From bf099f908b9aa2ff9aba59916c1a22adddb6abf3 Mon Sep 17 00:00:00 2001 From: arewm Date: Mon, 29 Jul 2024 11:49:07 -0400 Subject: [PATCH] Enable remote tasks to be run in cluster By default, we should run builds matching the local architecture in-cluster to reduce the overhead of provisioning platforms. This will enable a fully matrixed build for all images using only the remote builds. This change will require the multi-platform controller to set the /ssh/host to localhost in order for the builds to run in-cluster. In a change from the prior behavior, we will now append a sanitized version of the entire PLATFORM to the image tag upon request. This behavior now needs to be explicitly requested. Signed-off-by: arewm --- task-generator/remote/main.go | 117 +++++++----- .../0.1/buildah-remote-oci-ta.yaml | 134 ++++++++------ .../0.2/buildah-remote-oci-ta.yaml | 173 ++++++++++-------- task/buildah-remote/0.1/buildah-remote.yaml | 136 ++++++++------ task/buildah-remote/0.2/buildah-remote.yaml | 173 ++++++++++-------- 5 files changed, 416 insertions(+), 317 deletions(-) diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go index 7d9b74f5d7..de2fa32353 100644 --- a/task-generator/remote/main.go +++ b/task-generator/remote/main.go 
@@ -102,14 +102,16 @@ func convertToSsh(task *tektonapi.Task, taskVersion string) { // The images produced in multi-platform builds need to have unique tags in order // to prevent them from getting garbage collected before generating the image index. // We can simplify this process, preventing the need for users to manually specify - // the image by auto-appending the architecture from the PLATFORM parameter. For - // example, this will append -arm64 if PLATFORM is linux/arm64 if not present. Since - // we cannot modify the parameter itself, this replacement needs to happen in any task - // step where the IMAGE parameter is used. - // If a user defines the IMAGE parameter with an -arm64 suffix, the arm64 suffix will - // not be appended again based on the PLATFORM. - adjustRemoteImage := `if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + // the image by auto-appending the a sanitized PLATFORM parameter. For example, this + // will append linux-arm64 if PLATFORM is linux/arm64 and IMAGE_APPEND_PLATFORM is true. + // Many special characters are not allowed in tags so we will replace anything that + // isn't alphanumeric with a "-" to be safe. Since we cannot modify the parameter itself, + // this replacement needs to happen in any task step where the IMAGE parameter is used. + // IMAGE_APPEND_PLATFORM will be set to "false" by default so appending the platform is + // and explicit opt-in. + adjustRemoteImage := `if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi ` 
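Review bot: The rewritten comment block above `adjustRemoteImage` has two typos that make the opt-in sentence hard to parse: `// the image by auto-appending the a sanitized PLATFORM parameter.` should read `// the image by auto-appending a sanitized PLATFORM parameter.`, and `// and explicit opt-in.` should read `// an explicit opt-in.`. Since the removed idempotency guard (`"${IMAGE##*-}" != "${PLATFORM##*/}"`) is gone, the comment should also say that the snippet now appends unconditionally whenever the flag is "true"; that is presumably safe because each step's shell starts from the unmodified IMAGE parameter, but it is worth stating so nobody reintroduces a second application within one script. convertToSsh starts before this hunk.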
@@ -142,55 +144,65 @@ if [ -e "/ssh/error" ]; then #no server could be provisioned cat /ssh/error exit 1 +fi +export SSH_HOST=$(cat /ssh/host) +[ "$SSH_HOST" == "localhost" ] && IS_LOCALHOST=true + +if [[ $IS_LOCALHOST ]]; then + echo "Localhost detected; running build in cluster" elif [ -e "/ssh/otp" ]; then - curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa - echo "" >> ~/.ssh/id_rsa + curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa + echo "" >> ~/.ssh/id_rsa else cp /ssh/id_rsa ~/.ssh fi -chmod 0400 ~/.ssh/id_rsa -export SSH_HOST=$(cat /ssh/host) -export BUILD_DIR=$(cat /ssh/user-dir) -export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + mkdir -p scripts -echo "$BUILD_DIR" -ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" - -PORT_FORWARD="" -PODMAN_PORT_FORWARD="" -if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then -PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" -PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" -fi + +if ! 
[[ $IS_LOCALHOST ]]; then + chmod 0400 ~/.ssh/id_rsa + export BUILD_DIR=$(cat /ssh/user-dir) + export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + echo "$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" + + PORT_FORWARD="" + PODMAN_PORT_FORWARD="" + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then + PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" + PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + fi ` - if taskVersion != "0.1" { - ret += adjustRemoteImage - } env := "$PODMAN_PORT_FORWARD \\\n" // disable podman subscription-manager integration - env += " --tmpfs /run/secrets \\\n" + env += " --tmpfs /run/secrets \\\n" // Before the build we sync the contents of the workspace to the remote host for _, workspace := range task.Spec.Workspaces { - ret += "\nrsync -ra $(workspaces." + workspace.Name + ".path)/ \"$SSH_HOST:$BUILD_DIR/workspaces/" + workspace.Name + "/\"" - podmanArgs += " -v \"$BUILD_DIR/workspaces/" + workspace.Name + ":$(workspaces." + workspace.Name + ".path):Z\" \\\n" + ret += "\n rsync -ra $(workspaces." + workspace.Name + ".path)/ \"$SSH_HOST:$BUILD_DIR/workspaces/" + workspace.Name + "/\"" + podmanArgs += " -v \"$BUILD_DIR/workspaces/" + workspace.Name + ":$(workspaces." 
+ workspace.Name + ".path):Z\" \\\n" } // Also sync the volume mounts from the template for _, volume := range task.Spec.StepTemplate.VolumeMounts { - ret += "\nrsync -ra " + volume.MountPath + "/ \"$SSH_HOST:$BUILD_DIR/volumes/" + volume.Name + "/\"" - podmanArgs += " -v \"$BUILD_DIR/volumes/" + volume.Name + ":" + volume.MountPath + ":Z\" \\\n" + ret += "\n rsync -ra " + volume.MountPath + "/ \"$SSH_HOST:$BUILD_DIR/volumes/" + volume.Name + "/\"" + podmanArgs += " -v \"$BUILD_DIR/volumes/" + volume.Name + ":" + volume.MountPath + ":Z\" \\\n" } for _, volume := range step.VolumeMounts { if syncVolumes[volume.Name] { - ret += "\nrsync -ra " + volume.MountPath + "/ \"$SSH_HOST:$BUILD_DIR/volumes/" + volume.Name + "/\"" - podmanArgs += " -v \"$BUILD_DIR/volumes/" + volume.Name + ":" + volume.MountPath + ":Z\" \\\n" + ret += "\n rsync -ra " + volume.MountPath + "/ \"$SSH_HOST:$BUILD_DIR/volumes/" + volume.Name + "/\"" + podmanArgs += " -v \"$BUILD_DIR/volumes/" + volume.Name + ":" + volume.MountPath + ":Z\" \\\n" } } - ret += "\nrsync -ra \"$HOME/.docker/\" \"$SSH_HOST:$BUILD_DIR/.docker/\"" - podmanArgs += " -v \"$BUILD_DIR/.docker/:/root/.docker:Z\" \\\n" - ret += "\nrsync -ra \"/tekton/results/\" \"$SSH_HOST:$BUILD_DIR/tekton-results/\"" - podmanArgs += " -v \"$BUILD_DIR/tekton-results/:/tekton/results:Z\" \\\n" + ret += "\n rsync -ra \"$HOME/.docker/\" \"$SSH_HOST:$BUILD_DIR/.docker/\"" + podmanArgs += " -v \"$BUILD_DIR/.docker/:/root/.docker:Z\" \\\n" + ret += "\n rsync -ra \"/tekton/results/\" \"$SSH_HOST:$BUILD_DIR/results/\"" + podmanArgs += " -v \"$BUILD_DIR/results/:/tekton/results:Z\" \\\n" + ret += "\nfi\n" + + if taskVersion != "0.1" { + ret += adjustRemoteImage + } script := "scripts/script-" + step.Name + ".sh" 
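Review bot: The new `export SSH_HOST=$(cat /ssh/host)` line (and the moved `export BUILD_DIR=$(cat /ssh/user-dir)`) still combine assignment and export, so where the step script runs under `set -e` a failed read of `/ssh/host` is masked by export's own exit status and SSH_HOST is silently empty; that now also makes the `[ "$SSH_HOST" == "localhost" ]` check on the next line evaluate false, and the script continues down the remote path with no host. The earlier hunk already switched IMAGE to the split form, so the same pattern keeps this consistent: `SSH_HOST=$(cat /ssh/host)` followed by `export SSH_HOST`, and likewise `BUILD_DIR=$(cat /ssh/user-dir)` then `export BUILD_DIR`. The enclosing convertToSsh starts before this hunk and continues after it.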
@@ -212,37 +224,39 @@ fi ret += "cd " + step.WorkingDir + "\n" } ret += step.Script - ret += "\nbuildah push \"$IMAGE\" oci:rhtap-final-image" + ret += "\nbuildah push \"$IMAGE\" \"oci:konflux-final-image:$IMAGE\"" ret += "\nREMOTESSHEOF" - ret += "\nchmod +x " + script + ret += "\nchmod +x " + script + "\n" if task.Spec.StepTemplate != nil { for _, e := range task.Spec.StepTemplate.Env { - env += " -e " + e.Name + "=\"$" + e.Name + "\" \\\n" + env += " -e " + e.Name + "=\"$" + e.Name + "\" \\\n" } } - ret += "\nrsync -ra scripts \"$SSH_HOST:$BUILD_DIR\"" - containerScript := "/script/script-" + step.Name + ".sh" + ret += "\nif ! [[ $IS_LOCALHOST ]]; then" + ret += "\n rsync -ra scripts \"$SSH_HOST:$BUILD_DIR\"" + containerScript := "scripts/script-" + step.Name + ".sh" for _, e := range step.Env { - env += " -e " + e.Name + "=\"$" + e.Name + "\" \\\n" + env += " -e " + e.Name + "=\"$" + e.Name + "\" \\\n" } - podmanArgs += " -v $BUILD_DIR/scripts:/script:Z \\\n" - ret += "\nssh $SSH_ARGS \"$SSH_HOST\" $PORT_FORWARD podman run " + env + "" + podmanArgs + "--user=0 --rm \"$BUILDER_IMAGE\" " + containerScript + podmanArgs += " -v \"$BUILD_DIR/scripts:/scripts:Z\" \\\n" + ret += "\n ssh $SSH_ARGS \"$SSH_HOST\" $PORT_FORWARD podman run " + env + "" + podmanArgs + " --user=0 --rm \"$BUILDER_IMAGE\" /" + containerScript // Sync the contents of the workspaces back so subsequent tasks can use them for _, workspace := range task.Spec.Workspaces { - ret += "\nrsync -ra \"$SSH_HOST:$BUILD_DIR/workspaces/" + workspace.Name + "/\" \"$(workspaces." + workspace.Name + ".path)/\"" + ret += "\n rsync -ra \"$SSH_HOST:$BUILD_DIR/workspaces/" + workspace.Name + "/\" \"$(workspaces." 
+ workspace.Name + ".path)/\"" } for _, volume := range task.Spec.StepTemplate.VolumeMounts { - ret += "\nrsync -ra \"$SSH_HOST:$BUILD_DIR/volumes/" + volume.Name + "/\" " + volume.MountPath + "/" + ret += "\n rsync -ra \"$SSH_HOST:$BUILD_DIR/volumes/" + volume.Name + "/\" " + volume.MountPath + "/" } //sync back results - ret += "\nrsync -ra \"$SSH_HOST:$BUILD_DIR/tekton-results/\" \"/tekton/results/\"" + ret += "\n rsync -ra \"$SSH_HOST:$BUILD_DIR/results/\" \"/tekton/results/\"" - ret += "\nbuildah pull oci:rhtap-final-image" + ret += "\n buildah pull \"oci:konflux-final-image:$IMAGE\"" + ret += "\nelse\n bash " + containerScript + ret += "\nfi" ret += "\nbuildah images" - ret += "\nbuildah tag localhost/rhtap-final-image \"$IMAGE\"" ret += "\ncontainer=$(buildah from --pull-never \"$IMAGE\")\nbuildah mount \"$container\" | tee /shared/container_path\necho $container > /shared/container_name" for _, i := range strings.Split(ret, "\n") { @@ -276,5 +290,8 @@ fi task.Spec.StepTemplate.Env = append(task.Spec.StepTemplate.Env, v1.EnvVar{Name: "BUILDER_IMAGE", Value: builderImage}) if taskVersion != "0.1" { task.Spec.StepTemplate.Env = append(task.Spec.StepTemplate.Env, v1.EnvVar{Name: "PLATFORM", Value: "$(params.PLATFORM)"}) + + task.Spec.Params = append(task.Spec.Params, tektonapi.ParamSpec{Name: "IMAGE_APPEND_PLATFORM", Type: tektonapi.ParamTypeString, Description: "Whether to append a sanitized platform architecture on the IMAGE tag", Default: &tektonapi.ParamValue{StringVal: "false", Type: tektonapi.ParamTypeString}}) + task.Spec.StepTemplate.Env = append(task.Spec.StepTemplate.Env, v1.EnvVar{Name: "IMAGE_APPEND_PLATFORM", Value: "$(params.IMAGE_APPEND_PLATFORM)"}) } } diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 000ea36bf3..ffe1257fe3 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml 
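Review bot: The in-cluster branch emitted by `ret += "\nelse\n bash " + containerScript` runs the build script directly in the task container, so none of the isolation assembled in this function for the remote path applies to it: the `--tmpfs /run/secrets` mount, the explicit `-e NAME="$NAME"` allow-list accumulated in `env`, and the `--user=0 --rm "$BUILDER_IMAGE"` container boundary all live only on the `ssh ... podman run` line. The build script therefore inherits the step's full environment and operates on the real paths rather than the curated mounts, which is a trust-boundary change that should be stated next to the `else` so the two branches are not mistaken for equivalent execution paths; a comment such as `// In-cluster: the script runs unsandboxed in the task container; the podman env allow-list and --tmpfs above do not apply.` would do. The same shape is reproduced in the generated task YAMLs in this commit. The enclosing function continues past this hunk.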
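Review bot: The Description on the new `IMAGE_APPEND_PLATFORM` ParamSpec says it appends a "platform architecture", but the shell it controls appends the whole sanitized PLATFORM value (for `linux/arm64` the tag gets `-linux-arm64`, per the comment in the first hunk), so a user reading only the task parameters will expect `-arm64` and the old behaviour. Suggest `Description: "Whether to append the sanitized PLATFORM value (e.g. -linux-arm64) to the IMAGE tag; off by default"`. The same wording appears in the generated task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml params hunk and should be regenerated with it. The function holding this block starts before the hunk.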
@@ -220,35 +220,45 @@ spec: #no server could be provisioned cat /ssh/error exit 1 + fi + export SSH_HOST=$(cat /ssh/host) + [ "$SSH_HOST" == "localhost" ] && IS_LOCALHOST=true + + if [[ $IS_LOCALHOST ]]; then + echo "Localhost detected; running build in cluster" elif [ -e "/ssh/otp" ]; then - curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa - echo "" >> ~/.ssh/id_rsa + curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa + echo "" >> ~/.ssh/id_rsa else cp /ssh/id_rsa ~/.ssh fi - chmod 0400 ~/.ssh/id_rsa - export SSH_HOST=$(cat /ssh/host) - export BUILD_DIR=$(cat /ssh/user-dir) - export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + mkdir -p scripts - echo "$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" - - PORT_FORWARD="" - PODMAN_PORT_FORWARD="" - if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then - PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" - PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + + if ! 
[[ $IS_LOCALHOST ]]; then + chmod 0400 ~/.ssh/id_rsa + export BUILD_DIR=$(cat /ssh/user-dir) + export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + echo "$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" + + PORT_FORWARD="" + PODMAN_PORT_FORWARD="" + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then + PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" + PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + fi + + rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" + rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" + rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" + rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" + rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" + rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" + rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" + rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/results/" fi - rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" - rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" - rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" - rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" - rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" - rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" - rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" - rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" cat >scripts/script-build.sh <<'REMOTESSHEOF' #!/bin/bash set -o verbose 
@@ -428,47 +438,51 @@ spec: # Needed to generate base images SBOM echo "$BASE_IMAGES" >/var/workdir/base_images_from_dockerfile - buildah push "$IMAGE" oci:rhtap-final-image + buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh - rsync -ra scripts "$SSH_HOST:$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ - --tmpfs /run/secrets \ - -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ - -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ - -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ - -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ - -e CONTEXT="$CONTEXT" \ - -e DOCKERFILE="$DOCKERFILE" \ - -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ - -e HERMETIC="$HERMETIC" \ - -e IMAGE="$IMAGE" \ - -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ - -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ - -e SQUASH="$SQUASH" \ - -e STORAGE_DRIVER="$STORAGE_DRIVER" \ - -e TARGET_STAGE="$TARGET_STAGE" \ - -e TLSVERIFY="$TLSVERIFY" \ - -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ - -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ - -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ - -e COMMIT_SHA="$COMMIT_SHA" \ - -v "$BUILD_DIR/volumes/shared:/shared:Z" \ - -v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \ - -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ - -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ - -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ - -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ - -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ - -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ - -v $BUILD_DIR/scripts:/script:Z \ - --user=0 --rm "$BUILDER_IMAGE" /script/script-build.sh - rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ - rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ - rsync -ra "$SSH_HOST:$BUILD_DIR/tekton-results/" "/tekton/results/" - buildah pull oci:rhtap-final-image + + if ! 
[[ $IS_LOCALHOST ]]; then + rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ + --tmpfs /run/secrets \ + -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ + -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ + -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ + -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ + -e CONTEXT="$CONTEXT" \ + -e DOCKERFILE="$DOCKERFILE" \ + -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ + -e HERMETIC="$HERMETIC" \ + -e IMAGE="$IMAGE" \ + -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ + -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ + -e SQUASH="$SQUASH" \ + -e STORAGE_DRIVER="$STORAGE_DRIVER" \ + -e TARGET_STAGE="$TARGET_STAGE" \ + -e TLSVERIFY="$TLSVERIFY" \ + -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ + -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ + -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ + -e COMMIT_SHA="$COMMIT_SHA" \ + -v "$BUILD_DIR/volumes/shared:/shared:Z" \ + -v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \ + -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ + -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ + -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ + -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ + -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ + -v "$BUILD_DIR/results/:/tekton/results:Z" \ + -v "$BUILD_DIR/scripts:/scripts:Z" \ + --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh + rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ + rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ + rsync -ra "$SSH_HOST:$BUILD_DIR/results/" "/tekton/results/" + buildah pull "oci:konflux-final-image:$IMAGE" + else + bash scripts/script-build.sh + fi buildah images - buildah tag localhost/rhtap-final-image "$IMAGE" container=$(buildah from --pull-never "$IMAGE") buildah mount "$container" | tee /shared/container_path echo $container > /shared/container_name 
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 150d00c883..dbf09c61db 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -127,6 +127,11 @@ spec: - description: The platform to build on name: PLATFORM type: string + - default: "false" + description: Whether to append a sanitized platform architecture on the IMAGE + tag + name: IMAGE_APPEND_PLATFORM + type: string results: - description: Digest of the image just built name: IMAGE_DIGEST @@ -189,6 +194,8 @@ spec: value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 - name: PLATFORM value: $(params.PLATFORM) + - name: IMAGE_APPEND_PLATFORM + value: $(params.IMAGE_APPEND_PLATFORM) volumeMounts: - mountPath: /shared name: shared 
@@ -225,38 +232,49 @@ spec: #no server could be provisioned cat /ssh/error exit 1 + fi + export SSH_HOST=$(cat /ssh/host) + [ "$SSH_HOST" == "localhost" ] && IS_LOCALHOST=true + + if [[ $IS_LOCALHOST ]]; then + echo "Localhost detected; running build in cluster" elif [ -e "/ssh/otp" ]; then - curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa - echo "" >> ~/.ssh/id_rsa + curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa + echo "" >> ~/.ssh/id_rsa else cp /ssh/id_rsa ~/.ssh fi - chmod 0400 ~/.ssh/id_rsa - export SSH_HOST=$(cat /ssh/host) - export BUILD_DIR=$(cat /ssh/user-dir) - export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + mkdir -p scripts - echo "$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" - - PORT_FORWARD="" - PODMAN_PORT_FORWARD="" - if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then - PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" - PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + + if ! 
[[ $IS_LOCALHOST ]]; then + chmod 0400 ~/.ssh/id_rsa + export BUILD_DIR=$(cat /ssh/user-dir) + export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + echo "$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" + + PORT_FORWARD="" + PODMAN_PORT_FORWARD="" + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then + PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" + PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + fi + + rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" + rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" + rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" + rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" + rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" + rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" + rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" + rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/results/" fi - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi - rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" - rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" - rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" - rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" - rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" - rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" - rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" - rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" cat >scripts/script-build.sh <<'REMOTESSHEOF' 
#!/bin/bash set -e 
@@ -438,48 +456,52 @@ spec: # Needed to generate base images SBOM echo "$BASE_IMAGES" >/shared/base_images_from_dockerfile - buildah push "$IMAGE" oci:rhtap-final-image + buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh - rsync -ra scripts "$SSH_HOST:$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ - --tmpfs /run/secrets \ - -e ACTIVATION_KEY="$ACTIVATION_KEY" \ - -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ - -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ - -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ - -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ - -e CONTEXT="$CONTEXT" \ - -e DOCKERFILE="$DOCKERFILE" \ - -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ - -e HERMETIC="$HERMETIC" \ - -e IMAGE="$IMAGE" \ - -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ - -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ - -e SQUASH="$SQUASH" \ - -e STORAGE_DRIVER="$STORAGE_DRIVER" \ - -e TARGET_STAGE="$TARGET_STAGE" \ - -e TLSVERIFY="$TLSVERIFY" \ - -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ - -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ - -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ - -e COMMIT_SHA="$COMMIT_SHA" \ - -v "$BUILD_DIR/volumes/shared:/shared:Z" \ - -v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \ - -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ - -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ - -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ - -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ - -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ - -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ - -v $BUILD_DIR/scripts:/script:Z \ - --user=0 --rm "$BUILDER_IMAGE" /script/script-build.sh - rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ - rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ - rsync -ra "$SSH_HOST:$BUILD_DIR/tekton-results/" "/tekton/results/" - buildah pull oci:rhtap-final-image + + if ! 
[[ $IS_LOCALHOST ]]; then + rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ + --tmpfs /run/secrets \ + -e ACTIVATION_KEY="$ACTIVATION_KEY" \ + -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ + -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ + -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ + -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ + -e CONTEXT="$CONTEXT" \ + -e DOCKERFILE="$DOCKERFILE" \ + -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ + -e HERMETIC="$HERMETIC" \ + -e IMAGE="$IMAGE" \ + -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ + -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ + -e SQUASH="$SQUASH" \ + -e STORAGE_DRIVER="$STORAGE_DRIVER" \ + -e TARGET_STAGE="$TARGET_STAGE" \ + -e TLSVERIFY="$TLSVERIFY" \ + -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ + -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ + -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ + -e COMMIT_SHA="$COMMIT_SHA" \ + -v "$BUILD_DIR/volumes/shared:/shared:Z" \ + -v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \ + -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ + -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ + -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ + -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ + -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ + -v "$BUILD_DIR/results/:/tekton/results:Z" \ + -v "$BUILD_DIR/scripts:/scripts:Z" \ + --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh + rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ + rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ + rsync -ra "$SSH_HOST:$BUILD_DIR/results/" "/tekton/results/" + buildah pull "oci:konflux-final-image:$IMAGE" + else + bash scripts/script-build.sh + fi buildah images - buildah tag localhost/rhtap-final-image "$IMAGE" container=$(buildah from --pull-never "$IMAGE") buildah mount "$container" | tee /shared/container_path echo $container > /shared/container_name 
@@ -515,8 +537,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi echo "Running syft on the source directory" syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json @@ -541,8 +564,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi if [ -f /var/lib/containers/java ]; then /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) @@ -569,8 +593,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" python3 /scripts/merge_syft_sboms.py @@ -604,8 +629,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt @@ -681,8 +707,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then 
diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index aa3cdb0ceb..fca8faf5c8 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml 
@@ -208,35 +208,45 @@ spec: #no server could be provisioned cat /ssh/error exit 1 + fi + export SSH_HOST=$(cat /ssh/host) + [ "$SSH_HOST" == "localhost" ] && IS_LOCALHOST=true + + if [[ $IS_LOCALHOST ]]; then + echo "Localhost detected; running build in cluster" elif [ -e "/ssh/otp" ]; then - curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa - echo "" >> ~/.ssh/id_rsa + curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa + echo "" >> ~/.ssh/id_rsa else cp /ssh/id_rsa ~/.ssh fi - chmod 0400 ~/.ssh/id_rsa - export SSH_HOST=$(cat /ssh/host) - export BUILD_DIR=$(cat /ssh/user-dir) - export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + mkdir -p scripts - echo "$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" - - PORT_FORWARD="" - PODMAN_PORT_FORWARD="" - if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then - PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" - PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + + if ! 
[[ $IS_LOCALHOST ]]; then + chmod 0400 ~/.ssh/id_rsa + export BUILD_DIR=$(cat /ssh/user-dir) + export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + echo "$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" + + PORT_FORWARD="" + PODMAN_PORT_FORWARD="" + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then + PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" + PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + fi + + rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" + rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" + rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" + rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" + rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" + rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" + rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" + rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/results/" fi - rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" - rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" - rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" - rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" - rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" - rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" - rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" - rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" cat >scripts/script-build.sh <<'REMOTESSHEOF' #!/bin/bash set -o verbose 
@@ -420,48 +430,52 @@ spec: # Needed to generate base images SBOM echo "$BASE_IMAGES" > $(workspaces.source.path)/base_images_from_dockerfile - buildah push "$IMAGE" oci:rhtap-final-image + buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh - rsync -ra scripts "$SSH_HOST:$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ - --tmpfs /run/secrets \ - -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ - -e STORAGE_DRIVER="$STORAGE_DRIVER" \ - -e HERMETIC="$HERMETIC" \ - -e CONTEXT="$CONTEXT" \ - -e DOCKERFILE="$DOCKERFILE" \ - -e IMAGE="$IMAGE" \ - -e TLSVERIFY="$TLSVERIFY" \ - -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ - -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ - -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ - -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ - -e TARGET_STAGE="$TARGET_STAGE" \ - -e PARAM_BUILDER_IMAGE="$PARAM_BUILDER_IMAGE" \ - -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ - -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ - -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ - -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ - -e SQUASH="$SQUASH" \ - -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ - -e COMMIT_SHA="$COMMIT_SHA" \ - -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ - -v "$BUILD_DIR/volumes/shared:/shared:Z" \ - -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ - -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ - -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ - -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ - -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ - -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ - -v $BUILD_DIR/scripts:/script:Z \ - --user=0 --rm "$BUILDER_IMAGE" /script/script-build.sh - rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" - rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ - rsync -ra "$SSH_HOST:$BUILD_DIR/tekton-results/" "/tekton/results/" - buildah pull 
oci:rhtap-final-image + + if ! [[ $IS_LOCALHOST ]]; then + rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ + --tmpfs /run/secrets \ + -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ + -e STORAGE_DRIVER="$STORAGE_DRIVER" \ + -e HERMETIC="$HERMETIC" \ + -e CONTEXT="$CONTEXT" \ + -e DOCKERFILE="$DOCKERFILE" \ + -e IMAGE="$IMAGE" \ + -e TLSVERIFY="$TLSVERIFY" \ + -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ + -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ + -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ + -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ + -e TARGET_STAGE="$TARGET_STAGE" \ + -e PARAM_BUILDER_IMAGE="$PARAM_BUILDER_IMAGE" \ + -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ + -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ + -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ + -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ + -e SQUASH="$SQUASH" \ + -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ + -e COMMIT_SHA="$COMMIT_SHA" \ + -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ + -v "$BUILD_DIR/volumes/shared:/shared:Z" \ + -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ + -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ + -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ + -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ + -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ + -v "$BUILD_DIR/results/:/tekton/results:Z" \ + -v "$BUILD_DIR/scripts:/scripts:Z" \ + --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh + rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" + rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ + rsync -ra "$SSH_HOST:$BUILD_DIR/results/" "/tekton/results/" + buildah pull "oci:konflux-final-image:$IMAGE" + else + bash scripts/script-build.sh + fi buildah images - buildah tag localhost/rhtap-final-image "$IMAGE" container=$(buildah from --pull-never "$IMAGE") buildah mount "$container" | tee /shared/container_path echo 
$container > /shared/container_name diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 5b89063723..cad91a4002 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -118,6 +118,11 @@ spec: - description: The platform to build on name: PLATFORM type: string + - default: "false" + description: Whether to append a sanitized platform architecture on the IMAGE + tag + name: IMAGE_APPEND_PLATFORM + type: string results: - description: Digest of the image just built name: IMAGE_DIGEST @@ -180,6 +185,8 @@ spec: value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 - name: PLATFORM value: $(params.PLATFORM) + - name: IMAGE_APPEND_PLATFORM + value: $(params.IMAGE_APPEND_PLATFORM) volumeMounts: - mountPath: /shared name: shared 
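Review bot: The new `else` branch runs `bash scripts/script-build.sh` directly in the step container, whereas the remote branch wraps the same script in `podman run --tmpfs /run/secrets` with an explicit `-e` and `-v` allowlist, so an in-cluster build sees everything mounted into and exported by the step (the `/ssh` secret among them) rather than the curated set. If that is intended, a comment on the `else` such as `# in-cluster build: runs with the step's own mounts and environment, not the podman allowlist used for remote hosts` records the asymmetry, and a follow-up could invoke the script with the same explicit variable set. The branch's non-zero exit only aborts the step if the enclosing script runs under `set -e` (its header is outside the hunk); otherwise the later `buildah from --pull-never "$IMAGE"` fails with a less obvious error, so `bash scripts/script-build.sh || exit 1` is the defensive form. The 0.2 task has the same branch at `@@ -420,48 +438,52 @@`.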
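Review bot: The `IMAGE_APPEND_PLATFORM` description says a sanitized platform architecture is appended, but the script appends the whole sanitized `PLATFORM` value (`${PLATFORM//[^a-zA-Z0-9]/-}`, so `linux/arm64` yields `-linux-arm64`, not `-arm64`), and the check is an exact match against the literal `"true"`. Suggest `description: Whether to append the sanitized PLATFORM value (e.g. "-linux-arm64") to the IMAGE tag; only the literal "true" enables it` so users migrating from the previous implicit `-arm64` suffix are not surprised by the new tag.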
@@ -207,38 +214,49 @@ spec: #no server could be provisioned cat /ssh/error exit 1 + fi + export SSH_HOST=$(cat /ssh/host) + [ "$SSH_HOST" == "localhost" ] && IS_LOCALHOST=true + + if [[ $IS_LOCALHOST ]]; then + echo "Localhost detected; running build in cluster" elif [ -e "/ssh/otp" ]; then - curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa - echo "" >> ~/.ssh/id_rsa + curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa + echo "" >> ~/.ssh/id_rsa else cp /ssh/id_rsa ~/.ssh fi - chmod 0400 ~/.ssh/id_rsa - export SSH_HOST=$(cat /ssh/host) - export BUILD_DIR=$(cat /ssh/user-dir) - export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + mkdir -p scripts - echo "$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" - - PORT_FORWARD="" - PODMAN_PORT_FORWARD="" - if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then - PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" - PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + + if ! 
[[ $IS_LOCALHOST ]]; then + chmod 0400 ~/.ssh/id_rsa + export BUILD_DIR=$(cat /ssh/user-dir) + export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" + echo "$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" + + PORT_FORWARD="" + PODMAN_PORT_FORWARD="" + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then + PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" + PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + fi + + rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" + rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" + rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" + rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" + rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" + rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" + rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" + rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/results/" fi - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi - rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" - rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" - rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" - rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" - rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" - rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" - rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" - rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" cat 
>scripts/script-build.sh <<'REMOTESSHEOF' #!/bin/bash set -e 
@@ -420,48 +438,52 @@ spec: # Needed to generate base images SBOM echo "$BASE_IMAGES" > /shared/base_images_from_dockerfile - buildah push "$IMAGE" oci:rhtap-final-image + buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh - rsync -ra scripts "$SSH_HOST:$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ - --tmpfs /run/secrets \ - -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ - -e STORAGE_DRIVER="$STORAGE_DRIVER" \ - -e HERMETIC="$HERMETIC" \ - -e CONTEXT="$CONTEXT" \ - -e DOCKERFILE="$DOCKERFILE" \ - -e IMAGE="$IMAGE" \ - -e TLSVERIFY="$TLSVERIFY" \ - -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ - -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ - -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ - -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ - -e TARGET_STAGE="$TARGET_STAGE" \ - -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ - -e ACTIVATION_KEY="$ACTIVATION_KEY" \ - -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ - -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ - -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ - -e SQUASH="$SQUASH" \ - -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ - -e COMMIT_SHA="$COMMIT_SHA" \ - -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ - -v "$BUILD_DIR/volumes/shared:/shared:Z" \ - -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ - -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ - -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ - -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ - -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ - -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ - -v $BUILD_DIR/scripts:/script:Z \ - --user=0 --rm "$BUILDER_IMAGE" /script/script-build.sh - rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" - rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ - rsync -ra "$SSH_HOST:$BUILD_DIR/tekton-results/" "/tekton/results/" - buildah pull oci:rhtap-final-image + + if ! 
[[ $IS_LOCALHOST ]]; then + rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ + --tmpfs /run/secrets \ + -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ + -e STORAGE_DRIVER="$STORAGE_DRIVER" \ + -e HERMETIC="$HERMETIC" \ + -e CONTEXT="$CONTEXT" \ + -e DOCKERFILE="$DOCKERFILE" \ + -e IMAGE="$IMAGE" \ + -e TLSVERIFY="$TLSVERIFY" \ + -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ + -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ + -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ + -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ + -e TARGET_STAGE="$TARGET_STAGE" \ + -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ + -e ACTIVATION_KEY="$ACTIVATION_KEY" \ + -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ + -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ + -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ + -e SQUASH="$SQUASH" \ + -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ + -e COMMIT_SHA="$COMMIT_SHA" \ + -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ + -v "$BUILD_DIR/volumes/shared:/shared:Z" \ + -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ + -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ + -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ + -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ + -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ + -v "$BUILD_DIR/results/:/tekton/results:Z" \ + -v "$BUILD_DIR/scripts:/scripts:Z" \ + --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh + rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" + rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ + rsync -ra "$SSH_HOST:$BUILD_DIR/results/" "/tekton/results/" + buildah pull "oci:konflux-final-image:$IMAGE" + else + bash scripts/script-build.sh + fi buildah images - buildah tag localhost/rhtap-final-image "$IMAGE" container=$(buildah from --pull-never "$IMAGE") buildah mount "$container" | tee /shared/container_path echo $container > /shared/container_name 
@@ -497,8 +519,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi echo "Running syft on the source directory" syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json @@ -523,8 +546,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi if [ -f /var/lib/containers/java ]; then /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) @@ -551,8 +575,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" python3 /scripts/merge_syft_sboms.py @@ -586,8 +611,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt 
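Review bot: Each of these steps (`@@ -497`, `@@ -523`, `@@ -551`, `@@ -586`, and `@@ -663` on the following line) now branches on `${IMAGE_APPEND_PLATFORM}`, but the only env entry added for it is the one at `@@ -180,6 +185,8 @@`; if that block is the task's `stepTemplate.env` every step inherits it, but if it belongs to the build step alone these steps would see an empty value, skip the suffix, and silently operate on a different `IMAGE` than the one that was built and pushed. The enclosing key of that env block is outside the hunk and worth confirming; a guard makes the failure visible either way: `: "${IMAGE_APPEND_PLATFORM:?IMAGE_APPEND_PLATFORM must be set}"` before the `if`. Likewise an unset `PLATFORM` with appending enabled yields a tag ending in `-` rather than an error, so the same `:?` guard on `PLATFORM` inside the `if` would help.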
@@ -663,8 +689,9 @@ spec: script: | #!/bin/bash set -e - if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then - export IMAGE="${IMAGE}-${PLATFORM##*/}" + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then