-
Notifications
You must be signed in to change notification settings - Fork 149
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #729 from brunoapimentel/buildah-dance
New buildah task for RHTAP
- Loading branch information
Showing
3 changed files
with
176 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,174 @@ | ||
apiVersion: tekton.dev/v1 | ||
kind: Task | ||
metadata: | ||
labels: | ||
app.kubernetes.io/version: "0.1" | ||
build.appstudio.redhat.com/build_type: "docker" | ||
annotations: | ||
tekton.dev/pipelines.minVersion: "0.12.1" | ||
tekton.dev/tags: "containers, rhtap" | ||
name: buildah-rhtap | ||
spec: | ||
description: |- | ||
Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. | ||
In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. | ||
params: | ||
- description: Reference of the image buildah will produce. | ||
name: IMAGE | ||
type: string | ||
- default: ./Dockerfile | ||
description: Path to the Dockerfile to build. | ||
name: DOCKERFILE | ||
type: string | ||
- default: . | ||
description: Path to the directory to use as context. | ||
name: CONTEXT | ||
type: string | ||
- default: "true" | ||
description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) | ||
name: TLSVERIFY | ||
type: string | ||
results: | ||
- description: Digest of the image just built | ||
name: IMAGE_DIGEST | ||
- description: Image repository where the built image was pushed | ||
name: IMAGE_URL | ||
- description: Digests of the base images used for build | ||
name: BASE_IMAGES_DIGESTS | ||
stepTemplate: | ||
env: | ||
- name: STORAGE_DRIVER | ||
value: vfs | ||
- name: CONTEXT | ||
value: $(params.CONTEXT) | ||
- name: DOCKERFILE | ||
value: $(params.DOCKERFILE) | ||
- name: IMAGE | ||
value: $(params.IMAGE) | ||
- name: TLSVERIFY | ||
value: $(params.TLSVERIFY) | ||
steps: | ||
- name: build | ||
image: registry.access.redhat.com/ubi9/buildah@sha256:04fde77ea72c25b56efb3f71db809c5d7b09938130df2da9175a3c888b94043d | ||
script: | | ||
# Check if the Dockerfile exists | ||
SOURCE_CODE_DIR=source | ||
if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then | ||
dockerfile_path="$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" | ||
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then | ||
dockerfile_path="$SOURCE_CODE_DIR/$DOCKERFILE" | ||
else | ||
echo "Cannot find Dockerfile $DOCKERFILE" | ||
exit 1 | ||
fi | ||
# Build the image | ||
buildah build \ | ||
--tls-verify=$TLSVERIFY \ | ||
--ulimit nofile=4096:4096 \ | ||
-f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT | ||
# Push the image | ||
buildah push \ | ||
--tls-verify=$TLSVERIFY \ | ||
--retry=5 \ | ||
--digestfile /tmp/files/image-digest $IMAGE \ | ||
docker://$IMAGE | ||
# Set task results | ||
buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) | ||
cat /tmp/files/image-digest | tee $(results.IMAGE_DIGEST.path) | ||
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) | ||
# Save the image so it can be used in the generate-sbom step | ||
buildah push "$IMAGE" oci:/tmp/files/image | ||
securityContext: | ||
capabilities: | ||
add: | ||
# this is needed so that buildah can write to the mounted /var/lib/containers directory | ||
- SETFCAP | ||
volumeMounts: | ||
- mountPath: /var/lib/containers | ||
name: varlibcontainers | ||
- mountPath: /tmp/files | ||
name: tmpfiles | ||
workingDir: $(workspaces.source.path) | ||
|
||
- name: generate-sboms | ||
image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede | ||
script: | | ||
syft dir:$(workspaces.source.path)/source --output cyclonedx-json@1.5=/tmp/files/sbom-source.json | ||
syft oci-dir:/tmp/files/image --output cyclonedx-json@1.5=/tmp/files/sbom-image.json | ||
volumeMounts: | ||
- mountPath: /var/lib/containers | ||
name: varlibcontainers | ||
- mountPath: /tmp/files | ||
name: tmpfiles | ||
|
||
- name: merge-sboms | ||
image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f | ||
script: | | ||
#!/bin/python3 | ||
import json | ||
### load SBOMs ### | ||
with open("./sbom-image.json") as f: | ||
image_sbom = json.load(f) | ||
with open("./sbom-source.json") as f: | ||
source_sbom = json.load(f) | ||
### attempt to deduplicate components ### | ||
component_list = image_sbom.get("components", []) | ||
existing_purls = [c["purl"] for c in component_list if "purl" in c] | ||
for component in source_sbom.get("components", []): | ||
if "purl" in component: | ||
if component["purl"] not in existing_purls: | ||
component_list.append(component) | ||
existing_purls.append(component["purl"]) | ||
else: | ||
# We won't try to deduplicate components that lack a purl. | ||
# This should only happen with operating-system type components, | ||
# which are only reported in the image SBOM. | ||
component_list.append(component) | ||
component_list.sort(key=lambda c: c["type"] + c["name"]) | ||
image_sbom["components"] = component_list | ||
### write the CycloneDX unified SBOM ### | ||
with open("./sbom-cyclonedx.json", "w") as f: | ||
json.dump(image_sbom, f, indent=4) | ||
volumeMounts: | ||
- mountPath: /tmp/files | ||
name: tmpfiles | ||
workingDir: /tmp/files | ||
|
||
- name: upload-sbom | ||
image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 | ||
args: | ||
- attach | ||
- sbom | ||
- --sbom | ||
- sbom-cyclonedx.json | ||
- --type | ||
- cyclonedx | ||
- $(params.IMAGE) | ||
volumeMounts: | ||
- mountPath: /tmp/files | ||
name: tmpfiles | ||
workingDir: /tmp/files | ||
|
||
volumes: | ||
- emptyDir: {} | ||
name: varlibcontainers | ||
- emptyDir: {} | ||
name: tmpfiles | ||
workspaces: | ||
- name: source | ||
description: Workspace containing the source code to build. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Konflux Build Team |