eclipse-cbi · netomi · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -35,17 +35,17 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Set up JDK 17
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
       with:
             java-version: '17'
             distribution: 'temurin'
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@e8b34a2aaa1d35eab0b758128337086bb22bc6bf # v2.26.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@e8b34a2aaa1d35eab0b758128337086bb22bc6bf # v2.26.5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@e8b34a2aaa1d35eab0b758128337086bb22bc6bf # v2.26.5
diff --git a/deploy.sh b/deploy.sh
@@ -27,6 +27,7 @@ git checkout "tags/v${VERSION}" -b "v${VERSION}-branch"
 ./webservice/service-deployment.sh webservice/signing/jar/default.jsonnet "${VERSION}"
 ./webservice/service-deployment.sh webservice/signing/jar/jce.jsonnet "${VERSION}"
 ./webservice/service-deployment.sh webservice/signing/windows/service.jsonnet "${VERSION}"
+./webservice/service-deployment.sh webservice/signing/macosx/service.jsonnet "${VERSION}"
 
 git checkout main
 git branch -d "v${VERSION}-branch"
diff --git a/webservice/deployment.libsonnet b/webservice/deployment.libsonnet
@@ -1,10 +1,22 @@
-local newDeployment(name, artifactId, version) = {
+local newKubeResources(version) = {
+  limits: {
+    cpu: if std.endsWith(version, "SNAPSHOT") then "1" else "4",
+    memory: if std.endsWith(version, "SNAPSHOT") then "1Gi" else "2Gi"
+  },
+  requests: {
+    cpu: if std.endsWith(version, "SNAPSHOT") then "50m" else "500m",
+    memory: if std.endsWith(version, "SNAPSHOT") then "1Gi" else "2Gi"
+  },
+};
+
+local newDeployment(name, artifactId, version, routeTimeout = 60, maxMemory = 512, kubeResources = newKubeResources(version)) = {
   name: name,
   version: version,
   groupId: "org.eclipse.cbi",
   artifactId: artifactId,
   mavenRepoURL: "repo.eclipse.org",
   mavenRepoName: "cbi",
+  maxMemory: maxMemory,
   port: 8080,
   docker: {
     registry: "docker.io",
@@ -86,16 +98,7 @@ local newDeployment(name, artifactId, version) = {
                       containerPort: $.port,
                     }
                   ],
-                  resources: {
-                    limits: {
-                      cpu: if std.endsWith($.version, "SNAPSHOT") then "1" else "4",
-                      memory: if std.endsWith($.version, "SNAPSHOT") then "1Gi" else "2Gi"
-                    },
-                    requests: {
-                      cpu: if std.endsWith($.version, "SNAPSHOT") then "50m" else "500m",
-                      memory: if std.endsWith($.version, "SNAPSHOT") then "1Gi" else "2Gi"
-                    },
-                  },
+                  resources: kubeResources,
                   livenessProbe: {
                     failureThreshold: 3,
                     httpGet: {
@@ -172,7 +175,7 @@ local newDeployment(name, artifactId, version) = {
         kind: "Route",
         metadata: metadata(nameByEnv($.name)) + {
           annotations: {
-            "haproxy.router.openshift.io/timeout": "60s"
+            "haproxy.router.openshift.io/timeout": "%ds" % [routeTimeout]
           },
         },
         spec: {
@@ -215,7 +218,7 @@ local newDeployment(name, artifactId, version) = {
       && rm -f temurin11.tar.gz
 
     ENTRYPOINT [ "java", \
-      "-showversion", "-XshowSettings:vm", "-Xmx512m", \
+      "-showversion", "-XshowSettings:vm", "-Xmx%(maxMemory)dm", \
       "-jar", "/usr/local/%(name)s/%(artifactId)s-%(version)s.jar", \
       "-c", "%(configurationPath)s/%(configurationFilename)s" \
     ]
@@ -233,7 +236,7 @@ local newDeployment(name, artifactId, version) = {
       && rm -f temurin11.tar.gz
 
     ENTRYPOINT [ "java", \
-      "-showversion", "-XshowSettings:vm", "-Xmx512m", \
+      "-showversion", "-XshowSettings:vm", "-Xmx%(maxMemory)dm", \
       "-jar", "/usr/local/%(name)s/%(artifactId)s-%(version)s.jar", \
       "-c", "%(configurationPath)s/%(configurationFilename)s" \
     ]
@@ -243,4 +246,5 @@ local newDeployment(name, artifactId, version) = {
 };
 {
   newDeployment:: newDeployment,
+  newKubeResources:: newKubeResources,
 }
diff --git a/webservice/signing/keychain.sh b/webservice/signing/keychain.sh
@@ -0,0 +1,55 @@
+#! /usr/bin/env bash
+#*******************************************************************************
+# Copyright (c) 2020 Eclipse Foundation and others.
+# This program and the accompanying materials are made available
+# under the terms of the Eclipse Public License 2.0
+# which is available at http://www.eclipse.org/legal/epl-v20.html
+# SPDX-License-Identifier: EPL-2.0
+#*******************************************************************************
+
+# Bash strict-mode
+set -o errexit
+set -o nounset
+set -o pipefail
+
+IFS=$'\n\t'
+
+# Json that will be used for finding keystore metadata can either be passed to stdin or
+# as the file path in $1
+JSON_FILE="${1:-"/dev/stdin"}"
+SERVICE_JSON=$(<"${JSON_FILE}")
+
+KUBECTL_OPT=()
+TEMP_FILES=()
+
+for ENTRY in $(jq -r '.keystore.entries | map(tostring) | join("\n")' <<<"${SERVICE_JSON}"); do
+  ENTRY_NAME="$(jq -r '.name' <<<"${ENTRY}")"
+
+  echo "INFO: Processing keychain '${ENTRY_NAME}'"
+
+  KEYCHAIN_FILE="$(mktemp)"
+  PASSWD_FILE="$(mktemp)"
+
+  TEMP_FILES+=(${KEYCHAIN_FILE} ${PASSWD_FILE})
+
+  pass $(jq -r '.keychain.pass' <<<"${ENTRY}") >> "${KEYCHAIN_FILE}"
+  pass $(jq -r '.password.pass' <<<"${ENTRY}") >> "${PASSWD_FILE}"
+
+  KEYCHAIN_FILENAME=$(jq -r '.keychain.filename' <<<"${ENTRY}")
+  PASSWD_FILENAME=$(jq -r '.password.filename' <<<"${ENTRY}")
+
+  KUBECTL_OPT+=("--from-file=${KEYCHAIN_FILENAME}=${KEYCHAIN_FILE}")
+  KUBECTL_OPT+=("--from-file=${PASSWD_FILENAME}=${PASSWD_FILE}")
+done
+
+# apply keystore to the cluster
+kubectl create secret generic "$(jq -r '.keystore.secretName' <<<"${SERVICE_JSON}")" \
+  --namespace "$(jq -r '.kube.namespace' <<<"${SERVICE_JSON}")" \
+  "${KUBECTL_OPT[@]}" \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+for TMP_FILE in "${TEMP_FILES[@]}"
+do
+  # echo "Deleting temp file: ${TMP_FILE}"
+  rm -f "${TMP_FILE}"
+done
diff --git a/webservice/signing/macosx/create-keychain.sh b/webservice/signing/macosx/create-keychain.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Usage:
+#
+# ./create-keychain.sh <certificate file> <private key file> <private key password file>
+#
+# Create Application keychain:
+# ./create-keychain.sh developerID_application.cer private_key.p12 private_key.passwd
+#
+# Create Installer keychain:
+# ./create-keychain.sh developerID_installer.cer private_key.p12 private_key.passwd
+#
+# Resulting keychain is stored in file keychain-export.p12
+# Keychain password is stored in file keychain-export.passwd
+
+DIR=$(pwd)
+KEYCHAIN="${DIR}/temp.keychain"
+KEYCHAIN_PASSWD="$(pwgen -s -y -1 24)"
+
+if [ -f "${KEYCHAIN}" ];
+then
+  echo "Deleting keychain: ${KEYCHAIN}"
+  rm -f "${KEYCHAIN}"
+fi
+
+echo "Creating kechain: ${KEYCHAIN}"
+security create-keychain -p "${KEYCHAIN_PASSWD}" "${KEYCHAIN}"
+
+echo "Update keychain search list"
+security list-keychain -s $(security list-keychains | grep -v "${KEYCHAIN}" | xargs) "${KEYCHAIN}"
+security list-keychain
+
+CERTIFICATE=${1}
+echo "Import certificate: ${CERTIFICATE}"
+security import "${CERTIFICATE}" -k "${KEYCHAIN}"
+PRIVATE_KEY=${2}
+PRIVATE_KEY_PASSWORD=${3}
+echo "Import private key: ${PRIVATE_KEY}"
+security import "${PRIVATE_KEY}" -k "${KEYCHAIN}" -P "$(cat $PRIVATE_KEY_PASSWORD)"
+
+security show-keychain-info "${KEYCHAIN}"
+
+EXPORT="${DIR}/keychain-export.p12"
+echo "Export identity to ${EXPORT}"
+security export -k "${KEYCHAIN}" -t identities -f pkcs12 -o "${EXPORT}" -P "${KEYCHAIN_PASSWD}"
+
+echo "${KEYCHAIN_PASSWD}" > "${DIR}/keychain-export.passwd"
+
+security list-keychain -s $(security list-keychains | grep -v "${KEYCHAIN}" | xargs)
diff --git a/webservice/signing/macosx/services.jsonnet → ...ce/signing/macosx/forward-service.jsonnet b/webservice/signing/macosx/services.jsonnet → ...ce/signing/macosx/forward-service.jsonnet