From 38b5623080bca834b5ed688acd37378ec2dc0bcc Mon Sep 17 00:00:00 2001 From: Brian Cook Date: Wed, 17 Jul 2024 22:30:04 -0400 Subject: [PATCH 1/3] This commit adds support for subscription activation keys to trusted artifacts tasks, including buildah-remoate-oci-ta. It also disables podman subscription-manager integration on all remote builders so that subscripition-manager commands can be used to configure which repos are enabled. --- task-generator/remote/main.go | 11 ++++++--- task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 19 +++++++++++++++ .../0.1/buildah-remote-oci-ta.yaml | 23 +++++++++++++++++++ task/buildah-remote/0.1/buildah-remote.yaml | 1 + 4 files changed, 51 insertions(+), 3 deletions(-) diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go index 7c8932ba08..6ef8346f59 100644 --- a/task-generator/remote/main.go +++ b/task-generator/remote/main.go @@ -16,6 +16,10 @@ package main import ( "bytes" "flag" + "os" + "path/filepath" + "strings" + tektonapi "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" @@ -23,10 +27,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/cli-runtime/pkg/printers" klog "k8s.io/klog/v2" - "os" - "path/filepath" "sigs.k8s.io/controller-runtime/pkg/log/zap" - "strings" ) func main() { @@ -127,6 +128,10 @@ fi ` env := "$PODMAN_PORT_FORWARD \\\n" + + // disable podman subscription-manager integration + env += " --tmpfs /run/secrets \\\n" + // Before the build we sync the contents of the workspace to the remote host for _, workspace := range task.Spec.Workspaces { ret += "\nrsync -ra $(workspaces." + workspace.Name + ".path)/ \"$SSH_HOST:$BUILD_DIR/workspaces/" + workspace.Name + "/\"" diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index e63c334f0a..a4eda6b621 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -59,6 +59,10 @@ spec: description: Name of secret which contains the entitlement certificates type: string default: etc-pki-entitlement + - name: ACTIVATION_KEY + default: activation-key + description: Name of secret which contains subscription activation key + type: string - name: HERMETIC description: Determines if build will be executed without network access. type: string @@ -148,6 +152,10 @@ spec: secret: optional: true secretName: $(params.ENTITLEMENT_SECRET) + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) - name: shared emptyDir: {} - name: trusted-ca @@ -177,6 +185,8 @@ spec: value: $(params.DOCKERFILE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) - name: HERMETIC value: $(params.HERMETIC) - name: IMAGE @@ -221,6 +231,8 @@ spec: name: varlibcontainers - mountPath: /entitlement name: etc-pki-entitlement + - mountPath: /activation-key + name: activation-key - mountPath: /additional-secret name: additional-secret - mountPath: /mnt/trusted-ca @@ -353,6 +365,13 @@ spec: echo "Adding the entitlement to the build" fi + ACTIVATION_KEY_PATH="/activation-key" + if [ -d "$ACTIVATION_KEY_PATH" ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key" + echo "Adding activation key to the build" + fi + ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 6fce7565a2..acc937727e 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -59,6 +59,10 @@ spec: description: Name of secret which contains the entitlement certificates name: ENTITLEMENT_SECRET type: string + - default: activation-key + description: Name of secret which contains subscription activation key + name: ACTIVATION_KEY + type: string - default: "false" description: Determines if build will be executed without network access. name: HERMETIC @@ -157,6 +161,8 @@ spec: value: $(params.DOCKERFILE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) - name: HERMETIC value: $(params.HERMETIC) - name: IMAGE @@ -238,6 +244,7 @@ spec: rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" + rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" @@ -370,6 +377,13 @@ spec: echo "Adding the entitlement to the build" fi + ACTIVATION_KEY_PATH="/activation-key" + if [ -d "$ACTIVATION_KEY_PATH" ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key" + echo "Adding activation key to the build" + fi + ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then @@ -413,6 +427,7 @@ spec: chmod +x scripts/script-build.sh rsync -ra scripts "$SSH_HOST:$BUILD_DIR" ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ + --tmpfs /run/secrets \ -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ @@ -420,6 +435,7 @@ spec: -e CONTEXT="$CONTEXT" \ -e DOCKERFILE="$DOCKERFILE" \ -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ + -e ACTIVATION_KEY="$ACTIVATION_KEY" \ -e HERMETIC="$HERMETIC" \ -e IMAGE="$IMAGE" \ -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ @@ -435,6 +451,7 @@ spec: -v "$BUILD_DIR/volumes/shared:/shared:Z" \ -v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \ -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ + -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ @@ -459,6 +476,8 @@ spec: name: varlibcontainers - mountPath: /entitlement name: etc-pki-entitlement + - mountPath: /activation-key + name: activation-key - mountPath: /additional-secret name: additional-secret - mountPath: /mnt/trusted-ca @@ -644,6 +663,10 @@ spec: secret: optional: true secretName: $(params.ENTITLEMENT_SECRET) + - name: activation-key + secret: + optional: false + secretName: $(params.ACTIVATION_KEY) - emptyDir: {} name: shared - configMap: diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index 0525273b36..ab14f6ed4d 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -405,6 +405,7 @@ spec: chmod +x scripts/script-build.sh rsync -ra scripts "$SSH_HOST:$BUILD_DIR" ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ + --tmpfs /run/secrets \ -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ -e STORAGE_DRIVER="$STORAGE_DRIVER" \ -e HERMETIC="$HERMETIC" \ From 305fedb04bcfcbd547dc8038f19fbede4bcd0d1c Mon Sep 17 00:00:00 2001 From: Brian Cook Date: Thu, 18 Jul 2024 11:04:09 +0000 Subject: [PATCH 2/3] move changes from buildah-oci-ta to buildah --- task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 20 +------------------- task/buildah/0.1/buildah.yaml | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index a4eda6b621..38d9ad4e8e 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -59,10 +59,6 @@ spec: description: Name of secret which contains the entitlement certificates type: string default: etc-pki-entitlement - - name: ACTIVATION_KEY - default: activation-key - description: Name of secret which contains subscription activation key - type: string - name: HERMETIC description: Determines if build will be executed without network access. type: string @@ -152,10 +148,7 @@ spec: secret: optional: true secretName: $(params.ENTITLEMENT_SECRET) - - name: activation-key - secret: - optional: true - secretName: $(params.ACTIVATION_KEY) + - name: shared emptyDir: {} - name: trusted-ca @@ -185,8 +178,6 @@ spec: value: $(params.DOCKERFILE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) - - name: ACTIVATION_KEY - value: $(params.ACTIVATION_KEY) - name: HERMETIC value: $(params.HERMETIC) - name: IMAGE @@ -231,8 +222,6 @@ spec: name: varlibcontainers - mountPath: /entitlement name: etc-pki-entitlement - - mountPath: /activation-key - name: activation-key - mountPath: /additional-secret name: additional-secret - mountPath: /mnt/trusted-ca @@ -365,13 +354,6 @@ spec: echo "Adding the entitlement to the build" fi - ACTIVATION_KEY_PATH="/activation-key" - if [ -d "$ACTIVATION_KEY_PATH" ]; then - cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key - VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key" - echo "Adding activation key to the build" - fi - ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 04e493dd3f..dec1ad4b44 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -71,6 +71,10 @@ spec: description: Name of secret which contains the entitlement certificates type: string default: "etc-pki-entitlement" + - name: ACTIVATION_KEY + default: activation-key + description: Name of secret which contains subscription activation key + type: string - name: ADDITIONAL_SECRET description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET type: string @@ -153,6 +157,8 @@ spec: value: $(params.BUILDER_IMAGE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) - name: ADDITIONAL_SECRET value: $(params.ADDITIONAL_SECRET) - name: BUILD_ARGS_FILE @@ -306,6 +312,13 @@ spec: echo "Adding the entitlement to the build" fi + ACTIVATION_KEY_PATH="/activation-key" + if [ -d "$ACTIVATION_KEY_PATH" ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key" + echo "Adding activation key to the build" + fi + ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then @@ -353,6 +366,8 @@ spec: name: varlibcontainers - mountPath: "/entitlement" name: etc-pki-entitlement + - mountPath: /activation-key + name: activation-key - mountPath: "/additional-secret" name: additional-secret - name: trusted-ca @@ -543,6 +558,10 @@ spec: secret: secretName: $(params.ENTITLEMENT_SECRET) optional: true + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) - name: additional-secret secret: secretName: $(params.ADDITIONAL_SECRET) From 3f58e750e1c47ce3b89be0aac0e0e54f3cc3383c Mon Sep 17 00:00:00 2001 From: Brian Cook Date: Thu, 18 Jul 2024 07:53:37 -0400 Subject: [PATCH 3/3] generated TA and remote tasks --- task/buildah-oci-ta/0.1/README.md | 1 + task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 20 ++++++++++++- .../0.1/buildah-remote-oci-ta.yaml | 30 +++++++++---------- task/buildah-remote/0.1/buildah-remote.yaml | 22 ++++++++++++++ 4 files changed, 57 insertions(+), 16 deletions(-) diff --git a/task/buildah-oci-ta/0.1/README.md b/task/buildah-oci-ta/0.1/README.md index 6cb12c142b..6e96867d20 100644 --- a/task/buildah-oci-ta/0.1/README.md +++ b/task/buildah-oci-ta/0.1/README.md @@ -8,6 +8,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b ## Parameters |name|description|default value|required| |---|---|---|---| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| |ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| |ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| |BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 38d9ad4e8e..5320a52d3c 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -16,6 +16,10 @@ spec: When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. params: + - name: ACTIVATION_KEY + description: Name of secret which contains subscription activation key + type: string + default: activation-key - name: ADDITIONAL_SECRET description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET @@ -140,6 +144,10 @@ spec: description: The counting of Java components by publisher in JSON format type: string volumes: + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) - name: additional-secret secret: optional: true @@ -148,7 +156,6 @@ spec: secret: optional: true secretName: $(params.ENTITLEMENT_SECRET) - - name: shared emptyDir: {} - name: trusted-ca @@ -164,6 +171,8 @@ spec: emptyDir: {} stepTemplate: env: + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) - name: ADDITIONAL_SECRET value: $(params.ADDITIONAL_SECRET) - name: ADD_CAPABILITIES @@ -222,6 +231,8 @@ spec: name: varlibcontainers - mountPath: /entitlement name: etc-pki-entitlement + - mountPath: /activation-key + name: activation-key - mountPath: /additional-secret name: additional-secret - mountPath: /mnt/trusted-ca @@ -354,6 +365,13 @@ spec: echo "Adding the entitlement to the build" fi + ACTIVATION_KEY_PATH="/activation-key" + if [ -d "$ACTIVATION_KEY_PATH" ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key" + echo "Adding activation key to the build" + fi + ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index acc937727e..559702b308 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -16,6 +16,10 @@ spec: When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. params: + - default: activation-key + description: Name of secret which contains subscription activation key + name: ACTIVATION_KEY + type: string - default: does-not-exist description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET @@ -59,10 +63,6 @@ spec: description: Name of secret which contains the entitlement certificates name: ENTITLEMENT_SECRET type: string - - default: activation-key - description: Name of secret which contains subscription activation key - name: ACTIVATION_KEY - type: string - default: "false" description: Determines if build will be executed without network access. name: HERMETIC @@ -147,6 +147,8 @@ spec: stepTemplate: computeResources: {} env: + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) - name: ADDITIONAL_SECRET value: $(params.ADDITIONAL_SECRET) - name: ADD_CAPABILITIES @@ -161,8 +163,6 @@ spec: value: $(params.DOCKERFILE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) - - name: ACTIVATION_KEY - value: $(params.ACTIVATION_KEY) - name: HERMETIC value: $(params.HERMETIC) - name: IMAGE @@ -378,10 +378,10 @@ spec: fi ACTIVATION_KEY_PATH="/activation-key" - if [ -d "$ACTIVATION_KEY_PATH" ]; then - cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key - VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key" - echo "Adding activation key to the build" + if [ -d "$ACTIVATION_KEY_PATH" ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key" + echo "Adding activation key to the build" fi ADDITIONAL_SECRET_PATH="/additional-secret" @@ -428,6 +428,7 @@ spec: rsync -ra scripts "$SSH_HOST:$BUILD_DIR" ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ + -e ACTIVATION_KEY="$ACTIVATION_KEY" \ -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ @@ -435,7 +436,6 @@ spec: -e CONTEXT="$CONTEXT" \ -e DOCKERFILE="$DOCKERFILE" \ -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ - -e ACTIVATION_KEY="$ACTIVATION_KEY" \ -e HERMETIC="$HERMETIC" \ -e IMAGE="$IMAGE" \ -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ @@ -655,6 +655,10 @@ spec: name: upload-sbom workingDir: /var/workdir volumes: + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) - name: additional-secret secret: optional: true @@ -663,10 +667,6 @@ spec: secret: optional: true secretName: $(params.ENTITLEMENT_SECRET) - - name: activation-key - secret: - optional: false - secretName: $(params.ACTIVATION_KEY) - emptyDir: {} name: shared - configMap: diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index ab14f6ed4d..bb8a4e5a15 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -78,6 +78,10 @@ spec: description: Name of secret which contains the entitlement certificates name: ENTITLEMENT_SECRET type: string + - default: activation-key + description: Name of secret which contains subscription activation key + name: ACTIVATION_KEY + type: string - default: does-not-exist description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET @@ -166,6 +170,8 @@ spec: value: $(params.BUILDER_IMAGE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) - name: ADDITIONAL_SECRET value: $(params.ADDITIONAL_SECRET) - name: BUILD_ARGS_FILE @@ -226,6 +232,7 @@ spec: rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" + rsync -ra /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" rsync -ra /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" @@ -362,6 +369,13 @@ spec: echo "Adding the entitlement to the build" fi + ACTIVATION_KEY_PATH="/activation-key" + if [ -d "$ACTIVATION_KEY_PATH" ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key" + echo "Adding activation key to the build" + fi + ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then @@ -420,6 +434,7 @@ spec: -e TARGET_STAGE="$TARGET_STAGE" \ -e PARAM_BUILDER_IMAGE="$PARAM_BUILDER_IMAGE" \ -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ + -e ACTIVATION_KEY="$ACTIVATION_KEY" \ -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ @@ -429,6 +444,7 @@ spec: -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ -v "$BUILD_DIR/volumes/shared:/shared:Z" \ -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ + -v "$BUILD_DIR/volumes/activation-key:/activation-key:Z" \ -v "$BUILD_DIR/volumes/additional-secret:/additional-secret:Z" \ -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ @@ -453,6 +469,8 @@ spec: name: varlibcontainers - mountPath: /entitlement name: etc-pki-entitlement + - mountPath: /activation-key + name: activation-key - mountPath: /additional-secret name: additional-secret - mountPath: /mnt/trusted-ca @@ -642,6 +660,10 @@ spec: secret: optional: true secretName: $(params.ENTITLEMENT_SECRET) + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) - name: additional-secret secret: optional: true