Generate the first SBOM prototype from the Kubernetes release process #2095
/milestone v1.22
I gave it a test run with
Since this PR has not merged I will further this branch to generate the first BOM prototypes from the release process.
8e5e122 to 9c32986
bb6ad2b to 4fa3f7b
/test pull-release-integration-test
This change prewarms the license cache when we prepare the workspace before staging a new build. The idea is to perform all the requests to download the data at the beginning, to have it ready when we generate the Bill of Materials, failing early if there is a communications issue.
Log messages from the SPDX file were overwhelming the GCB log. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
Add TestGenerateBillOfMaterials() which uses the mocks to test the new stage implementation functions. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This commit adds the Bill of Materials generation function as the 10th step of staging in the Kubernetes release process. This function generates the SPDX documents for each of the versions cut. Once done, the files are copied to the staging bucket. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
While we finish the supported platforms code, we list the produced binaries and images using a temporary function ListArtifacts(). This function will be replaced with the supported platforms framework once it's finished (Ref kubernetes#1926) Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This commit generates the release artifacts SBOM for each of the kubernetes versions built during stage. The artifacts SBOM includes the binaries and images. The source code gets a separate Bill of Materials to make them both more manageable as they are rather large files. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This commit plugs the generation of the kubernetes source code SBOM into the stage phase of the release process. The source code SBOM is generated only once, as all versions in a release are cut at the same point in the commit history. After generating the source SBOM, it is customized and tagged with its own namespace before writing the SPDX file. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
The SBOM integration is ready to go! 🎉 There are still details to iron out, but the big chunk is done. We are ready to produce the first set of SBOMs for
/hold cancel
@puerco does the list of things in the SBOM exactly reflect the stuff in the LICENSES/ directory in k/k? (or does it have more stuff?)
All the data in LICENSES should be included, plus a lot more. Most should be there now, but I noticed in the logs that some packages could not be downloaded and hence have no license declared. I have to check why. This PR lays the groundwork to generate the doc automatically. Once this is in, my focus will be on perfecting the output for beta.0. The licensing data of dependencies will be 1:1 to the LICENSES dir, but I have yet to write some scripts to verify.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: puerco, saschagrunert
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@puerco "plus a lot more" sounds like it could be a concern...
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR integrates the Bill of Materials code into the release process. This generates the first SBOM prototypes that describe a Kubernetes release. We are generating one SBOM for the source code and one for the release artifacts. The proposed namespaces for these are the following:
This PR aims to test the integration of the BOM code with the Kubernetes Release process. The resulting SBOM documents will describe the release source and artifacts, but will not include yet all the features of the SPDX libraries. They will do most of the work of creating the BOM however, enabling us to look for bugs and polish the documents to their final state in beta.0.
This PR is broken into several commits; I've attempted to add meaningful descriptions to each one. The most important changes are:
GenerateBillOfMaterials() step that builds the SPDX documents.
Which issue(s) this PR fixes:
Part of: #1837
Special notes for your reviewer:
The SBOM generation has been tested in several test runs of the release process. I've verified that both stage and release work as expected. For details see:
One of the commits features a temporary function: ListArtifacts(). This function will be replaced with the Supported Platforms framework once we finish it (ref: #1926).
Does this PR introduce a user-facing change?
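The PR description and the commit messages describe an artifacts SBOM as an SPDX document with its own namespace, listing the binaries and images cut for a version, and the thread notes that some packages end up with no license declared because their license data could not be fetched. The following is an added example, not code from this PR or from the kubernetes/release project, that shows what such a document looks like and how a consumer would check it: it renders a minimal SPDX 2.2 tag-value document for a constructed list of artifacts, records an unresolved license as NOASSERTION rather than guessing, and parses the output back to list the packages whose license lookup failed (the verification step the thread says still needs scripting). The Artifact type, the function names, the namespace URL and the sample artifact contents and version are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Artifact is a constructed stand-in for one staged release artifact (a binary
// or an image); the real release tooling lists these from the build output.
type Artifact struct {
	Name    string // artifact name, e.g. "kubectl"
	Version string // release version the artifact belongs to
	License string // SPDX license id; "" when the license lookup failed
	Data    []byte // artifact contents, constructed inline for this example
}

// spdxID builds an SPDX identifier from an artifact name. SPDX identifiers
// allow only letters, digits, '.' and '-', so anything else becomes '-'.
func spdxID(name string) string {
	var b strings.Builder
	for _, r := range name {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '.', r == '-':
			b.WriteRune(r)
		default:
			b.WriteRune('-')
		}
	}
	return "SPDXRef-Package-" + b.String()
}

// GenerateArtifactsSBOM renders a minimal SPDX 2.2 tag-value document that
// describes the given artifacts. namespace is the DocumentNamespace, a URI
// that must be unique to this document. A package whose license is unknown
// is written as NOASSERTION instead of being dropped or guessed.
func GenerateArtifactsSBOM(docName, namespace string, artifacts []Artifact) string {
	sorted := append([]Artifact(nil), artifacts...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })

	var b strings.Builder
	b.WriteString("SPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n")
	fmt.Fprintf(&b, "DocumentName: %s\nDocumentNamespace: %s\n", docName, namespace)
	for _, a := range sorted {
		sum := sha256.Sum256(a.Data) // checksum lets a consumer match the SBOM to the bytes
		lic := a.License
		if lic == "" {
			lic = "NOASSERTION"
		}
		id := spdxID(a.Name)
		fmt.Fprintf(&b, "\nPackageName: %s\nSPDXID: %s\nPackageVersion: %s\n", a.Name, id, a.Version)
		b.WriteString("PackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\n")
		fmt.Fprintf(&b, "PackageChecksum: SHA256: %s\n", hex.EncodeToString(sum[:]))
		fmt.Fprintf(&b, "PackageLicenseConcluded: %s\nPackageLicenseDeclared: %s\n", lic, lic)
		fmt.Fprintf(&b, "Relationship: SPDXRef-DOCUMENT DESCRIBES %s\n", id)
	}
	return b.String()
}

// cutTag splits a "Tag: value" line; blank lines and '#' comments are skipped.
func cutTag(line string) (tag, value string, ok bool) {
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") {
		return "", "", false
	}
	parts := strings.SplitN(line, ":", 2)
	if len(parts) != 2 {
		return "", "", false
	}
	return strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1]), true
}

// ParseDeclaredLicenses reads a tag-value document back and returns the
// declared license per PackageName, as a consumer-side check would.
func ParseDeclaredLicenses(doc string) map[string]string {
	out := map[string]string{}
	current := ""
	for _, line := range strings.Split(doc, "\n") {
		if tag, value, ok := cutTag(line); ok {
			switch tag {
			case "PackageName":
				current = value
			case "PackageLicenseDeclared":
				if current != "" {
					out[current] = value
				}
			}
		}
	}
	return out
}

// MissingLicenses lists the packages whose declared license is NOASSERTION,
// i.e. the ones the license lookup failed for, sorted for stable output.
func MissingLicenses(doc string) []string {
	var names []string
	for name, lic := range ParseDeclaredLicenses(doc) {
		if lic == "NOASSERTION" {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed sample artifacts; contents and version are stand-ins, not real release data.
	artifacts := []Artifact{
		{Name: "kubectl", Version: "v1.22.0-alpha.3", License: "Apache-2.0", Data: []byte("kubectl-bytes")},
		{Name: "kube-apiserver", Version: "v1.22.0-alpha.3", License: "", Data: []byte("apiserver-bytes")},
	}
	doc := GenerateArtifactsSBOM("kubernetes-artifacts", "https://sbom.example.invalid/release/v1.22.0-alpha.3", artifacts)
	fmt.Print(doc)
	fmt.Println("packages without a license:", MissingLicenses(doc))
}
```

Running the program prints the document and then `packages without a license: [kube-apiserver]`, which is exactly the list a release engineer would want to see empty before promoting a build; the checksum line is what lets anyone holding the staged binaries confirm the SBOM describes the bytes they have.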