-
Notifications
You must be signed in to change notification settings - Fork 141
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Copy rpm-ostree/0.1 -> rpm-ostree/0.2
This is preparation for creating version 0.2 of rpm-ostree. Start by creating a 1:1 copy to make reviews and rebasing easier. Signed-off-by: Adam Cmiel <[email protected]>
- Loading branch information
Showing
1 changed file
with
307 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,307 @@ | ||
apiVersion: tekton.dev/v1 | ||
kind: Task | ||
metadata: | ||
annotations: | ||
tekton.dev/pipelines.minVersion: 0.12.1 | ||
tekton.dev/tags: image-build, konflux | ||
labels: | ||
app.kubernetes.io/version: "0.1" | ||
build.appstudio.redhat.com/build_type: rpm-ostree | ||
build.appstudio.redhat.com/multi-platform-required: "true" | ||
name: rpm-ostree | ||
spec: | ||
description: RPM Ostree | ||
params: | ||
- description: Reference of the image rpm-ostree will produce. | ||
name: IMAGE | ||
type: string | ||
- default: quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7 | ||
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting | ||
# the cluster will set imagePullPolicy to IfNotPresent | ||
description: The location of the rpm-ostree builder image. | ||
name: BUILDER_IMAGE | ||
type: string | ||
- default: . | ||
description: Path to the directory to use as context. | ||
name: CONTEXT | ||
type: string | ||
- description: The file to use to build the image | ||
name: IMAGE_FILE | ||
type: string | ||
- default: "true" | ||
description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS | ||
registry) | ||
name: TLSVERIFY | ||
type: string | ||
- default: "" | ||
description: Delete image tag after specified time. Empty means to keep the image | ||
tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, | ||
respectively. | ||
name: IMAGE_EXPIRES_AFTER | ||
type: string | ||
- default: "" | ||
description: The image is built from this commit. | ||
name: COMMIT_SHA | ||
type: string | ||
- description: The platform to build on | ||
name: PLATFORM | ||
type: string | ||
- description: The relative path of the file used to configure the rpm-ostree tool found in source control. | ||
See https://github.com/coreos/rpm-ostree/blob/main/docs/container.md#adding-container-image-configuration | ||
name: CONFIG_FILE | ||
type: string | ||
default: "" | ||
- default: "false" | ||
description: Determines if build will be executed without network access. | ||
name: HERMETIC | ||
type: string | ||
results: | ||
- description: Digest of the image just built | ||
name: IMAGE_DIGEST | ||
- description: Image repository where the built image was pushed | ||
name: IMAGE_URL | ||
- description: Image reference of the built image | ||
name: IMAGE_REF | ||
- description: Digests of the base images used for build | ||
name: BASE_IMAGES_DIGESTS | ||
- name: SBOM_BLOB_URL | ||
description: Reference, including digest to the SBOM blob | ||
stepTemplate: | ||
env: | ||
- name: CONTEXT | ||
value: $(params.CONTEXT) | ||
- name: IMAGE_FILE | ||
value: $(params.IMAGE_FILE) | ||
- name: IMAGE | ||
value: $(params.IMAGE) | ||
- name: TLSVERIFY | ||
value: $(params.TLSVERIFY) | ||
- name: IMAGE_EXPIRES_AFTER | ||
value: $(params.IMAGE_EXPIRES_AFTER) | ||
- name: BUILDER_IMAGE | ||
value: $(params.BUILDER_IMAGE) | ||
- name: CONFIG_FILE | ||
value: $(params.CONFIG_FILE) | ||
- name: HERMETIC | ||
value: $(params.HERMETIC) | ||
computeResources: {} | ||
steps: | ||
- env: | ||
- name: COMMIT_SHA | ||
value: $(params.COMMIT_SHA) | ||
image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 | ||
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting | ||
# the cluster will set imagePullPolicy to IfNotPresent | ||
name: build | ||
computeResources: | ||
limits: | ||
memory: 512Mi | ||
requests: | ||
cpu: 250m | ||
memory: 128Mi | ||
script: |- | ||
set -o verbose | ||
set -eu | ||
set -o pipefail | ||
mkdir -p ~/.ssh | ||
if [ -e "/ssh/error" ]; then | ||
#no server could be provisioned | ||
cat /ssh/error | ||
exit 1 | ||
elif [ -e "/ssh/otp" ]; then | ||
curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa | ||
echo "" >> ~/.ssh/id_rsa | ||
else | ||
cp /ssh/id_rsa ~/.ssh | ||
fi | ||
chmod 0400 ~/.ssh/id_rsa | ||
export SSH_HOST=$(cat /ssh/host) | ||
export BUILD_DIR=$(cat /ssh/user-dir) | ||
export SSH_ARGS="-o StrictHostKeyChecking=no" | ||
mkdir -p scripts | ||
echo "$BUILD_DIR" | ||
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/tmp" | ||
rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" | ||
cat >scripts/script-build.sh <<'REMOTESSHEOF' | ||
#!/bin/sh | ||
set -o verbose | ||
cd $(workspaces.source.path) | ||
if [ -z "$CONFIG_FILE" ] ; then | ||
CONFIG_FILE_ARG="" | ||
else | ||
CONFIG_FILE_ARG=" --image-config=source/$CONFIG_FILE " | ||
fi | ||
prefetched_rpms_for_my_arch="./cachi2/output/deps/rpm/$(uname -m)" | ||
if [ -d "$prefetched_rpms_for_my_arch" ]; then | ||
# move all repo files out of the source repository to avoid conflicts with the cachi2.repo | ||
mkdir /tmp/original-repos | ||
find ./source -maxdepth 1 -name '*.repo' -exec mv {} /tmp/original-repos \; | ||
# copy the platform-specific cachi2.repo into the source repository | ||
cp "$prefetched_rpms_for_my_arch/repos.d/cachi2.repo" ./source | ||
# set up cleanup handler | ||
trap 'rm ./source/cachi2.repo; cp -r /tmp/original-repos/. ./source' EXIT | ||
# link the cachi2 output dir to the expected location | ||
# (the prefetch task expects the output to be at /cachi2/output during the build) | ||
mkdir /cachi2 | ||
ln -s "$(realpath ./cachi2/output)" /cachi2/output | ||
fi | ||
rpm-ostree compose image --initialize --format oci $CONFIG_FILE_ARG "source/$IMAGE_FILE" rhtap-final-image | ||
REMOTESSHEOF | ||
if [ "$HERMETIC" = "true" ]; then | ||
network_opt="--network=none" | ||
else | ||
network_opt="" | ||
fi | ||
chmod +x scripts/script-build.sh | ||
rsync -ra scripts "$SSH_HOST:$BUILD_DIR" | ||
ssh $SSH_ARGS "$SSH_HOST" \ | ||
podman run \ | ||
$network_opt \ | ||
--mount type=bind,source=$BUILD_DIR/tmp,target=/var/tmp,relabel=shared \ | ||
--privileged \ | ||
-e CONTEXT="$CONTEXT" \ | ||
-e IMAGE_FILE="$IMAGE_FILE" \ | ||
-e CONFIG_FILE="$CONFIG_FILE" \ | ||
-e IMAGE="$IMAGE" \ | ||
-e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ | ||
-e COMMIT_SHA="$COMMIT_SHA" \ | ||
--rm \ | ||
-v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ | ||
-v $BUILD_DIR/scripts:/script:Z \ | ||
--user=0 \ | ||
--entrypoint bash \ | ||
"$BUILDER_IMAGE" \ | ||
/script/script-build.sh | ||
rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" | ||
cp -r rhtap-final-image /var/lib/containers/rhtap-final-image | ||
buildah pull oci:rhtap-final-image | ||
buildah images | ||
buildah tag localhost/rhtap-final-image "$IMAGE" | ||
securityContext: | ||
capabilities: | ||
add: | ||
- SETFCAP | ||
volumeMounts: | ||
- mountPath: /var/lib/containers | ||
name: varlibcontainers | ||
- mountPath: /ssh | ||
name: ssh | ||
readOnly: true | ||
workingDir: $(workspaces.source.path) | ||
- image: quay.io/redhat-appstudio/syft:v0.105.1@sha256:1910b829997650c696881e5fc2fc654ddf3184c27edb1b2024e9cb2ba51ac431 | ||
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting | ||
# the cluster will set imagePullPolicy to IfNotPresent | ||
name: sbom-syft-generate | ||
computeResources: | ||
limits: | ||
memory: 6Gi | ||
requests: | ||
memory: 6Gi | ||
# Respect Syft configuration if the user has it in the root of their repository | ||
# (need to set the workdir, see https://github.com/anchore/syft/issues/2465) | ||
workingDir: $(workspaces.source.path)/source | ||
script: | | ||
syft oci-dir:/var/lib/containers/rhtap-final-image --output cyclonedx-json=$(workspaces.source.path)/sbom-cyclonedx.json | ||
volumeMounts: | ||
- mountPath: /var/lib/containers | ||
name: varlibcontainers | ||
- name: merge-cachi2-sbom | ||
image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad | ||
script: | | ||
cachi2_sbom=./cachi2/output/bom.json | ||
if [ -f "$cachi2_sbom" ]; then | ||
echo "Merging contents of $cachi2_sbom into sbom-cyclonedx.json" | ||
merge_syft_sbom "$cachi2_sbom" sbom-cyclonedx.json > sbom-temp.json | ||
mv sbom-temp.json sbom-cyclonedx.json | ||
else | ||
echo "Skipping step since no Cachi2 SBOM was produced" | ||
fi | ||
workingDir: $(workspaces.source.path) | ||
securityContext: | ||
runAsUser: 0 | ||
- image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f | ||
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting | ||
# the cluster will set imagePullPolicy to IfNotPresent | ||
name: inject-sbom-and-push | ||
computeResources: {} | ||
script: | | ||
#!/bin/bash | ||
# Expose base image digests | ||
buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) | ||
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') | ||
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) | ||
container=$(buildah from --pull-never $IMAGE) | ||
buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container | ||
buildah commit $container $IMAGE | ||
status=-1 | ||
max_run=5 | ||
sleep_sec=10 | ||
for run in $(seq 1 $max_run); do | ||
status=0 | ||
[ "$run" -gt 1 ] && sleep $sleep_sec | ||
echo "Pushing sbom image to registry" | ||
buildah push \ | ||
--tls-verify=$TLSVERIFY \ | ||
--digestfile $(workspaces.source.path)/image-digest $IMAGE \ | ||
docker://$IMAGE && break || status=$? | ||
done | ||
if [ "$status" -ne 0 ]; then | ||
echo "Failed to push sbom image to registry after ${max_run} tries" | ||
exit 1 | ||
fi | ||
cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) | ||
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) | ||
{ | ||
echo -n "${IMAGE}@" | ||
cat "$(workspaces.source.path)/image-digest" | ||
} >"$(results.IMAGE_REF.path)" | ||
# Remove tag from IMAGE while allowing registry to contain a port number. | ||
sbom_repo="${IMAGE%:*}" | ||
sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" | ||
# The SBOM_BLOB_URL is created by `cosign attach sbom`. | ||
echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee $(results.SBOM_BLOB_URL.path) | ||
securityContext: | ||
capabilities: | ||
add: | ||
- SETFCAP | ||
runAsUser: 0 | ||
volumeMounts: | ||
- mountPath: /var/lib/containers | ||
name: varlibcontainers | ||
workingDir: $(workspaces.source.path) | ||
- args: | ||
- attach | ||
- sbom | ||
- --sbom | ||
- sbom-cyclonedx.json | ||
- --type | ||
- cyclonedx | ||
- $(params.IMAGE) | ||
image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 | ||
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting | ||
# the cluster will set imagePullPolicy to IfNotPresent | ||
name: upload-sbom | ||
computeResources: {} | ||
workingDir: $(workspaces.source.path) | ||
volumes: | ||
- emptyDir: {} | ||
name: varlibcontainers | ||
- name: ssh | ||
secret: | ||
optional: false | ||
secretName: multi-platform-ssh-$(context.taskRun.name) | ||
workspaces: | ||
- description: Workspace containing the source code to build. | ||
name: source |