From 919809dd06bc90f056a89902ba9e29b2e3ca23e5 Mon Sep 17 00:00:00 2001
From: "Bartra, Rick (rb560u)"
Date: Thu, 11 Mar 2021 17:08:27 -0500
Subject: [PATCH] (fix) CVE report not showing

Unauthenticated GET calls to Harbor are no longer supported, so the build out of the CVE report link was not working due to the empty information behind retrieved from Harbor. This commit updates the GET calls to Harbor to use a netrc for authentication.

Change-Id: I65a8ecf2d567f4ac9293dc8d5f39ab40cdca4c84
---
 .../templates/Secret-harbor-netrc.yaml | 11 +++++++++++
 .../jarvis-system/templates/Task-createFailure.yaml | 12 +++++++++---
 .../jarvis-system/templates/Task-createSuccess.yaml | 13 ++++++++++---
 charts/jarvis-system/values.yaml | 7 ++++++-
 4 files changed, 36 insertions(+), 7 deletions(-)
 create mode 100644 charts/jarvis-system/templates/Secret-harbor-netrc.yaml

diff --git a/charts/jarvis-system/templates/Secret-harbor-netrc.yaml b/charts/jarvis-system/templates/Secret-harbor-netrc.yaml
new file mode 100644
index 00000000..490eb75a
--- /dev/null
+++ b/charts/jarvis-system/templates/Secret-harbor-netrc.yaml
@@ -0,0 +1,11 @@
+{{- define "Secret-harbor-netrc" -}}
+{{- $HARBOR_URL := $.Values.params.harbor.dashboard.host -}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ template "helpers.labels.fullname" . }}-harbor-netrc
+data:
+ harbor-netrc: {{ b64enc ( printf "machine %s login %s password %s" $HARBOR_URL $.Values.config.test.ldap_username $.Values.config.test.ldap_password ) }}
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Secret-harbor-netrc" ) }}
diff --git a/charts/jarvis-system/templates/Task-createFailure.yaml b/charts/jarvis-system/templates/Task-createFailure.yaml
index 54eecf5a..586a4e18 100644
--- a/charts/jarvis-system/templates/Task-createFailure.yaml
+++ b/charts/jarvis-system/templates/Task-createFailure.yaml
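Review bot: The `harbor-netrc` value in Secret-harbor-netrc.yaml is built with `printf` directly from `$.Values.config.test.ldap_username` and `ldap_password`, with no check that either is set and no handling of whitespace. An unset value is likely to render Go's `%!s(<nil>)` placeholder into the file, and netrc tokens are whitespace-delimited, so a password containing a space would be cut short; either way curl sends wrong credentials and the report link stays empty without an error. Wrapping the inputs in `required`, e.g. `{{ required "config.test.ldap_password must be set" $.Values.config.test.ldap_password }}`, makes the chart fail at render time instead. The `config.test.*` key path suggests a test account is being reused for this lookup; a dedicated read-only Harbor account would limit what the mounted file exposes.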
@@ -21,12 +21,14 @@ spec:
 - name: gerrit-netrc
 mountPath: /run/jarvis/gerrit-netrc
 subPath: gerrit-netrc
+ - name: harbor-netrc
+ mountPath: /run/jarvis/harbor-netrc
 script: |
 #!/bin/bash
 set -eu -o pipefail -x
 # Get project information from Harbor
- PROJECT_INFO=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/search?q=$(params.project)-staging" -H "accept: application/json")
+ PROJECT_INFO=$(curl -k -X GET --netrc-file /run/jarvis/harbor-netrc/harbor-netrc "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/search?q=$(params.project)-staging" -H "accept: application/json")
 PROJECT_ID=$(echo $PROJECT_INFO | jq -r '.project'[0].'project_id')
 # Get the taskRun uid from the microflow-setup-image pod
@@ -47,7 +49,7 @@ spec:
 if [ $REPO_COUNT -gt 0 ]; then
 REPOSITORY_NAME=$(echo $PROJECT_INFO | jq -r '.repository'[0].'repository_name' | awk -F"/" '{print $2}')
 # Grabs the SHA256 of the corresponding artifact based off taskrun uid
- SHA256=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/projects/$(params.project)-staging/repositories/${REPOSITORY_NAME}/artifacts/${TASK_RUN_UID}" -H "accept: application/json" | jq -r '.digest')
+ SHA256=$(curl -k -X GET --netrc-file /run/jarvis/harbor-netrc/harbor-netrc "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/projects/$(params.project)-staging/repositories/${REPOSITORY_NAME}/artifacts/${TASK_RUN_UID}" -H "accept: application/json" | jq -r '.digest')
 MESSAGE="${MESSAGE}\n\n----- Image Scan Report -----\nhttps://{{ .Values.params.harbor.dashboard.host }}/harbor/projects/${PROJECT_ID}/repositories/${REPOSITORY_NAME}/artifacts/${SHA256}"
 fi
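Review bot: The rewritten `PROJECT_INFO=` call keeps `-k` while adding `--netrc-file`, so the Harbor credentials are now sent over a TLS connection whose certificate is never verified. Before this change the request carried no secret; with it, whatever endpoint answers for `{{ .Values.params.harbor.dashboard.host }}` receives the username and password. Mount the Harbor CA into the step and replace `-k` with `--cacert <path-to-mounted-CA-bundle>` (placeholder path). The same applies to the `SHA256=` call in the next hunk and to both calls in Task-createSuccess.yaml; the script body continues outside this hunk.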
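Review bot: `$(params.project)` in the rewritten `SHA256=` line is substituted into the script text before bash runs (this looks like a Tekton Task), so a project value containing shell metacharacters would be interpreted by bash in a step that now has the Harbor credentials mounted. Passing the parameter through the step's `env:` and referencing it as a quoted shell variable keeps it as data. `${REPOSITORY_NAME}` and `${TASK_RUN_UID}` are derived from API and pod output and placed into the URL unencoded; checking them against an expected pattern before the call would make a bad value fail loudly. The step definition that would carry the `env:` entry is outside this hunk.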
@@ -90,6 +92,10 @@ spec:
 items:
 - key: gerrit-netrc
 path: gerrit-netrc
+ - name: harbor-netrc
+ secret:
+ secretName: {{ template "helpers.labels.fullname" . }}-harbor-netrc
+ defaultMode: 0444
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Task-createFailure" ) }}
\ No newline at end of file
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Task-createFailure" ) }}
diff --git a/charts/jarvis-system/templates/Task-createSuccess.yaml b/charts/jarvis-system/templates/Task-createSuccess.yaml
index 5748a918..eb4e67d4 100644
--- a/charts/jarvis-system/templates/Task-createSuccess.yaml
+++ b/charts/jarvis-system/templates/Task-createSuccess.yaml
@@ -21,12 +21,15 @@ spec:
 - name: gerrit-netrc
 mountPath: /run/jarvis/gerrit-netrc
 subPath: gerrit-netrc
+ - name: harbor-netrc
+ mountPath: /run/jarvis/harbor-netrc
+
 script: |
 #!/bin/bash
 set -eu -o pipefail -x
 # Get project information from Harbor
- PROJECT_INFO=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/search?q=$(params.project)-staging" -H "accept: application/json")
+ PROJECT_INFO=$(curl -k -X GET --netrc-file /run/jarvis/harbor-netrc/harbor-netrc "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/search?q=$(params.project)-staging" -H "accept: application/json")
 PROJECT_ID=$(echo $PROJECT_INFO | jq -r '.project'[0].'project_id')
 # Get the taskRun uid from the microflow-setup-image pod
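Review bot: `defaultMode: 0444` on the new `harbor-netrc` volume makes the projected credentials file readable by every user in the step container. Since the file holds an LDAP password, `defaultMode: 0400` is the tighter choice, provided the step runs as the file's owner; that is not visible here, so confirm against the step's `securityContext`. The volume also projects every key of the Secret because no `items:` list is given, unlike the `gerrit-netrc` volume just above it; adding an `items:` entry with `key: harbor-netrc` and `path: harbor-netrc` limits the mount to the one file the script reads. The same volume block is added to Task-createSuccess.yaml.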
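Review bot: This Task-createSuccess.yaml hunk repeats the Task-createFailure.yaml change line for line, except for a stray added blank line between the new mount entry and `script:`, which shows how easily the two copies drift apart. Because the Harbor lookup now handles credentials, any later fix to it has to land in both files to be effective. Consider moving the shared lookup script into one named template that both tasks include, and drop the extra blank line so the two files stay comparable. The script body continues outside this hunk.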
@@ -47,7 +50,7 @@ spec:
 if [ $REPO_COUNT -gt 0 ]; then
 REPOSITORY_NAME=$(echo $PROJECT_INFO | jq -r '.repository'[0].'repository_name' | awk -F"/" '{print $2}')
 # Grabs the SHA256 of the corresponding artifact based off taskrun uid
- SHA256=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/projects/$(params.project)-staging/repositories/${REPOSITORY_NAME}/artifacts/${TASK_RUN_UID}" -H "accept: application/json" | jq -r '.digest')
+ SHA256=$(curl -k -X GET --netrc-file /run/jarvis/harbor-netrc/harbor-netrc "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/projects/$(params.project)-staging/repositories/${REPOSITORY_NAME}/artifacts/${TASK_RUN_UID}" -H "accept: application/json" | jq -r '.digest')
 MESSAGE="${MESSAGE}\n\n----- Image Scan Report -----\nhttps://{{ .Values.params.harbor.dashboard.host }}/harbor/projects/${PROJECT_ID}/repositories/${REPOSITORY_NAME}/artifacts/${SHA256}"
 fi
@@ -90,6 +93,10 @@ spec:
 items:
 - key: gerrit-netrc
 path: gerrit-netrc
+ - name: harbor-netrc
+ secret:
+ secretName: {{ template "helpers.labels.fullname" . }}-harbor-netrc
+ defaultMode: 0444
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Task-createSuccess" ) }}
\ No newline at end of file
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Task-createSuccess" ) }}
diff --git a/charts/jarvis-system/values.yaml b/charts/jarvis-system/values.yaml
index 8f00cfb2..1400adb2 100644
--- a/charts/jarvis-system/values.yaml
+++ b/charts/jarvis-system/values.yaml
@@ -67,4 +67,9 @@ params:
 orgid: 1
 harbor:
 dashboard:
- host: harbor-core.jarvis.local
\ No newline at end of file
+ host: harbor-core.jarvis.local
+
+config:
+ test:
+ ldap_username: jarvis
+ ldap_password: password
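Review bot: `ldap_password: password` in values.yaml puts a usable-looking credential into the chart defaults, so any install that does not override `config.test.*` renders the Harbor netrc Secret with a publicly known username and password. Default it to an empty string, `ldap_password: ""`, and supply the real value at install time from a secret store, or let the chart reference a pre-created Secret by name instead of carrying the value. If these keys are meant only for a test environment, a comment above `config:` saying so would tell operators they must override them.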