRODUCT_NAME:-$APPLICATION} - -# Generate a unique image name prefix to avoid credential collisions between -# concurrent CI runs that share the same Quay organization. -if [[ -z "${IMAGE_NAME_PREFIX}" ]]; then - RANDOM_SUFFIX=$(od -An -tx1 -N3 /dev/urandom | tr -d ' ') - IMAGE_NAME_PREFIX="${MANAGED_NS}-${RANDOM_SUFFIX}" -fi - -IS_OPENSHIFT=false -if kubectl api-resources --api-group=config.openshift.io &>/dev/null; then - IS_OPENSHIFT=true -fi - -# Auto-detect components if none specified -if [[ ${#COMPONENTS[@]} -eq 0 ]]; then - echo "🔍 No components specified, auto-detecting from application '${APPLICATION}' in namespace '${TENANT_NS}'..." - mapfile -t COMPONENTS < <(kubectl get components -n "${TENANT_NS}" \ - -o jsonpath="{range .items[?(@.spec.application==\"${APPLICATION}\")]}{.metadata.name}{\"\n\"}{end}" \ - 2>/dev/null | grep -v '^$') - - if [[ ${#COMPONENTS[@]} -eq 0 ]]; then - echo "Error: No components found for application '${APPLICATION}' in namespace '${TENANT_NS}'." - echo "Make sure the application and its components exist, or specify components explicitly with -c." - exit 1 - fi - echo " Found ${#COMPONENTS[@]} component(s): ${COMPONENTS[*]}" -fi - -echo "" -echo "🏗️ Setting up release resources" -echo " Tenant namespace: ${TENANT_NS}" -echo " Managed namespace: ${MANAGED_NS}" -echo " Application: ${APPLICATION}" -echo " Product Name: ${PRODUCT_NAME}" -echo " Product Version: ${PRODUCT_VERSION}" -echo " EC policy: ${CONFORMA_POLICY}" -echo " Release name: ${RELEASE_NAME}" -echo " Catalog revision: ${CATALOG_REVISION}" -echo " Image name prefix: ${IMAGE_NAME_PREFIX}" -echo " Components: ${COMPONENTS[*]}" -echo "" - -# Step 1: Create managed namespace -echo "📦 Creating managed namespace '${MANAGED_NS}'..." 
-kubectl apply -f - < ClusterRole/konflux-viewer-user-actions" -echo " - ImageRepository: trusted-artifacts" -for COMPONENT in "${COMPONENTS[@]}"; do - echo " - ImageRepository: ${COMPONENT}" -done -echo " - ServiceAccount: release-pipeline (with push secrets)" -echo " - RoleBinding: release-pipeline-resource-role-binding -> ClusterRole/release-pipeline-resource-role" -if [[ "${SSO_SECRET_CREATED}" == "true" ]]; then - echo " - Secret: release-sso-secret (SSO credentials from 'tpa-realm-clients')" -else - echo " - Secret: release-sso-secret (SKIPPED - Secret 'tpa-realm-client' in 'tsf' not found)" -fi -echo " - ReleasePlanAdmission: ${RELEASE_NAME}" -echo "" -echo "Resources created in tenant namespace '${TENANT_NS}':" -echo " - ReleasePlan: ${RELEASE_NAME} -> ${MANAGED_NS}" \ No newline at end of file