Create EC policy config for validating Task definitions

Makefile

@@ -6,28 +6,30 @@ DATA_JSON=src/data.json
 
 POLICY_TEMPLATE=src/policy.yaml.tmpl
 POLICY_RHTAP_TEMPLATE=src/policy-rhtap.yaml.tmpl
+POLICY_RHTAP_TASKS_TEMPLATE=src/policy-rhtap-tasks.yaml.tmpl
 POLICY_GITHUB_TEMPLATE=src/policy-github.yaml.tmpl
 
 ifndef GOMPLATE
 	GOMPLATE=gomplate
 endif
 
-%/policy.yaml: $(POLICY_TEMPLATE) $(DATA_JSON) $(POLICY_RHTAP_TEMPLATE) $(POLICY_GITHUB_TEMPLATE) Makefile
+%/policy.yaml: $(POLICY_TEMPLATE) $(DATA_JSON) $(POLICY_RHTAP_TEMPLATE) $(POLICY_RHTAP_TASKS_TEMPLATE) $(POLICY_GITHUB_TEMPLATE) Makefile
 	@mkdir -p $(*)
 	@env NAME=$(*) $(GOMPLATE) -d data=$(DATA_JSON) --file $< \
-		-t rhtap=$(POLICY_RHTAP_TEMPLATE) -t github=$(POLICY_GITHUB_TEMPLATE) \
+		-t rhtap=$(POLICY_RHTAP_TEMPLATE) -t rhtap-tasks=$(POLICY_RHTAP_TASKS_TEMPLATE) -t github=$(POLICY_GITHUB_TEMPLATE) \
 		-o $@
 
 POLICY_FILES=$(shell jq -r '"\(keys | .[])/policy.yaml"' src/data.json)
 
 README_TEMPLATE=src/README.md.tmpl
 README_RHTAP_TEMPLATE=src/README-rhtap.md.tmpl
+README_RHTAP_TASKS_TEMPLATE=src/README-rhtap-tasks.md.tmpl
 README_GITHUB_TEMPLATE=src/README-github.md.tmpl
 README_FILE=README.md
 
-$(README_FILE): $(README_TEMPLATE) $(DATA_JSON) $(README_RHTAP_TEMPLATE) $(README_GITHUB_TEMPLATE) Makefile
+$(README_FILE): $(README_TEMPLATE) $(DATA_JSON) $(README_RHTAP_TEMPLATE) $(README_RHTAP_TASKS_TEMPLATE) $(README_GITHUB_TEMPLATE) Makefile
 	@$(GOMPLATE) -d data=$(DATA_JSON) --file $< \
-		-t rhtap=$(README_RHTAP_TEMPLATE) -t github=$(README_GITHUB_TEMPLATE) \
+		-t rhtap=$(README_RHTAP_TEMPLATE) -t rhtap-tasks=$(README_RHTAP_TASKS_TEMPLATE) -t github=$(README_GITHUB_TEMPLATE) \
 		> $@
 
 all: $(POLICY_FILES) $(README_FILE)

README.md

@@ -70,6 +70,21 @@ Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic
   * Path in repository: [`pipelines/enterprise-contract-slsa3.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-slsa3.yaml)
 
 
+## Red Hat Trusted Application Pipeline - Tasks
+
+These are policy rules used to verify Tekton Task definitions meet the Red Hat guidelines for being
+considered trusted.
+
+The policy configuration files are:
+
+### Red Hat Trusted Tasks
+
+Rules used to verify Tekton Task definitions comply to Red Hat's standards.
+
+* URL for Enterprise Contract: `github.com/enterprise-contract/config//redhat-trusted-tasks`
+* Source: [redhat-trusted-tasks/policy.yaml](https://github.com/enterprise-contract/config/blob/main/redhat-trusted-tasks/policy.yaml)
+
+
 ## GitHub
 
 Container images built via [GitHub Actions](https://docs.github.com/actions) can be verified with

hack/update-infra-deployments.sh

@@ -42,12 +42,46 @@ cd "$(git rev-parse --show-toplevel)"
 # Something else is reponsible for maintaining the policy URL refs. Here we save their current value
 # so we can ensure they stay the same. As a sanity check, we ensure that a single policy URL is used
 # across all policies for the sake of simplicity given that is the current state.
-policy_url="$(< "${OUTPUT}" yq '.spec.sources[].policy[]' | grep -v -- '---' | sort -u)"
-if [[ "$(echo $policy_url | wc -w)" -ne "1" ]]; then
-    echo -e "Unexpected amount of policy URLs: \n${policy_url}"
-    exit 1
-fi
-echo $policy_url
+function get_policy_url() {
+    local marker
+    local url
+
+    marker="$1"
+
+    url="$(
+        < "${OUTPUT}" \
+        marker="${marker}" \
+        yq '.spec.sources[].policy[] | select(contains(strenv(marker)))' -o json -r | sort -u
+    )"
+
+    if [[ "$(echo $url | wc -w)" -gt "1" ]]; then
+        echo -e "Unexpected amount of policy URLs: \n${url}"
+        exit 1
+    fi
+
+    printf "${url}"
+}
+
+function get_policy_configs() {
+    local configs
+    local environment
+
+    environment="$1"
+
+    configs="$(
+        < src/data.json \
+        environment="${environment}" \
+        jq -r 'to_entries | .[] | select(.value.environment == env.environment) | select(.value.deprecated | not) | "\(.key)/policy.yaml"' \
+    | sort)"
+
+    printf "${configs}"
+}
+
+release_policy_url="$(get_policy_url "ec-release-policy")"
+echo "Release policy URL: ${release_policy_url}"
+
+task_policy_url="$(get_policy_url "ec-task-policy")"
+echo "Task policy URL: ${task_policy_url}"
 
 # Always generate the output file from scratch and add some helper text on the generated file.
 echo '#
@@ -56,33 +90,55 @@ echo '#
 #
 ' > "${OUTPUT}"
 
-# Figure out which policy config files to use.
-policy_configs="$(
-    < src/data.json \
-    jq -r 'to_entries| .[] | select(.value.environment == "rhtap") | select(.value.deprecated | not) | "\(.key)/policy.yaml"' \
-    | sort)"
+if [[ ! -z $release_policy_url ]]; then
+    # Figure out which release policy config files to use.
+    policy_configs="$(get_policy_configs "rhtap")"
 
-for policy_config in $policy_configs; do
-    name="$(dirname $policy_config)"
-    # For legacy reasons, the everything config is called "all" in RHTAP
-    if [[ "${name}" == 'everything' ]]; then
-        name='all'
-    fi
+    for policy_config in $policy_configs; do
+        name="$(dirname $policy_config)"
+        # For legacy reasons, the everything config is called "all" in RHTAP
+        if [[ "${name}" == 'everything' ]]; then
+            name='all'
+        fi
 
-    echo "---" >> "${OUTPUT}"
-    name="${name}" policy="${policy_url}" \
-    yq -P -o yaml '{
-        "apiVersion": "appstudio.redhat.com/v1alpha1",
-        "kind": "EnterpriseContractPolicy",
-        "metadata": {
-            "name": strenv(name),
-            "namespace": "enterprise-contract-service"
-        },
-        "spec": . }
-        | .spec.sources[].policy = [strenv(policy)]
-        | .spec.publicKey = "k8s://openshift-pipelines/public-key"
-        | sort_keys(..) ' \
-        "${policy_config}"  >> "${OUTPUT}"
-done
+        echo "---" >> "${OUTPUT}"
+        name="${name}" policy="${release_policy_url}" \
+        yq -P -o yaml '{
+            "apiVersion": "appstudio.redhat.com/v1alpha1",
+            "kind": "EnterpriseContractPolicy",
+            "metadata": {
+                "name": strenv(name),
+                "namespace": "enterprise-contract-service"
+            },
+            "spec": . }
+            | .spec.sources[].policy = [strenv(policy)]
+            | .spec.publicKey = "k8s://openshift-pipelines/public-key"
+            | sort_keys(..) ' \
+            "${policy_config}"  >> "${OUTPUT}"
+    done
+fi
+
+if [[ ! -z $task_policy_url ]]; then
+    # Figure out which task policy config files to use.
+    task_policy_configs="$(get_policy_configs "rhtap-tasks")"
+
+    for policy_config in $task_policy_configs; do
+        name="$(dirname $policy_config)"
+
+        echo "---" >> "${OUTPUT}"
+        name="${name}" policy="${task_policy_url}" \
+        yq -P -o yaml '{
+            "apiVersion": "appstudio.redhat.com/v1alpha1",
+            "kind": "EnterpriseContractPolicy",
+            "metadata": {
+                "name": strenv(name),
+                "namespace": "enterprise-contract-service"
+            },
+            "spec": . }
+            | .spec.sources[].policy = [strenv(policy)]
+            | sort_keys(..) ' \
+            "${policy_config}"  >> "${OUTPUT}"
+    done
+fi
 
 echo 'infra-deployments updated successfully'

hack/verify-policy-sources.sh

@@ -55,7 +55,7 @@ verify_url() {
     fi
 }
 
-policy_configs="$(< src/data.json yq '.[].name + "/policy.yaml"' -r)"
+policy_configs="$(< src/data.json yq '. | keys | .[] + "/policy.yaml"' -r)"
 
 policy_urls="$(yq eval '.sources[].policy[]' $policy_configs | grep -v -- '---' | sort -u)"
 for url in $policy_urls; do

redhat-trusted-tasks/policy.yaml

@@ -0,0 +1,21 @@
+# To use this policy with the ec command line:
+#   ec validate input \
+#     --file $FILE \
+#     --policy github.com/enterprise-contract/config//redhat-trusted-tasks
+#
+name: Red Hat Trusted Tasks
+description: >-
+  Rules used to verify Tekton Task definitions comply to Red Hat's standards.
+sources:
+  - name: Default
+    policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/task
+    data:
+      - github.com/release-engineering/rhtap-ec-policy//data
+    config:
+      include:
+        - kind
+        - step_image_registries
+      exclude:
+        []

src/README-rhtap-tasks.md.tmpl

@@ -0,0 +1,8 @@
+{{ with .data }}
+### {{ .name }}
+
+{{ .description }}
+
+* URL for Enterprise Contract: `github.com/enterprise-contract/config//{{ $.directory }}`
+* Source: [{{ $.directory }}/policy.yaml](https://github.com/enterprise-contract/config/blob/main/{{ $.directory }}/policy.yaml)
+{{- end }}

src/README.md.tmpl

@@ -23,6 +23,22 @@ The policy configuration files are:
   {{- end }}
 {{- end }}
 
+## Red Hat Trusted Application Pipeline - Tasks
+
+These are policy rules used to verify Tekton Task definitions meet the Red Hat guidelines for being
+considered trusted.
+
+The policy configuration files are:
+{{ range $k, $v := ds "data" }}
+  {{- with coll.Dict "directory" $k "data" $v }}
+    {{- if not (index .data "deprecated") }}
+      {{- if eq .data.environment "rhtap-tasks" }}
+        {{- template "rhtap-tasks" . }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
 ## GitHub
 
 Container images built via [GitHub Actions](https://docs.github.com/actions) can be verified with

src/data.json

@@ -26,7 +26,10 @@
     "description": "Includes most of the rules and policies required internally by Red Hat when building Red Hat products. It excludes the requirement of hermetic builds.",
     "environment": "rhtap",
     "include": ["@redhat"],
-    "exclude": ["hermetic_build_task", "tasks.required_tasks_found:prefetch-dependencies"]
+    "exclude": [
+      "hermetic_build_task",
+      "tasks.required_tasks_found:prefetch-dependencies"
+    ]
   },
   "slsa3": {
     "name": "SLSA3",
@@ -42,6 +45,13 @@
     "include": ["*"],
     "exclude": []
   },
+  "redhat-trusted-tasks": {
+    "name": "Red Hat Trusted Tasks",
+    "description": "Rules used to verify Tekton Task definitions comply to Red Hat's standards.",
+    "environment": "rhtap-tasks",
+    "include": ["kind", "step_image_registries"],
+    "exclude": []
+  },
   "github-default": {
     "name": "GitHub Default",
     "description": "Rules for container images built via GitHub Workflows.",

src/policy-rhtap-tasks.yaml.tmpl

@@ -0,0 +1,23 @@
+{{ with .data -}}
+# To use this policy with the ec command line:
+#   ec validate input \
+#     --file $FILE \
+#     --policy github.com/enterprise-contract/config//{{ $.directory }}
+#
+name: {{.name}}
+description: >-
+  {{ .description }}
+sources:
+  - name: Default
+    policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/task
+    data:
+      - github.com/release-engineering/rhtap-ec-policy//data
+    config:
+      include:
+        {{ .include | toYAML | strings.Indent 8 | strings.TrimSpace }}
+      exclude:
+        {{ .exclude | toYAML | strings.Indent 8 | strings.TrimSpace }}
+
+{{- end -}}

src/policy.yaml.tmpl

@@ -4,6 +4,8 @@
     {{- with coll.Dict "directory" $key "data" $data }}
       {{- if eq .data.environment "rhtap" }}
         {{- template "rhtap" . }}
+      {{- else if eq .data.environment "rhtap-tasks" }}
+        {{- template "rhtap-tasks" . }}
       {{- else }}
         {{- template "github" . }}
       {{- end }}