...
1#!/usr/bin/env bash
2# =============================================================================
3# SCRIPT NAME: sign-pallet-containers.sh
4# DESCRIPTION:
5# Find container_push targets and modify for container_sign
6#
7# USAGE:
8# Testing:
9# ./sign-pallet-containers.sh -a "test" -k path/to/key/definition:my-cosign-key path/to/sources another/path/to/sources
10#
11# Running:
12# ./sign-pallet-containers.sh -a "run" -k path/to/key/definition:my-cosign-key path/to/sources another/path/to/sources
13# =============================================================================
14
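# Print the usage line to stderr and exit.
# Arguments: $1 - exit status to use (optional, defaults to 0 so a plain
#                 `usage` still behaves as a help request)
usage() {
  echo "Usage: $0 [-k gcp_kms_key reference] [-a action (one of test, run)] push/paths to/resolve" 1>&2
  exit "${1:-0}"
}

# Start from known-empty values so that variables of the same name inherited
# from the calling environment cannot select the action or the signing key.
sign_action=""
cosign_key=""

# A bad invocation must not look like success to a calling pipeline: only an
# explicit -h exits 0, every usage error exits 2.
[ $# -eq 0 ] && usage 2
while getopts "a:k:h" opt; do
  case "$opt" in
    a)
      sign_action="$OPTARG"
      { [ "$sign_action" == "run" ] || [ "$sign_action" == "test" ]; } || usage 2
      ;;
    # The key reference is handed to bazel as a build-setting flag.
    k) cosign_key="--//hack/build/rules/container/sign:gcp_kms_key=$OPTARG" ;;
    h) usage ;;
    *) usage 2 ;;
  esac
done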
26
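# Everything left after the options is a source path to search.
shift $((OPTIND-1))

echo "sign_action: $sign_action"
echo "cosign_key: $cosign_key"

push_paths=( "$@" )

# At least one source path is required; without one there is nothing to sign.
if [ "${#push_paths[@]}" -eq 0 ]; then
  echo "Error: no push paths found" >&2
  exit 1
fi

# The same paths are grepped for bzl:// references by search_bazel_targets.
bazel_targets=("${push_paths[@]}")
echo "bazel targets: ${bazel_targets[*]}"

# Build the space-separated "//path/..." pattern list used in the bazel query.
# Reset first so an inherited environment variable cannot add extra patterns.
# NOTE(review): the paths are interpolated into the query expression as given;
# they are assumed to come from a trusted caller.
kustomization_targets=""
for item in "${push_paths[@]}"; do
  kustomization_targets="$kustomization_targets//${item}/... "
done

echo "kustomization targets: $kustomization_targets"
pushes=() # collect the targets here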
50
# Collect every signing target into the global `pushes` array by running the
# two searches in order: bzl:// references first, kustomization images second.
# Returns: the status of the last search that ran.
get_targets() {
  local step
  for step in search_bazel_targets search_kustomization_images; do
    "$step"
  done
}
56
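# Find bzl:// references under the source paths and append them to `pushes`,
# with container_push rewritten to container_sign.
# Globals:   bazel_targets (read) - paths searched recursively
#            pushes (appended)
# Lines where a '#' precedes "bzl://" are skipped; on matching lines the text
# after "bzl:" is kept up to the next '#', and double quotes and commas are
# removed.
search_bazel_targets() {
  local found label
  local -a labels=()
  # `--` keeps a path that starts with '-' from being read as a grep option.
  found=$(grep -hr -- '^[^#]*bzl://' "${bazel_targets[@]}" |
    awk -F'bzl:' '{print $2}' |
    awk -F'#' '{print $1}' |
    tr -d '",')
  # Split on whitespace into an array; unlike an unquoted expansion this does
  # not glob-expand a label that happens to contain '*' or '?'.
  # read returns non-zero at end of input, which is expected here.
  IFS=$' \t\n' read -r -d '' -a labels <<< "$found" || true
  for label in "${labels[@]}"; do
    pushes+=("${label//container_push/container_sign}")
  done
}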
67
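# Query bazel for kustomization rules with an `images` attribute and append
# each image label to `pushes`, with container_push rewritten to container_sign.
# Globals:   kustomization_targets (read) - space-separated target patterns
#            pushes (appended)
# Returns:   0 on success, otherwise the status of the failed query pipeline.
search_kustomization_images() {
  local found label status=0
  local -a labels=()
  # pipefail is scoped to this command substitution so that a failing
  # `bazel query` is not hidden behind a successful jq.
  found=$(
    set -o pipefail
    bazel query 'attr(images, 1, kind(kustomization, set('"$kustomization_targets"')))' --output streamed_jsonproto |
      jq -rs '.[].rule.attribute[]|select(.name == "images").labelKeyedStringDictValue[].key'
  ) || status=$?
  # Split on whitespace without glob-expanding the labels; read returns
  # non-zero at end of input, which is expected here.
  IFS=$' \t\n' read -r -d '' -a labels <<< "$found" || true
  for label in "${labels[@]}"; do
    pushes+=("${label//container_push/container_sign}")
  done
  # Whatever was returned is still collected, but the failure is reported so
  # an incomplete list of signing targets does not go unnoticed.
  if [ "$status" -ne 0 ]; then
    echo "Warning: kustomization image query failed (status $status); the target list may be incomplete" >&2
  fi
  return "$status"
}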
74
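get_targets

# De-duplicate the collected targets. Each entry is a single whitespace-free
# word, so one entry per line through `sort -u` is enough.
IFS=" " read -r -a formatted_pushes <<< "$(printf '%s\n' "${pushes[@]}" | sort -u | tr '\n' ' ')"
number_of_pushes=${#formatted_pushes[@]}

# Execute the requested action.
if [ "$sign_action" == "test" ]; then
  # Dry run: report what would be signed and with which key flag.
  echo "would be using $cosign_key"
  echo "pushes "
  echo "${formatted_pushes[@]}"
  echo "number of pushes: $number_of_pushes"
elif [ "$sign_action" == "run" ]; then
  # Without -k the key flag is empty and bazel would receive an empty first
  # argument in its place, so stop before anything is run.
  if [ -z "$cosign_key" ]; then
    echo "Error: -k <gcp_kms_key reference> is required when the action is run" >&2
    exit 1
  fi
  echo "number of pushes: $number_of_pushes"
  failed=()
  for push in "${formatted_pushes[@]}"; do
    # Keep going after a failure so every target is attempted, but remember
    # it: the script's exit status must not depend only on the last target.
    if ! bazel run "$cosign_key" "$push"; then
      echo "Error: signing failed for $push" >&2
      failed+=("$push")
    fi
  done
  if [ "${#failed[@]}" -gt 0 ]; then
    echo "Error: ${#failed[@]} of $number_of_pushes targets failed to sign: ${failed[*]}" >&2
    exit 1
  fi
else
  echo "no valid SIGN_ACTION found exiting" >&2
  exit 1
fi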