project-ncl · goldmann · Jan 29, 2024 · Jan 27, 2024 · Jan 28, 2024 · Jan 28, 2024
diff --git a/.dockerignore b/.dockerignore
@@ -1,4 +1,5 @@
 *
+!certs/*
 !images/*
 !cli/target/*
-!service/target/*
+!service/target/*
diff --git a/.github/workflows/build-code.yml b/.github/workflows/build-code.yml
@@ -0,0 +1,43 @@
+name: Build and verify source code
+
+on:
+  workflow_call:
+
+jobs:
+  build-image:
+    runs-on: ubuntu-latest
+    name: "Build and Verify"
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: "17"
+          distribution: "temurin"
+          cache: maven
+
+      - name: Build with Maven
+        run: mvn --batch-mode -V -U verify -Dsurefire.useFile=false
+
+      - name: Test Report
+        uses: dorny/test-reporter@v1
+        if: success() || failure()
+        with:
+          name: Test Results
+          path: "**/target/surefire-reports/**/*.xml"
+          reporter: java-junit
+
+      - name: Download Service
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-service
+          path: |
+            service/target/quarkus-app
+
+      - name: Download CLI
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-cli
+          path: |
+            cli/target/quarkus-app
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -0,0 +1,68 @@
+name: Build container image
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        required: true
+        type: string
+      artifact:
+        type: string
+        default: false
+      push:
+        type: boolean
+        default: false
+
+jobs:
+  build-image:
+    runs-on: ubuntu-latest
+    name: "Build ${{ inputs.image }} image"
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set vars
+        id: vars
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Populate certificates
+        env:
+          IT_ROOT_CA_2022: ${{ secrets.IT_ROOT_CA_2022 }}
+          IT_ROOT_CA_2015: ${{ secrets.IT_ROOT_CA_2015 }}
+          CA_CHAIN: ${{ secrets.CA_CHAIN }}
+        run: |
+          mkdir certs
+          echo "$IT_ROOT_CA_2022" > certs/2022-IT-Root-CA.pem
+          echo "$IT_ROOT_CA_2015" > certs/2015-IT-Root-CA.pem
+          echo "$CA_CHAIN" > certs/rhcs-ca-chain-2022-cross-signed-2015.crt
+
+          openssl x509 -in certs/2015-IT-Root-CA.pem -text > /dev/null
+          openssl x509 -in certs/2022-IT-Root-CA.pem -text > /dev/null
+          openssl x509 -in certs/rhcs-ca-chain-2022-cross-signed-2015.crt -text > /dev/null
+
+      - name: Download ${{ inputs.artifact }}
+        if: "${{ inputs.artifact != 'false' }}"
+        uses: actions/download-artifact@v4
+        with:
+          name: dist-${{ inputs.artifact }}
+          path: ${{ inputs.artifact }}/target/quarkus-app
+
+      - name: Build ${{ inputs.image }} image
+        id: build-image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: ${{ inputs.image }}
+          layers: true
+          tags: latest ${{ vars.outputs.sha_sort }}
+          containerfiles: |
+            ./images/${{ inputs.image }}/Containerfile
+
+      - name: Push to Quay
+        id: push-to-quay
+        if: ${{ inputs.push }}
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: ${{ steps.build-image.outputs.tags }}
+          registry: ${{ secrets.REGISTRY_ORG }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,38 @@
+name: Build
+
+on:
+  push:
+    branches: ["main"]
+
+jobs:
+  build:
+    name: "Code"
+    uses: ./.github/workflows/build-code.yml
+
+  image-service:
+    name: "Image / Service"
+    needs: build
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image: sbomer-service
+      artifact: service
+      push: true
+    secrets: inherit
+
+  image-cache:
+    name: "Image / Cache"
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image: sbomer-cache
+      push: true
+    secrets: inherit
+
+  image-generator:
+    name: "Image / Generator"
+    needs: build
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image: sbomer-generator
+      artifact: cli
+      push: true
+    secrets: inherit
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -0,0 +1,35 @@
+name: Pull Request
+
+on:
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  build:
+    name: "Code"
+    uses: ./.github/workflows/build-code.yml
+
+  image-service:
+    name: "Image / Service"
+    needs: build
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image: sbomer-service
+      artifact: service
+    secrets: inherit
+
+  image-cache:
+    name: "Image / Cache"
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image: sbomer-cache
+    secrets: inherit
+
+  image-generator:
+    name: "Image / Generator"
+    needs: build
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image: sbomer-generator
+      artifact: cli
+    secrets: inherit
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,8 @@
 build
 node_modules
 
+certs
+
 #Maven
 target/
 pom.xml.tag

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -0,0 +1,133 @@
+.job-deploy-default-scripts: &job-deploy-default-scripts
+  - curl -L "https://${INTERNAL_CERTS_HOST}/certs/2022-IT-Root-CA.pem" -o /usr/local/share/ca-certificates/2022-IT-Root-CA.pem
+  - curl -L "https://${INTERNAL_CERTS_HOST}/certs/2015-IT-Root-CA.pem" -o /usr/local/share/ca-certificates/2015-IT-Root-CA.pem
+  - curl -L "https://${INTERNAL_CERTS_HOST}/chains/rhcs-ca-chain-2022-cross-signed-2015.crt" -o /usr/local/share/ca-certificates/rhcs-ca-chain-2022-cross-signed-2015.crt
+  - update-ca-certificates
+
+.job-deploy: &job-deploy
+  stage: deploy
+  image:
+    name: alpine/helm:3.14.0
+    entrypoint: [""]
+  artifacts:
+    name: manifests
+    when: always
+    paths:
+      - manifest-prev.yaml
+      - manifest.yaml
+
+default:
+  tags: [docker]
+
+ensure-images:
+  image:
+    name: registry.access.redhat.com/ubi9@sha256:fc300be6adbdf2ca812ad01efd0dee2a3e3f5d33958ad6cd99159e25e9ee1398
+    entrypoint: [""]
+  stage: .pre
+  resource_group: deploy
+  timeout: 10m
+  script:
+    - dnf install -y --setopt=tsflags=nodocs skopeo
+    - |
+      function wait_for_image() {
+        if ! skopeo inspect --creds "${QUAY_CREDS_STAGE}" "docker://${IMAGE_REGISTRY_STAGE}/${1}:${CI_COMMIT_SHORT_SHA}" > "image-manifest-${1}.json"; then
+          sleep 30
+        fi
+      }
+
+      for image in "sbomer-service" "sbomer-cache" "sbomer-generator"; do
+        wait_for_image "${image}"
+      done
+  artifacts:
+    name: image-manifests
+    paths:
+      - image-manifest-*.json
+
+deploy-stage:
+  <<: *job-deploy
+  script:
+    - *job-deploy-default-scripts
+    - helm --kubeconfig $KUBECONFIG --kube-context sbomer-stage get manifest sbomer > manifest-prev.yaml || true
+    - helm --kube-context sbomer-stage upgrade --install --wait --timeout 5m0s --set generator.image.tag=${CI_COMMIT_SHORT_SHA} --set cache.image.tag=${CI_COMMIT_SHORT_SHA} --set service.image.tag=${CI_COMMIT_SHORT_SHA} --values "https://${INTERNAL_GITLAB_HOST}/project-ncl/sbomer-support/-/raw/main/helm/stage.yaml" --values ./helm/env/stage.yaml sbomer ./helm
+    - helm --kubeconfig $KUBECONFIG --kube-context sbomer-stage get manifest sbomer > manifest.yaml || true
+  needs:
+    - job: ensure-images
+  only: [main]
+
+e2e-stage:
+  image:
+    name: registry.access.redhat.com/ubi9@sha256:fc300be6adbdf2ca812ad01efd0dee2a3e3f5d33958ad6cd99159e25e9ee1398
+    entrypoint: [""]
+  stage: deploy
+  cache:
+    paths:
+      - .m2/repository
+  resource_group: deploy
+  timeout: 20m
+  variables:
+    MAVEN_OPTS: >-
+      -Dhttps.protocols=TLSv1.2
+      -Dmaven.repo.local=.m2/repository
+      -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN
+      -Dorg.slf4j.simpleLogger.showDateTime=true
+      -Djava.awt.headless=true
+  script:
+    - curl -s "https://get.sdkman.io" | bash
+    - source "$HOME/.sdkman/bin/sdkman-init.sh"
+    - sdk install java 17.0.9
+    - sdk install maven 3.9.5
+    - ./hack/run-test-e2e.sh -P e2e-stage -DsbomerStageUri="https://${SBOMER_STAGE_HOST}" -DdatagrepperStageUri="https://${DATAGREPPER_STAGE_HOST}"
+  artifacts:
+    reports:
+      junit:
+        - "e2e/target/surefire-reports/**/*.xml"
+  needs:
+    - job: deploy-stage
+  only: [main]
+
+promote:
+  image:
+    name: registry.access.redhat.com/ubi9@sha256:fc300be6adbdf2ca812ad01efd0dee2a3e3f5d33958ad6cd99159e25e9ee1398
+    entrypoint: [""]
+  stage: deploy
+  when: manual
+  resource_group: deploy
+  script:
+    - dnf install -y --setopt=tsflags=nodocs skopeo
+    - skopeo copy --src-creds "${QUAY_CREDS_STAGE}" --dest-creds "${QUAY_CREDS_PROD}" "docker://${IMAGE_REGISTRY_STAGE}/sbomer-cache:${CI_COMMIT_SHORT_SHA}" "docker://${IMAGE_REGISTRY_PROD}/sbomer-cache:${CI_COMMIT_SHORT_SHA}"
+    - skopeo copy --src-creds "${QUAY_CREDS_STAGE}" --dest-creds "${QUAY_CREDS_PROD}" "docker://${IMAGE_REGISTRY_STAGE}/sbomer-service:${CI_COMMIT_SHORT_SHA}" "docker://${IMAGE_REGISTRY_PROD}/sbomer-service:${CI_COMMIT_SHORT_SHA}"
+    - skopeo copy --src-creds "${QUAY_CREDS_STAGE}" --dest-creds "${QUAY_CREDS_PROD}" "docker://${IMAGE_REGISTRY_STAGE}/sbomer-generator:${CI_COMMIT_SHORT_SHA}" "docker://${IMAGE_REGISTRY_PROD}/sbomer-generator:${CI_COMMIT_SHORT_SHA}"
+  needs:
+    - job: e2e-stage
+  only: [main]
+
+deploy-prod:
+  <<: *job-deploy
+  script:
+    - *job-deploy-default-scripts
+    - helm --kubeconfig $KUBECONFIG --kube-context sbomer-prod get manifest sbomer > manifest-prev.yaml || true
+    - helm --kube-context sbomer-prod upgrade --install --wait --timeout 5m0s --set generator.image.tag=${CI_COMMIT_SHORT_SHA} --set cache.image.tag=${CI_COMMIT_SHORT_SHA} --set service.image.tag=${CI_COMMIT_SHORT_SHA} --values "https://${INTERNAL_GITLAB_HOST}/project-ncl/sbomer-support/-/raw/main/helm/prod.yaml" --values ./helm/env/prod.yaml sbomer ./helm
+    - helm --kubeconfig $KUBECONFIG --kube-context sbomer-prod get manifest sbomer > manifest.yaml || true
+  needs:
+    - job: promote
+  only: [main]
+
+pages:
+  image:
+    name: registry.access.redhat.com/ubi9@sha256:fc300be6adbdf2ca812ad01efd0dee2a3e3f5d33958ad6cd99159e25e9ee1398
+    entrypoint: [""]
+  stage: deploy
+  script:
+    - dnf install -y --setopt=tsflags=nodocs make gcc-c++
+    - curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
+    - export NVM_DIR="$HOME/.nvm" && . "$NVM_DIR/nvm.sh" --no-use
+    - nvm install v18
+    - npm install --global yarn
+    - yarn install --frozen-lockfile --no-progress
+    - >
+      NODE_TLS_REJECT_UNAUTHORIZED=0
+      npx antora --fetch --to-dir public antora-playbook.yml
+  artifacts:
+    paths:
+      - public
+  only: [main]
diff --git a/hack/internal/build-image.sh b/hack/internal/build-image.sh
@@ -89,6 +89,12 @@ else
   CONTAINERFILE="Containerfile"
 fi
 
+mkdir -p certs
+
+curl -L https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem -o certs/2022-IT-Root-CA.pem
+curl -L https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem -o certs/2015-IT-Root-CA.pem
+curl -L https://certs.corp.redhat.com/chains/rhcs-ca-chain-2022-cross-signed-2015.crt -o certs/rhcs-ca-chain-2022-cross-signed-2015.crt
+
 "${BUILD_SCRIPT[@]}" build -t "$IMAGE_TAG_LATEST" -f "images/${IMAGE_SLUG}/${CONTAINERFILE}" .
 
 if [ "$PUSH" = "yes" ]; then

diff --git a/images/sbomer-cache/Containerfile b/images/sbomer-cache/Containerfile
@@ -4,7 +4,7 @@ FROM registry.access.redhat.com/ubi9/nginx-120@sha256:ff18b7501cb56d411daace3909
 
 USER root
 
-RUN curl -L https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem -o /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem
+COPY certs/2022-IT-Root-CA.pem /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem
 RUN update-ca-trust
 
 COPY images/sbomer-cache/nginx.conf.template /etc/nginx/nginx.conf.template

diff --git a/images/sbomer-generator/Containerfile b/images/sbomer-generator/Containerfile
@@ -15,8 +15,11 @@ ENV HOME=/workdir
 RUN chown -R 65532:0 /workdir && \
     chmod -R g=u /workdir
 
-COPY --chown=65532:0 images/sbomer-generator/install_cert.sh /workdir/
-RUN sh -c ./install_cert.sh
+COPY certs/2022-IT-Root-CA.pem /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem
+COPY certs/2015-IT-Root-CA.pem /etc/pki/ca-trust/source/anchors/2015-IT-Root-CA.pem
+COPY certs/rhcs-ca-chain-2022-cross-signed-2015.crt /etc/pki/ca-trust/source/anchors/rhcs-ca-chain-2022-cross-signed-2015.crt
+
+RUN update-ca-trust
 
 USER 65532
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,8 @@ @@
     build
     node_modules
+    certs
     #Maven
     target/
     pom.xml.tag
@@ Expand Down @@