diff --git a/.dockerignore b/.dockerignore index 6aebc625d..979bcdc89 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,4 +1,5 @@ * +!certs/* !images/* !cli/target/* -!service/target/* \ No newline at end of file +!service/target/* diff --git a/.github/workflows/build-code.yml b/.github/workflows/build-code.yml new file mode 100644 index 000000000..a7de33807 --- /dev/null +++ b/.github/workflows/build-code.yml @@ -0,0 +1,43 @@ +name: Build and verify source code + +on: + workflow_call: + +jobs: + build-image: + runs-on: ubuntu-latest + name: "Build and Verify" + steps: + - uses: actions/checkout@v4 + + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + java-version: "17" + distribution: "temurin" + cache: maven + + - name: Build with Maven + run: mvn --batch-mode -V -U verify -Dsurefire.useFile=false + + - name: Test Report + uses: dorny/test-reporter@v1 + if: success() || failure() + with: + name: Test Results + path: "**/target/surefire-reports/**/*.xml" + reporter: java-junit + + - name: Download Service + uses: actions/upload-artifact@v4 + with: + name: dist-service + path: | + service/target/quarkus-app + + - name: Download CLI + uses: actions/upload-artifact@v4 + with: + name: dist-cli + path: | + cli/target/quarkus-app diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml new file mode 100644 index 000000000..8005d0224 --- /dev/null +++ b/.github/workflows/build-image.yml 
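Review bot: The two upload steps at the end of build-code.yml are named `Download Service` and `Download CLI` although both use `actions/upload-artifact@v4`; renaming them `Upload Service` / `Upload CLI` keeps the job log readable. On the supply-chain side, every action, including the third-party `dorny/test-reporter@v1`, is referenced by a mutable major tag, so the job that produces the service and CLI artifacts runs whatever that tag points to on the day; pinning each `uses:` to a full commit SHA (with the tag in a trailing comment) fixes that. The job also declares no `permissions:` block, and `dorny/test-reporter` creates a check run, which per its documentation needs `checks: write`; declaring the minimum set explicitly (for example `permissions: { contents: read, checks: write }`) is safer than inheriting the repository default.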
@@ -0,0 +1,68 @@ +name: Build container image + +on: + workflow_call: + inputs: + image: + required: true + type: string + artifact: + type: string + default: false + push: + type: boolean + default: false + +jobs: + build-image: + runs-on: ubuntu-latest + name: "Build ${{ inputs.image }} image" + steps: + - uses: actions/checkout@v4 + + - name: Set vars + id: vars + run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + + - name: Populate certificates + env: + IT_ROOT_CA_2022: ${{ secrets.IT_ROOT_CA_2022 }} + IT_ROOT_CA_2015: ${{ secrets.IT_ROOT_CA_2015 }} + CA_CHAIN: ${{ secrets.CA_CHAIN }} + run: | + mkdir certs + echo "$IT_ROOT_CA_2022" > certs/2022-IT-Root-CA.pem + echo "$IT_ROOT_CA_2015" > certs/2015-IT-Root-CA.pem + echo "$CA_CHAIN" > certs/rhcs-ca-chain-2022-cross-signed-2015.crt + + openssl x509 -in certs/2015-IT-Root-CA.pem -text > /dev/null + openssl x509 -in certs/2022-IT-Root-CA.pem -text > /dev/null + openssl x509 -in certs/rhcs-ca-chain-2022-cross-signed-2015.crt -text > /dev/null + + - name: Download ${{ inputs.artifact }} + if: "${{ inputs.artifact != 'false' }}" + uses: actions/download-artifact@v4 + with: + name: dist-${{ inputs.artifact }} + path: ${{ inputs.artifact }}/target/quarkus-app + + - name: Build ${{ inputs.image }} image + id: build-image + uses: redhat-actions/buildah-build@v2 + with: + image: ${{ inputs.image }} + layers: true + tags: latest ${{ vars.outputs.sha_sort }} + containerfiles: | + ./images/${{ inputs.image }}/Containerfile + + - name: Push to Quay + id: push-to-quay + if: ${{ inputs.push }} + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} + registry: ${{ secrets.REGISTRY_ORG }} + username: ${{ secrets.REGISTRY_USER }} + password: ${{ secrets.REGISTRY_PASSWORD }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 000000000..3d03b77a6 --- /dev/null 
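Review bot: The `tags:` line of the `Build ${{ inputs.image }} image` step reads `latest ${{ vars.outputs.sha_sort }}`, which references the repository-variables context instead of the step output and misspells the output name, so the expression expands to empty and the image is pushed with only the mutable `latest` tag; it should be `tags: latest ${{ steps.vars.outputs.sha_short }}`. This matters beyond tidiness, because `.gitlab-ci.yml` in the same commit waits for and deploys `${IMAGE}:${CI_COMMIT_SHORT_SHA}`, which this workflow therefore never produces; note also that GitLab's `CI_COMMIT_SHORT_SHA` is eight characters while `git rev-parse --short HEAD` usually yields seven, so `git rev-parse --short=8 HEAD` (or tagging with the full SHA on both sides) is needed for the two pipelines to agree. The `artifact` input is declared `type: string` with `default: false` and then tested as `inputs.artifact != 'false'`; `default: ""` with `if: inputs.artifact != ''` avoids relying on boolean-to-string coercion. The `Populate certificates` step validating each file with `openssl x509` before it reaches the build context is good, and it means a missing or malformed secret fails the build rather than producing an image with an empty trust anchor.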
+++ b/.github/workflows/main.yml @@ -0,0 +1,38 @@ +name: Build + +on: + push: + branches: ["main"] + +jobs: + build: + name: "Code" + uses: ./.github/workflows/build-code.yml + + image-service: + name: "Image / Service" + needs: build + uses: ./.github/workflows/build-image.yml + with: + image: sbomer-service + artifact: service + push: true + secrets: inherit + + image-cache: + name: "Image / Cache" + uses: ./.github/workflows/build-image.yml + with: + image: sbomer-cache + push: true + secrets: inherit + + image-generator: + name: "Image / Generator" + needs: build + uses: ./.github/workflows/build-image.yml + with: + image: sbomer-generator + artifact: cli + push: true + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml new file mode 100644 index 000000000..f3420a852 --- /dev/null +++ b/.github/workflows/pr.yml @@ -0,0 +1,35 @@ +name: Pull Request + +on: + pull_request: + branches: ["main"] + +jobs: + build: + name: "Code" + uses: ./.github/workflows/build-code.yml + + image-service: + name: "Image / Service" + needs: build + uses: ./.github/workflows/build-image.yml + with: + image: sbomer-service + artifact: service + secrets: inherit + + image-cache: + name: "Image / Cache" + uses: ./.github/workflows/build-image.yml + with: + image: sbomer-cache + secrets: inherit + + image-generator: + name: "Image / Generator" + needs: build + uses: ./.github/workflows/build-image.yml + with: + image: sbomer-generator + artifact: cli + secrets: inherit diff --git a/.gitignore b/.gitignore index 92eae6d5c..b1caac1b5 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,8 @@ build node_modules +certs + #Maven target/ pom.xml.tag diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 000000000..a7ef3b2f7 --- /dev/null +++ b/.gitlab-ci.yml 
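Review bot: `image-cache` in main.yml has no `needs: build`, so on every push to `main` a new `sbomer-cache` image is built and pushed with `push: true` even when the code build and its tests fail; if the cache image is meant to ship only alongside a green build, add `needs: build` as `image-service` and `image-generator` do. There is also no `concurrency:` group, so two quick pushes to `main` race on the same `latest` tag with no guarantee that the later commit wins; a top-level `concurrency: { group: main-build, cancel-in-progress: false }` serialises them. `secrets: inherit` hands every repository secret to the reusable workflow, which is acceptable for a same-repository `uses: ./...` call but worth narrowing to the registry and certificate secrets if build-image.yml is ever shared.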
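Review bot: pr.yml triggers on `pull_request` and relies on `secrets: inherit` to feed the `Populate certificates` step of build-image.yml; for pull requests opened from forks GitHub provides no secrets, so the certificate files are written empty and the `openssl x509` checks fail the job. If fork contributions are expected, either skip the image jobs for forks (`if: github.event.pull_request.head.repo.full_name == github.repository` on each `image-*` job) or make the certificate step tolerate the absence of the secrets on non-push events; the current behaviour at least fails closed. As in main.yml, an explicit `permissions:` block keeps the pull-request token read-only apart from what `dorny/test-reporter` needs.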
@@ -0,0 +1,133 @@ +.job-deploy-default-scripts: &job-deploy-default-scripts + - curl -L "https://${INTERNAL_CERTS_HOST}/certs/2022-IT-Root-CA.pem" -o /usr/local/share/ca-certificates/2022-IT-Root-CA.pem + - curl -L "https://${INTERNAL_CERTS_HOST}/certs/2015-IT-Root-CA.pem" -o /usr/local/share/ca-certificates/2015-IT-Root-CA.pem + - curl -L "https://${INTERNAL_CERTS_HOST}/chains/rhcs-ca-chain-2022-cross-signed-2015.crt" -o /usr/local/share/ca-certificates/rhcs-ca-chain-2022-cross-signed-2015.crt + - update-ca-certificates + +.job-deploy: &job-deploy + stage: deploy + image: + name: alpine/helm:3.14.0 + entrypoint: [""] + artifacts: + name: manifests + when: always + paths: + - manifest-prev.yaml + - manifest.yaml + +default: + tags: [docker] + +ensure-images: + image: + name: registry.access.redhat.com/ubi9@sha256:fc300be6adbdf2ca812ad01efd0dee2a3e3f5d33958ad6cd99159e25e9ee1398 + entrypoint: [""] + stage: .pre + resource_group: deploy + timeout: 10m + script: + - dnf install -y --setopt=tsflags=nodocs skopeo + - | + function wait_for_image() { + if ! 
skopeo inspect --creds "${QUAY_CREDS_STAGE}" "docker://${IMAGE_REGISTRY_STAGE}/${1}:${CI_COMMIT_SHORT_SHA}" > "image-manifest-${1}.json"; then + sleep 30 + fi + } + + for image in "sbomer-service" "sbomer-cache" "sbomer-generator"; do + wait_for_image "${image}" + done + artifacts: + name: image-manifests + paths: + - image-manifest-*.json + +deploy-stage: + <<: *job-deploy + script: + - *job-deploy-default-scripts + - helm --kubeconfig $KUBECONFIG --kube-context sbomer-stage get manifest sbomer > manifest-prev.yaml || true + - helm --kube-context sbomer-stage upgrade --install --wait --timeout 5m0s --set generator.image.tag=${CI_COMMIT_SHORT_SHA} --set cache.image.tag=${CI_COMMIT_SHORT_SHA} --set service.image.tag=${CI_COMMIT_SHORT_SHA} --values "https://${INTERNAL_GITLAB_HOST}/project-ncl/sbomer-support/-/raw/main/helm/stage.yaml" --values ./helm/env/stage.yaml sbomer ./helm + - helm --kubeconfig $KUBECONFIG --kube-context sbomer-stage get manifest sbomer > manifest.yaml || true + needs: + - job: ensure-images + only: [main] + +e2e-stage: + image: + name: registry.access.redhat.com/ubi9@sha256:fc300be6adbdf2ca812ad01efd0dee2a3e3f5d33958ad6cd99159e25e9ee1398 + entrypoint: [""] + stage: deploy + cache: + paths: + - .m2/repository + resource_group: deploy + timeout: 20m + variables: + MAVEN_OPTS: >- + -Dhttps.protocols=TLSv1.2 + -Dmaven.repo.local=.m2/repository + -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN + -Dorg.slf4j.simpleLogger.showDateTime=true + -Djava.awt.headless=true + script: + - curl -s "https://get.sdkman.io" | bash + - source "$HOME/.sdkman/bin/sdkman-init.sh" + - sdk install java 17.0.9 + - sdk install maven 3.9.5 + - ./hack/run-test-e2e.sh -P e2e-stage -DsbomerStageUri="https://${SBOMER_STAGE_HOST}" -DdatagrepperStageUri="https://${DATAGREPPER_STAGE_HOST}" + artifacts: + reports: + junit: + - "e2e/target/surefire-reports/**/*.xml" + needs: + - job: deploy-stage + only: [main] + +promote: + image: + 
name: registry.access.redhat.com/ubi9@sha256:fc300be6adbdf2ca812ad01efd0dee2a3e3f5d33958ad6cd99159e25e9ee1398 + entrypoint: [""] + stage: deploy + when: manual + resource_group: deploy + script: + - dnf install -y --setopt=tsflags=nodocs skopeo + - skopeo copy --src-creds "${QUAY_CREDS_STAGE}" --dest-creds "${QUAY_CREDS_PROD}" "docker://${IMAGE_REGISTRY_STAGE}/sbomer-cache:${CI_COMMIT_SHORT_SHA}" "docker://${IMAGE_REGISTRY_PROD}/sbomer-cache:${CI_COMMIT_SHORT_SHA}" + - skopeo copy --src-creds "${QUAY_CREDS_STAGE}" --dest-creds "${QUAY_CREDS_PROD}" "docker://${IMAGE_REGISTRY_STAGE}/sbomer-service:${CI_COMMIT_SHORT_SHA}" "docker://${IMAGE_REGISTRY_PROD}/sbomer-service:${CI_COMMIT_SHORT_SHA}" + - skopeo copy --src-creds "${QUAY_CREDS_STAGE}" --dest-creds "${QUAY_CREDS_PROD}" "docker://${IMAGE_REGISTRY_STAGE}/sbomer-generator:${CI_COMMIT_SHORT_SHA}" "docker://${IMAGE_REGISTRY_PROD}/sbomer-generator:${CI_COMMIT_SHORT_SHA}" + needs: + - job: e2e-stage + only: [main] + +deploy-prod: + <<: *job-deploy + script: + - *job-deploy-default-scripts + - helm --kubeconfig $KUBECONFIG --kube-context sbomer-prod get manifest sbomer > manifest-prev.yaml || true + - helm --kube-context sbomer-prod upgrade --install --wait --timeout 5m0s --set generator.image.tag=${CI_COMMIT_SHORT_SHA} --set cache.image.tag=${CI_COMMIT_SHORT_SHA} --set service.image.tag=${CI_COMMIT_SHORT_SHA} --values "https://${INTERNAL_GITLAB_HOST}/project-ncl/sbomer-support/-/raw/main/helm/prod.yaml" --values ./helm/env/prod.yaml sbomer ./helm + - helm --kubeconfig $KUBECONFIG --kube-context sbomer-prod get manifest sbomer > manifest.yaml || true + needs: + - job: promote + only: [main] + +pages: + image: + name: registry.access.redhat.com/ubi9@sha256:fc300be6adbdf2ca812ad01efd0dee2a3e3f5d33958ad6cd99159e25e9ee1398 + entrypoint: [""] + stage: deploy + script: + - dnf install -y --setopt=tsflags=nodocs make gcc-c++ + - curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash + - export 
NVM_DIR="$HOME/.nvm" && . "$NVM_DIR/nvm.sh" --no-use + - nvm install v18 + - npm install --global yarn + - yarn install --frozen-lockfile --no-progress + - > + NODE_TLS_REJECT_UNAUTHORIZED=0 + npx antora --fetch --to-dir public antora-playbook.yml + artifacts: + paths: + - public + only: [main] diff --git a/hack/internal/build-image.sh b/hack/internal/build-image.sh index 1eedd9f7a..ec165f575 100755 --- a/hack/internal/build-image.sh +++ b/hack/internal/build-image.sh @@ -89,6 +89,12 @@ else CONTAINERFILE="Containerfile" fi +mkdir -p certs + +curl -L https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem -o certs/2022-IT-Root-CA.pem +curl -L https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem -o certs/2015-IT-Root-CA.pem +curl -L https://certs.corp.redhat.com/chains/rhcs-ca-chain-2022-cross-signed-2015.crt -o certs/rhcs-ca-chain-2022-cross-signed-2015.crt + "${BUILD_SCRIPT[@]}" build -t "$IMAGE_TAG_LATEST" -f "images/${IMAGE_SLUG}/${CONTAINERFILE}" . if [ "$PUSH" = "yes" ]; then diff --git a/images/sbomer-cache/Containerfile b/images/sbomer-cache/Containerfile index 224e4cbff..408da6afa 100644 --- a/images/sbomer-cache/Containerfile +++ b/images/sbomer-cache/Containerfile @@ -4,7 +4,7 @@ FROM registry.access.redhat.com/ubi9/nginx-120@sha256:ff18b7501cb56d411daace3909 USER root -RUN curl -L https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem -o /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem +COPY certs/2022-IT-Root-CA.pem /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem RUN update-ca-trust COPY images/sbomer-cache/nginx.conf.template /etc/nginx/nginx.conf.template diff --git a/images/sbomer-generator/Containerfile b/images/sbomer-generator/Containerfile index ba47f6c47..76d56bac0 100644 --- a/images/sbomer-generator/Containerfile +++ b/images/sbomer-generator/Containerfile 
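Review bot: `wait_for_image` in the `ensure-images` job neither waits nor fails: when `${IMAGE_REGISTRY_STAGE}/<image>:${CI_COMMIT_SHORT_SHA}` is missing, `skopeo inspect` fails once, the function sleeps 30 s and returns success, and `deploy-stage` then rolls out a tag that may not exist (the `helm --wait` only surfaces that as a 5 m timeout); a bounded retry loop that exits non-zero when the image never appears makes the `needs: ensure-images` gate real. Separately, the `pages` job sets `NODE_TLS_REJECT_UNAUTHORIZED=0` for the antora fetch, which disables certificate verification for every HTTPS connection Node makes in that step; downloading the same internal root PEMs into the workspace and exporting `NODE_EXTRA_CA_CERTS=<path to chain file>` for the `npx antora` call keeps verification on. The `curl -L` calls that fetch those roots, both in `*job-deploy-default-scripts` and in `hack/internal/build-image.sh`, should be `curl -fsSL` so an error page is never written into a trust anchor, and the `--values "https://.../raw/main/helm/stage.yaml"` (and `prod.yaml`) lines pull deploy-time configuration from an unpinned branch, so consider referencing a tag or commit there.
```yaml
    - |
      function wait_for_image() {
        local attempt
        # ensure-images has timeout: 10m, so 18 x 30 s stays inside it
        for attempt in $(seq 1 18); do
          if skopeo inspect --creds "${QUAY_CREDS_STAGE}" "docker://${IMAGE_REGISTRY_STAGE}/${1}:${CI_COMMIT_SHORT_SHA}" > "image-manifest-${1}.json"; then
            return 0
          fi
          echo "image ${1}:${CI_COMMIT_SHORT_SHA} not available yet (attempt ${attempt}/18), retrying in 30s"
          sleep 30
        done
        echo "image ${1}:${CI_COMMIT_SHORT_SHA} did not appear in time" >&2
        return 1
      }

      for image in "sbomer-service" "sbomer-cache" "sbomer-generator"; do
        wait_for_image "${image}" || exit 1
      done
      # … unchanged: artifacts section …
```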
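Review bot: The three new `curl -L` calls in hack/internal/build-image.sh write the response body straight into `certs/` without `--fail`, so a redirect to a login page or a 404 silently produces a "certificate" file that the subsequent `COPY` bakes into the image's trust anchors; use `curl -fsSL --retry 3` on all three lines, and consider validating each download the way the GitHub workflow does (`openssl x509 -in certs/<file> -noout`). Whether the script runs under `set -e` is not visible here, so it may also continue into the build after a failed download; the enclosing script starts and ends outside this hunk. A one-line comment above `mkdir -p certs`, such as `# Fetch the internal CA roots that images/*/Containerfile COPY into the trust store`, would document why the build context now needs this directory.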
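Review bot: The new `COPY certs/2022-IT-Root-CA.pem ...` line in images/sbomer-cache/Containerfile depends on a `certs/` directory that is not part of the repository (it is added to `.gitignore` here and populated by the `Populate certificates` workflow step or `hack/internal/build-image.sh`), so a plain local build without that step fails with an unhelpful "file not found"; a comment above the `COPY`, such as `# certs/ is populated by CI or hack/internal/build-image.sh before the build; it is not committed`, documents that. Replacing the build-time `curl` with a `COPY` from the context is a good change: the build no longer needs network access, and the trust anchor comes from a file the pipeline validated rather than whatever the URL returned. The enclosing stage continues outside the hunk.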
@@ -15,8 +15,11 @@ ENV HOME=/workdir
 RUN chown -R 65532:0 /workdir && \
 chmod -R g=u /workdir
 
-COPY --chown=65532:0 images/sbomer-generator/install_cert.sh /workdir/
-RUN sh -c ./install_cert.sh
+COPY certs/2022-IT-Root-CA.pem /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem
+COPY certs/2015-IT-Root-CA.pem /etc/pki/ca-trust/source/anchors/2015-IT-Root-CA.pem
+COPY certs/rhcs-ca-chain-2022-cross-signed-2015.crt /etc/pki/ca-trust/source/anchors/rhcs-ca-chain-2022-cross-signed-2015.crt
+
+RUN update-ca-trust
 
 USER 65532
diff --git a/images/sbomer-generator/install_cert.sh b/images/sbomer-generator/install_cert.sh
deleted file mode 100755
index d6643be2f..000000000
--- a/images/sbomer-generator/install_cert.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-#
-# JBoss, Home of Professional Open Source.
-# Copyright 2023 Red Hat, Inc., and individual contributors
-# as indicated by the @author tags.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-set -e
-
-
-function install_cert() {
- curl -L https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem -o /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem
- curl -L https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem -o /etc/pki/ca-trust/source/anchors/2015-IT-Root-CA.pem
- curl -L https://certs.corp.redhat.com/chains/rhcs-ca-chain-2022-cross-signed-2015.crt -o /etc/pki/ca-trust/source/anchors/rhcs-ca-chain-2022-cross-signed-2015.crt
- update-ca-trust
-}
-
-install_cert
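Review bot: Same documentation point as for the cache image: the three `COPY certs/...` lines in images/sbomer-generator/Containerfile assume a `certs/` directory that git ignores and that only CI or `hack/internal/build-image.sh` creates; a comment above the first `COPY`, such as `# certs/ is populated by CI or hack/internal/build-image.sh before the build; it is not committed`, would save the next person a confusing build failure. Listing the three files explicitly rather than `COPY certs/ ...` is the right choice, since it keeps any stray file in that directory out of the trust store. Dropping `install_cert.sh` also removes a build-time `curl` without `--fail` running as root, so the image now trusts only files the workflow validated with `openssl x509`. The `COPY` lines run while the stage is still root, which writing to `/etc/pki/ca-trust/source/anchors/` needs; the `USER 65532` switch that follows is unchanged.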
diff --git a/pom.xml b/pom.xml
index af2fcdffe..3735316a8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -192,6 +192,8 @@
${maven.multiModuleProjectDirectory}/.license-header.txt
+ .ci/** + .gitlab-ci.yml .github/** .license-header.txt .sdkmanrc diff --git a/service/src/main/resources/META-INF/resources/index.html b/service/src/main/resources/META-INF/resources/index.html index 1fdc2ba05..7e074fd9c 100644 --- a/service/src/main/resources/META-INF/resources/index.html +++ b/service/src/main/resources/META-INF/resources/index.html @@ -24,25 +24,34 @@ SBOMer
-
- - +
+ + + + Welcome!
- \ No newline at end of file +