feat: introduce content manifest with content sets #1771

Merged
merged 6 commits into from
Dec 20, 2024
47 changes: 17 additions & 30 deletions task/buildah-min/0.2/patch.yaml
Expand Up @@ -14,68 +14,55 @@
- op: replace
path: /spec/steps/0/computeResources/requests/cpu
value: 100m
# push step
# icm, push, and sbom-syft-generate steps
- op: replace
path: /spec/steps/1/computeResources/limits/memory
path: /spec/stepTemplate/computeResources/limits/memory
value: 2Gi
- op: replace
path: /spec/steps/1/computeResources/requests/memory
path: /spec/stepTemplate/computeResources/requests/memory
value: 512Mi
- op: replace
path: /spec/steps/1/computeResources/limits/cpu
path: /spec/stepTemplate/computeResources/limits/cpu
value: 500m
- op: replace
path: /spec/steps/1/computeResources/requests/cpu
path: /spec/stepTemplate/computeResources/requests/cpu
value: 100m
# sbom-syft-generate step
- op: replace
path: /spec/steps/2/computeResources/limits/memory
value: 2Gi
- op: replace
path: /spec/steps/2/computeResources/requests/memory
value: 512Mi
- op: replace
path: /spec/steps/2/computeResources/limits/cpu
value: 1
- op: replace
path: /spec/steps/2/computeResources/requests/cpu
value: 50m
# analyse-dependencies-java-sbom step
- op: replace
path: /spec/steps/3/computeResources/limits/memory
path: /spec/steps/4/computeResources/limits/memory
value: 256Mi
- op: replace
path: /spec/steps/3/computeResources/requests/memory
path: /spec/steps/4/computeResources/requests/memory
value: 128Mi
- op: replace
path: /spec/steps/3/computeResources/limits/cpu
path: /spec/steps/4/computeResources/limits/cpu
value: 100m
- op: replace
path: /spec/steps/3/computeResources/requests/cpu
path: /spec/steps/4/computeResources/requests/cpu
value: 10m
# prepare-sboms step
- op: replace
path: /spec/steps/4/computeResources/limits/memory
path: /spec/steps/5/computeResources/limits/memory
value: 256Mi
- op: replace
path: /spec/steps/4/computeResources/requests/memory
path: /spec/steps/5/computeResources/requests/memory
value: 128Mi
- op: replace
path: /spec/steps/4/computeResources/limits/cpu
path: /spec/steps/5/computeResources/limits/cpu
value: 100m
- op: replace
path: /spec/steps/4/computeResources/requests/cpu
path: /spec/steps/5/computeResources/requests/cpu
value: 10m
# upload-sbom step
- op: replace
path: /spec/steps/5/computeResources/limits/memory
path: /spec/steps/6/computeResources/limits/memory
value: 2Gi
- op: replace
path: /spec/steps/5/computeResources/requests/memory
path: /spec/steps/6/computeResources/requests/memory
value: 512Mi
- op: replace
path: /spec/steps/5/computeResources/limits/cpu
path: /spec/steps/6/computeResources/limits/cpu
value: 2
- op: replace
path: /spec/steps/5/computeResources/requests/cpu
path: /spec/steps/6/computeResources/requests/cpu
value: 100m
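Review bot: The new `replace` ops on `/spec/stepTemplate/computeResources/...` only succeed when the base task's stepTemplate already defines limits and requests, because JSON Patch `replace` fails on a missing path; buildah-remote-oci-ta's template was `computeResources: {}` before this PR, so this patch presumably targets a base that now carries the template block, and that dependency is worth stating in the file. The renumbering 3→4, 4→5, 5→6 also depends silently on `icm` being inserted at index 1 of the base task; a comment such as `# step indices follow the base task's step order (build=0, icm=1, push=2, sbom-syft-generate=3, ...)` would make future shifts reviewable. The template comment could be widened to `# stepTemplate: inherited by every step without its own computeResources (here icm, push, sbom-syft-generate)`, since the template applies beyond the three steps named. The hunk starts mid-patch; the step 0 ops above it are outside view.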
56 changes: 30 additions & 26 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
Expand Up @@ -175,6 +175,13 @@ spec:
- name: workdir
emptyDir: {}
stepTemplate:
computeResources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: "1"
memory: 1Gi
env:
- name: ACTIVATION_KEY
value: $(params.ACTIVATION_KEY)
Expand Down Expand Up @@ -266,8 +273,7 @@ spec:
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
elif [ -e "$DOCKERFILE" ]; then
# Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and also need to provide modified Dockerfile.
# Instrumented builds (SAST) use this custom dockerffile step as their base
dockerfile_path="$DOCKERFILE"
elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
echo "Fetch Dockerfile from $DOCKERFILE"
Expand Down Expand Up @@ -323,7 +329,7 @@ spec:
shift
# Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being
# passed to buildah. In that case, the *last* occurrence takes precedence. This is why
# we append BUILD_ARGS after the content of the BUILD_ARGS_FILE - they take precedence.
# we append BUILD_ARGS after the content of the BUILD_ARGS_FILE
while [[ $# -gt 0 && $1 != --* ]]; do
build_args+=("$1")
shift
Expand Down Expand Up @@ -438,9 +444,8 @@ spec:
# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
# 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume
# to buildah but don't pre-register for backwards compatibility. In this case mount an empty directory on
# shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
# container.
# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on
# shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included

if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
Expand Down Expand Up @@ -474,8 +479,7 @@ spec:

if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then
# ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.
# This is primarily used in instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and add some other tools.
# Instrumented builds (SAST) use this step as their base and add some other tools.
while read -r volume_mount; do
VOLUME_MOUNTS+=("--volume=$volume_mount")
done <<<"$ADDITIONAL_VOLUME_MOUNTS"
Expand Down Expand Up @@ -518,16 +522,18 @@ spec:
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"

container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name

# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/tmp/cachi2/output/bom.json" ]; then
echo "Making copy of sbom-cachi2.json"
cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
fi

buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name

touch /shared/base_images_digests
for image in $BASE_IMAGES; do
base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
Expand All @@ -548,6 +554,18 @@ spec:
capabilities:
add:
- SETFCAP
- name: icm
image: quay.io/konflux-ci/icm-injection-scripts:latest@sha256:462980e94ba689b5f56c3d5dfb3358cd8c685300daf65a71532f11898935e7f1
args:
- $(params.IMAGE)
workingDir: /var/workdir
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
securityContext:
capabilities:
add:
- SETFCAP
- name: push
image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
workingDir: /var/workdir
Expand Down Expand Up @@ -597,13 +615,6 @@ spec:
echo -n "${IMAGE}@"
cat "/var/workdir/image-digest"
} >"$(results.IMAGE_REF.path)"
computeResources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: "1"
memory: 1Gi
securityContext:
capabilities:
add:
Expand All @@ -622,13 +633,6 @@ spec:
syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
echo "Running syft on the image filesystem"
syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json"
computeResources:
limits:
cpu: "2"
memory: 4Gi
requests:
cpu: 500m
memory: 1Gi
- name: analyse-dependencies-java-sbom
image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77
volumeMounts:
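Review bot: The rewritten comment on the custom-Dockerfile branch introduces a typo and drops the point it was making — `# Instrumented builds (SAST) use this custom dockerffile step as their base` should read `# Custom Dockerfile location: instrumented builds (SAST) use this step as their base and supply a modified Dockerfile`; the same line appears in buildah-remote-oci-ta.yaml. The shortened activation-key comment now ends mid-sentence (`... to prevent certificates from being included`); keep the object, e.g. `# shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced container`. The new `icm` step is pinned by digest, which is good, but it sets no computeResources of its own and so inherits the 4 CPU / 4Gi template limits introduced in this same section; if the injection script needs far less, a step-level override would size it independently. Both script hunks are excerpts of the build step's script, which starts and ends outside the hunks.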
60 changes: 33 additions & 27 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
Expand Up @@ -154,7 +154,13 @@ spec:
name: SBOM_JAVA_COMPONENTS_COUNT
type: string
stepTemplate:
computeResources: {}
computeResources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: "1"
memory: 1Gi
env:
- name: ACTIVATION_KEY
value: $(params.ACTIVATION_KEY)
Expand Down Expand Up @@ -300,8 +306,7 @@ spec:
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
elif [ -e "$DOCKERFILE" ]; then
# Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and also need to provide modified Dockerfile.
# Instrumented builds (SAST) use this custom dockerffile step as their base
dockerfile_path="$DOCKERFILE"
elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
echo "Fetch Dockerfile from $DOCKERFILE"
Expand Down Expand Up @@ -357,7 +362,7 @@ spec:
shift
# Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being
# passed to buildah. In that case, the *last* occurrence takes precedence. This is why
# we append BUILD_ARGS after the content of the BUILD_ARGS_FILE - they take precedence.
# we append BUILD_ARGS after the content of the BUILD_ARGS_FILE
while [[ $# -gt 0 && $1 != --* ]]; do
build_args+=("$1")
shift
Expand Down Expand Up @@ -472,9 +477,8 @@ spec:
# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
# 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume
# to buildah but don't pre-register for backwards compatibility. In this case mount an empty directory on
# shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
# container.
# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on
# shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included

if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
Expand Down Expand Up @@ -508,8 +512,7 @@ spec:

if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then
# ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.
# This is primarily used in instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and add some other tools.
# Instrumented builds (SAST) use this step as their base and add some other tools.
while read -r volume_mount; do
VOLUME_MOUNTS+=("--volume=$volume_mount")
done <<<"$ADDITIONAL_VOLUME_MOUNTS"
Expand Down Expand Up @@ -552,16 +555,18 @@ spec:
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"

container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name

# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/tmp/cachi2/output/bom.json" ]; then
echo "Making copy of sbom-cachi2.json"
cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
fi

buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name

touch /shared/base_images_digests
for image in $BASE_IMAGES; do
base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
Expand Down Expand Up @@ -644,13 +649,20 @@ spec:
name: ssh
readOnly: true
workingDir: /var/workdir
- computeResources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: "1"
memory: 1Gi
- args:
- $(params.IMAGE)
computeResources: {}
image: quay.io/konflux-ci/icm-injection-scripts:latest@sha256:462980e94ba689b5f56c3d5dfb3358cd8c685300daf65a71532f11898935e7f1
name: icm
securityContext:
capabilities:
add:
- SETFCAP
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
workingDir: /var/workdir
- computeResources: {}
image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
name: push
script: |
Expand Down Expand Up @@ -709,13 +721,7 @@ spec:
name: trusted-ca
readOnly: true
workingDir: /var/workdir
- computeResources:
limits:
cpu: "2"
memory: 4Gi
requests:
cpu: 500m
memory: 1Gi
- computeResources: {}
image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f
name: sbom-syft-generate
script: |
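Review bot: The `icm`, `push` and `sbom-syft-generate` steps now carry an explicit `computeResources: {}` while the stepTemplate gained 4 CPU / 4Gi limits, and the task/buildah-min patch in this PR relies on those three steps inheriting the template; it is worth confirming on a rendered TaskRun pod that Tekton's step/stepTemplate merge treats the empty mapping as "no override" rather than as cleared resources. The alphabetical key ordering (`args`, `computeResources`, `image`, `name`, ...) suggests this file is generated from buildah-oci-ta.yaml; if so, the `dockerffile` typo and the truncated entitlement comment copied here should be fixed at the source so regeneration does not reintroduce them. The script hunks are excerpts of the build step's script, which continues outside the hunks.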