From fe4e6914cd5d84589da3617b6e0e5b7535828596 Mon Sep 17 00:00:00 2001
From: ppbaena
Date: Fri, 10 Nov 2023 10:20:47 +0100
Subject: [PATCH 1/2] Disable SRP action from Kubeapps

---
 .../actions/srp-source-provenance/action.yml | 91 -------------------
 .github/workflows/kubeapps-general.yaml | 14 ---
 2 files changed, 105 deletions(-)
 delete mode 100644 .github/actions/srp-source-provenance/action.yml

diff --git a/.github/actions/srp-source-provenance/action.yml b/.github/actions/srp-source-provenance/action.yml
deleted file mode 100644
index eebaa86208f..00000000000
--- a/.github/actions/srp-source-provenance/action.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-# Copyright 2018-2023 the Kubeapps contributors.
-# SPDX-License-Identifier: Apache-2.0
-
----
-name: SRP Report
-description: Install SRP CLI and Submit Provenance
-inputs:
-  SRP_CLI_VERSION:
-    description: Version of the SRP CLI tool
-    required: false
-    default: latest
-  SRP_CLIENT_ID:
-    description: ID for SRP API Credentials
-    required: true
-  SRP_CLIENT_SECRET:
-    description: SECRET for SRP API Credentials
-    required: true
-  VERSION:
-    description: Release Version
-    required: true
-runs:
-  using: "composite"
-  steps:
-    - name: Download SRP CLI
-      shell: bash
-      env:
-        SRP_CLI_VERSION: ${{ inputs.SRP_CLI_VERSION }}
-      run: |
-        set -u
-        mkdir -p /tmp/srp-cli
-        if [[ "${SRP_CLI_VERSION}" == "latest" ]]; then
-          curl https://srp-cli.s3.amazonaws.com/srp-cli-latest.tgz -o /tmp/srp-cli/srp-cli-latest.tgz
-          tar xvzf /tmp/srp-cli/srp-cli-latest.tgz -C /tmp/srp-cli/
-        else
-          wget "https://vmwaresaas.jfrog.io/artifactory/srp-tools/srpcli/${SRP_CLI_VERSION}/linux-amd64/srp" -O /tmp/srp-cli/srp
-        fi
-        chmod +x /tmp/srp-cli/srp
-        sudo mv /tmp/srp-cli/srp /usr/local/bin/.
-        srp --version
-    - name: Configure SRP
-      env:
-        SRP_CLIENT_ID: ${{ inputs.SRP_CLIENT_ID }}
-        SRP_CLIENT_SECRET: ${{ inputs.SRP_CLIENT_SECRET }}
-      shell: bash
-      run: |
-        set -u
-        srp config auth --client-id=${SRP_CLIENT_ID} --client-secret=${SRP_CLIENT_SECRET}
-    - name: Create Source Provenance File
-      env:
-        VERSION: ${{ inputs.VERSION }}
-      shell: bash
-      run: |
-        set -eu
-        export GITHUB_FQDN=$(echo "${GITHUB_SERVER_URL}" | sed -e "s/^https:\/\///")
-        export BUILD_ID=${GITHUB_RUN_ID}_${GITHUB_RUN_ATTEMPT}
-        export COMP_UID="uid.obj.build.github(instance='${GITHUB_FQDN}',namespace='${GITHUB_REPOSITORY}',ref='${GITHUB_REF}',action='${GITHUB_ACTION}',build_id='$BUILD_ID')"
-        echo "COMP_UID=$COMP_UID" >> $GITHUB_ENV
-        echo "COMP_UID=$COMP_UID"
-        mkdir -p /tmp/provenance
-        sudo srp provenance source \
-          --verbose \
-          --scm-type git \
-          --name "kubeapps" \
-          --path ./ \
-          --saveto /tmp/provenance/source.json \
-          --comp-uid ${COMP_UID} \
-          --build-number ${BUILD_ID} \
-          --version ${VERSION} \
-          --all-ephemeral true \
-          --build-type release
-    - name: Validate and submit the source provenance files to the SRP Metadata service
-      shell: bash
-      run: |
-        echo "COMP_UID: $COMP_UID"
-        export COMP_UID=${COMP_UID//\//\%2f}
-        export SRP_UID="uid.mtd.provenance_2_5.fragment(obj_uid=$COMP_UID,revision='')"
-        echo "SRP_UID: ${SRP_UID}"
-        echo "SOURCE PROVENANCE FILE CONTENT:"
-        cat /tmp/provenance/source.json
-        echo ""
-        srp uid validate ${SRP_UID}
-        srp metadata submit \
-          --verbose \
-          --srp-endpoint https://apigw.vmware.com/v1/s1/api/helix-beta \
-          --uid "${SRP_UID}" \
-          --path /tmp/provenance/source.json
-    - name: Upload SRP file as a build artifact
-      uses: actions/upload-artifact@v3
-      with:
-        name: srp-source-provenance-file
-        path: /tmp/provenance/source.json
diff --git a/.github/workflows/kubeapps-general.yaml b/.github/workflows/kubeapps-general.yaml
index 4401f95cd06..4b5b98e4bce 100644
--- a/.github/workflows/kubeapps-general.yaml
+++ b/.github/workflows/kubeapps-general.yaml
@@ -592,20 +592,6 @@ jobs:
             docker push $prod_image
           done
 
-  srp_report:
-    needs:
-      - setup
-      - push_images
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/srp-source-provenance
-        with:
-          SRP_CLI_VERSION: ${{env.SRP_CLI_VERSION}}
-          SRP_CLIENT_ID: ${{secrets.SRP_CLIENT_ID}}
-          SRP_CLIENT_SECRET: ${{secrets.SRP_CLIENT_SECRET}}
-          VERSION: ${{needs.setup.outputs.version}}
-
   sync_chart_from_bitnami:
     needs:
       - setup

From 9efb59f4c5c84d5a09d476577c54060d924f69bb Mon Sep 17 00:00:00 2001
From: ppbaena
Date: Fri, 10 Nov 2023 11:51:42 +0100
Subject: [PATCH 2/2] Remove SRP variables

---
 .github/workflows/kubeapps-general.yaml | 1 -
 site/content/docs/latest/reference/developer/release-process.md | 1 -
 site/content/docs/latest/reference/testing/ci.md | 1 -
 3 files changed, 3 deletions(-)

diff --git a/.github/workflows/kubeapps-general.yaml b/.github/workflows/kubeapps-general.yaml
index 4b5b98e4bce..a9e1901d051 100644
--- a/.github/workflows/kubeapps-general.yaml
+++ b/.github/workflows/kubeapps-general.yaml
@@ -66,7 +66,6 @@ env:
   GKE_ZONE: "us-east1-c"
   GKE_PROJECT: "vmware-kubeapps-ci"
   GKE_CLUSTER: "kubeapps-test"
-  SRP_CLI_VERSION: "0.9.9-20230724044630-61ef470-169"
 
 jobs:
   setup:
diff --git a/site/content/docs/latest/reference/developer/release-process.md b/site/content/docs/latest/reference/developer/release-process.md
index 425b4774666..f354489f390 100644
--- a/site/content/docs/latest/reference/developer/release-process.md
+++ b/site/content/docs/latest/reference/developer/release-process.md
@@ -55,7 +55,6 @@ The versions used there _must_ match the ones used for building the container im
 - `KIND_VERSION` should be updated with the [latest stable version from the kind releases](https://github.com/kubernetes-sigs/kind/releases).
 - `K8S_KIND_VERSION` _must_ match the Kubernetes minor version used in `GKE_REGULAR_VERSION_XX` and should be updated with one of the available image tags for a given [Kind release](https://github.com/kubernetes-sigs/kind/releases).
 - `POSTGRESQL_VERSION` _must_ match the version used by the [Bitnami PostgreSQL chart](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml).
-- `SRP_CLI_VERSION` _should_ be up to date according to the [latest stable version from the SRP CLI builds](https://vmwaresaas.jfrog.io/ui/native/srp-tools/srpcli).
 
 Besides, the `GKE_STABLE_VERSION` and the `GKE_REGULAR_VERSION` might have to be updated if the _Stable_ and _Regular_ Kubernetes versions in GKE have changed. Check this information on [this GKE release notes website](https://cloud.google.com/kubernetes-engine/docs/release-notes).
diff --git a/site/content/docs/latest/reference/testing/ci.md b/site/content/docs/latest/reference/testing/ci.md
index 2983e7a999e..5c01fe2255d 100644
--- a/site/content/docs/latest/reference/testing/ci.md
+++ b/site/content/docs/latest/reference/testing/ci.md
@@ -88,7 +88,6 @@ job uses a matrix to parameterize and parallelize the `local_e2e_tests` job, so (carvel, flux, main, etc), and we would need to configure a status check in the branch protections rules for every item in the matrix. * `push_images`: each time a new commit is pushed to the main branch or a new version tag is created, the CI images (which have already been built) get re-tagged and pushed to the `kubeapps` account in Dockerhub. -* `srp_report`: it generates and submits the source provenance file, required to comply with the SRP (Secure Release Pipeline) requirements. * `sync_chart_from_bitnami`: each time a new commit is pushed to the main branch, it brings the current changes in the upstream [bitnami/charts repository](https://github.com/bitnami/charts/tree/main/bitnami/kubeapps) and merges the changes. This step involves: * Checking if the Bitnami chart version is greater than the Kubeapps development chart version. If not, stop.