konflux-ci · tkdchen · Nov 29, 2024 · Nov 14, 2024
@@ -28,3 +28,6 @@ aliases:
     - joejstuart
     - robnester-rh
     - cuipinghuo
+  spmm-team:
+    - ligangty
+    - yma96
@@ -0,0 +1,25 @@
+# build-maven-zip-oci-ta task
+
+Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle  and pushes the OCI-artifact into container registry.
+In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool.
+Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
+
+## Parameters
+|name|description|default value|required|
+|---|---|---|---|
+|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
+|FILE_NAME|The zip bundle file name of archived artifacts|maven-repository|false|
+|IMAGE|Reference of the OCI-Artifact this build task will produce.||true|
+|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
+|PREFETCH_ROOT|The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.|maven-repository|false|
+|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
+|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
+
+## Results
+|name|description|
+|---|---|
+|IMAGE_DIGEST|Digest of the OCI-Artifact just built|
+|IMAGE_REF|OCI-Artifact reference of the built OCI-Artifact|
+|IMAGE_URL|OCI-Artifact repository and tag where the built OCI-Artifact was pushed|
+|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|
+
@@ -0,0 +1,209 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: build-maven-zip-oci-ta
+  annotations:
+    tekton.dev/pipelines.minVersion: 0.12.1
+    tekton.dev/tags: maven-build, konflux
+  labels:
+    app.kubernetes.io/version: "0.1"
+    build.appstudio.redhat.com/build_type: maven-zip
+spec:
+  description: |-
+    Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle  and pushes the OCI-artifact into container registry.
+    In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool.
+    Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
+  params:
+    - name: CACHI2_ARTIFACT
+      description: The Trusted Artifact URI pointing to the artifact with
+        the prefetched dependencies.
+      type: string
+      default: ""
+    - name: FILE_NAME
+      description: The zip bundle file name of archived artifacts
+      type: string
+      default: maven-repository
+    - name: IMAGE
+      description: Reference of the OCI-Artifact this build task will produce.
+      type: string
+    - name: IMAGE_EXPIRES_AFTER
+      description: Delete image tag after specified time. Empty means to keep
+        the image tag. Time values could be something like 1h, 2d, 3w for
+        hours, days, and weeks, respectively.
+      type: string
+      default: ""
+    - name: PREFETCH_ROOT
+      description: The root directory of the artifacts under the prefetched
+        directory. Will be kept in the maven zip as the top directory for
+        all artifacts.
+      type: string
+      default: maven-repository
+    - name: caTrustConfigMapKey
+      description: The name of the key in the ConfigMap that contains the
+        CA bundle data.
+      type: string
+      default: ca-bundle.crt
+    - name: caTrustConfigMapName
+      description: The name of the ConfigMap to read CA bundle data from.
+      type: string
+      default: trusted-ca
+  results:
+    - name: IMAGE_DIGEST
+      description: Digest of the OCI-Artifact just built
+    - name: IMAGE_REF
+      description: OCI-Artifact reference of the built OCI-Artifact
+    - name: IMAGE_URL
+      description: OCI-Artifact repository and tag where the built OCI-Artifact
+        was pushed
+    - name: SBOM_BLOB_URL
+      description: Reference of SBOM blob digest to enable digest-based verification
+        from provenance
+      type: string
+  volumes:
+    - name: shared
+      emptyDir: {}
+    - name: trusted-ca
+      configMap:
+        items:
+          - key: $(params.caTrustConfigMapKey)
+            path: ca-bundle.crt
+        name: $(params.caTrustConfigMapName)
+        optional: true
+    - name: workdir
+      emptyDir: {}
+  stepTemplate:
+    env:
+      - name: FILE_NAME
+        value: $(params.FILE_NAME)
+      - name: IMAGE
+        value: $(params.IMAGE)
+      - name: IMAGE_EXPIRES_AFTER
+        value: $(params.IMAGE_EXPIRES_AFTER)
+      - name: PKG_ROOT
+        value: $(params.PREFETCH_ROOT)
+    volumeMounts:
+      - mountPath: /shared
+        name: shared
+      - mountPath: /var/workdir
+        name: workdir
+  steps:
+    - name: use-trusted-artifact
+      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+      args:
+        - use
+        - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+    - name: prepare
+      image: quay.io/konflux-ci/appstudio-utils@sha256:d0fecb67dd98d874704f2e3d20686363de7cbb42c15ad2b1d8e8c38118c50078
+      workingDir: /var/workdir
+      script: |
+        #!/bin/bash
+        set -euo pipefail
+        # Generate checksums for all maven artifact files. It will ignore the checksum files
+        # and signature files if they existed there
+        pkgpath="/var/workdir/cachi2/output/deps/generic"
+        if [ -d "$pkgpath/${PKG_ROOT}" ]; then
+          echo "Generating checksums for artifacts"
+          while IFS= read -r -d '' f; do
+            md5sum "$f" | awk '{print $1}' >"$f.md5"
+            sha1sum "$f" | awk '{print $1}' >"$f.sha1"
+            sha256sum "$f" | awk '{print $1}' >"$f.sha256"
+          done < <(find "$pkgpath/${PKG_ROOT}" -type f ! -name "*.md5" \
+            ! -name "*.sha1" ! -name "*.sha128" ! -name "*.sha256" \
+            ! -name "*.sha512" ! -name "*.asc" -print0)
+          # Bundle the artifacts and checksums together into a zip file
+          cd "$pkgpath"
+          echo "create maven zip to /var/workdir/cachi2/output/${FILE_NAME}.zip"
+          zip -rq "${FILE_NAME}.zip" "${PKG_ROOT}"
+          mv "${FILE_NAME}.zip" "/shared/${FILE_NAME}.zip"
+        else
+          echo "No ${PKG_ROOT} dir found, can not generate maven zip!"
+          exit 1
+        fi
+      computeResources:
+        limits:
+          cpu: "4"
+          memory: 8Gi
+        requests:
+          cpu: "1"
+          memory: 2Gi
+      securityContext:
+        capabilities:
+          add:
+            - SETFCAP
+    - name: build
+      image: quay.io/konflux-ci/oras:latest@sha256:9d6db5840c70e65fefe041201cc7ffe2d1661bd0582b590b54787213ccfd76e9
+      workingDir: /var/workdir
+      volumeMounts:
+        - mountPath: /mnt/trusted-ca
+          name: trusted-ca
+          readOnly: true
+      script: |
+        #!/bin/bash
+        set -euo pipefail
+        if [ -f "/shared/${FILE_NAME}.zip" ]; then
+          mv "/shared/${FILE_NAME}.zip" "./${FILE_NAME}.zip"
+          select-oci-auth "$IMAGE" >auth.json
+          [ -n "$IMAGE_EXPIRES_AFTER" ] && EXPIRE_LABEL=("--annotation" "quay.expires-after=$IMAGE_EXPIRES_AFTER")
+          oras push "$IMAGE" \
+            --registry-config auth.json \
+            "${EXPIRE_LABEL[@]}" \
+            --artifact-type application/vnd.maven+zip "${FILE_NAME}.zip"
+          RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}")
+          echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
+          echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
+          echo -n "${IMAGE}@${RESULTING_DIGEST}" | tee "$(results.IMAGE_REF.path)"
+        else
+          echo "The maven zip file is not found!"
+          exit 1
+        fi
+
+        # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
+        if [ -f "/var/workdir/cachi2/output/bom.json" ]; then
+          cp -vf "/var/workdir/cachi2/output/bom.json" ./sbom-cyclonedx.json
+        else
+          echo "The SBOM file for fetched artifacts is not found!"
+          exit 1
+        fi
+      computeResources:
+        limits:
+          cpu: "4"
+          memory: 8Gi
+        requests:
+          cpu: "1"
+          memory: 2Gi
+      securityContext:
+        capabilities:
+          add:
+            - SETFCAP
+    - name: upload-sbom
+      image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+      workingDir: /var/workdir
+      volumeMounts:
+        - mountPath: /mnt/trusted-ca
+          name: trusted-ca
+          readOnly: true
+      script: |
+        #!/bin/bash
+        set -euo pipefail
+        ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+        if [ -f "$ca_bundle" ]; then
+          echo "INFO: Using mounted CA bundle: $ca_bundle"
+          cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+          update-ca-trust
+        fi
+
+        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE"
+
+        # Remove tag from IMAGE while allowing registry to contain a port number.
+        sbom_repo="${IMAGE%:*}"
+        sbom_tag="sha256-$(                                <"$(results.IMAGE_DIGEST.path)" cut -d: -f2).sbom"
+        # The SBOM_BLOB_URL is created by `cosign attach sbom`.
+        echo -n "${sbom_repo}:${sbom_tag}" | tee "$(results.SBOM_BLOB_URL.path)"
+      computeResources:
+        limits:
+          cpu: 200m
+          memory: 512Mi
+        requests:
+          cpu: 100m
+          memory: 256Mi
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- build-maven-zip-oci-ta.yaml
@@ -0,0 +1,14 @@
+---
+base: ../../build-maven-zip/0.1/build-maven-zip.yaml
+add:
+  - use-cachi2
+removeWorkspaces:
+  - source
+replacements:
+  workspaces.source.path: /var/workdir
+regexReplacements:
+  "/workspace(/.*)": /var/workdir$1
+description: |-
+    Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle  and pushes the OCI-artifact into container registry.
+    In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool.
+    Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
@@ -0,0 +1,5 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+approvers:
+  - spmm-team
+reviewers:
+  - spmm-team
@@ -0,0 +1,28 @@
+# build-maven-zip task
+
+Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle  and pushes the OCI-artifact into container registry.
+In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool.
+Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
+
+## Parameters
+|name|description|default value|required|
+|---|---|---|---|
+|IMAGE|Reference of the OCI-Artifact this build task will produce.||true|
+|PREFETCH_ROOT|The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.|maven-repository|false|
+|FILE_NAME|The zip bundle file name of archived artifacts|maven-repository|false|
+|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
+|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
+|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
+
+## Results
+|name|description|
+|---|---|
+|IMAGE_DIGEST|Digest of the OCI-Artifact just built|
+|IMAGE_URL|OCI-Artifact repository and tag where the built OCI-Artifact was pushed|
+|IMAGE_REF|OCI-Artifact reference of the built OCI-Artifact|
+|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|
+
+## Workspaces
+|name|description|optional|
+|---|---|---|
+|source|Workspace containing the source code to build.|false|