
Commit d7b96e0

Merge pull request #31 from ibm-hyper-protect/manoj-1.3.0.8-changes
adding changes for 1.3.0.8- build.py file
2 parents 257ac69 + dc63aca commit d7b96e0


1 file changed

+71
-14
lines changed


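--- a/build.py
+++ b/build.py
@@ -62,8 +62,11 @@
 'DOCKER_CONTENT_TRUST_BASE',
 'DOCKER_CONTENT_TRUST_BASE_SERVER',
 'DOCKER_CONTENT_TRUST_PUSH_SERVER',
+'ICR_BASE_REPO',
+'ICR_BASE_REPO_PUBLIC_KEY',
 'DOCKERFILE_PATH',
 'DOCKER_BUILD_PATH',
+'ISV_SECRET',
 'ENV_WHITELIST',
 'EXIT_NONZERO'}
 additional_env_vars = {'RUNQ_ROOTDISK',
@@ -267,6 +270,12 @@ def init(self, update=False):
 else:
 body["GITHUB_KEY"] = ""
 
+
+if 'icr_base_repo_public_key' in self.params and self.params['icr_base_repo_public_key'] != '':
+body["BASE_REPO_PUBLIC_KEY"] = self.read_key(self.params['icr_base_repo_public_key'])
+else:
+body["BASE_REPO_PUBLIC_KEY"] = ""
+
 if 'new_secret' in self.params and update:
 if not 'secret' in self.params:
 logger.error('init/update: SECRET has not been defined')
@@ -410,6 +419,8 @@ def config_python(self):
 
 logger.info('a python config file has been written to {}.'.format(repo_regfile_name+'.py'))
 
+
+
 def config_json(self):
 self.less_verbose(delta=2)
 resp, status_code = self.request_api('get-config-json', requests.get, '/config-json', json_response=True)
@@ -426,6 +437,7 @@ def config_json(self):
 if 'repo_id' in self.params and self.params['repo_id'] != '':
 repo_regfile_name = self.params['repo_id']
 
+
 config = resp
 if not 'cap_add' in config or not 'ALL' in config['cap_add']:
 config['cap_add'] = ['ALL']
@@ -435,6 +447,30 @@ def config_json(self):
 if not env_var in config['envs_whitelist']:
 config['envs_whitelist'].append(env_var)
 
+#to add IV secret to .enc file if isv flag is set
+if args.isv_secrets:
+if 'isv_secret' in self.params and len(self.params['isv_secret'])!=0:
+isv=self.params['isv_secret']
+isv_secrets={}
+key_value_pair={}
+for key,value in isv.items():
+if (len(key) != 0 and len(value) != 0):
+key_value_pair.update({key:value})
+isv_secrets.update(key_value_pair)
+else:
+if (len(key) == 0 or len(value) == 0):
+logger.fatal('Provide valid values of secrets in form of key and value pair')
+sys.exit(-1)
+
+secrets_json = {'secrets':{'mount_path': '/isv_secrets/secrets.json', 'secrets_list': isv_secrets}}
+config.update(secrets_json)
+
+else:
+logger.fatal('No values are provided under ISV_SECRET')
+sys.exit(-1)
+
+
+
 cc = config_cipher.ConfigCipher(args.loglevel)
 email = self.params['email'] if 'email' in self.params else ''
 keyid = self.params['key_id'] if 'key_id' in self.params else 'secure-build'
@@ -448,6 +484,9 @@ def config_json(self):
 
 logger.info('a json config file has been written to {}.'.format(repo_regfile_name+'.enc'))
 
+
+
+
 def instance_env(self):
 env_vars = {}
 if 'root_ssh_key_file' in self.params:
@@ -566,7 +605,7 @@ def get_publickey(self):
 f.write(public_key_pem)
 return public_key_pem
 
-def get_dct_publickey(self):
+def get_signed_image_publickey(self):
 resp, status_code = self.request_api('get-config-json', requests.get, '/config-json', json_response=True)
 
 if status_code != 201:
@@ -575,18 +614,35 @@ def get_dct_publickey(self):
 return
 
 if not 'public_key' in resp:
-logger.fatal("get-dct-publickey response=" + json.dumps(resp, indent=4))
+logger.fatal("get-signed-image-publickey response=" + json.dumps(resp, indent=4))
 sys.exit(-1)
 
-dct_public_key = resp['public_key']
+signed_image_public_key = resp['public_key']
 repo_name = resp['repository_name'].replace("/","-")
 if self.verbose > 0:
-logger.info("get-dct-publickey response=" + dct_public_key)
-dct_public_key_file = repo_name + 'dct-public.key'
-with open(dct_public_key_file, 'w') as f:
-f.write(dct_public_key)
-logger.info("Downloaded DCT public key to file " + dct_public_key_file)
-return dct_public_key
+logger.info("get-signed-image-publickey response=" + signed_image_public_key)
+signed_image_public_key_file = repo_name + '-public.key'
+with open(signed_image_public_key_file, 'w') as f:
+f.write(signed_image_public_key)
+logger.info("Downloaded signed image public key to file " + signed_image_public_key_file)
+return signed_image_public_key
+
+def get_digest(self):
+self.less_verbose(delta=2)
+resp, status_code = self.request_api(
+'get-digest', requests.get, '/imagedigest', json_response=True)
+self.more_verbose(delta=2)
+
+if status_code != 201:
+logger.error(resp.decode('utf-8'))
+return
+
+if self.verbose > 1:
+logger.info('image_digest={}'.format(json.dumps(resp, indent=4)))
+
+digest_value = os.popen('echo ' + str(resp) + '| tr -d "[]"')
+print('Digest value of the built image:', digest_value.read())
+digest_value.close()
 
 def read_key(self, key_file):
 with open(os.path.expanduser(key_file), 'r') as f:
@@ -617,7 +673,7 @@ def update_param_file(self, new_params):
 parser = argparse.ArgumentParser(prog='build.py')
 parser.add_argument("-v", "--verbose", action="count", default=0, help="increase verbosity")
 parser.add_argument("--version", action="version", version="%(prog)s v0.221", help="show version")
-parser.add_argument("command", help="[init|update|build|clean|status|log|get-config-json|get-config-python|get-manifest|get-publickey|get-dct-publickey|get-state-image|post-state-image|create-client-cert|create-server-cert|delete-certificates|instance-env]")
+parser.add_argument("command", help="[init|update|build|clean|status|log|get-config-json|get-config-python|get-manifest|get-publickey|get-signed-image-publickey|get-digest|get-state-image|post-state-image|create-client-cert|create-server-cert|delete-certificates|instance-env]")
 parser.add_argument("--github-key-file", help="github_key_file")
 parser.add_argument("--log", help="log_name")
 parser.add_argument("--loglevel", default='INFO', help="log level")
@@ -642,6 +698,7 @@ def update_param_file(self, new_params):
 parser.add_argument("--rd-path", help="encrypted registration file")
 parser.add_argument("--key-id", help="vendor key id")
 parser.add_argument("--email", help="vendor key user email")
+parser.add_argument("--isv-secrets",action="count", default=False, help="If --isvsecret flag is true, isv secrets will be set to registration file. By default flag is false so no isv secrets will be set.")
 args = parser.parse_args()
 
 if args.verbose > 1:
@@ -684,8 +741,10 @@ def update_param_file(self, new_params):
 build.verify_manifest(manifest_name, public_key_pem, args.verify_test)
 elif command == "get-publickey":
 build.get_publickey()
-elif command == "get-dct-publickey":
-build.get_dct_publickey()
+elif command == "get-signed-image-publickey":
+build.get_signed_image_publickey()
+elif command == "get-digest":
+build.get_digest()
 elif command == "get-state-image":
 build.get_state_image()
 elif command == "post-state-image":
@@ -704,5 +763,3 @@ def update_param_file(self, new_params):
 build.instance_env()
 else:
 logger.fatal("unknown command: " + command)
-
-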
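Review bot: In the new get_digest (hunk `@@ -575,18 +614,35 @@`), the digest is extracted by handing the parsed API response to a shell, `os.popen('echo ' + str(resp) + '| tr -d "[]"')`, so whatever the build server returns in /imagedigest is interpolated unescaped into a command line; a response containing shell metacharacters would be executed rather than printed, and the subshell is unnecessary for what is a string cleanup. Do the stripping in Python instead: `digest_value = str(resp).replace('[', '').replace(']', '')` followed by `print('Digest value of the built image:', digest_value)`, which also removes the need for the `.close()` call. Separately, in the isv_secrets block of config_json (hunk `@@ -435,6 +447,30 @@`), the loop calls `isv_secrets.update(key_value_pair)` on every iteration and the `else` branch re-tests the condition the `if` already excluded, so the body can be reduced to one dict build plus a single validation; config_json itself starts before the hunk, while get_digest is entirely within it.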