diff --git a/task/buildah-oci-ta/0.1/README.md b/task/buildah-oci-ta/0.1/README.md index 12edc79044..551b0dc8b9 100644 --- a/task/buildah-oci-ta/0.1/README.md +++ b/task/buildah-oci-ta/0.1/README.md @@ -8,6 +8,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b ## Parameters |name|description|default value|required| |---|---|---|---| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| |ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| |BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| |BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| @@ -20,7 +21,6 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |HERMETIC|Determines if build will be executed without network access.|false|false| |IMAGE|Reference of the image buildah will produce.||true| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| -|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |SQUASH|Squash new layers added as a part of this build, as per --squash|false|false| diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index a61aabe7af..f3e38c902f 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml 
@@ -16,6 +16,11 @@ spec: When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. params: + - name: ADDITIONAL_SECRET + description: Name of a secret which will be made available to the build + with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET + type: string + default: does-not-exist - name: ADD_CAPABILITIES description: Comma separated list of extra capabilities to add when running 'buildah build' @@ -67,11 +72,6 @@ spec: hours, days, and weeks, respectively. type: string default: "" - - name: ADDITIONAL_SECRET - description: Name of a secret which will be made available to the build - with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET - type: string - default: does-not-exist - name: PREFETCH_INPUT description: In case it is not empty, the prefetched content should be made available to the build. @@ -136,14 +136,14 @@ spec: description: The counting of Java components by publisher in JSON format type: string volumes: - - name: etc-pki-entitlement - secret: - optional: true - secretName: $(params.ENTITLEMENT_SECRET) - name: additional-secret secret: optional: true secretName: $(params.ADDITIONAL_SECRET) + - name: etc-pki-entitlement + secret: + optional: true + secretName: $(params.ENTITLEMENT_SECRET) - name: shared emptyDir: {} - name: trusted-ca @@ -159,6 +159,8 @@ spec: emptyDir: {} stepTemplate: env: + - name: ADDITIONAL_SECRET + value: $(params.ADDITIONAL_SECRET) - name: ADD_CAPABILITIES value: $(params.ADD_CAPABILITIES) - name: BUILDAH_FORMAT @@ -181,8 +183,6 @@ spec: value: $(params.SQUASH) - name: SQUASH_ALL value: $(params.SQUASH_ALL) - - name: ADDITIONAL_SECRET - value: $(params.ADDITIONAL_SECRET) - name: STORAGE_DRIVER value: vfs - name: TARGET_STAGE 
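Review bot: The ADDITIONAL_SECRET description in the params hunk (@@ -16,6 +16,11) does not say that `does-not-exist` is a placeholder. The `additional-secret` volume in the volumes hunk is declared with `optional: true`, so a misspelled secret name would start the build with nothing mounted instead of failing at pod creation. Whether the build script notices the missing secret is outside these hunks, so the parameter text is where a user would learn this. I would extend the description to something like `Name of a secret made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET. The default 'does-not-exist' means no secret is used; the volume is optional, so a name that does not resolve is not reported at mount time.` The same wording applies to the README table row and to the matching params hunk in buildah-remote-oci-ta.yaml.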
diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 3ab36b72b0..036a7b5bd4 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -16,6 +16,11 @@ spec: When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. params: + - default: does-not-exist + description: Name of a secret which will be made available to the build with 'buildah + build --secret' at /run/secrets/$ADDITIONAL_SECRET + name: ADDITIONAL_SECRET + type: string - default: "" description: Comma separated list of extra capabilities to add when running 'buildah build' @@ -67,11 +72,6 @@ spec: respectively. name: IMAGE_EXPIRES_AFTER type: string - - default: does-not-exist - description: Name of a secret which will be made available to the build with 'buildah - build --secret' at /run/secrets/$ADDITIONAL_SECRET - name: ADDITIONAL_SECRET - type: string - default: "" description: In case it is not empty, the prefetched content should be made available to the build. @@ -138,6 +138,8 @@ spec: stepTemplate: computeResources: {} env: + - name: ADDITIONAL_SECRET + value: $(params.ADDITIONAL_SECRET) - name: ADD_CAPABILITIES value: $(params.ADD_CAPABILITIES) - name: BUILDAH_FORMAT @@ -160,8 +162,6 @@ spec: value: $(params.SQUASH) - name: SQUASH_ALL value: $(params.SQUASH_ALL) - - name: ADDITIONAL_SECRET - value: $(params.ADDITIONAL_SECRET) - name: STORAGE_DRIVER value: vfs - name: TARGET_STAGE 
@@ -405,6 +405,7 @@ spec: chmod +x scripts/script-build.sh rsync -ra scripts "$SSH_HOST:$BUILD_DIR" ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ + -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ @@ -416,7 +417,6 @@ spec: -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ -e SQUASH="$SQUASH" \ -e SQUASH_ALL="$SQUASH_ALL" \ - -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ -e STORAGE_DRIVER="$STORAGE_DRIVER" \ -e TARGET_STAGE="$TARGET_STAGE" \ -e TLSVERIFY="$TLSVERIFY" \ @@ -622,14 +622,14 @@ spec: name: upload-sbom workingDir: /var/workdir volumes: - - name: etc-pki-entitlement - secret: - optional: true - secretName: $(params.ENTITLEMENT_SECRET) - name: additional-secret secret: optional: true secretName: $(params.ADDITIONAL_SECRET) + - name: etc-pki-entitlement + secret: + optional: true + secretName: $(params.ENTITLEMENT_SECRET) - emptyDir: {} name: shared - configMap:
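Review bot: The `-e ADDITIONAL_SECRET="$ADDITIONAL_SECRET"` argument in the `ssh ... podman run` command (hunk @@ -405,6 +405,7) is quoted only for the local shell. ssh joins its arguments into one string that the remote shell parses again, so whitespace or shell metacharacters in the parameter value would be interpreted on the build host. The value comes from a task parameter and no validation is visible in this hunk, though the script starts and ends outside it. A Kubernetes secret name is limited to lowercase alphanumerics, `-` and `.`, so a fail-closed check before the ssh call would cover it: `case "$ADDITIONAL_SECRET" in *[!a-z0-9.-]*) echo "invalid ADDITIONAL_SECRET" >&2; exit 1;; esac`. The neighbouring `-e` lines pass other parameters the same way and would need their own quoting or validation.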