From bca31e56fd08ed9ddd7b2bfa625f2dd90581a858 Mon Sep 17 00:00:00 2001
From: Chenxiong Qi
Date: Thu, 4 Jul 2024 20:29:55 +0800
Subject: [PATCH] feat: push Dockerfile to registry STONEBLD-2522
Signed-off-by: Chenxiong Qi
---
.../0.1/build-image-manifest.yaml | 35 +++++++++++++++++++
task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 25 +++++++++++++
.../0.1/buildah-remote-oci-ta.yaml | 26 ++++++++++++++
task/buildah-remote/0.1/buildah-remote.yaml | 26 ++++++++++++++
task/buildah-rhtap/0.1/buildah-rhtap.yaml | 24 +++++++++++++
task/buildah/0.1/buildah.yaml | 27 ++++++++++++++
6 files changed, 163 insertions(+)
diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml
index 2967c78248..1a9ba37db5 100644
--- a/task/build-image-manifest/0.1/build-image-manifest.yaml
+++ b/task/build-image-manifest/0.1/build-image-manifest.yaml
@@ -105,3 +105,38 @@ spec: capabilities: add: - SETFCAP + + - name: push-dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artifact_type=application/vnd.konflux.dockerfile + + # Select a Dockerfile from one of the arch + arch_image_digest=$(oras manifest fetch "$IMAGE" | yq -P -oy | yq '.manifests[0].digest') + output_dir=$(mktemp -d) + retry oras pull --output "$output_dir" "${image_without_tag}:${arch_image_digest/:/-}${suffix}" + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + # Do not assume the actual file name. Generally, it could be Dockerfile or Containerfile. + cd "$output_dir" + n=0 + find . -type f | while read filename; do + if [ $n -gt 1 ]; then + echo "Multiple container files exist in the dockerfile image." >&2 + ls >&2 + exit 1 + fi + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename "$filename")" + ((n++)) + done diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index b1b6308d1d..c88eaaf05c 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml 
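Review bot: The multiple-file guard in the `find . -type f | while read filename` loop does not stop a second file from being pushed: `n` starts at 0 and the test is `[ $n -gt 1 ]`, so two files are both pushed to the same `$dockerfile_image` tag (the later push replacing the earlier) and the error only fires on a third. The loop also runs on the right-hand side of a pipe, so its `exit 1` leaves a subshell rather than the script, and under bash `((n++))` returns a non-zero status when `n` is 0, which matters if the step runs with `set -e` (not visible in this hunk). Counting the files before pushing avoids all three. Note that the version below also fails when the pulled artifact contains no file, where the current loop would silently push nothing.

```yaml
script: |
  # … unchanged: tag computation, oras pull, auth selection …
  cd "$output_dir"
  mapfile -t files < <(find . -type f)
  if [ "${#files[@]}" -ne 1 ]; then
    echo "Expected exactly one container file in the dockerfile image, found ${#files[@]}." >&2
    ls >&2
    exit 1
  fi
  retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename "${files[0]}")"
```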
@@ -248,6 +248,10 @@ spec: echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi + + # Record the original Dockerfile for pushing later. + cp "$dockerfile_path" /shared/Dockerfile + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" touch /var/lib/containers/java @@ -544,3 +548,24 @@ spec: - cyclonedx - $(params.IMAGE) workingDir: /var/workdir + - name: push-dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /shared/Dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artifact_type=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd "$(dirname $DOCKERFILE_PATH)" + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)" diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index c5569532c6..eedb6ac366 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml 
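Review bot: In the `push-dockerfile` step, `image_without_tag=${IMAGE%:*}` cuts at the last colon wherever it is, so an `IMAGE` value without a tag but with a registry port, or one carrying an `@sha256:` digest, yields a wrong repository and the Dockerfile artifact is pushed to (or rejected at) a different reference than the image. Whether `IMAGE` always arrives as `repo:tag` is not visible in this hunk; if that is not guaranteed, strip an optional digest first and remove the tag only when the last path component has one: `image_without_tag=${IMAGE%@*}` followed by `case "${image_without_tag##*/}" in *:*) image_without_tag=${image_without_tag%:*} ;; esac`. `select-oci-auth $IMAGE` should also quote the variable, `select-oci-auth "$IMAGE" >"$auth_json"`. The same lines appear in the `push-dockerfile` steps added to build-image-manifest, buildah-remote-oci-ta, buildah-remote, buildah-rhtap and buildah.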
@@ -265,6 +265,10 @@ spec: echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi + + # Record the original Dockerfile for pushing later. + cp "$dockerfile_path" /shared/Dockerfile + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" touch /var/lib/containers/java @@ -619,6 +623,28 @@ spec: image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 name: upload-sbom workingDir: /var/workdir + - computeResources: {} + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /shared/Dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + name: push-dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artifact_type=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd "$(dirname $DOCKERFILE_PATH)" + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)" volumes: - name: additional-secret secret: diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index d884cd3d11..d6538ddc8a 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml 
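Review bot: The `push-dockerfile` step reads `/shared/Dockerfile` without checking that the earlier `cp "$dockerfile_path" /shared/Dockerfile` left a file there. This is a remote-build variant, and it is not visible from these hunks whether the script containing the `cp` runs in the same pod that mounts `/shared` for the later step; if it does not, `oras push` would presumably fail with an error that does not name the cause. A guard before the `cd` makes that explicit: `[ -f "$DOCKERFILE_PATH" ] || { echo "Dockerfile copy not found at $DOCKERFILE_PATH" >&2; exit 1; }`. The same applies to the identical step in task/buildah-remote/0.1/buildah-remote.yaml. The build script around the `cp` starts and ends outside the hunk.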
@@ -257,6 +257,10 @@ spec: echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi + + # Record the original Dockerfile for pushing later. + cp "$dockerfile_path" /shared/Dockerfile + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" touch /var/lib/containers/java @@ -616,6 +620,28 @@ spec: image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 name: upload-sbom workingDir: $(workspaces.source.path) + - computeResources: {} + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /shared/Dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + name: push-dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artifact_type=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd "$(dirname $DOCKERFILE_PATH)" + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)" volumes: - emptyDir: {} name: varlibcontainers diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index fe15071f82..6a7db2c18a 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml +++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml 
@@ -76,6 +76,8 @@ spec: exit 1 fi + cp "$dockerfile_path" /tmp/files/Dockerfile + BUILDAH_ARGS=() if [ -n "${BUILD_ARGS_FILE}" ]; then BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}") @@ -216,6 +218,28 @@ spec: name: tmpfiles workingDir: /tmp/files + - name: push-dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /tmp/files/Dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artifact_type=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd $(dirname "$DOCKERFILE_PATH") + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)" + volumes: - emptyDir: {} name: varlibcontainers diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 54bca444a7..1d5fc963fa 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -112,6 +112,7 @@ spec: type: string - name: JAVA_COMMUNITY_DEPENDENCIES description: The Java dependencies that came from community sources such as Maven central. + stepTemplate: volumeMounts: - mountPath: /shared 
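Review bot: In task/buildah-rhtap/0.1/buildah-rhtap.yaml the `cp "$dockerfile_path" /tmp/files/Dockerfile` line has no comment, unlike the same copy in the other buildah tasks; adding `# Record the original Dockerfile for pushing later.` above it keeps the intent visible. In the new `push-dockerfile` step, `cd $(dirname "$DOCKERFILE_PATH")` leaves the command substitution unquoted while the sibling tasks quote it; `cd "$(dirname "$DOCKERFILE_PATH")"` is the consistent form.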
@@ -202,6 +203,10 @@ spec: echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi + + # Record the original Dockerfile for pushing later. + cp "$dockerfile_path" /shared/Dockerfile + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" touch /var/lib/containers/java @@ -520,6 +525,28 @@ spec: - $(params.IMAGE) workingDir: $(workspaces.source.path) + - name: push-dockerfile + image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39 + env: + - name: IMAGE_DIGEST_FILE + value: $(results.IMAGE_DIGEST.path) + - name: DOCKERFILE_PATH + value: /shared/Dockerfile + script: | + suffix=".dockerfile" + image_without_tag=${IMAGE%:*} + # remove the potential existing newline + manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n') + dockerfile_image=${image_without_tag}:${manifest_digest/:/-}${suffix} + artifact_type=application/vnd.konflux.dockerfile + + echo "Selecting auth for $IMAGE" + auth_json=$(mktemp) + select-oci-auth $IMAGE >"$auth_json" + + cd "$(dirname $DOCKERFILE_PATH)" + retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artifact_type" "$dockerfile_image" "$(basename $DOCKERFILE_PATH)" + volumes: - name: varlibcontainers emptyDir: {}
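Review bot: The `push-dockerfile` step publishes the Dockerfile under a tag derived from the image digest (`sha256-<digest>.dockerfile`), but nothing documents that convention or records the digest of the pushed artifact. A tag can be overwritten by anyone with push access to the repository unless the registry enforces immutability, so a consumer looking for the Dockerfile behind a given image has no pinned reference to check against. At minimum add a comment above the tag computation, for example `# Tag convention: <repo>:sha256-<image digest>.dockerfile; the tag is mutable, resolve it to a digest before trusting the content`. Whether the artifact digest should also be written to a task result is a design decision for the authors. This applies to every `push-dockerfile` step in the patch.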