From c5e05c0e79dbc244a0bbe2479193ca7a6a16507a Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 20 Dec 2024 09:25:14 -0500 Subject: [PATCH] Move this to its own step --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 53 +++++++----------- .../0.2/buildah-remote-oci-ta.yaml | 53 +++++++----------- task/buildah-remote/0.2/buildah-remote.yaml | 54 +++++++------------ task/buildah/0.2/buildah.yaml | 54 +++++++------------ 4 files changed, 75 insertions(+), 139 deletions(-) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index c060258608..4a9cc809f6 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml 
@@ -523,40 +523,6 @@ spec: if [ -f "/tmp/cachi2/output/bom.json" ]; then echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - - # Inject a content sets file for backwards compatibility - # This is only possible for images built hermetically with prefetch - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") - cat >content-sets.json <content-sets.json.tmp - mv content-sets.json.tmp content-sets.json - done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" - - echo "Writing to /root/buildinfo/content_manifests/content-sets.json" - buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ - buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" - # End content sets backwards compatibility fi buildah mount $container | tee /shared/container_path @@ -584,6 +550,25 @@ spec: capabilities: add: - SETFCAP + - name: icm + image: quay.io/rbean/testing:icm-injection-scripts + args: + - $(params.IMAGE) + workingDir: /var/workdir + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + securityContext: + capabilities: + add: + - SETFCAP - name: push image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c workingDir: /var/workdir 
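Review bot: The new `icm` step pulls `quay.io/rbean/testing:icm-injection-scripts`, a personal-namespace image referenced by a mutable tag with no digest, while the `push` step directly below it pins `quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c`. Because this step runs with SETFCAP, shares `/var/lib/containers` with the build, and takes over the inline script that rewrote the image's content-sets file and base-image annotations, its image should be pinned the same way before merge, e.g. `image: quay.io/konflux-ci/<icm-image>@sha256:<digest>` (placeholders for the final location and digest). The removed script only ran inside `if [ -f "/tmp/cachi2/output/bom.json" ]` and honoured `${SQUASH}` on `buildah commit`; the step receives only `$(params.IMAGE)`, so whether it still skips non-hermetic builds and respects SQUASH now depends on the script baked into the image, which is not visible here. A short comment on the step stating those two contracts, or passing SQUASH as an explicit arg or env entry, would keep them reviewable from the task definition. The same points apply to the `icm` steps added in buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml.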
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 2788b3de6e..089d0f2f18 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -557,40 +557,6 @@ spec: if [ -f "/tmp/cachi2/output/bom.json" ]; then echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - - # Inject a content sets file for backwards compatibility - # This is only possible for images built hermetically with prefetch - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") - cat >content-sets.json <content-sets.json.tmp - mv content-sets.json.tmp content-sets.json - done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" - - echo "Writing to /root/buildinfo/content_manifests/content-sets.json" - buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ - buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" - # End content sets backwards compatibility fi buildah mount $container | tee /shared/container_path 
@@ -680,6 +646,25 @@ spec: name: ssh readOnly: true workingDir: /var/workdir + - args: + - $(params.IMAGE) + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + image: quay.io/rbean/testing:icm-injection-scripts + name: icm + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: /var/workdir - computeResources: limits: cpu: "4" diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 1b3b66f755..89356faa51 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml 
@@ -534,41 +534,6 @@ spec: if [ -f "/tmp/cachi2/output/bom.json" ]; then echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - - # Inject a content sets file for backwards compatibility - # This is only possible for images built hermetically with prefetch - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") - cat >content-sets.json < content-sets.json.tmp - mv content-sets.json.tmp content-sets.json - done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" - - echo "Writing to /root/buildinfo/content_manifests/content-sets.json" - buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ - buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" - # End content sets backwards compatibility fi buildah mount $container | tee /shared/container_path @@ -658,6 +623,25 @@ spec: name: ssh readOnly: true workingDir: $(workspaces.source.path) + - args: + - $(params.IMAGE) + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + image: quay.io/rbean/testing:icm-injection-scripts + name: icm + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) - computeResources: limits: cpu: "4" diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 692aa9b835..e96402f677 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml 
@@ -455,41 +455,6 @@ spec: if [ -f "/tmp/cachi2/output/bom.json" ]; then echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - - # Inject a content sets file for backwards compatibility - # This is only possible for images built hermetically with prefetch - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") - cat >content-sets.json < content-sets.json.tmp - mv content-sets.json.tmp content-sets.json - done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" - - echo "Writing to /root/buildinfo/content_manifests/content-sets.json" - buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ - buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" - # End content sets backwards compatibility fi buildah mount $container | tee /shared/container_path @@ -524,7 +489,24 @@ spec: mountPath: /mnt/trusted-ca readOnly: true workingDir: $(workspaces.source.path) - + - name: icm + image: quay.io/rbean/testing:icm-injection-scripts + computeResources: + limits: + memory: 4Gi + cpu: '4' + requests: + memory: 1Gi + cpu: '1' + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + args: [$(params.IMAGE)] - name: push image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c computeResources:
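Review bot: The `icm` step in buildah.yaml quotes the cpu values as `'4'` / `'1'` and writes `args: [$(params.IMAGE)]` in flow style, whereas the three sibling files in this commit use `cpu: "4"` / `cpu: "1"` and block-style `args:` with `- $(params.IMAGE)` on its own line. If buildah-remote.yaml is generated from this file, as the alphabetised keys in its hunk suggest, keeping the source in the same form avoids a spurious diff on the next regeneration. I would change the two cpu lines to `cpu: "4"` and `cpu: "1"` and write the args in the block form used in buildah-oci-ta.yaml.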