feat: add new task push-build-file
Add a new task push-build-file to push Dockerfile to registry as an OCI
artifact.

Using the term "build file" to cover the commonly used Dockerfile or
Containerfile found in various containerized applications.

oras is used to push the file and any build file image consumer also has
to use oras to pull.

This new task is added to docker-build pipeline and enabled by default.

Trusted Artifacts version of push-build-file is created accordingly and
updated into the docker-build-oci-ta pipeline.

Signed-off-by: Chenxiong Qi <[email protected]>
tkdchen committed Jul 11, 2024
1 parent b5dd706 commit 2e8a3ba
Showing 15 changed files with 229 additions and 158 deletions.
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,6 @@
pipeline-bundle-list
task-bundle-list
bundle_values.env

*~
*.swp
13 changes: 13 additions & 0 deletions pipelines/docker-build-oci-ta/patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
# 9 clamav-scan
# 10 sbom-json-check
# 11 apply-tags
# 12 push-build-file

# clone-repository Task
- op: replace
Expand Down Expand Up @@ -112,6 +113,18 @@
- op: remove
path: /spec/tasks/8/workspaces/0

# push-build-file
- op: replace
path: /spec/tasks/12/taskRef/name
value: push-build-file-oci-ta
- op: add
path: /spec/tasks/12/params/-
value:
name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- op: remove
path: /spec/tasks/12/workspaces/0

# Order of finally Tasks from the base docker-build Pipeline:
# $ kustomize build pipelines/docker-build | yq .spec.finally.[].name | nl -v 0
# 0 show-sbom
Expand Down
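Review bot: The new ops at `/spec/tasks/12/...` rely on `push-build-file` staying at index 12 of the base pipeline's task list; if a task is later inserted ahead of it, `replace` on `/spec/tasks/12/taskRef/name` will still succeed against whatever task lands at that index and silently retarget it to `push-build-file-oci-ta`, and the `remove` of its `workspaces/0` will strip a workspace from the wrong task. The index comment list at the top of the file is currently the only guard, and nothing enforces it. If the kustomize version in use honours the JSON Patch `test` op, a guard such as `- op: test` / `path: /spec/tasks/12/name` / `value: push-build-file` placed before the `replace` would turn the mismatch into a hard build failure; otherwise at least a comment on the op block, `# relies on push-build-file being task index 12 in template-build`, would flag the dependency for the next person who reorders tasks.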
2 changes: 2 additions & 0 deletions pipelines/docker-build-rhtap/patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,8 @@
# 8 sast-snyk-check
# 9 clamav-scan
# 10 sbom-json-check
# 11 apply-tags
# 12 push-build-file
- op: replace
path: /spec/tasks/3/runAfter/0
value: clone-repository
Expand Down
18 changes: 18 additions & 0 deletions pipelines/template-build/template-build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -240,6 +240,24 @@ spec:
params:
- name: IMAGE
value: $(tasks.build-container.results.IMAGE_URL)
- name: push-build-file
runAfter:
- build-container
taskRef:
name: push-build-file
version: "0.1"
params:
- name: IMAGE
value: $(tasks.build-container.results.IMAGE_URL)
- name: IMAGE_DIGEST
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: BUILD_FILE
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.path-context)
workspaces:
- name: workspace
workspace: workspace

finally:
- name: show-sbom
Expand Down
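Review bot: The `push-build-file` entry added here reads `$(params.dockerfile)` from the shared `workspace` after `build-container`, but the buildah tasks in this same commit keep their in-place `sed -i` rewrite of `$dockerfile_path` (still present as context in the buildah hunks, injecting the `JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR` mirror URL) and no longer snapshot the original to `/shared/Dockerfile` beforehand. If `$dockerfile_path` resolves into the workspace, as `workingDir: $(workspaces.source.path)` in the buildah task suggests, the artifact pushed for Java builds would be the rewritten file, including the internal cache address, rather than the source Dockerfile the removed step deliberately preserved; the OCI-TA variant, which takes the pre-build `SOURCE_ARTIFACT`, would not be affected, so the two pipelines would publish different content for the same source. Worth confirming with a Java build and either restoring a pre-rewrite snapshot for the task to consume or documenting on this entry what is actually published, e.g. `# Pushes the build file as found in the workspace after build-container; buildah may have rewritten it in place.` The enclosing `tasks` list starts outside this hunk.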
35 changes: 0 additions & 35 deletions task/build-image-manifest/0.1/build-image-manifest.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -104,38 +104,3 @@ spec:
capabilities:
add:
- SETFCAP

- name: push-dockerfile
image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
env:
- name: IMAGE_DIGEST_FILE
value: $(results.IMAGE_DIGEST.path)
script: |
suffix=".dockerfile"
image_without_tag=${IMAGE%:*}
# remove the potential existing newline
manifest_digest=$(cat "${IMAGE_DIGEST_FILE}")
dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
artifact_type=application/vnd.konflux.dockerfile
# Select a Dockerfile from one of the arch
arch_image_digest=$(oras manifest fetch "$IMAGE" | yq -P -oy | yq '.manifests[0].digest')
output_dir=$(mktemp -d)
retry oras pull --output "$output_dir" "${image_without_tag}:${arch_image_digest/:/-}${suffix}"
echo "Selecting auth for $IMAGE"
auth_json=$(mktemp)
select-oci-auth $IMAGE >"$auth_json"
# Do not assume the actual file name. Generally, it could be Dockerfile or Containerfile.
cd "$output_dir"
n=1
find . -type f | while read -r filename; do
if [ $n -gt 1 ]; then
echo "Multiple container files exist in the dockerfile image." >&2
ls >&2
exit 1
fi
retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename "$filename")"
((++n))
done
24 changes: 0 additions & 24 deletions task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -249,9 +249,6 @@ spec:
exit 1
fi
# Record the original Dockerfile for pushing later.
cp "$dockerfile_path" /shared/Dockerfile
if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"<settings><mirrors><mirror><id>mirror.default</id><url>http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
touch /var/lib/containers/java
Expand Down Expand Up @@ -548,24 +545,3 @@ spec:
- cyclonedx
- $(params.IMAGE)
workingDir: /var/workdir
- name: push-dockerfile
image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
env:
- name: IMAGE_DIGEST_FILE
value: $(results.IMAGE_DIGEST.path)
- name: DOCKERFILE_PATH
value: /shared/Dockerfile
script: |
suffix=".dockerfile"
image_without_tag=${IMAGE%:*}
# remove the potential existing newline
manifest_digest=$(cat "${IMAGE_DIGEST_FILE}")
dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
artifact_type=application/vnd.konflux.dockerfile
echo "Selecting auth for $IMAGE"
auth_json=$(mktemp)
select-oci-auth $IMAGE >"$auth_json"
cd "$(dirname $DOCKERFILE_PATH)"
retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)"
25 changes: 0 additions & 25 deletions task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -266,9 +266,6 @@ spec:
exit 1
fi
# Record the original Dockerfile for pushing later.
cp "$dockerfile_path" /shared/Dockerfile
if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"<settings><mirrors><mirror><id>mirror.default</id><url>http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
touch /var/lib/containers/java
Expand Down Expand Up @@ -623,28 +620,6 @@ spec:
image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
name: upload-sbom
workingDir: /var/workdir
- computeResources: {}
env:
- name: IMAGE_DIGEST_FILE
value: $(results.IMAGE_DIGEST.path)
- name: DOCKERFILE_PATH
value: /shared/Dockerfile
image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
name: push-dockerfile
script: |
suffix=".dockerfile"
image_without_tag=${IMAGE%:*}
# remove the potential existing newline
manifest_digest=$(cat "${IMAGE_DIGEST_FILE}")
dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
artifact_type=application/vnd.konflux.dockerfile
echo "Selecting auth for $IMAGE"
auth_json=$(mktemp)
select-oci-auth $IMAGE >"$auth_json"
cd "$(dirname $DOCKERFILE_PATH)"
retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)"
volumes:
- name: additional-secret
secret:
Expand Down
25 changes: 0 additions & 25 deletions task/buildah-remote/0.1/buildah-remote.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -258,9 +258,6 @@ spec:
exit 1
fi
# Record the original Dockerfile for pushing later.
cp "$dockerfile_path" /shared/Dockerfile
if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"<settings><mirrors><mirror><id>mirror.default</id><url>http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
touch /var/lib/containers/java
Expand Down Expand Up @@ -620,28 +617,6 @@ spec:
image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
name: upload-sbom
workingDir: $(workspaces.source.path)
- computeResources: {}
env:
- name: IMAGE_DIGEST_FILE
value: $(results.IMAGE_DIGEST.path)
- name: DOCKERFILE_PATH
value: /shared/Dockerfile
image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
name: push-dockerfile
script: |
suffix=".dockerfile"
image_without_tag=${IMAGE%:*}
# remove the potential existing newline
manifest_digest=$(cat "${IMAGE_DIGEST_FILE}")
dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
artifact_type=application/vnd.konflux.dockerfile
echo "Selecting auth for $IMAGE"
auth_json=$(mktemp)
select-oci-auth $IMAGE >"$auth_json"
cd "$(dirname $DOCKERFILE_PATH)"
retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)"
volumes:
- emptyDir: {}
name: varlibcontainers
Expand Down
24 changes: 0 additions & 24 deletions task/buildah-rhtap/0.1/buildah-rhtap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -76,8 +76,6 @@ spec:
exit 1
fi
cp "$dockerfile_path" /tmp/files/Dockerfile
BUILDAH_ARGS=()
if [ -n "${BUILD_ARGS_FILE}" ]; then
BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}")
Expand Down Expand Up @@ -218,28 +216,6 @@ spec:
name: tmpfiles
workingDir: /tmp/files

- name: push-dockerfile
image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
env:
- name: IMAGE_DIGEST_FILE
value: $(results.IMAGE_DIGEST.path)
- name: DOCKERFILE_PATH
value: /tmp/files/Dockerfile
script: |
suffix=".dockerfile"
image_without_tag=${IMAGE%:*}
# remove the potential existing newline
manifest_digest=$(cat "${IMAGE_DIGEST_FILE}")
dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
artifact_type=application/vnd.konflux.dockerfile
echo "Selecting auth for $IMAGE"
auth_json=$(mktemp)
select-oci-auth $IMAGE >"$auth_json"
cd $(dirname "$DOCKERFILE_PATH")
retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)"
volumes:
- emptyDir: {}
name: varlibcontainers
Expand Down
25 changes: 0 additions & 25 deletions task/buildah/0.1/buildah.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -204,9 +204,6 @@ spec:
exit 1
fi
# Record the original Dockerfile for pushing later.
cp "$dockerfile_path" /shared/Dockerfile
if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"<settings><mirrors><mirror><id>mirror.default</id><url>http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
touch /var/lib/containers/java
Expand Down Expand Up @@ -525,28 +522,6 @@ spec:
- $(params.IMAGE)
workingDir: $(workspaces.source.path)

- name: push-dockerfile
image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
env:
- name: IMAGE_DIGEST_FILE
value: $(results.IMAGE_DIGEST.path)
- name: DOCKERFILE_PATH
value: /shared/Dockerfile
script: |
suffix=".dockerfile"
image_without_tag=${IMAGE%:*}
# remove the potential existing newline
manifest_digest=$(cat "${IMAGE_DIGEST_FILE}")
dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
artifact_type=application/vnd.konflux.dockerfile
echo "Selecting auth for $IMAGE"
auth_json=$(mktemp)
select-oci-auth $IMAGE >"$auth_json"
cd "$(dirname $DOCKERFILE_PATH)"
retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)"
volumes:
- name: varlibcontainers
emptyDir: {}
Expand Down
