Update buildah-remote-oci-ta
zregvart committed Jun 10, 2024
1 parent a2b080f commit 5f09a49
Showing 1 changed file with 103 additions and 77 deletions.
180 changes: 103 additions & 77 deletions task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
Expand Up @@ -16,43 +16,45 @@ spec:
When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.
params:
- description: Reference of the image buildah will produce.
name: IMAGE
type: string
- description: The Trusted Artifact URI pointing to the artifact with the application
source code.
name: SOURCE_ARTIFACT
- default: []
description: Array of --build-arg values ("arg=value" strings)
name: BUILD_ARGS
type: array
- default: ""
description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file
name: BUILD_ARGS_FILE
type: string
- default: ""
description: The Trusted Artifact URI pointing to the artifact with the prefetched
dependencies.
name: CACHI2_ARTIFACT
type: string
- default: ./Dockerfile
description: Path to the Dockerfile to build.
name: DOCKERFILE
- default: ""
description: The image is built from this commit.
name: COMMIT_SHA
type: string
- default: .
description: Path to the directory to use as context.
name: CONTEXT
type: string
- default: "true"
description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS
registry)
name: TLSVERIFY
- default: ./Dockerfile
description: Path to the Dockerfile to build.
name: DOCKERFILE
type: string
- default: ""
description: unused, should be removed in next task version
name: DOCKER_AUTH
type: string
- default: etc-pki-entitlement
description: Name of secret which contains the entitlement certificates
name: ENTITLEMENT_SECRET
type: string
- default: "false"
description: Determines if build will be executed without network access.
name: HERMETIC
type: string
- default: ""
description: In case it is not empty, the prefetched content should be made available
to the build.
name: PREFETCH_INPUT
- description: Reference of the image buildah will produce.
name: IMAGE
type: string
- default: ""
description: Delete image tag after specified time. Empty means to keep the image
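Review bot: mixing the alphabetical sort of `params` with the functional additions (the new `type: string` fields and the `CACHI2_ARTIFACT` entry) makes this hunk hard to verify: `IMAGE`, `SOURCE_ARTIFACT`, `DOCKERFILE`, `TLSVERIFY` and `PREFETCH_INPUT` each appear twice in this region, once in the old position and once in the new one, and the type additions are only findable by comparing the pairs. Landing the reorder as its own commit would let the functional changes stand out. Two documentation points while the entries are being touched: the `TLSVERIFY` description "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)" reads as a contradiction, and would be clearer as "Verify TLS on the registry endpoint; set to "false" only to push to or pull from a registry without TLS"; and `DOCKER_AUTH`, described as "unused, should be removed in next task version", is still carried along, so confirm it is meant to stay in 0.1.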
Expand All @@ -61,83 +63,90 @@ spec:
name: IMAGE_EXPIRES_AFTER
type: string
- default: ""
description: The image is built from this commit.
name: COMMIT_SHA
description: In case it is not empty, the prefetched content should be made available
to the build.
name: PREFETCH_INPUT
type: string
- description: The Trusted Artifact URI pointing to the artifact with the application
source code.
name: SOURCE_ARTIFACT
type: string
- default: ""
description: Target stage in Dockerfile to build. If not specified, the Dockerfile
is processed entirely to (and including) its last stage.
name: TARGET_STAGE
type: string
- default: "true"
description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS
registry)
name: TLSVERIFY
type: string
- default: repos.d
description: Path in the git repository in which yum repository files are stored
name: YUM_REPOS_D_SRC
- default: fetched.repos.d
description: Path in source workspace where dynamically-fetched repos are present
name: YUM_REPOS_D_FETCHED
- default: repos.d
description: Path in the git repository in which yum repository files are stored
name: YUM_REPOS_D_SRC
- default: /etc/yum.repos.d
description: Target path on the container in which yum repository files should
be made available
name: YUM_REPOS_D_TARGET
- default: ""
description: Target stage in Dockerfile to build. If not specified, the Dockerfile
is processed entirely to (and including) its last stage.
name: TARGET_STAGE
- default: ca-bundle.crt
description: The name of the key in the ConfigMap that contains the CA bundle
data.
name: caTrustConfigMapKey
type: string
- default: etc-pki-entitlement
description: Name of secret which contains the entitlement certificates
name: ENTITLEMENT_SECRET
type: string
- default: []
description: Array of --build-arg values ("arg=value" strings)
name: BUILD_ARGS
type: array
- default: ""
description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file
name: BUILD_ARGS_FILE
- default: trusted-ca
description: The name of the ConfigMap to read CA bundle data from.
name: caTrustConfigMapName
type: string
- description: The platform to build on
name: PLATFORM
type: string
results:
- description: Digests of the base images used for build
name: BASE_IMAGES_DIGESTS
- description: Digest of the image just built
name: IMAGE_DIGEST
- description: Image repository where the built image was pushed
name: IMAGE_URL
- description: Digests of the base images used for build
name: BASE_IMAGES_DIGESTS
- description: The counting of Java components by publisher in JSON format
name: SBOM_JAVA_COMPONENTS_COUNT
type: string
- description: The Java dependencies that came from community sources such as Maven
central.
name: JAVA_COMMUNITY_DEPENDENCIES
- description: The counting of Java components by publisher in JSON format
name: SBOM_JAVA_COMPONENTS_COUNT
type: string
stepTemplate:
computeResources: {}
env:
- name: BUILDAH_FORMAT
value: oci
- name: STORAGE_DRIVER
value: vfs
- name: HERMETIC
value: $(params.HERMETIC)
- name: BUILD_ARGS_FILE
value: $(params.BUILD_ARGS_FILE)
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
- name: ENTITLEMENT_SECRET
value: $(params.ENTITLEMENT_SECRET)
- name: HERMETIC
value: $(params.HERMETIC)
- name: IMAGE
value: $(params.IMAGE)
- name: TLSVERIFY
value: $(params.TLSVERIFY)
- name: IMAGE_EXPIRES_AFTER
value: $(params.IMAGE_EXPIRES_AFTER)
- name: YUM_REPOS_D_SRC
value: $(params.YUM_REPOS_D_SRC)
- name: STORAGE_DRIVER
value: vfs
- name: TARGET_STAGE
value: $(params.TARGET_STAGE)
- name: TLSVERIFY
value: $(params.TLSVERIFY)
- name: YUM_REPOS_D_FETCHED
value: $(params.YUM_REPOS_D_FETCHED)
- name: YUM_REPOS_D_SRC
value: $(params.YUM_REPOS_D_SRC)
- name: YUM_REPOS_D_TARGET
value: $(params.YUM_REPOS_D_TARGET)
- name: TARGET_STAGE
value: $(params.TARGET_STAGE)
- name: ENTITLEMENT_SECRET
value: $(params.ENTITLEMENT_SECRET)
- name: BUILD_ARGS_FILE
value: $(params.BUILD_ARGS_FILE)
- name: BUILDER_IMAGE
value: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
volumeMounts:
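Review bot: the two new parameters `caTrustConfigMapKey` and `caTrustConfigMapName` are the only camelCase names in a list that is otherwise UPPER_SNAKE_CASE (`ENTITLEMENT_SECRET`, `YUM_REPOS_D_TARGET`); if the spelling is kept for compatibility with another task, the description should say so, otherwise rename them to match. The `caTrustConfigMapKey` description should also state that the selected key is projected to the fixed filename `ca-bundle.crt` inside the mount (the volume definition uses `path: ca-bundle.crt` and the build script reads `/mnt/trusted-ca/ca-bundle.crt`), so changing the key does not change the path the script looks at. The rest of the hunk (`env` and `results` reordered alphabetically) is behaviour-neutral.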
Expand Down Expand Up @@ -197,13 +206,21 @@ spec:
rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/"
rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/"
rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/"
rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/"
rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/"
rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/"
cat >scripts/script-build.sh <<'REMOTESSHEOF'
#!/bin/bash
set -o verbose
set -e
cd /var/workdir
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
SOURCE_CODE_DIR=source
if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
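Review bot: `cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors` leaves `$ca_bundle` unquoted while the test just above quotes it; quote it here too (`cp -vf "$ca_bundle" /etc/pki/ca-trust/source/anchors`). On the trust model, worth a sentence in the task documentation: anchoring a CA taken from a ConfigMap chosen by task parameters means anyone able to write that ConfigMap in the build namespace can extend the TLS trust the build uses for registry pulls and pushes, so the parameter descriptions should state what the ConfigMap is expected to contain and who is expected to manage it. The added `rsync -ra /mnt/trusted-ca/ ...` line is safe when the optional ConfigMap is absent, because the mount is then an empty directory and the `if [ -f "$ca_bundle" ]` guard skips installation.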
Expand Down Expand Up @@ -237,7 +254,7 @@ spec:
sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf
# Setting new namespace to run buildah - 2^32-2
echo 'root:1:4294967294' | tee -a /etc/subuid >> /etc/subgid
echo 'root:1:4294967294' | tee -a /etc/subuid >>/etc/subgid
BUILDAH_ARGS=()
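Review bot: whitespace-only change (`>> /etc/subgid` becomes `>>/etc/subgid`) with no behavioural effect; `tee -a /etc/subuid >>/etc/subgid` still appends the same mapping to both files. Formatting-only rewrites of the embedded shell like this one are scattered through the commit alongside the functional CA-bundle change; doing the formatter pass in a separate commit would keep the functional diff reviewable and make any formatter-induced breakage easy to spot.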
Expand Down Expand Up @@ -318,7 +335,7 @@ spec:
container=$(buildah from --pull-never $IMAGE)
buildah mount $container | tee /shared/container_path
echo $container > /shared/container_name
echo $container >/shared/container_name
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/tmp/cachi2/output/bom.json" ]; then
Expand All @@ -329,36 +346,37 @@ spec:
touch $(results.BASE_IMAGES_DIGESTS.path)
for image in $BASE_IMAGES; do
if [ "${image}" != "scratch" ]; then
buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> $(results.BASE_IMAGES_DIGESTS.path)
buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >>$( results.BASE_IMAGES_DIGESTS.path)
fi
done
# Needed to generate base images SBOM
echo "$BASE_IMAGES" > /var/workdir/base_images_from_dockerfile
echo "$BASE_IMAGES" >/var/workdir/base_images_from_dockerfile
buildah push "$IMAGE" oci:rhtap-final-image
REMOTESSHEOF
chmod +x scripts/script-build.sh
rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \
-e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
-e STORAGE_DRIVER="$STORAGE_DRIVER" \
-e HERMETIC="$HERMETIC" \
-e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \
-e CONTEXT="$CONTEXT" \
-e DOCKERFILE="$DOCKERFILE" \
-e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \
-e HERMETIC="$HERMETIC" \
-e IMAGE="$IMAGE" \
-e TLSVERIFY="$TLSVERIFY" \
-e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
-e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \
-e STORAGE_DRIVER="$STORAGE_DRIVER" \
-e TARGET_STAGE="$TARGET_STAGE" \
-e TLSVERIFY="$TLSVERIFY" \
-e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \
-e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \
-e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \
-e TARGET_STAGE="$TARGET_STAGE" \
-e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \
-e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \
-e COMMIT_SHA="$COMMIT_SHA" \
-v "$BUILD_DIR/volumes/shared:/shared:Z" \
-v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \
-v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
-v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \
-v "$BUILD_DIR/.docker/:/root/.docker:Z" \
-v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \
-v $BUILD_DIR/scripts:/script:Z \
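Review bot: the rewritten redirect `>>$( results.BASE_IMAGES_DIGESTS.path)` breaks the Tekton substitution. Tekton replaces `$(results.BASE_IMAGES_DIGESTS.path)` textually before the script runs, and only in that exact form; with the inserted space the token reaches bash untouched, bash treats it as a command substitution of a non-existent command `results.BASE_IMAGES_DIGESTS.path`, the word expands to nothing and the redirect fails as ambiguous, and since script-build.sh runs under `set -e` the base-image digest loop aborts the build. Restore `>>$(results.BASE_IMAGES_DIGESTS.path)` as in the unchanged `touch $(results.BASE_IMAGES_DIGESTS.path)` line above, and whichever formatter produced the space must be kept away from the embedded scripts (or the Tekton reference assigned to a shell variable once, outside any reformatted expression). The new `-v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z"` mount in the same hunk matches the rsync destination and the path the script reads, and the `-e` reordering is behaviour-neutral.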
Expand All @@ -381,8 +399,9 @@ spec:
name: varlibcontainers
- mountPath: /entitlement
name: etc-pki-entitlement
- mountPath: /shared
name: shared
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
- mountPath: /ssh
name: ssh
readOnly: true
Expand Down Expand Up @@ -458,9 +477,9 @@ spec:
image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8
name: merge-cachi2-sbom
script: |
if [ -f "/var/workdir/sbom-cachi2.json" ]; then
if [ -f "sbom-cachi2.json" ]; then
echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json"
/src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json
/src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json
mv sbom-temp.json sbom-cyclonedx.json
else
echo "Skipping step since no Cachi2 SBOM was produced"
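Review bot: changing the test from `-f "/var/workdir/sbom-cachi2.json"` to `-f "sbom-cachi2.json"` makes it depend on the `merge-cachi2-sbom` step running with `workingDir: /var/workdir`, and that setting for this step is not in the visible context (only the later `upload-sbom` step shows it). If the working directory is anything else the test is false, the step prints "Skipping step since no Cachi2 SBOM was produced" and exits 0, and the prefetched-dependency SBOM is silently left out of the final SBOM. Either keep the absolute path in the test or confirm the step's `workingDir` and note the dependency in a comment.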
Expand Down Expand Up @@ -549,16 +568,23 @@ spec:
name: upload-sbom
workingDir: /var/workdir
volumes:
- emptyDir: {}
name: varlibcontainers
- emptyDir: {}
name: shared
- emptyDir: {}
name: workdir
- name: etc-pki-entitlement
secret:
optional: true
secretName: $(params.ENTITLEMENT_SECRET)
- emptyDir: {}
name: shared
- configMap:
items:
- key: $(params.caTrustConfigMapKey)
path: ca-bundle.crt
name: $(params.caTrustConfigMapName)
optional: true
name: trusted-ca
- emptyDir: {}
name: varlibcontainers
- emptyDir: {}
name: workdir
- name: ssh
secret:
optional: false
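Review bot: `optional: true` on the `trusted-ca` ConfigMap volume means a misspelled `caTrustConfigMapName`, or a ConfigMap without the `caTrustConfigMapKey` key, mounts an empty directory and the build quietly proceeds with the image's default trust store; the `if [ -f "$ca_bundle" ]` block in script-build.sh logs only the positive case ("INFO: Using mounted CA bundle"). Add an `else` branch that logs that no CA bundle was found, so a build that was expected to trust a private CA and instead failed TLS verification against the registry can be diagnosed from the log rather than by inspecting the ConfigMap. The `shared`, `varlibcontainers` and `workdir` entries are unchanged and only reordered.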