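#!/usr/bin/env bash
# =============================================================================
# SCRIPT NAME: sign-pallet-containers.sh
# DESCRIPTION:
#   Find container_push targets and modify for container_sign
#
# USAGE:
#   Testing:
#     ./sign-pallet-containers.sh -a "test" -k path/to/key/definition:my-cosign-key path/to/sources another/path/to/sources
#
#   Running:
#     ./sign-pallet-containers.sh -a "run" -k path/to/key/definition:my-cosign-key path/to/sources another/path/to/sources
#
# EXIT STATUS:
#   0 on success (or -h), 1 on a runtime error, 2 on an invalid invocation.
# =============================================================================
set -euo pipefail

#######################################
# Print usage to stderr and exit.
# Arguments: $1 - exit status (default 0, used by -h; argument errors pass 2 so
#                 a CI caller cannot mistake a bad invocation for success)
#######################################
usage() {
  echo "Usage: $0 [-k gcp_kms_key reference] [-a action (one of test, run)] push/paths to/resolve" 1>&2
  exit "${1:-0}"
}

#######################################
# Print an error message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if (( $# == 0 )); then
  usage
fi

# Initialise up front so 'set -u' and the final action dispatch see defined values
# even when -a / -k are omitted.
sign_action=""
cosign_key=""
while getopts ":a:k:h" opt; do
  case "$opt" in
    a)
      sign_action="$OPTARG"
      if [[ "$sign_action" != "run" && "$sign_action" != "test" ]]; then
        usage 2
      fi
      ;;
    k) cosign_key="--//hack/build/rules/container/sign:gcp_kms_key=$OPTARG" ;;
    h) usage ;;
    :) usage 2 ;;   # option missing its argument
    *) usage 2 ;;   # unknown option
  esac
done

# Remaining args are the source paths to resolve
shift $((OPTIND - 1))

echo "sign_action: $sign_action"
echo "cosign_key: $cosign_key"

push_paths=("$@")
if (( ${#push_paths[@]} == 0 )); then
  die "Error: no push paths found"
fi

# Fail early on a path that does not exist: grep -r would otherwise skip it
# silently and the target would simply go unsigned.
for item in "${push_paths[@]}"; do
  [[ -e "$item" ]] || die "Error: push path not found: $item"
done

bazel_targets=("${push_paths[@]}")
echo "bazel targets: ${bazel_targets[*]}"

# One "//path/..." pattern per line; bazel's set() accepts whitespace-separated labels.
kustomization_targets=""
for item in "${push_paths[@]}"; do
  kustomization_targets+="//${item}/... "$'\n'
done
echo "kustomization targets: $kustomization_targets"

pushes=() # collect the targets here

#######################################
# Find the bzl:// targets in the source paths and add them (renamed from
# container_push to container_sign) to the global pushes array.
# Globals:  bazel_targets (read), pushes (written)
#######################################
search_bazel_targets() {
  local targets line
  # grep returns 1 when nothing matches; that is a valid (empty) result, not an error.
  targets=$({ grep -hr -- '^[^#]*bzl://' "${bazel_targets[@]}" || true; } \
    | awk -F'bzl:' '{print $2}' \
    | awk -F'#' '{print $1}' \
    | tr -d "\",")
  # Intentionally unquoted: one label per word
  # shellcheck disable=SC2086
  for line in $targets; do
    pushes+=("${line//container_push/container_sign}")
  done
}

#######################################
# Find the image labels referenced by kustomization rules and add them
# (renamed from container_push to container_sign) to the global pushes array.
# Globals:  kustomization_targets (read), pushes (written)
# Exits non-zero (via set -e) if bazel query or jq fails.
#######################################
search_kustomization_images() {
  local targets line
  targets=$(bazel query 'attr(images, 1, kind(kustomization, set('"$kustomization_targets"')))' --output streamed_jsonproto \
    | jq -rs '.[].rule.attribute[]|select(.name == "images").labelKeyedStringDictValue[].key')
  # Intentionally unquoted: one label per word
  # shellcheck disable=SC2086
  for line in $targets; do
    pushes+=("${line//container_push/container_sign}")
  done
}

#######################################
# Collect every sign target from both sources into pushes.
#######################################
get_targets() {
  search_bazel_targets
  search_kustomization_images
}

get_targets

# Deduplicate; LC_ALL=C keeps the ordering reproducible across locales.
formatted_pushes=()
if (( ${#pushes[@]} > 0 )); then
  mapfile -t formatted_pushes < <(printf '%s\n' "${pushes[@]}" | LC_ALL=C sort -u)
fi
number_of_pushes=${#formatted_pushes[@]}

# execute an action if passed in
if [[ "$sign_action" == "test" ]]; then
  echo "would be using $cosign_key"
  echo "pushes "
  if (( number_of_pushes > 0 )); then
    printf '%s\n' "${formatted_pushes[@]}"
  fi
  echo "number of pushes: $number_of_pushes"
elif [[ "$sign_action" == "run" ]]; then
  # Without -k the run would pass an empty argument to bazel and the signing
  # rule would have no KMS key; refuse instead of signing with an unknown key.
  [[ -n "$cosign_key" ]] || die "Error: -k gcp_kms_key reference is required for -a run"
  echo "number of pushes: $number_of_pushes"
  if (( number_of_pushes > 0 )); then
    for push in "${formatted_pushes[@]}"; do
      bazel run "$cosign_key" "$push"
    done
  fi
else
  die "no valid SIGN_ACTION found exiting"
fi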