Dynatrace · jskelin · Nov 21, 2024 · Nov 14, 2024 · Nov 21, 2024
@@ -0,0 +1,47 @@
+/*
+ * @license
+ * Copyright 2024 Dynatrace LLC
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+cosignSecrets = [[path        : "keptn-jenkins/monaco/cosign",
+                  secretValues: [
+                      [envVar: 'cosign_key', vaultKey: 'cosign.key', isRequired: true],
+                      [envVar: 'cosign_pub', vaultKey: 'cosign.pub', isRequired: true],
+                      [envVar: 'cosign_password', vaultKey: 'cosign_password', isRequired: true]
+                  ]]]
+
+void install(String version) {
+    sh(label: "install cosign tool", script: "go install github.com/sigstore/cosign/v2/cmd/cosign@${version}")
+}
+
+/**
+ * sign is a wrapper function which calls cosing sign
+ * @param image address in format registry/library/image:version (e.g. docker.io/dynatrace/dynatrace-configuration-as-code:2.17.0)
+ */
+void sign(String image) {
+    withEnv(["image=${image}"]) {
+        withVault(vaultSecrets: cosignSecrets) {
+            sh(label: "sign container",
+                script: 'COSIGN_PASSWORD=$cosign_password cosign sign --key=env://cosign_key $image -y --recursive')
+        }
+    }
+}
+
+String getPublicKey() {
+    withVault(vaultSecrets: cosignSecrets) {
+        return cosign_pub
+    }
+}
+
+return this
@@ -18,12 +18,12 @@
 /**
  * install sets the required tools
  */
-void install() {
-    sh(label: "download cyclonedx-gomod", script: 'go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.8.0')
+void install(String version) {
+    sh(label: "download cyclonedx-gomod", script: "go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@${version}")
 }
 
-void generate(String fileName) {
-    sh(label: "generate", script: "cyclonedx-gomod app -licenses -assert-licenses -json -main cmd/monaco/ -output ${fileName}")
+void generateSbom(String fileName) {
+    sh(label: "generate SBOM", script: "cyclonedx-gomod app -licenses -assert-licenses -json -main cmd/monaco/ -output ${fileName}")
 }
 
 return this
@@ -14,11 +14,12 @@
  * limitations under the License.
  */
 
+githubSecrets = [[path        : 'keptn-jenkins/monaco/github-credentials',
+                  secretValues: [[envVar: 'token', vaultKey: 'access_token', isRequired: true]]]]
+
 int createRelease(Map args = [version: null]) {
     withEnv(["version=${args.version}",]) {
-        withVault(vaultSecrets: [[path        : 'keptn-jenkins/monaco/github-credentials',
-                                  secretValues: [[envVar: 'token', vaultKey: 'access_token', isRequired: true]]]]
-        ) {
+        withVault(vaultSecrets: githubSecrets) {
             def jsonRes = sh(returnStdout: true, label: "create release on GitHub", script: '''
                         curl --request POST https://api.github.com/repos/Dynatrace/dynatrace-configuration-as-code/releases
                              --header "Accept: application/vnd.github+json"
@@ -39,20 +40,35 @@ int createRelease(Map args = [version: null]) {
     }
 }
 
-void pushFileToRelease(Map args = [rleaseName: null, source: null, releaseId: null]) {
-    withEnv(["rleaseName=${args.rleaseName}", "source=${args.source}", "releaseId=${args.releaseId}",
+void pushFileToRelease(Map args = [rleaseName: null, filename: null, releaseId: null]) {
+    withEnv(["rleaseName=${args.rleaseName}", "filename=${args.filename}", "releaseId=${args.releaseId}",
+    ]) {
+        withVault(githubSecrets) {
+            sh(label: "push file to GitHub", script: '''
+                    curl --request POST https://uploads.github.com/repos/Dynatrace/dynatrace-configuration-as-code/releases/$releaseId/assets?name=$rleaseName
+                         --header "Accept: application/vnd.github+json"
+                         --header "Authorization: Bearer $token"
+                         --header "X-GitHub-Api-Version: 2022-11-28"
+                         --header "Content-Type: application/octet-stream"
+                         --fail-with-body
+                         --data-binary @"$filename"
+                    '''.replaceAll("\n", " ").replaceAll(/ +/, " "))
+        }
+    }
+}
+
+void pushRawDataToRelease(Map args = [rleaseName: null, rawData: null, releaseId: null]) {
+    withEnv(["rleaseName=${args.rleaseName}", "rawData=${args.rawData}", "releaseId=${args.releaseId}",
     ]) {
-        withVault(vaultSecrets: [[path        : 'keptn-jenkins/monaco/github-credentials',
-                                  secretValues: [[envVar: 'token', vaultKey: 'access_token', isRequired: true]]]]
-        ) {
-            sh (label: "push to GitHub", script:  '''
+        withVault(githubSecrets) {
+            sh(label: "push raw data to GitHub", script: '''
                     curl --request POST https://uploads.github.com/repos/Dynatrace/dynatrace-configuration-as-code/releases/$releaseId/assets?name=$rleaseName
                          --header "Accept: application/vnd.github+json"
                          --header "Authorization: Bearer $token"
                          --header "X-GitHub-Api-Version: 2022-11-28"
                          --header "Content-Type: application/octet-stream"
                          --fail-with-body
-                         --data-binary @"$source"
+                         --data-raw "$rawData"
                     '''.replaceAll("\n", " ").replaceAll(/ +/, " "))
         }
     }

@@ -0,0 +1,58 @@
+/*
+ * @license
+ * Copyright 2023 Dynatrace LLC
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+void install() {
+    sh(label: "install ko build-tool", script: "make install-ko")
+}
+
+private def registrySecret(String registry) {
+    String path
+    switch (registry) {
+        case "DockerHub": path = "keptn-jenkins/monaco/dockerhub-deploy"
+        case "DT": path = "keptn-jenkins/monaco/registry-deploy"
+        default: path = "keptn-jenkins/monaco/registry-deploy"
+    }
+
+    return [[path        : "${path}",
+             secretValues: [
+                 [envVar: 'registry', vaultKey: 'registry', isRequired: true],
+                 [envVar: 'repo', vaultKey: 'repo', isRequired: true],
+                 [envVar: 'username', vaultKey: 'username', isRequired: true],
+                 [envVar: 'password', vaultKey: 'password', isRequired: true]]]]
+}
+
+
+void loginToRegistry(Map args = [registry: null]) {
+    withVault(vaultSecrets: registrySecret(args.registry)) {
+        sh(label: "sign in to container registry",
+            script: 'ko login --username=$username --password=$password $registry')
+    }
+}
+
+/**
+ * @return image address in format registry/library/image:version (e.g. docker.io/dynatrace/dynatrace-configuration-as-code:2.17.0)
+ */
+String buildContainer(Map args = [tags: null, registry: null]) {
+    withEnv(["tags=${args.tags.join(",")}", "version=${args.tags[0]}"]) { //, "vaultPath=${args.registrySecretsPath}"
+        withVault(vaultSecrets: registrySecret(args.registry)) {
+            sh(label: "build and publish container",
+                script: 'make docker-container REPO_PATH=$registry/$repo VERSION=$version TAGS=$tags')
+            return "$registry/$repo/dynatrace-configuration-as-code:$version"
+        }
+    }
+}
+
+return this
@@ -34,6 +34,18 @@ pipeline {
 
                     stage("Build binaries") {
                         def tasks = [:]
+
+                        tasks["Docker container"] = {
+                            stage("for testing") {
+                                releaseDockerContainer(ctx, "DT")
+                            }
+                            if (isRelease(ctx)) {
+                                stage ("for DockerHub") {
+                                    releaseDockerContainer(ctx, "DockerHub")
+                                }
+                            }
+                        }
+
                         //linux
                         for (arch in ["amd64", "arm64", "386"]) {
                             Release r = newRelease(os: "linux", arch: arch)
@@ -50,9 +62,7 @@ pipeline {
                             tasks[r.binary.name()] = { releaseBinary(ctx, r) }
                         }
 
-                        tasks["Generate SBOM"] = { sbom(ctx) }
-
-                        tasks["Docker container"] = { releaseDockerContainer(ctx) }
+                        tasks["Generate SBOM"] = { generateSBOM(ctx) }
 
                         parallel tasks
                     }
@@ -179,22 +189,22 @@ void releaseBinary(Context ctx, Release release) {
     }
 }
 
-void releaseDockerContainer(Context ctx) {
+void releaseDockerContainer(Context ctx, String registry) {
     stage("Build Docker") {
-        def dockerTools = load(".ci/jenkins/tools/docker.groovy")
-
-        dockerTools.installKo()
-        dockerTools.installCosign()
+        def ko = load(".ci/jenkins/tools/ko.groovy")
+        ko.install()
+        def cosign = load(".ci/jenkins/tools/cosign.groovy")
+        cosign.install("latest")
 
-        boolean latest = false
+        List<String> tags = [ctx.version]
         if (isFinal(ctx)) {
-            latest = true
+            tags << "latest"
+            ctx.githubRelease.addToRelease(rawData: cosign.getPublicKey(), underName: "cosign.pub")
         }
-        dockerTools.buildContainer(version: ctx.version, registrySecretsPath: "keptn-jenkins/monaco/registry-deploy", latest: latest)
 
-        if (isRelease(ctx)) {
-            dockerTools.buildContainer(version: ctx.version, registrySecretsPath: "keptn-jenkins/monaco/dockerhub-deploy", latest: latest)
-        }
+        ko.loginToRegistry(registry: registry)
+        image = ko.buildContainer(tags: tags, registry: registry)
+        cosign.sign(image)
     }
 }
 
@@ -260,16 +270,17 @@ def pushToDtRepository(Map args = [source: null, dest: null]) {
     }
 }
 
-void sbom(Context ctx) {
+void generateSBOM(Context ctx) {
     stage("Generate SBOM") {
         final String sbomName = "sbom.cdx.json"
-        def sbomTools = load(".ci/jenkins/tools/sbom.groovy")
 
-        sbomTools.install()
-        sbomTools.generate(sbomName)
+        def cyclonedxGomod = load(".ci/jenkins/tools/cyclonedxGomod.groovy")
+        cyclonedxGomod.install("latest")
+
+        cyclonedxGomod.generateSbom(sbomName)
         pushToDtRepository(source: sbomName, dest: "monaco/${ctx.version}/${sbomName}")
         if (isRelease(ctx)) {
-            ctx.githubRelease.addToRelease(source: sbomName, underName: sbomName)
+            ctx.githubRelease.addFileToRelease(filename: sbomName, underName: sbomName)
         }
     }
 }
@@ -305,12 +316,16 @@ class GithubRelease {
     }
 
     void addToRelease(Release release) {
-        githubTools.pushFileToRelease(rleaseName: release.binary.name(), source: release.binary.localPath(), releaseId: this.releaseId)
-        githubTools.pushFileToRelease(rleaseName: "${release.binary.shaName()}", source: release.binary.shaPath(), releaseId: this.releaseId)
+        githubTools.pushFileToRelease(rleaseName: release.binary.name(), filename: release.binary.localPath(), releaseId: this.releaseId)
+        githubTools.pushFileToRelease(rleaseName: "${release.binary.shaName()}", filename: release.binary.shaPath(), releaseId: this.releaseId)
+    }
+
+    void addFileToRelease(Map args = [filename: null, underName: null]) {
+        githubTools.pushFileToRelease(rleaseName: args.underName, filename: args.filename, releaseId: this.releaseId)
     }
 
-    void addToRelease(Map args = [source: null, underName: null]) {
-        githubTools.pushFileToRelease(rleaseName: args.underName, source: args.source, releaseId: this.releaseId)
+    void addToRelease(Map args = [rawData: null, underName: null]) {
+        githubTools.pushRawDataToRelease(rleaseName: args.underName, rawData: args.rawData, releaseId: this.releaseId)
     }
 }