Merge remote-tracking branch 'upstream/main'
Katka92 committed Sep 21, 2023
2 parents 6d4a139 + b790e88 commit 493fc64
Showing 2 changed files with 81 additions and 23 deletions.
96 changes: 77 additions & 19 deletions components/enterprise-contract/ecp.yaml
@@ -1,44 +1,102 @@
#
# The contents of this file are automatically generated based on the RHTAP configs defined in the
# github.com/enterprise-contract/config repo. Any manual modifications will be overridden.
#

---
apiVersion: appstudio.redhat.com/v1alpha1
kind: EnterpriseContractPolicy
metadata:
name: default
namespace: enterprise-contract-service
spec:
description: >
Use the policy rules from the "minimal" collection. This and other collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections The minimal collection is a small set of policy rules that should be easy to pass for brand new Stonesoup users. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules
configuration:
include:
- "@minimal"
exclude:
# This can be removed once https://issues.redhat.com/browse/OCPBUGS-8428 is addressed
# Exclude step_image_registries for now since it can cause false
# positives due to https://issues.redhat.com/browse/OCPBUGS-8428
- step_image_registries
include:
- '@slsa1'
- '@slsa2'
- '@slsa3'
description: Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new RHTAP applications. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.
publicKey: k8s://openshift-pipelines/public-key
sources:
- name: Release Policies
data:
- data:
- github.com/release-engineering/rhtap-ec-policy//data?ref=be7e1ef73bdeef2752dde400a52f9eab9b7542ca
- oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest@sha256:021515caf0a4fb6455ada88fcd155baef5b5e5e229e62a587c44e0ff8c5024a0
- oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest@sha256:85431601d5d50520d6de63f649d37943a68c86de0a62228dab30a7774fa074c0
name: Default
policy:
- oci::quay.io/enterprise-contract/ec-release-policy:git-1f33b3b@sha256:e9a2feafa17a2b189b20376e29d787a2f7816885491bd19ea37d4e95876ed380
- oci::quay.io/enterprise-contract/ec-release-policy:git-89e9175@sha256:5b58d42b9392263eab7824ab5278e3a0e9ff57243c189ef63d24bf2867abf128
---
apiVersion: appstudio.redhat.com/v1alpha1
kind: EnterpriseContractPolicy
metadata:
name: all
namespace: enterprise-contract-service
spec:
description: >
Evaluate components with all of the available policy rules. The policy rules are described in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html
# An empty configuration, by default, means all policy rules.
configuration: {}
configuration:
exclude:
# Exclude step_image_registries for now since it can cause false
# positives due to https://issues.redhat.com/browse/OCPBUGS-8428
- step_image_registries
include:
- '*'
description: Include every rule in the default policy source. For experiments only. This is not expected to pass for RHTAP builds without excluding some rules. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.
publicKey: k8s://openshift-pipelines/public-key
sources:
- data:
- github.com/release-engineering/rhtap-ec-policy//data?ref=be7e1ef73bdeef2752dde400a52f9eab9b7542ca
- oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest@sha256:85431601d5d50520d6de63f649d37943a68c86de0a62228dab30a7774fa074c0
name: Default
policy:
- oci::quay.io/enterprise-contract/ec-release-policy:git-89e9175@sha256:5b58d42b9392263eab7824ab5278e3a0e9ff57243c189ef63d24bf2867abf128
---
apiVersion: appstudio.redhat.com/v1alpha1
kind: EnterpriseContractPolicy
metadata:
name: redhat
namespace: enterprise-contract-service
spec:
configuration:
exclude:
# Exclude step_image_registries for now since it can cause false
# positives due to https://issues.redhat.com/browse/OCPBUGS-8428
- step_image_registries
include:
- '@redhat'
description: Includes the full set of rules and policies required internally by Red Hat when building Red Hat products. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.
publicKey: k8s://openshift-pipelines/public-key
sources:
- data:
- github.com/release-engineering/rhtap-ec-policy//data?ref=be7e1ef73bdeef2752dde400a52f9eab9b7542ca
- oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest@sha256:85431601d5d50520d6de63f649d37943a68c86de0a62228dab30a7774fa074c0
name: Default
policy:
- oci::quay.io/enterprise-contract/ec-release-policy:git-89e9175@sha256:5b58d42b9392263eab7824ab5278e3a0e9ff57243c189ef63d24bf2867abf128
---
apiVersion: appstudio.redhat.com/v1alpha1
kind: EnterpriseContractPolicy
metadata:
name: slsa3
namespace: enterprise-contract-service
spec:
configuration:
exclude:
# Exclude step_image_registries for now since it can cause false
# positives due to https://issues.redhat.com/browse/OCPBUGS-8428
- step_image_registries
include:
- '@minimal'
- '@slsa1'
- '@slsa2'
- '@slsa3'
description: Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.
publicKey: k8s://openshift-pipelines/public-key
sources:
- name: Release Policies
data:
- data:
- github.com/release-engineering/rhtap-ec-policy//data?ref=be7e1ef73bdeef2752dde400a52f9eab9b7542ca
- oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest@sha256:021515caf0a4fb6455ada88fcd155baef5b5e5e229e62a587c44e0ff8c5024a0
- oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest@sha256:85431601d5d50520d6de63f649d37943a68c86de0a62228dab30a7774fa074c0
name: Default
policy:
- oci::quay.io/enterprise-contract/ec-release-policy:git-1f33b3b@sha256:e9a2feafa17a2b189b20376e29d787a2f7816885491bd19ea37d4e95876ed380
- oci::quay.io/enterprise-contract/ec-release-policy:git-89e9175@sha256:5b58d42b9392263eab7824ab5278e3a0e9ff57243c189ef63d24bf2867abf128
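Review bot: in the 'all' policy the description reads "Include every rule in the default policy source", yet its configuration.exclude lists step_image_registries, so the policy named 'all' skips a rule that the 'configuration: {}' form shown in the same hunk ("An empty configuration, by default, means all policy rules") did not. Either drop the exclude from 'all' or have its description state that step_image_registries is skipped because of OCPBUGS-8428. The same "for now" exclusion also appears in 'default', 'redhat' and 'slsa3'; since the file header says the contents are generated from github.com/enterprise-contract/config, the change belongs in that repo, with a note on what removes the exclusion once the bug is addressed.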
8 changes: 4 additions & 4 deletions components/enterprise-contract/kustomization.yaml
@@ -1,7 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/enterprise-contract/enterprise-contract-controller/config/crd?ref=82f518c5971a4c249f9bb46ea8521958c563c549
- https://github.com/enterprise-contract/enterprise-contract-controller/config/crd?ref=df2bb8a22d46ddd526d407c07d4d205d2ad6c4ae
- ecp.yaml
- role.yaml
- rolebinding.yaml
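Review bot: the '?ref=' on the CRD resource and the controller 'newTag' under images carry the same commit (df2bb8a22d46ddd526d407c07d4d205d2ad6c4ae) in two separate places, and nothing in the file keeps them in step. A short comment beside each saying they are bumped together would guard against the CRDs and the controller image drifting apart on a later update.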
@@ -11,11 +11,11 @@ configMapGenerator:
- name: ec-defaults
namespace: enterprise-contract-service
literals:
- verify_ec_task_bundle=quay.io/enterprise-contract/ec-task-bundle:2aa427bc12fab0cc5fdda95085f73534d3fd86f2@sha256:664b782af26a3b175d1f64f642b42014110d6d8a801a885313c0209b2b56d72a
- verify_ec_task_bundle=quay.io/enterprise-contract/ec-task-bundle:306267989ecea379471646ef0dee97255c920634@sha256:0fdef06f78674fa2419b795a367b75076c4aedcf0947aa22d957471412cb3bbb
- verify_ec_task_git_url=https://github.com/enterprise-contract/ec-cli.git
- verify_ec_task_git_revision=2aa427bc12fab0cc5fdda95085f73534d3fd86f2
- verify_ec_task_git_revision=306267989ecea379471646ef0dee97255c920634
- verify_ec_task_git_pathInRepo=tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
images:
- name: quay.io/redhat-appstudio/enterprise-contract-controller
newName: quay.io/redhat-appstudio/enterprise-contract-controller
newTag: 82f518c5971a4c249f9bb46ea8521958c563c549
newTag: df2bb8a22d46ddd526d407c07d4d205d2ad6c4ae
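Review bot: under images, the enterprise-contract-controller is selected by 'newTag' alone, while verify_ec_task_bundle in the same hunk is pinned with an '@sha256:' digest. A tag can be re-pointed on the registry even when it is named after a commit, so consider pinning the controller with the kustomize 'digest:' field as well, which gives both references the same immutability guarantee.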
