Commit
Showing 8 changed files with 505 additions and 0 deletions.
@@ -0,0 +1,24 @@ | ||
# Build-maven-zip-oci-ta task | ||
|
||
Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle and pushes the OCI-artifact into container registry. | ||
In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. | ||
Note that this task needs the output of prefetch-dependencies-oci-ta task. If it is not activated, there will not be any output from this task. | ||
|
||
## Parameters | ||
|
||
| name | description | default value | required | | ||
| -------------------- | ---------------------------------------------------------------------- | ---------------- | -------- | | ||
| IMAGE | Reference of the OCI-Artifact this build-maven-zip task will produce. | | true | | ||
| PREFETCH_INPUT | The prefetched content which is used in the build. | generic | false | | ||
| PREFETCH_ROOT | The root directory of the artifacts in the prefetched directory. | maven-repository | false | | ||
| BUNDLE_NAME | The zip bundle name of archived artifacts. | maven-repository | false | | ||
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | false | | ||
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | false | | ||
|
||
## Results | ||
|
||
| name | description | | ||
| ------------- | --------------------------------------------------------------------------------- | | ||
| IMAGE_DIGEST | Digest of the OCI-Artifact just built | | ||
| IMAGE_URL | Image repository and tag where the built OCI-Artifact was pushed | | ||
| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance | |
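Review bot: the Parameters table is incomplete: the task definition added in this same commit declares IMAGE_EXPIRES_AFTER and CACHI2_ARTIFACT as params, and neither is listed here; add rows for both (CACHI2_ARTIFACT is the Trusted Artifact URI the use-trusted-artifact step consumes, so a user of the -oci-ta variant cannot run the task without knowing about it). Minor wording: "a OCI-artifact" and "a SBOM file" should read "an OCI artifact" and "an SBOM file", and "injects the SBOM file into final container image" does not match what the task does, which is attach the SBOM to the pushed zip artifact with cosign.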
task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml (215 additions & 0 deletions)
@@ -0,0 +1,215 @@ | ||
apiVersion: tekton.dev/v1 | ||
kind: Task | ||
metadata: | ||
labels: | ||
app.kubernetes.io/version: "0.1" | ||
build.appstudio.redhat.com/build_type: "maven-zip" | ||
annotations: | ||
tekton.dev/pipelines.minVersion: "0.12.1" | ||
tekton.dev/tags: "maven-build, konflux" | ||
name: build-maven-zip-oci-ta | ||
spec: | ||
description: |- | ||
This takes existing Image Manifests and combines them in an Image Index. | ||
params: | ||
- description: Reference of the image buildah will produce. | ||
name: IMAGE | ||
type: string | ||
- default: "generic" | ||
description: The prefetched content which is used in the build. | ||
name: PREFETCH_INPUT | ||
type: string | ||
- default: "maven-repository" | ||
description: The root of the prefetched artifacts | ||
name: PREFETCH_ROOT | ||
type: string | ||
- default: "maven-repository" | ||
description: The zip bundle name of archived artifacts | ||
name: BUNDLE_NAME | ||
type: string | ||
- default: "" | ||
description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | ||
name: IMAGE_EXPIRES_AFTER | ||
type: string | ||
- name: CACHI2_ARTIFACT | ||
description: The Trusted Artifact URI pointing to the artifact with | ||
the prefetched dependencies. | ||
type: string | ||
default: "" | ||
- name: caTrustConfigMapName | ||
type: string | ||
description: The name of the ConfigMap to read CA bundle data from. | ||
default: trusted-ca | ||
- name: caTrustConfigMapKey | ||
type: string | ||
description: The name of the key in the ConfigMap that contains the CA bundle data. | ||
default: ca-bundle.crt | ||
|
||
results: | ||
- description: Digest of the image just built | ||
name: IMAGE_DIGEST | ||
- description: Image repository and tag where the built image was pushed | ||
name: IMAGE_URL | ||
- name: SBOM_BLOB_URL | ||
description: Reference of SBOM blob digest to enable digest-based verification from provenance | ||
type: string | ||
stepTemplate: | ||
volumeMounts: | ||
- mountPath: /shared | ||
name: shared | ||
env: | ||
- name: IMAGE | ||
value: $(params.IMAGE) | ||
- name: INPUT | ||
value: $(params.PREFETCH_INPUT) | ||
- name: PKG_ROOT | ||
value: $(params.PREFETCH_ROOT) | ||
- name: BUNDLE_NAME | ||
value: $(params.BUNDLE_NAME) | ||
- name: IMAGE_EXPIRES_AFTER | ||
value: $(params.IMAGE_EXPIRES_AFTER) | ||
|
||
steps: | ||
- name: use-trusted-artifact | ||
image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac | ||
args: | ||
- use | ||
- $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 | ||
- image: quay.io/konflux-ci/appstudio-utils@sha256:d0fecb67dd98d874704f2e3d20686363de7cbb42c15ad2b1d8e8c38118c50078 | ||
name: prepare | ||
computeResources: | ||
limits: | ||
memory: 8Gi | ||
cpu: '4' | ||
requests: | ||
memory: 2Gi | ||
cpu: '1' | ||
script: | | ||
#!/bin/bash | ||
set -e | ||
# Generate checksums for all maven artifact files. It will ignore the checksum files | ||
# and signature files if they existed there | ||
pkgpath="/var/workdir/cachi2/output/deps/$INPUT" | ||
if [ -d "$pkgpath/${PKG_ROOT}" ]; then | ||
echo "Generating checksums for artifacts" | ||
while IFS= read -r -d '' f | ||
do | ||
md5sum "$f" | awk '{print $1}'> "$f.md5" | ||
sha1sum "$f" | awk '{print $1}'> "$f.sha1" | ||
sha256sum "$f" | awk '{print $1}'> "$f.sha256" | ||
done < <(find "$pkgpath/${PKG_ROOT}" -type f ! -name "*.md5" \ | ||
! -name "*.sha1" ! -name "*.sha128" ! -name "*.sha256" \ | ||
! -name "*.sha512" ! -name "*.asc" -print0) | ||
# Bundle the artifacts and checksums together into a zip file | ||
cd "$pkgpath" | ||
echo "create maven zip to /var/workdir/cachi2/output/${BUNDLE_NAME}.zip" | ||
zip -rq "${BUNDLE_NAME}.zip" "${PKG_ROOT}" | ||
mv "${BUNDLE_NAME}.zip" "/shared/${BUNDLE_NAME}.zip" | ||
else | ||
echo "No ${PKG_ROOT} dir found, can not generate maven zip!" | ||
exit 1 | ||
fi | ||
securityContext: | ||
capabilities: | ||
add: | ||
- SETFCAP | ||
- image: quay.io/konflux-ci/oras:latest@sha256:9d6db5840c70e65fefe041201cc7ffe2d1661bd0582b590b54787213ccfd76e9 | ||
name: build | ||
computeResources: | ||
limits: | ||
memory: 8Gi | ||
cpu: '4' | ||
requests: | ||
memory: 2Gi | ||
cpu: '1' | ||
script: | | ||
#!/bin/bash | ||
set -e | ||
if [ -f "/shared/${BUNDLE_NAME}.zip" ]; then | ||
mv "/shared/${BUNDLE_NAME}.zip" "./${BUNDLE_NAME}.zip" | ||
select-oci-auth "$IMAGE" > auth.json | ||
[ -n "$IMAGE_EXPIRES_AFTER" ] && EXPIRE_LABEL=("--annotation" "quay.expires-after=$IMAGE_EXPIRES_AFTER") | ||
oras push "$IMAGE" \ | ||
--registry-config auth.json \ | ||
"${EXPIRE_LABEL[@]}" \ | ||
--artifact-type application/vnd.maven+zip "${BUNDLE_NAME}.zip" | ||
RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") | ||
echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" | ||
echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" | ||
else | ||
echo "The maven zip file is not found!" | ||
exit 1 | ||
fi | ||
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later | ||
if [ -f "/var/workdir/cachi2/output/bom.json" ]; then | ||
cp "/var/workdir/cachi2/output/bom.json" ./sbom-cachi2.json | ||
else | ||
echo "The SBOM file for fetched artifacts is not found!" | ||
exit 1 | ||
fi | ||
securityContext: | ||
capabilities: | ||
add: | ||
- SETFCAP | ||
volumeMounts: | ||
- name: trusted-ca | ||
mountPath: /mnt/trusted-ca | ||
readOnly: true | ||
- name: prepare-sboms | ||
image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:53a3041dff341b7fd1765b9cc2c324625d19e804b2eaff10a6e6d9dcdbde3a91 | ||
computeResources: | ||
limits: | ||
memory: 512Mi | ||
cpu: 200m | ||
requests: | ||
memory: 256Mi | ||
cpu: 100m | ||
script: | | ||
if [ -f sbom-cachi2.json ]; then | ||
mv sbom-cachi2.json sbom-cyclonedx.json | ||
echo "Creating sbom-purl.json" | ||
python3 /scripts/create_purl_sbom.py | ||
fi | ||
securityContext: | ||
runAsUser: 0 | ||
- name: upload-sbom | ||
image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 | ||
script: | | ||
#!/bin/bash | ||
ca_bundle=/mnt/trusted-ca/ca-bundle.crt | ||
if [ -f "$ca_bundle" ]; then | ||
echo "INFO: Using mounted CA bundle: $ca_bundle" | ||
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors | ||
update-ca-trust | ||
fi | ||
cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE" | ||
# Remove tag from IMAGE while allowing registry to contain a port number. | ||
sbom_repo="${IMAGE%:*}" | ||
sbom_tag="sha256-$(< "$(results.IMAGE_DIGEST.path)" cut -d: -f2).sbom" | ||
# The SBOM_BLOB_URL is created by `cosign attach sbom`. | ||
echo -n "${sbom_repo}:${sbom_tag}" | tee "$(results.SBOM_BLOB_URL.path)" | ||
computeResources: | ||
limits: | ||
memory: 512Mi | ||
cpu: 200m | ||
requests: | ||
memory: 256Mi | ||
cpu: 100m | ||
volumeMounts: | ||
- name: trusted-ca | ||
mountPath: /mnt/trusted-ca | ||
readOnly: true | ||
|
||
volumes: | ||
- name: shared | ||
emptyDir: {} | ||
- name: trusted-ca | ||
configMap: | ||
name: $(params.caTrustConfigMapName) | ||
items: | ||
- key: $(params.caTrustConfigMapKey) | ||
path: ca-bundle.crt | ||
optional: true |
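Review bot: the upload-sbom script has no `set -e` (the prepare and build scripts do), so when `cosign attach sbom` fails the step still succeeds and writes a SBOM_BLOB_URL result pointing at an SBOM that was never pushed; add `set -e` (or `set -euo pipefail`) at the top, as in the other steps. Two smaller points: `spec.description` ("This takes existing Image Manifests and combines them in an Image Index.") and the IMAGE param description ("Reference of the image buildah will produce.") are carried over from another task and should describe the maven zip push done with `oras push`; and the `SETFCAP` capability added to the prepare and build steps is not needed for checksum, zip or oras work, so drop it in keeping with least privilege. The `trusted-ca` mount on the build step is also never installed into the trust store there (only upload-sbom copies the bundle and runs `update-ca-trust`), so either wire the bundle into the build step before `oras push` or remove the unused mount.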
@@ -0,0 +1,5 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- build-maven-zip-oci-ta.yaml |
@@ -0,0 +1,7 @@ | ||
# See the OWNERS docs: https://go.k8s.io/owners | ||
approvers: | ||
- build-team | ||
reviewers: | ||
- build-team | ||
- ligangty | ||
- yma96 |
@@ -0,0 +1,30 @@ | ||
# Build-maven-zip task | ||
|
||
Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle and pushes the OCI-artifact into container registry. | ||
In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. | ||
Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task. | ||
|
||
## Parameters | ||
|
||
| name | description | default value | required | | ||
| -------------------- | ---------------------------------------------------------------------- | ---------------- | -------- | | ||
| IMAGE | Reference of the OCI-Artifact this build-maven-zip task will produce. | | true | | ||
| PREFETCH_INPUT | The prefetched content which is used in the build. | generic | false | | ||
| PREFETCH_ROOT | The root directory of the artifacts in the prefetched directory. | maven-repository | false | | ||
| BUNDLE_NAME | The zip bundle name of archived artifacts. | maven-repository | false | | ||
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | false | | ||
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | false | | ||
|
||
## Results | ||
|
||
| name | description | | ||
| ------------- | --------------------------------------------------------------------------------- | | ||
| IMAGE_DIGEST | Digest of the OCI-Artifact just built | | ||
| IMAGE_URL | Image repository and tag where the built OCI-Artifact was pushed | | ||
| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance | | ||
|
||
## Workspaces | ||
|
||
| name | description | optional | | ||
| ------ | ---------------------------------------------- | -------- | | ||
| source | Workspace containing the source code to build. | false | |
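Review bot: the intro says the task "injects the SBOM file into final container image", but the Results table describes the output as an OCI-Artifact (a zip bundle), so the wording should match: the SBOM is attached to the pushed artifact with cosign, not injected into a container image. "a OCI-artifact" and "a SBOM file" should be "an OCI artifact" and "an SBOM file". The Workspaces section lists `source` as "Workspace containing the source code to build", yet the description says the task consumes only the output of prefetch-dependencies; state what the task actually reads from that workspace so users know whether it must hold source or just the prefetched output.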