Step: operator-pipelines-preflight-common-decrypt

This step decrypts preflight artifacts. Currently only one key pair is used for decryption, so no additional variables are needed.

Container image used for this step: ci/fedora:latest

ci/fedora:latest resolves to an image imported from the specified imagestream tag on the build farm (documentation).

Environment

In addition to the default environment, the step exposes the following:

Variable Name       Type       Variable Content
PFLT_DOCKERCONFIG   Parameter  The full path to a dockerconfigjson file, which is pushed to the target test cluster to access images in private repositories in the DeployableByOLM. If empty, no secret is created and the resource is assumed to be public.

Source Code

#!/usr/bin/env bash

# This step will decrypt preflight artifacts.
# https://github.com/redhat-openshift-ecosystem/openshift-preflight

# GPG keys are stored in vault for DPTP and OSD for the hosted pipeline
# Should new keys be generated, the private key 'Real name' MUST be
# Preflight Trigger and the public key 'Real name' MUST be Operator
# Pipelines; the email address for either key is trivial

set -o nounset
set -o pipefail

gpg_private_key_file=/var/run/operator-pipelines-gpg/private
gpg_public_key_file=/var/run/operator-pipelines-gpg/public

export PFLT_DOCKERCONFIG

# Print the fingerprint of the key whose user ID contains the given name.
# In `gpg --list-keys` output the fingerprint line directly precedes the uid line.
key_fingerprint() {
    gpg --list-keys | grep -B1 "$1" | awk 'NR==1 { print }' | tr -d '[:space:]'
}

if [ -n "${PFLT_DOCKERCONFIG:-}" ]
then
    echo "Import and trust private key"
    gpg -q --import "${gpg_private_key_file}" 1> /dev/null
    # Ownertrust level 6 is "ultimate" in gpg's ownertrust export format
    echo "$(key_fingerprint 'Preflight Trigger'):6:" | gpg --import-ownertrust 1> /dev/null

    echo "Import and trust public key"
    gpg -q --import "${gpg_public_key_file}" 1> /dev/null
    echo "$(key_fingerprint 'Operator Pipelines'):6:" | gpg -q --import-ownertrust 1> /dev/null

    echo "Decrypting artifacts"
    # PFLT_DOCKERCONFIG carries the GPG-encrypted payload as a base16 (hex) string.
    # Fail the step if decoding or decryption fails instead of silently writing an empty file.
    if ! echo "${PFLT_DOCKERCONFIG}" | basenc -d --base16 | gpg -q --decrypt - 2> /dev/null 1> "${SHARED_DIR}/decrypted_config.json"
    then
        echo "Failed to decrypt artifacts"
        exit 1
    fi

    echo "Artifacts decrypted and accessible"
    exit 0
else
    echo "No artifacts to decrypt"
    exit 0
fi
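The script above hands the hex-decoded value of PFLT_DOCKERCONFIG straight to gpg and then writes whatever comes out to decrypted_config.json. The following is an added example, not part of this step or of the release repository, of two sanity checks a pipeline could run around that: confirming the decoded bytes begin with an OpenPGP session-key packet (the first packet gpg emits for an encrypted message, per RFC 4880 section 4.2) before invoking gpg, and confirming the decrypted output is a usable dockerconfigjson before it is pushed to the cluster. The function names, the sample hex payload (a constructed packet header, not real ciphertext) and the sample config are assumptions made for this illustration.

```python
import base64
import json

# OpenPGP packet tags for the two kinds of session-key packet (RFC 4880 section 4.3).
PKESK = 1  # Public-Key Encrypted Session Key
SKESK = 3  # Symmetric-Key Encrypted Session Key

# Constructed sample: new-format header (0xC1 = tag 1, length 10) followed by a
# PKESK version byte, an 8-byte key ID and an algorithm byte. Not real ciphertext.
SAMPLE_HEX_PAYLOAD = "C10A03" + "0011223344556677" + "01"

# Constructed sample dockerconfigjson; "dXNlcjpwYXNz" is base64("user:pass").
SAMPLE_DOCKERCONFIG = json.dumps({"auths": {"quay.io": {"auth": "dXNlcjpwYXNz"}}})


def openpgp_packet_header(data: bytes):
    """Parse the first OpenPGP packet header (RFC 4880 section 4.2).

    Returns (tag, body_length); body_length is None when the length is
    indeterminate (old format) or a partial body length (new format).
    """
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    ctb = data[0]
    if ctb & 0x40:  # new-format packet: tag in the low six bits
        tag = ctb & 0x3F
        if len(data) < 2:
            raise ValueError("truncated packet header")
        first = data[1]
        if first < 192:
            length = first
        elif first < 224:
            if len(data) < 3:
                raise ValueError("truncated packet header")
            length = ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            if len(data) < 6:
                raise ValueError("truncated packet header")
            length = int.from_bytes(data[2:6], "big")
        else:
            length = None  # partial body length; rest of the stream is chunked
    else:  # old-format packet: tag in bits 2-5, length type in bits 0-1
        tag = (ctb >> 2) & 0x0F
        length_type = ctb & 0x03
        if length_type == 3:
            length = None  # indeterminate length
        else:
            width = {0: 1, 1: 2, 2: 4}[length_type]
            if len(data) < 1 + width:
                raise ValueError("truncated packet header")
            length = int.from_bytes(data[1 : 1 + width], "big")
    return tag, length


def check_encrypted_payload(hex_payload: str) -> int:
    """Decode the base16 value and require it to start with a session-key packet.

    Returns the leading packet tag. Raises ValueError for anything that
    gpg --decrypt could not meaningfully consume.
    """
    try:
        data = bytes.fromhex(hex_payload.strip())
    except ValueError as exc:
        raise ValueError("payload is not valid base16") from exc
    tag, _ = openpgp_packet_header(data)
    if tag not in (PKESK, SKESK):
        raise ValueError(f"leading packet tag {tag} is not PKESK (1) or SKESK (3)")
    return tag


def validate_dockerconfig(text: str) -> list:
    """Return the registry hosts in a dockerconfigjson document.

    Rejects documents without an "auths" map, entries without credentials,
    and "auth" values that do not decode to "user:password".
    """
    config = json.loads(text)
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict) or not auths:
        raise ValueError("dockerconfigjson has no 'auths' entries")
    for host, entry in auths.items():
        if not isinstance(entry, dict):
            raise ValueError(f"registry {host!r}: entry is not an object")
        if "auth" in entry:
            decoded = base64.b64decode(entry["auth"], validate=True)
            if b":" not in decoded:
                raise ValueError(f"registry {host!r}: 'auth' is not user:password")
        elif not ("username" in entry and "password" in entry):
            raise ValueError(f"registry {host!r}: no credentials present")
    return sorted(auths)


if __name__ == "__main__":
    print("leading packet tag:", check_encrypted_payload(SAMPLE_HEX_PAYLOAD))
    print("registries:", validate_dockerconfig(SAMPLE_DOCKERCONFIG))
```

Running the checks in this order means a mangled or truncated PFLT_DOCKERCONFIG is reported as such, rather than surfacing later as an opaque pull failure on the test cluster.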

Properties

Property                    Value   Description
Resource requests (cpu)     1000m   Used in .resources.requests of the pod running this step.
Resource requests (memory)  400Mi   Used in .resources.requests of the pod running this step.

GitHub Link:

https://github.com/openshift/release/blob/master/ci-operator/step-registry/operator-pipelines/preflight-common/decrypt/operator-pipelines-preflight-common-decrypt-ref.yaml

Owners:

Approvers:
