IMAGE_REF result from image building Tasks
This helps in the reuse of the results when using the matrix feature of
Tekton. Given that the concatenation of two results from matrix-spawned
Tasks is not supported, e.g.

    $(tasks.build-container-multiarch.results.IMAGE_URL[*])@$(tasks.build-container-multiarch.results.IMAGE_DIGEST[*])

will not expand correctly.

This produces the image reference in full in the `IMAGE_REF` result, so
the result from the matrix-spawned Tasks can be referenced using:

    $(tasks.build-container-multiarch.results.IMAGE_REF[*])

Reference: https://issues.redhat.com/browse/EC-654
zregvart authored and arewm committed Jul 23, 2024
1 parent e5ac710 commit 6dd763a
Showing 23 changed files with 156 additions and 10 deletions.
1 change: 1 addition & 0 deletions task/buildah-oci-ta/0.2/README.md
Expand Up @@ -38,6 +38,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_REF|Image reference of the built image|
|IMAGE_URL|Image repository where the built image was pushed|
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
6 changes: 6 additions & 0 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
Expand Up @@ -129,6 +129,8 @@ spec:
results:
- name: IMAGE_DIGEST
description: Digest of the image just built
- name: IMAGE_REF
description: Image reference of the built image
- name: IMAGE_URL
description: Image repository where the built image was pushed
- name: JAVA_COMMUNITY_DEPENDENCIES
Expand Down Expand Up @@ -559,6 +561,10 @@ spec:
cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "/var/workdir/image-digest"
} >"$(results.IMAGE_REF.path)"
securityContext:
capabilities:
add:
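Review bot: the brace group that writes IMAGE_REF never checks the digest it reads. If /var/workdir/image-digest is empty, or missing and the script does not abort on the failed `cat`, the redirect has already created the result file and it holds just "${IMAGE}@", which is not a usable reference and only fails later in whatever consumes the result. Read the digest into a variable first, check that it has the algorithm:hex form, and fail the step otherwise before writing IMAGE_DIGEST and IMAGE_REF.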
6 changes: 6 additions & 0 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
Expand Up @@ -130,6 +130,8 @@ spec:
results:
- description: Digest of the image just built
name: IMAGE_DIGEST
- description: Image reference of the built image
name: IMAGE_REF
- description: Image repository where the built image was pushed
name: IMAGE_URL
- description: The Java dependencies that came from community sources such as Maven
Expand Down Expand Up @@ -630,6 +632,10 @@ spec:
cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "/var/workdir/image-digest"
} >"$(results.IMAGE_REF.path)"
securityContext:
capabilities:
add:
48 changes: 48 additions & 0 deletions task/buildah-remote/0.2/README.md
@@ -0,0 +1,48 @@
# buildah-remote task

Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.
In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|IMAGE|Reference of the image buildah will produce.||true|
|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
|CONTEXT|Path to the directory to use as context.|.|false|
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
|HERMETIC|Determines if build will be executed without network access.|false|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|COMMIT_SHA|The image is built from this commit.|""|false|
|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false|
|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false|
|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false|
|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false|
|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false|
|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false|
|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false|
|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false|
|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|
|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false|
|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
|PLATFORM|The platform to build on||true|

## Results
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_URL|Image repository where the built image was pushed|
|IMAGE_REF|Image reference of the built image|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|

## Workspaces
|name|description|optional|
|---|---|---|
|source|Workspace containing the source code to build.|false|
6 changes: 6 additions & 0 deletions task/buildah-remote/0.2/buildah-remote.yaml
Expand Up @@ -123,6 +123,8 @@ spec:
name: IMAGE_DIGEST
- description: Image repository where the built image was pushed
name: IMAGE_URL
- description: Image reference of the built image
name: IMAGE_REF
- description: The counting of Java components by publisher in JSON format
name: SBOM_JAVA_COMPONENTS_COUNT
type: string
Expand Down Expand Up @@ -612,6 +614,10 @@ spec:
cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "$(workspaces.source.path)/image-digest"
} > "$(results.IMAGE_REF.path)"
securityContext:
capabilities:
add:
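Review bot: `cat` copies image-digest byte for byte into IMAGE_REF, so a trailing newline in that file ends up inside the reference, while IMAGE_URL on the line above is deliberately written with `echo -n`. A single `printf '%s@%s' "$IMAGE" "$(cat "$(workspaces.source.path)/image-digest")"` drops the trailing newline through command substitution and matches the one-line form used for IMAGE_REF in the oci-copy tasks.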
3 changes: 1 addition & 2 deletions task/buildah/0.2/README.md
Expand Up @@ -9,11 +9,9 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|name|description|default value|required|
|---|---|---|---|
|IMAGE|Reference of the image buildah will produce.||true|
|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
|CONTEXT|Path to the directory to use as context.|.|false|
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
|DOCKER_AUTH|unused, should be removed in next task version|""|false|
|HERMETIC|Determines if build will be executed without network access.|false|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
Expand All @@ -39,6 +37,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|---|---|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_URL|Image repository where the built image was pushed|
|IMAGE_REF|Image reference of the built image|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|

6 changes: 6 additions & 0 deletions task/buildah/0.2/buildah.yaml
Expand Up @@ -109,6 +109,8 @@ spec:
name: IMAGE_DIGEST
- description: Image repository where the built image was pushed
name: IMAGE_URL
- description: Image reference of the built image
name: IMAGE_REF
- name: SBOM_JAVA_COMPONENTS_COUNT
description: The counting of Java components by publisher in JSON format
type: string
Expand Down Expand Up @@ -509,6 +511,10 @@ spec:
cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "$(workspaces.source.path)/image-digest"
} > "$(results.IMAGE_REF.path)"
securityContext:
runAsUser: 0
1 change: 1 addition & 0 deletions task/oci-copy-oci-ta/0.1/README.md
Expand Up @@ -14,6 +14,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the artifact just pushed|
|IMAGE_REF|Image reference of the built image|
|IMAGE_URL|Repository where the artifact was pushed|
|SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.|
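Review bot: the IMAGE_REF row describes "the built image", but the other rows of this table speak of "the artifact just pushed" and the task builds nothing. Reword it along the lines of "Reference of the pushed artifact, in the form IMAGE_URL@IMAGE_DIGEST", which also documents the format consumers can rely on.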

3 changes: 3 additions & 0 deletions task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
Expand Up @@ -35,6 +35,8 @@ spec:
results:
- name: IMAGE_DIGEST
description: Digest of the artifact just pushed
- name: IMAGE_REF
description: Image reference of the built image
- name: IMAGE_URL
description: Repository where the artifact was pushed
- name: SBOM_BLOB_URL
Expand Down Expand Up @@ -193,6 +195,7 @@ spec:
RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}")
echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)"
computeResources:
limits:
memory: 1Gi
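Review bot: RESULTING_DIGEST is obtained by resolving the tag in "${IMAGE}" against the registry with `oras resolve`, so the new IMAGE_REF pins whatever that tag points to at resolve time rather than what this step pushed. If the tag is moved in between, the reference names a different artifact. If the push in this step can report the digest it produced, build IMAGE_DIGEST and IMAGE_REF from that value instead of a second lookup by tag.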
1 change: 1 addition & 0 deletions task/oci-copy/0.1/README.md
Expand Up @@ -22,6 +22,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_URL|Image repository where the built image was pushed|
|SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.|
|IMAGE_REF|Image reference of the built image|

## Workspaces
|name|description|optional|
3 changes: 3 additions & 0 deletions task/oci-copy/0.1/oci-copy.yaml
Expand Up @@ -32,6 +32,8 @@ spec:
name: IMAGE_URL
- description: Link to the SBOM blob pushed to the registry.
name: SBOM_BLOB_URL
- name: IMAGE_REF
description: Image reference of the built image
stepTemplate:
env:
- name: OCI_COPY_FILE
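Review bot: style, on the new result entry: it is written `name:` then `description:`, while the entries above it in the same list put `description:` first. Keep one key order within the results list so the file diffs cleanly.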
Expand Down Expand Up @@ -178,6 +180,7 @@ spec:
RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}")
echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)"
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
31 changes: 31 additions & 0 deletions task/rpm-ostree/0.1/README.md
@@ -0,0 +1,31 @@
# rpm-ostree task

RPM Ostree

## Parameters
|name|description|default value|required|
|---|---|---|---|
|IMAGE|Reference of the image rpm-ostree will produce.||true|
|BUILDER_IMAGE|The location of the rpm-ostree builder image.|quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7|false|
|CONTEXT|Path to the directory to use as context.|.|false|
|IMAGE_FILE|The file to use to build the image||true|
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|COMMIT_SHA|The image is built from this commit.|""|false|
|PLATFORM|The platform to build on||true|
|CONFIG_FILE|The relative path of the file used to configure the rpm-ostree tool found in source control. See https://github.com/coreos/rpm-ostree/blob/main/docs/container.md#adding-container-image-configuration|""|false|
|HERMETIC|Determines if build will be executed without network access.|false|false|

## Results
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_URL|Image repository where the built image was pushed|
|IMAGE_REF|Image reference of the built image|
|BASE_IMAGES_DIGESTS|Digests of the base images used for build|
|SBOM_BLOB_URL|Reference, including digest to the SBOM blob|

## Workspaces
|name|description|optional|
|---|---|---|
|source|Workspace containing the source code to build.|false|
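Review bot: the documented BUILDER_IMAGE default ends in a tag (d124414a81d17f31b1d734236f55272a241703d7) with no @sha256 digest, so the builder that runs can change without this task changing. Since this commit is about passing digest-qualified references between tasks, pin the default by digest in rpm-ostree.yaml as well and let the README follow. The one-line description "RPM Ostree" could also say what the task produces.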
6 changes: 6 additions & 0 deletions task/rpm-ostree/0.1/rpm-ostree.yaml
Expand Up @@ -60,6 +60,8 @@ spec:
name: IMAGE_DIGEST
- description: Image repository where the built image was pushed
name: IMAGE_URL
- description: Image reference of the built image
name: IMAGE_REF
- description: Digests of the base images used for build
name: BASE_IMAGES_DIGESTS
- name: SBOM_BLOB_URL
Expand Down Expand Up @@ -260,6 +262,10 @@ spec:
cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "$(workspaces.source.path)/image-digest"
} >"$(results.IMAGE_REF.path)"
# Remove tag from IMAGE while allowing registry to contain a port number.
sbom_repo="${IMAGE%:*}"
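Review bot: IMAGE_REF is built from the full "${IMAGE}", tag included, while the very next statement strips the tag with "${IMAGE%:*}" for sbom_repo, so the result has the form repo:tag@digest. State that form in the result description, or build the reference from the tag-less repository if consumers of IMAGE_REF expect repo@digest.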
4 changes: 3 additions & 1 deletion task/s2i-java/0.1/README.md
Expand Up @@ -12,15 +12,17 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup
|PATH_CONTEXT|The location of the path to run s2i from|.|false|
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
|IMAGE|Location of the repo where image has to be pushed||true|
|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false|
|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
|DOCKER_AUTH|unused, should be removed in next task version|""|false|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|COMMIT_SHA|The image is built from this commit.|""|false|

## Results
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_URL|Image repository where the built image was pushed|
|IMAGE_REF|Image reference of the built image|
|BASE_IMAGES_DIGESTS|Digests of the base images used for build|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|
6 changes: 6 additions & 0 deletions task/s2i-java/0.1/s2i-java.yaml
Expand Up @@ -56,6 +56,8 @@ spec:
name: IMAGE_DIGEST
- description: Image repository where the built image was pushed
name: IMAGE_URL
- description: Image reference of the built image
name: IMAGE_REF
- description: Digests of the base images used for build
name: BASE_IMAGES_DIGESTS
- name: SBOM_JAVA_COMPONENTS_COUNT
Expand Down Expand Up @@ -253,6 +255,10 @@ spec:
docker://$IMAGE
cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "$(workspaces.source.path)/image-digest"
} > "$(results.IMAGE_REF.path)"
securityContext:
runAsUser: 0
6 changes: 4 additions & 2 deletions task/s2i-nodejs/0.1/README.md
Expand Up @@ -7,20 +7,22 @@ In addition it generates a SBOM file, injects the SBOM file into final container
## Parameters
|name|description|default value|required|
|---|---|---|---|
|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583|false|
|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1|false|
|PATH_CONTEXT|The location of the path to run s2i from.|.|false|
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
|IMAGE|Location of the repo where image has to be pushed||true|
|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false|
|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
|DOCKER_AUTH|unused, should be removed in next task version|""|false|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|MAVEN_MIRROR_URL|The base URL of a mirror used for retrieving artifacts|""|false|
|COMMIT_SHA|The image is built from this commit.|""|false|

## Results
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_URL|Image repository where the built image was pushed|
|IMAGE_REF|Image reference of the built image|
|BASE_IMAGES_DIGESTS|Digests of the base images used for build|

## Workspaces
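Review bot: besides the IMAGE_REF row, this hunk changes documented parameters that the commit message does not mention: the BASE_IMAGE default gains an @sha256 digest, BUILDER_IMAGE becomes "Deprecated. Has no effect." and a DOCKER_AUTH row appears, while the s2i-nodejs.yaml hunks in this commit only touch the results list and the push script. Say in the commit message that the README is being brought back in line with the Task, or move those rows to a separate commit so the IMAGE_REF change stays reviewable on its own.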
6 changes: 6 additions & 0 deletions task/s2i-nodejs/0.1/s2i-nodejs.yaml
Expand Up @@ -74,6 +74,8 @@ spec:
name: IMAGE_DIGEST
- description: Image repository where the built image was pushed
name: IMAGE_URL
- description: Image reference of the built image
name: IMAGE_REF
- description: Digests of the base images used for build
name: BASE_IMAGES_DIGESTS
steps:
Expand Down Expand Up @@ -221,6 +223,10 @@ spec:
docker://$IMAGE
cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "$(workspaces.source.path)/image-digest"
} > "$(results.IMAGE_REF.path)"
securityContext:
runAsUser: 0
1 change: 1 addition & 0 deletions task/source-build-oci-ta/0.1/README.md
Expand Up @@ -14,6 +14,7 @@ Source image build.
|name|description|
|---|---|
|BUILD_RESULT|Build result.|
|IMAGE_REF|Image reference of the built image|
|SOURCE_IMAGE_DIGEST|The source image digest.|
|SOURCE_IMAGE_URL|The source image url.|

3 changes: 3 additions & 0 deletions task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
Expand Up @@ -35,6 +35,8 @@ spec:
results:
- name: BUILD_RESULT
description: Build result.
- name: IMAGE_REF
description: Image reference of the built image
- name: SOURCE_IMAGE_DIGEST
description: The source image digest.
- name: SOURCE_IMAGE_URL
Expand Down Expand Up @@ -156,6 +158,7 @@ spec:
cat "$RESULT_FILE" | jq -j ".image_url" >"$RESULT_SOURCE_IMAGE_URL"
cat "$RESULT_FILE" | jq -j ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST"
jq -j '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)"
cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE"
computeResources:
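Review bot: the jq filter on the IMAGE_REF line interpolates a missing key as the string null and still exits 0, so a RESULT_FILE without image_url or image_digest produces "null@null" as the result. Make the filter fail instead, for example `"\(.image_url // error("no image_url"))@\(.image_digest // error("no image_digest"))"`, so the step stops rather than handing an unusable reference to later tasks.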
1 change: 1 addition & 0 deletions task/source-build/0.1/README.md
Expand Up @@ -14,6 +14,7 @@ Source image build.
|BUILD_RESULT|Build result.|
|SOURCE_IMAGE_URL|The source image url.|
|SOURCE_IMAGE_DIGEST|The source image digest.|
|IMAGE_REF|Image reference of the built image|

## Workspaces
|name|description|optional|
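Review bot: naming, on the new row: the other image results of this task carry the SOURCE_IMAGE_ prefix and are described as the source image, while IMAGE_REF is described as "the built image". Keeping the shared name makes sense if pipelines reference it uniformly across tasks, but the description should say it is the source image reference, SOURCE_IMAGE_URL@SOURCE_IMAGE_DIGEST.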
3 changes: 3 additions & 0 deletions task/source-build/0.1/source-build.yaml
Expand Up @@ -29,6 +29,8 @@ spec:
description: The source image url.
- name: SOURCE_IMAGE_DIGEST
description: The source image digest.
- name: IMAGE_REF
description: Image reference of the built image
workspaces:
- name: workspace
description: The workspace where source code is included.
Expand Down Expand Up @@ -157,5 +159,6 @@ spec:
cat "$RESULT_FILE" | jq -j ".image_url" >"$RESULT_SOURCE_IMAGE_URL"
cat "$RESULT_FILE" | jq -j ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST"
jq -j '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)"
cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE"