Step: operator-pipelines-preflight-common-encrypt

This step encrypts the preflight artifacts with GPG. Currently only one public key is able to decrypt them, so no additional variables are needed.

Container image used for this step: ci/fedora:latest

ci/fedora:latest resolves to an image imported from the specified imagestream tag on the build farm (documentation).

Environment

This step exposes no environment variables except the defaults.

Source Code

#!/usr/bin/env bash

# This step will encrypt preflight artifacts.
# https://github.com/redhat-openshift-ecosystem/openshift-preflight

# GPG keys are stored in vault for DPTP and OSD for the hosted pipeline.
# Should new keys be generated, the private key 'Real name' MUST be
# Preflight Trigger and the public key 'Real name' MUST be Operator
# Pipelines; the email address for either key is trivial.

gpg_private_key_file=/var/run/operator-pipelines-gpg/private
gpg_public_key_file=/var/run/operator-pipelines-gpg/public
preflight_targz_file="${SHARED_DIR}/preflight.tar.gz"
preflight_targz_file_encrypted="${SHARED_DIR}/preflight.tar.gz.asc"

# Look up a key by the 'Real name' in its user ID and print its fingerprint,
# i.e. the line that precedes the matching uid line in `gpg --list-keys` output.
key_fingerprint() {
  gpg --list-keys | grep -B1 "$1" | awk 'NR==1 { print }' | tr -d '[:space:]'
}

echo "Import and trust private key"
gpg -q --import "$gpg_private_key_file" 1> /dev/null
# Ownertrust level 6 = ultimate trust for the signing key
echo "$(key_fingerprint 'Preflight Trigger'):6:" | gpg --import-ownertrust 1> /dev/null

echo "Import and trust public key"
gpg -q --import "$gpg_public_key_file" 1> /dev/null
echo "$(key_fingerprint 'Operator Pipelines'):6:" | gpg -q --import-ownertrust 1> /dev/null

echo "Sign the public key"
gpg -q --batch --yes --sign-key "$(key_fingerprint 'Operator Pipelines')" 1> /dev/null

echo "Encrypting artifacts"
# Encrypt to the Operator Pipelines key and sign with the (ultimately trusted) private key;
# --armor writes the ASCII-armored output to preflight.tar.gz.asc
gpg -q --encrypt --sign --armor -r "$(key_fingerprint 'Operator Pipelines')" "$preflight_targz_file" 1> /dev/null

echo "Make encrypted artifacts accessible"
mv "$preflight_targz_file_encrypted" "${ARTIFACT_DIR}"

echo "Artifacts encrypted and accessible"
exit 0
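The step resolves key fingerprints by scraping the human-readable `gpg --list-keys` output (`grep -B1` on the 'Real name' and taking the preceding line), which breaks if the listing layout changes or a subkey line happens to precede the match. The following is an added example, not part of the step's own code, showing the machine-readable alternative: `gpg --list-keys --with-colons` emits one colon-separated record per line, and the primary-key fingerprint is field 10 of the first `fpr` record after each `pub` record, while the user ID is field 10 of the `uid` record. The sample listing below is constructed for the example (the fingerprints, key IDs and e-mail addresses are placeholders, not the keys stored in vault); `fpr_for_uid` and `sample_fpr_for_uid` are names chosen here.

```shell
#!/usr/bin/env bash

# Constructed sample of `gpg --list-keys --with-colons` output with two keys:
# a signing key named 'Preflight Trigger' (with one encryption subkey) and a
# recipient key named 'Operator Pipelines'. All values are placeholders.
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Preflight Trigger <trigger@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1700000000:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1700000000::1111111111111111111111111111111111111111::Operator Pipelines <pipelines@example.invalid>::::::::::0:
'

# fpr_for_uid NAME
#   Reads `--with-colons` records on stdin and prints the primary-key
#   fingerprint of the first key whose user ID contains NAME. Prints nothing
#   (and returns 0) when no key matches, so callers must check for an empty
#   result before passing it to gpg.
fpr_for_uid() {
  awk -F: -v name="$1" '
    $1 == "pub"                  { fpr = "" }            # new primary key: forget previous fpr
    $1 == "fpr" && fpr == ""     { fpr = $10 }           # first fpr after pub is the primary fingerprint
    $1 == "uid" && fpr != "" && index($10, name) > 0 {   # uid field 10 holds the user ID string
      print fpr
      exit
    }
  '
}

# Wrapper that runs the lookup against the constructed sample instead of a
# live keyring, so the example works offline.
sample_fpr_for_uid() {
  printf '%s' "$SAMPLE_COLONS" | fpr_for_uid "$1"
}

# Example of how the step's gpg calls would consume the fingerprint against a
# real keyring (only run when RUN_GPG=1 so the script stays side-effect free):
#   recipient=$(gpg --list-keys --with-colons | fpr_for_uid 'Operator Pipelines')
#   [ -n "$recipient" ] || { echo "recipient key not found" >&2; exit 1; }
#   printf '%s:6:\n' "$recipient" | gpg -q --import-ownertrust
#   gpg -q --encrypt --sign --armor -r "$recipient" "$preflight_targz_file"
if [ "${RUN_GPG:-0}" = "1" ]; then
  recipient=$(gpg --list-keys --with-colons | fpr_for_uid 'Operator Pipelines')
  [ -n "$recipient" ] || { echo "recipient key not found" >&2; exit 1; }
  echo "Operator Pipelines fingerprint: $recipient"
fi

echo "Operator Pipelines (sample): $(sample_fpr_for_uid 'Operator Pipelines')"
echo "Preflight Trigger (sample):  $(sample_fpr_for_uid 'Preflight Trigger')"
```

Matching on the uid record rather than on a line adjacent to the name means subkey `fpr` records are never mistaken for the primary fingerprint, and the explicit empty-result check avoids handing gpg an empty `-r` argument, which the original pipeline would do silently if the name were not found.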

Properties

Property                    Value   Description
Resource requests (cpu)     1000m   Used in .resources.requests of the pod running this step.
Resource requests (memory)  400Mi   Used in .resources.requests of the pod running this step.

GitHub Link:

https://github.com/openshift/release/blob/master/ci-operator/step-registry/operator-pipelines/preflight-common/encrypt/operator-pipelines-preflight-common-encrypt-ref.yaml
