cincinnati-op: add test fips-image-scan

Author: hongkailiu

ci-operator/config/openshift/cincinnati-operator/openshift-cincinnati-operator-master.yaml

@@ -3,6 +3,10 @@ base_images:
     name: cincinnati-build-root
     namespace: cincinnati-ci
     tag: deploy
+  fips-check-payload:
+    name: check-payload
+    namespace: ci
+    tag: latest
   operator-sdk:
     name: "4.15"
     namespace: origin
@@ -131,6 +135,71 @@ tests:
           cpu: 100m
           memory: 200Mi
     workflow: generic-claim
+- as: fips-ci-image-scan
+  optional: true
+  steps:
+    test:
+    - as: check-payload
+      commands: |
+        set -euo pipefail
+
+        declare -A SCAN_IMAGES
+        SCAN_IMAGES=( ["cincinnati-operator"]="$RELATED_IMAGE_OPERATOR" )
+
+        export REGISTRY_AUTH_FILE=/var/secrets/registry-pull-secret/.dockerconfigjson
+        for image_k in "${!SCAN_IMAGES[@]}"
+        do
+          checking "image: ${SCAN_IMAGES[$image_k]} ..."
+          mkdir -p /tmp/oci-images
+          skopeo copy --remove-signatures docker://"${SCAN_IMAGES[$image_k]}" oci:/tmp/oci-images:"$image_k":latest
+          mkdir -p /tmp/unpacked-images/"$image_k"
+          umoci raw unpack --rootless --image /tmp/oci-images:"$image_k":latest /tmp/unpacked-images/"$image_k"
+          mkdir -p "$ARTIFACT_DIR"/"$image_k"
+          /check-payload scan local -v=6 --path=/tmp/unpacked-images/"$image_k" --output-file=$ARTIFACT_DIR/$image_k/check-payload-report.txt
+        done
+      credentials:
+      - mount_path: /var/secrets/registry-pull-secret
+        name: registry-pull-credentials
+        namespace: test-credentials
+      dependencies:
+      - env: RELATED_IMAGE_OPERATOR
+        name: pipeline:cincinnati-operator
+      from: fips-check-payload
+      resources:
+        requests:
+          cpu: 50m
+          memory: 64Mi
+- as: fips-production-image-scan
+  cron: '@yearly'
+  steps:
+    test:
+    - as: check-payload
+      commands: |
+        set -euo pipefail
+
+        declare -A SCAN_IMAGES
+        SCAN_IMAGES=( ["cincinnati-operator"]="registry.redhat.io/openshift-update-service/openshift-update-service-rhel8-operator:latest" )
+
+        export REGISTRY_AUTH_FILE=/var/secrets/ci-pull-credentials/.dockerconfigjson
+        for image_k in "${!SCAN_IMAGES[@]}"
+        do
+          checking "image: ${SCAN_IMAGES[$image_k]} ..."
+          mkdir -p /tmp/oci-images
+          skopeo copy --remove-signatures docker://"${SCAN_IMAGES[$image_k]}" oci:/tmp/oci-images:"$image_k":latest
+          mkdir -p /tmp/unpacked-images/"$image_k"
+          umoci raw unpack --rootless --image /tmp/oci-images:"$image_k":latest /tmp/unpacked-images/"$image_k"
+          mkdir -p "$ARTIFACT_DIR"/"$image_k"
+          /check-payload scan local -v=6 --path=/tmp/unpacked-images/"$image_k" --output-file=$ARTIFACT_DIR/$image_k/check-payload-report.txt
+        done
+      credentials:
+      - mount_path: /var/secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        namespace: test-credentials
+      from: fips-check-payload
+      resources:
+        requests:
+          cpu: 50m
+          memory: 64Mi
 - as: operator-e2e-new-ocp-published-graph-data
   cluster_claim:
     architecture: amd64

ci-operator/jobs/openshift/cincinnati-operator/openshift-cincinnati-operator-master-periodics.yaml

@@ -0,0 +1,61 @@
+periodics:
+- agent: kubernetes
+  cluster: build03
+  cron: '@yearly'
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: master
+    org: openshift
+    repo: cincinnati-operator
+  labels:
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cincinnati-operator-master-fips-production-image-scan
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=fips-production-image-scan
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator

ci-operator/jobs/openshift/cincinnati-operator/openshift-cincinnati-operator-master-presubmits.yaml

@@ -55,6 +55,69 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )ci-bundle-cincinnati-bundle,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build09
+    context: ci/prow/fips-ci-image-scan
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-cincinnati-operator-master-fips-ci-image-scan
+    optional: true
+    rerun_command: /test fips-ci-image-scan
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=fips-ci-image-scan
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )fips-ci-image-scan,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches: