Generate the first SBOM protoype from the Kubernetes release process #2095
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
do-not-merge/hold
puerco
changed the title
|
/milestone v1.22 |
|
I gave it a test run with |
k8s-ci-robot
added
size/S
|
Since this PR has not merged I will further this branch to generate the first BOM prototypes from the release process. |
k8s-ci-robot
added
size/L
puerco
changed the title
puerco
force-pushed
the
bom-rproc-1
branch
2 times, most recently
from
8e5e122
to
9c32986
Compare
k8s-ci-robot
added
size/XL
puerco
force-pushed
the
bom-rproc-1
branch
6 times, most recently
from
bb6ad2b
to
4fa3f7b
Compare
|
/test pull-release-integration-test |
This change prewarms the license cache when we prepare the workspace before staging a new build. The idea is to perform all the requests to download the data at the beginning, to have it ready when we generate the Bill of Materials, failing early if there is a communications issue
Log messages from the SPDX File where overwhelming the GCB log. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
Add TestGenerateBillOfMaterials() which uses the mocks to test the new stage implementation functions. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This commit adds the Bill of Materials generation function as the 10th step of staging in the Kubernetes release process. This function generates the SPDX documents for each of the versions cut. Once done, the files are copied to the satging bucket. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
While we finish the supported platforms code, we list the produced binaries and images using a temporary function ListArtifacts(). This function will be replaced with the supporte platforms framework once it's finished (Ref kubernetes#1926) Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This commit generates the release artifacts SBOM for each of the kubernetes versions built during stage. The artifacts SBOM includes the binaries and images. The source code gets a separate Bill of Materials to make them both more manageable as they are rather large files. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This commits plugs the generation of the kubernetes source code SBOM into the stage phase of the release process. The source code SBOM is generated on lye once as all versions in a release are cut at the same point in the commit history. After generating the source SBOM, it is customized and tagged with its own namespace before writing the SPDX file. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
puerco
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
The SBOM integration is ready to go! 🎉 There are still details to iron out, but the big chunk is done. We are ready to produce the first set of SBOMs for /hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
@puerco is the list of things in the SBOM, exactly reflect the stuff in the LICENSES/ directory in k/k? (or does it have more stuff?) |
|
All the data in LICENSES should be included plus a lot more. Most should be there now, but I noticed in the logs that some packages could not be downloaded and hence have no license declared. I have to check why. This PR lays the groundwork to generate the doc automatically. Once this is in, my focus will be on perfecting the output for beta.0 The licensing data of dependencies will be 1:1 to the LICENSES dir but I have yet to write some scripts to verify. |
saschagrunert
approved these changes
Jun 7, 2021
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: puerco, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@puerco "plus a lot more" sounds like could be a concern... |
17 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR integrates the Bill of Materials code Into the release process. This generates the first SBOM prototypes that describe a Kubernetes release. We are generating one SBOM for the source code and one for the release artifacts. The proposed namespaces for these are the following:
This PR aims to test the integration of the BOM code with the Kubernetes Release process. The resulting SBOM documents will describe the release source and artifacts, but will not include yet all the features of the SPDX libraries. They will do most of the work of creating the BOM however, enabling us to look for bugs and polish the documents to their final state in beta.0.
This PR is broken into several commits, I've attempted to add meaningful descriptions to each one. The most important changes are:
GenerateBillOfMaterials()step that builds the SPDX documents.Which issue(s) this PR fixes:
Part of: #1837
Special notes for your reviewer:
The SBOM generation has been tested in several test runs of the release process. I've verified that both stage and release work as expected. For details see:
One of the commits features a temporary function:
ListArtifacts(). This function will be replaced with the Supported Platforms framework once we finish it (ref: #1926 )Does this PR introduce a user-facing change?