RHTAP: Add jenkins as CI builder (redhat-cop#8901)

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

Author: treddy08

ansible/roles_ocp_workloads/ocp4_workload_jenkins/tasks/workload.yml

@@ -16,6 +16,8 @@
   - ./templates/service.yaml.j2
   - ./templates/service_jnlp.yaml.j2
   - ./templates/role_binding.yaml.j2
+  - ./role_binding_privileged.yaml.j2
+  - ./role_binding_webhook_unauthenticated.yaml.j2
   - ./templates/route.yaml.j2
   - ./templates/deployment.yaml.j2
 

ansible/roles_ocp_workloads/ocp4_workload_jenkins/templates/role_binding_privileged.yaml.j2

@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: 'system:openshift:scc:anyuid'
+  namespace: {{ ocp4_workload_jenkins_project }}
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: {{ ocp4_workload_jenkins_project }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'system:openshift:scc:privileged'

ansible/roles_ocp_workloads/ocp4_workload_jenkins/templates/role_binding_webhook_unauthenticated.yaml.j2

@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: webhook-access-unauthenticated
+  namespace: {{ ocp4_workload_jenkins_project }}
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: 'system:unauthenticated'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'system:webhook'

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/defaults/main.yml

@@ -119,3 +119,6 @@ ocp4_workload_trusted_application_pipeline_env_type: ocp4-cluster
 ocp4_workload_trusted_application_pipeline_cloud_provider: "{{ cloud_provider | default('ec2') }}"
 
 ocp4_workload_trusted_application_pipeline_orchestrator_enabled: "{{ orchestrator_enabled | default('true') | bool }}"
+
+ocp4_workload_trusted_application_pipeline_jenkins_namespace: jenkins
+ocp4_workload_trusted_application_pipeline_jenkins_admin_password: password

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/files/external-secret-common-password.yml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: common-password-secret
+spec:
+  secretStoreRef:
+    name: vault-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: common-password-secret
+  data:
+  - secretKey: password
+    remoteRef:
+      key:  secrets/janusidp/common_password
+      property: password

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/files/external-secret-gitlab-webhook.yml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitlab-webhook-secret
+spec:
+  secretStoreRef:
+    name: vault-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: gitlab-webhook-secret
+  data:
+  - secretKey: WebHookSecretKey
+    remoteRef:
+      key: secrets/janusidp/gitlab_webhook
+      property: secret

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/files/external-secret-stackrox-token.yml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: stackrox-token
+spec:
+  secretStoreRef:
+    name: vault-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: stackrox-token
+  data:
+  - secretKey: rox_api_token
+    remoteRef:
+      key: secrets/janusidp/stackrox
+      property: token

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/files/external-secret-trustification.yml

@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: trustification-secret
+spec:
+  secretStoreRef:
+    name: vault-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: trustification-secret
+  data:
+  - secretKey: bombastic_api_url
+    remoteRef:
+      key: secrets/janusidp/tpa/bombastic_api_url
+      property: value
+  - secretKey: oidc_issuer_url
+    remoteRef:
+      key: secrets/janusidp/tpa/oidc_issuer_url
+      property: value
+  - secretKey: oidc_client_id
+    remoteRef:
+      key: secrets/janusidp/tpa/oidc_client_id
+      property: value
+  - secretKey: oidc_client_secret
+    remoteRef:
+      key: secrets/janusidp/tpa/oidc_client_secret
+      property: value

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/files/jenkins-global-config.xml

@@ -0,0 +1,121 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<org.jenkinsci.plugins.configfiles.GlobalConfigFiles plugin="[email protected]_4518b_">
+  <configs class="sorted-set">
+    <comparator class="org.jenkinsci.plugins.configfiles.ConfigByIdComparator"/>
+    <org.jenkinsci.plugins.configfiles.custom.CustomConfig>
+      <id>create.att.predicate.sh</id>
+      <name>create.att.predicate.sh</name>
+      <comment></comment>
+      <content>#
+# Create attestation predicate for RHTAP Jenkins builds
+#
+# Useful references:
+# - https://slsa.dev/spec/v1.0/provenance
+# - https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#using-environment-variables
+# - http://localhost:8080/env-vars.html/
+#   (Replace localhost with your Jenkins instance)
+#
+yq -o=json -I=0 &lt;&lt; EOT
+---
+buildDefinition:
+  buildType: &quot;https://redhat.com/rhtap/slsa-build-types/${CI_TYPE}-build/v1&quot;
+  externalParameters: {}
+  internalParameters: {}
+  resolvedDependencies:
+    - uri: &quot;git+${GIT_URL}&quot;
+      digest:
+        gitCommit: &quot;${GIT_COMMIT}&quot;
+
+runDetails:
+  builder:
+    id: &quot;${NODE_NAME}&quot;
+    builderDependencies: []
+    version:
+      # Not sure if this is the right place for these...
+      buildNumber: &quot;${BUILD_NUMBER}&quot;
+      jobName: &quot;${JOB_NAME}&quot;
+      executorNumber: &quot;${EXECUTOR_NUMBER}&quot;
+      jenkinsHome: &quot;${JENKINS_HOME}&quot;
+      buildUrl: &quot;${BUILD_URL}&quot;
+      jobUrl: &quot;${JOB_URL}&quot;
+
+  metadata:
+    invocationID: &quot;${BUILD_TAG}&quot;
+    startedOn: &quot;$(cat $RESULTS/init/START_TIME)&quot;
+    # Inaccurate, but maybe close enough
+    finishedOn: &quot;$(date +%Y-%m-%dT%H:%M:%SZ)&quot;
+
+  byproducts:
+    - name: SBOM_BLOB
+      uri: &quot;$(cat &quot;$BASE_RESULTS&quot;/buildah-rhtap/SBOM_BLOB_URL)&quot;
+
+EOT</content>
+      <providerId>org.jenkinsci.plugins.configfiles.custom.CustomConfig</providerId>
+      <customizedCredentialMappings/>
+    </org.jenkinsci.plugins.configfiles.custom.CustomConfig>
+    <org.jenkinsci.plugins.configfiles.custom.CustomConfig>
+      <id>merge.sboms.py</id>
+      <name>merge.sboms.py</name>
+      <comment></comment>
+      <content>#!/bin/python3
+import hashlib
+import json
+import os
+import re
+
+### load SBOMs ###
+
+with open(os.getenv(&quot;TEMP_DIR&quot;) + &quot;/files/sbom-image.json&quot;) as f:
+  image_sbom = json.load(f)
+
+with open(os.getenv(&quot;TEMP_DIR&quot;) + &quot;/files/sbom-source.json&quot;) as f:
+  source_sbom = json.load(f)
+
+
+### attempt to deduplicate components ###
+
+component_list = image_sbom.get(&quot;components&quot;, [])
+existing_purls = [c[&quot;purl&quot;] for c in component_list if &quot;purl&quot; in c]
+
+for component in source_sbom.get(&quot;components&quot;, []):
+  if &quot;purl&quot; in component:
+    if component[&quot;purl&quot;] not in existing_purls:
+      component_list.append(component)
+      existing_purls.append(component[&quot;purl&quot;])
+  else:
+    # We won&apos;t try to deduplicate components that lack a purl.
+    # This should only happen with operating-system type components,
+    # which are only reported in the image SBOM.
+    component_list.append(component)
+
+component_list.sort(key=lambda c: c[&quot;type&quot;] + c[&quot;name&quot;])
+image_sbom[&quot;components&quot;] = component_list
+
+
+### write the CycloneDX unified SBOM ###
+
+with open(os.getenv(&quot;TEMP_DIR&quot;) + &quot;/files/sbom-cyclonedx.json&quot;, &quot;w&quot;) as f:
+  json.dump(image_sbom, f, indent=4)
+
+
+### write the SBOM blob URL result ###
+
+with open(os.getenv(&quot;TEMP_DIR&quot;) + &quot;/files/sbom-cyclonedx.json&quot;, &quot;rb&quot;) as f:
+  sbom_digest = hashlib.file_digest(f, &quot;sha256&quot;).hexdigest()
+
+# https://github.com/opencontainers/distribution-spec/blob/main/spec.md?plain=1#L160
+tag_regex = &quot;[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}&quot;
+
+# the tag must be after a colon, but always at the end of the string
+# this avoids conflict with port numbers
+image_without_tag = re.sub(f&quot;:{tag_regex}\$&quot;, &quot;&quot;, os.getenv(&quot;IMAGE&quot;))
+
+sbom_blob_url = f&quot;{image_without_tag}@sha256:{sbom_digest}&quot;
+
+with open(os.getenv(&quot;RESULT_PATH&quot;), &quot;w&quot;) as f:
+  f.write(sbom_blob_url)</content>
+      <providerId>org.jenkinsci.plugins.configfiles.custom.CustomConfig</providerId>
+      <customizedCredentialMappings/>
+    </org.jenkinsci.plugins.configfiles.custom.CustomConfig>
+  </configs>
+</org.jenkinsci.plugins.configfiles.GlobalConfigFiles>

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/tasks/setup_jenkins.yml

@@ -0,0 +1,85 @@
+---
+- name: Copy global config files to host
+  ansible.builtin.copy:
+    src: files/jenkins-global-config.xml
+    dest: /tmp/jenkins-global-config.xml
+
+- name: Transfer pipeline files to container
+  shell: |
+    JENKINS_POD=$(oc get pod -l deployment=jenkins -n jenkins --no-headers | awk '{ print $1 }')
+    oc cp /tmp/jenkins-global-config.xml {{ ocp4_workload_trusted_application_pipeline_jenkins_namespace
+    }}/$JENKINS_POD:/var/lib/jenkins/org.jenkinsci.plugins.configfiles.GlobalConfigFiles.xml -c jenkins
+    oc delete pod $JENKINS_POD -n {{ ocp4_workload_trusted_application_pipeline_jenkins_namespace
+    }}
+
+- name: Create Jenkins Secrets
+  kubernetes.core.k8s:
+    state: present
+    definition: "{{ lookup('file', item) | from_yaml }}"
+    namespace: "{{ ocp4_workload_trusted_application_pipeline_jenkins_namespace }}"
+  loop:
+  - external-secret-trustification.yml
+  - external-secret-gitlab-webhook.yml
+  - external-secret-common-password.yml
+  - external-secret-stackrox-token.yml
+
+- name: Create Jenkins Job Runner Resources
+  kubernetes.core.k8s:
+    state: present
+    definition: "{{ lookup('template', item) | from_yaml }}"
+  loop:
+  - cluster-role-binding-job-runner-sa-cluster-edit.yml.j2
+  - sa-jenkins-job-runner.yml.j2
+
+- name: Retrieve cosign signing secret
+  kubernetes.core.k8s_info:
+    api_version: v1
+    kind: Secret
+    name: signing-secrets
+    namespace: "{{ ocp4_workload_trusted_application_pipeline_pipelines_namespace }}"
+  register: r_signing_secrets
+  retries: 120
+  delay: 10
+  until:
+  - r_signing_secrets is defined
+  - r_signing_secrets.resources is defined
+  - r_signing_secrets.resources | length > 0
+
+- name: Creating Cosign Signing Secret
+  shell: |
+    oc create secret generic signing-secrets -n {{
+    ocp4_workload_trusted_application_pipeline_jenkins_namespace }} \
+    --from-literal=cosign.key={{ r_signing_secrets.resources[0].data['cosign.key'] }} \
+    --from-literal=cosign.pub={{ r_signing_secrets.resources[0].data['cosign.pub'] }} \
+    --from-literal=cosign.password={{ r_signing_secrets.resources[0].data['cosign.password'] | b64decode }}
+
+- name: Wait until Jenkins is fully up and running
+  k8s_info:
+    api_version: v1
+    kind: Deployment
+    name: jenkins
+    namespace: "{{ ocp4_workload_trusted_application_pipeline_jenkins_namespace }}"
+  register: r_jenkins
+  retries: 60
+  delay: 10
+  until:
+  - r_jenkins.resources[0].status is defined
+  - r_jenkins.resources[0].status.readyReplicas is defined
+  - r_jenkins.resources[0].status.readyReplicas == r_jenkins.resources[0].spec.replicas
+
+- name: Generate Jenkins API Token
+  uri:
+    url: "{{ ocp4_workload_trusted_application_pipeline_jenkins_host }}/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken"
+    user: admin
+    password: "{{ ocp4_workload_trusted_application_pipeline_jenkins_admin_password }}"
+    method: POST
+    force_basic_auth: true
+    validate_certs: false
+    body_format: form-urlencoded
+    body:
+      newTokenName: backstage
+  register: r_jenkins_token
+
+- name: Set Jenkins Token Fact
+  set_fact:
+    ocp4_workload_trusted_application_pipeline_jenkins_token: "{{ r_jenkins_token.json.data.tokenValue }}"

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/tasks/workload.yml

@@ -68,6 +68,9 @@
     ocp4_workload_trusted_application_pipeline_tpa_issuer_url: "https://sso-{{
       ocp4_workload_trusted_application_pipeline_tpa_namespace }}.{{
       r_ingress_config.resources[0].spec.domain }}/realms/chicken"
+    ocp4_workload_trusted_application_pipeline_jenkins_host: "https://jenkins-{{
+      ocp4_workload_trusted_application_pipeline_jenkins_namespace }}.{{
+      r_ingress_config.resources[0].spec.domain }}"
 
 - name: Setup Gitlab dependencies
   ansible.builtin.include_tasks:
@@ -84,6 +87,15 @@
   loop_control:
     loop_var: location
 
+- name: Run RHTAP specific tasks
+  ansible.builtin.include_tasks: "{{ item }}"
+  loop:
+  - setup_cyclonedx_repo_server.yml
+  - setup_tekton_chains.yml
+  - setup_stackrox.yml
+  - setup_tpa_secrets.yml
+  - setup_jenkins.yml
+
 - name: Setup Backstage dependencies
   ansible.builtin.include_tasks:
     file: ./setup_backstage.yml
@@ -96,14 +108,6 @@
   ansible.builtin.include_tasks:
     file: ./setup_devspaces.yml
 
-- name: Run RHTAP specific tasks
-  ansible.builtin.include_tasks: "{{ item }}"
-  loop:
-  - setup_cyclonedx_repo_server.yml
-  - setup_tekton_chains.yml
-  - setup_stackrox.yml
-  - setup_tpa_secrets.yml
-
 - name: Build user output
   block:
   - name: Set user_list

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/templates/cluster-role-binding-job-runner-sa-cluster-edit.yml.j2

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: jenkins-jobrunner-edit
+subjects:
+  - kind: ServiceAccount
+    name: job-runner
+    namespace: {{ ocp4_workload_trusted_application_pipeline_jenkins_namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit