`IMAGE_REF` result from image building Tasks

This helps in the reuse of the results when using matrix feature of Tekton. Given that the concatenation of two results from matrix-spawned Tasks is not supported, e.g.

    $(tasks.build-container-multiarch.results.IMAGE_URL[*])@$(tasks.build-container-multiarch.results.IMAGE_DIGEST[*])

will not expand correctly.

This produces the image reference in full in the `IMAGE_REF` result, so the result from the matrix-spawned Tasks can be referenced using:

    $(tasks.build-container-multiarch.results.IMAGE_REF[*])

Reference: https://issues.redhat.com/browse/EC-654
Showing 24 changed files with 206 additions and 124 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
# buildah-remote-oci-ta task | ||
|
||
Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. | ||
In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. | ||
When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. | ||
When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. | ||
|
||
## Parameters | ||
|name|description|default value|required| | ||
|---|---|---|---| | ||
|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| | ||
|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| | ||
|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| | ||
|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| | ||
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| | ||
|COMMIT_SHA|The image is built from this commit.|""|false| | ||
|CONTEXT|Path to the directory to use as context.|.|false| | ||
|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| | ||
|DOCKER_AUTH|unused, should be removed in next task version|""|false| | ||
|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| | ||
|HERMETIC|Determines if build will be executed without network access.|false|false| | ||
|IMAGE|Reference of the image buildah will produce.||true| | ||
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| | ||
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| | ||
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| | ||
|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| | ||
|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| | ||
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| | ||
|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| | ||
|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| | ||
|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| | ||
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| | ||
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| | ||
|PLATFORM|The platform to build on||true| | ||
|
||
## Results | ||
|name|description| | ||
|---|---| | ||
|BASE_IMAGES_DIGESTS|Digests of the base images used for build| | ||
|IMAGE_DIGEST|Digest of the image just built| | ||
|IMAGE_REF|Image reference of the built image| | ||
|IMAGE_URL|Image repository where the built image was pushed| | ||
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| | ||
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| | ||
|
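Review bot: the `IMAGE_REF` row in the Results table says only "Image reference of the built image", which does not tell a pipeline author how it differs from `IMAGE_URL` or that it replaces the `IMAGE_URL`@`IMAGE_DIGEST` pair the commit message describes. If the value is the repository plus digest, as the commit message implies, say so in the description (for example "Image reference of the built image, in the form IMAGE_URL@IMAGE_DIGEST") so that downstream signing and verification steps know the reference is digest-pinned rather than a mutable tag. Separately, `PLATFORM` is a required parameter but is listed last, after the `caTrust*` rows, where it is easy to miss in an otherwise alphabetical table.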
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,70 +1,23 @@ | ||
# oci-copy task | ||
|
||
Given an `oci-copy.yaml` file in the user's source directory, the `oci-copy` task will copy content from arbitrary urls into the OCI registry. | ||
|
||
It generates a limited SBOM and pushes that into the OCI registry alongside the image. | ||
|
||
It is not to be considered safe for general use as it cannot provide a high degree of provenance for artficats and reports them only as "general" type artifacts in the purl spec it reports in the SBOM. Use only in limited situations. | ||
|
||
Note: the bearer token secret, if specified, will be sent to **all servers listed in the oci-copy.yaml file**. | ||
Given a file in the user's source directory, copy content from arbitrary urls into the OCI registry. | ||
|
||
## Parameters | ||
|name|description|default value|required| | ||
|---|---|---|---| | ||
|IMAGE|Reference of the image buildah will produce.||true| | ||
|IMAGE|Reference of the image we will push||true| | ||
|OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| | ||
|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false| | ||
|
||
|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| | ||
|
||
## Results | ||
|name|description| | ||
|---|---| | ||
|IMAGE_DIGEST|Digest of the image just built| | ||
|IMAGE_URL|Image repository where the built image was pushed| | ||
|IMAGE_DIGEST|Digest of the artifact just pushed| | ||
|IMAGE_URL|Repository where the artifact was pushed| | ||
|SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| | ||
|IMAGE_REF|Image reference of the built image| | ||
|
||
## Workspaces | ||
|name|description|optional| | ||
|---|---|---| | ||
|source|Workspace containing the source code to copy.|false| | ||
|
||
## oci-copy.yaml schema | ||
JSON schema for the `oci-copy.yaml` file. | ||
|
||
```json | ||
{ | ||
"type": "object", | ||
"required": ["artifacts", "artifact_type"], | ||
"properties": { | ||
"artifact_type": { | ||
"description": "Artifact type to be applied to the top-level OCI artifact, i.e. `application/x-mlmodel`", | ||
"type": "string" | ||
}, | ||
"artifacts": { | ||
"type": "array", | ||
"items": { | ||
"type": "object", | ||
"required": ["source", "filename", "type", "sha256sum"], | ||
"properties": { | ||
"source": { | ||
"description": "URL of the artifact to copy", | ||
"type": "string" | ||
}, | ||
"filename": { | ||
"description": "Filename that should be applied to the artifact in the OCI registry", | ||
"type": "string" | ||
}, | ||
"type": { | ||
"description": "Media type that should be applied to the artifact in the OCI registry", | ||
"type": "string" | ||
}, | ||
"sha256sum": { | ||
"description": "Digest of the artifact to be checked before copy", | ||
"type": "string" | ||
} | ||
} | ||
} | ||
} | ||
} | ||
} | ||
``` | ||
|source|Workspace containing the source artifacts to copy|false| |
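Review bot: the `@@ -1,70 +1,23 @@` header shrinks this README from 70 to 23 lines in a commit whose stated purpose is adding `IMAGE_REF`, and the text that looks to be on the removed side includes the "not to be considered safe for general use" provenance caveat and the whole "oci-copy.yaml schema" section. If the README is now generated from the task definition, move the caveat and the schema (in particular that `sha256sum` is required and is checked before copy) into the task description so they survive regeneration; otherwise restore them here. The bearer token warning is still carried in the `BEARER_TOKEN_SECRET_NAME` row, which is good, but the standalone note was more visible. Also, the new `IMAGE_REF` row reads "Image reference of the built image" while the neighbouring `IMAGE_DIGEST` and `IMAGE_URL` rows use "artifact just pushed"; align the wording and state the format of the reference.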