Generate SRP source provenance file in CI #5177
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
✅ Deploy Preview for kubeapps-dev canceled.
|
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
Signed-off-by: Antonio Gamez Diaz <[email protected]>
antgamdia
commented
Aug 24, 2022
| sudo mv ./srp /usr/local/bin/ | ||
| srp --version | ||
| srp config --srp-endpoint << pipeline.parameters.SRP_ENDPOINT >> | ||
| srp config auth --client-id $KUBEAPPS_SRP_CLIENT_ID --client-secret $KUBEAPPS_SRP_CLIENT_SECRET |
There was a problem hiding this comment.
Already set and properly stored in our corporate tool
| srp config --srp-endpoint << pipeline.parameters.SRP_ENDPOINT >> | ||
| srp config auth --client-id $KUBEAPPS_SRP_CLIENT_ID --client-secret $KUBEAPPS_SRP_CLIENT_SECRET | ||
| # - run: | ||
| # name: Install and configure the SRP observer tool |
There was a problem hiding this comment.
It isn't working yet, but the team is working on providing a public endpoint for it. I'll send another PR once we have it.
| path: source-provenance.json | ||
| # TODO(agamez): we will need to create the "network provenance" file soon. | ||
| # - run: | ||
| # name: Generate the "network provenance" file |
There was a problem hiding this comment.
We may have to ask for a reporter for Rust, I haven't been able to make it work. However, it is not a priority right now. The provenance file is enough.
| - run: | ||
| name: Validate and submit the provenance files to the SRP Metadata service | ||
| command: | | ||
| srp uid validate "uid.mtd.provenance_2_5.fragment(obj_uid=uid.obj.build.circleci(instance='circleci.com',type='<< pipeline.project.type >>',namespace='${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}',branch='${CIRCLE_BRANCH}',commit_id='${CIRCLE_SHA1}',build_id='<< pipeline.number >>/${CIRCLE_WORKFLOW_ID}/${CIRCLE_BUILD_NUM}'),revision='')" |
There was a problem hiding this comment.
If there is an upstream issue or the format for CircleCI happens to change, this will throw an error.
| @@ -108,6 +108,12 @@ parameters: | |||
| README_GENERATOR_REPO: | |||
| type: "string" | |||
| default: "bitnami-labs/readme-generator-for-helm" | |||
| SRP_ENDPOINT: | |||
| type: "string" | |||
| default: "https://apigw.vmware.com/v1/s1/api/helix-beta" | |||
There was a problem hiding this comment.
Required for working outside the corporate network
Signed-off-by: Antonio Gamez Diaz <[email protected]>
|
It's finally working now!
|
castelblanque
approved these changes
Aug 24, 2022
There was a problem hiding this comment.
Great! Thanks for the effort.
One task for the future will be to move all the logic into a container, so that:
- CircleCI spec is simpler
- Migration to e.g. GitHub actions is easier
But we can consider this as something for the eventual migration to GitHub actions.
30 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of the change
This PR is adding an additional step in the CI (after pushing the images) to report the provenance file to our corporate endpoint. This is solely an internal requirement, not affecting the rest of the components whatsoever.
Benefits
We will comply with the SRP checkpoint.
Possible drawbacks
N/A
Applicable issues
Additional information
It is not working as the UID must be registered in advance in our systems (which is an ongoing task pending validation), therefore, the PR is marked as a draft as the CI step is currently failing.
Remember to add the credentials to our system.