From 3a9c974111f2fbab5ea455228fcc3088623716a0 Mon Sep 17 00:00:00 2001 From: Chenxiong Qi Date: Thu, 4 Jul 2024 20:29:55 +0800 Subject: [PATCH] feat: push Dockerfile to registry STONEBLD-2522 Signed-off-by: Chenxiong Qi --- .../0.1/build-image-manifest.yaml | 23 ++++++++++++++++ task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 25 +++++++++++++++++ .../0.1/buildah-remote-oci-ta.yaml | 26 ++++++++++++++++++ task/buildah-remote/0.1/buildah-remote.yaml | 26 ++++++++++++++++++ task/buildah-rhtap/0.1/buildah-rhtap.yaml | 24 +++++++++++++++++ task/buildah/0.1/buildah.yaml | 27 +++++++++++++++++++ 6 files changed, 151 insertions(+) diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml index 2967c78248..fcfb205e75 100644 --- a/task/build-image-manifest/0.1/build-image-manifest.yaml +++ b/task/build-image-manifest/0.1/build-image-manifest.yaml @@ -105,3 +105,26 @@ spec: capabilities: add: - SETFCAP + + - name: push-dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + df_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artype=application/vnd.konflux.dockerfile + + dockerfile_path=$(mktemp --suffix="${suffix}") + + arch_image_digest=$(oras manifest fetch "$IMAGE" | yq -P -oy | yq '.manifests[0].digest') + oras pull "${image_without_tag}@${arch_image_digest/:/-}${suffix}" >"$dockerfile_path" + + echo "Selecting auth for $IMAGE" + select-oci-auth $IMAGE >auth.json + + retry oras push --no-tty --registry-config auth.json --artifact-type "$artype" "$df_image" "$dockerfile_path" diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index b1b6308d1d..65fe5cc534 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -248,6 +248,10 @@ spec: echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi + + # Record the original Dockerfile for pushing later. + cp "$dockerfile_path" /shared/Dockerfile + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" touch /var/lib/containers/java @@ -544,3 +548,24 @@ spec: - cyclonedx - $(params.IMAGE) workingDir: /var/workdir + - name: push-dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /shared/Dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + df_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artype=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd "$(dirname $DOCKERFILE_PATH)" + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)" diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index c5569532c6..00cd3cb9d2 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -265,6 +265,10 @@ spec: echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi + + # Record the original Dockerfile for pushing later. + cp "$dockerfile_path" /shared/Dockerfile + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" touch /var/lib/containers/java @@ -619,6 +623,28 @@ spec: image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 name: upload-sbom workingDir: /var/workdir + - computeResources: {} + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /shared/Dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + name: push-dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + df_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artype=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd "$(dirname $DOCKERFILE_PATH)" + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)" volumes: - name: additional-secret secret: diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index d884cd3d11..80b8069c70 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -257,6 +257,10 @@ spec: echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi + + # Record the original Dockerfile for pushing later. + cp "$dockerfile_path" /shared/Dockerfile + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" touch /var/lib/containers/java @@ -616,6 +620,28 @@ spec: image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 name: upload-sbom workingDir: $(workspaces.source.path) + - computeResources: {} + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /shared/Dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + name: push-dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + df_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artype=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd "$(dirname $DOCKERFILE_PATH)" + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)" volumes: - emptyDir: {} name: varlibcontainers diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index fe15071f82..e3e5b6e9e7 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml +++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml @@ -76,6 +76,8 @@ spec: exit 1 fi + cp "$dockerfile_path" /tmp/files/Dockerfile + BUILDAH_ARGS=() if [ -n "${BUILD_ARGS_FILE}" ]; then BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}") @@ -216,6 +218,28 @@ spec: name: tmpfiles workingDir: /tmp/files + - name: push-dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /tmp/files/Dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + df_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artype=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd $(dirname "$DOCKERFILE_PATH") + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)" + volumes: - emptyDir: {} name: varlibcontainers diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 54bca444a7..98d5272ca7 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -112,6 +112,7 @@ spec: type: string - name: JAVA_COMMUNITY_DEPENDENCIES description: The Java dependencies that came from community sources such as Maven central. + stepTemplate: volumeMounts: - mountPath: /shared @@ -202,6 +203,10 @@ spec: echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi + + # Record the original Dockerfile for pushing later. + cp "$dockerfile_path" /shared/Dockerfile + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" touch /var/lib/containers/java @@ -520,6 +525,28 @@ spec: - $(params.IMAGE) workingDir: $(workspaces.source.path) + - name: push-dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /shared/Dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + df_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artype=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd "$(dirname $DOCKERFILE_PATH)" + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)" + volumes: - name: varlibcontainers emptyDir: {}