Skip to content

Commit

Permalink
Merge pull request #729 from brunoapimentel/buildah-dance
Browse files Browse the repository at this point in the history
New buildah task for RHTAP
  • Loading branch information
mmorhun authored Jan 26, 2024
2 parents c497cc4 + 1437d89 commit 39bc0e1
Show file tree
Hide file tree
Showing 3 changed files with 176 additions and 5 deletions.
6 changes: 1 addition & 5 deletions pipelines/docker-build-dance/patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
- op: replace
path: /spec/tasks/3/taskRef
value:
name: buildah
name: buildah-rhtap
version: "0.1"
- op: add
path: /spec/tasks/3/params
Expand All @@ -34,10 +34,6 @@
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.path-context)
- name: HERMETIC
value: "$(params.hermetic)"
- name: PREFETCH_INPUT
value: "$(params.prefetch-input)"
- name: IMAGE_EXPIRES_AFTER
value: "$(params.image-expires-after)"
- name: COMMIT_SHA
Expand Down
174 changes: 174 additions & 0 deletions task/buildah-rhtap/0.1/buildah-rhtap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,174 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
labels:
app.kubernetes.io/version: "0.1"
build.appstudio.redhat.com/build_type: "docker"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: "containers, rhtap"
name: buildah-rhtap
spec:
description: |-
Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.
In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
params:
- description: Reference of the image buildah will produce.
name: IMAGE
type: string
- default: ./Dockerfile
description: Path to the Dockerfile to build.
name: DOCKERFILE
type: string
- default: .
description: Path to the directory to use as context.
name: CONTEXT
type: string
- default: "true"
description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
name: TLSVERIFY
type: string
results:
- description: Digest of the image just built
name: IMAGE_DIGEST
- description: Image repository where the built image was pushed
name: IMAGE_URL
- description: Digests of the base images used for build
name: BASE_IMAGES_DIGESTS
stepTemplate:
env:
- name: STORAGE_DRIVER
value: vfs
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
- name: IMAGE
value: $(params.IMAGE)
- name: TLSVERIFY
value: $(params.TLSVERIFY)
steps:
- name: build
image: registry.access.redhat.com/ubi9/buildah@sha256:04fde77ea72c25b56efb3f71db809c5d7b09938130df2da9175a3c888b94043d
script: |
# Check if the Dockerfile exists
SOURCE_CODE_DIR=source
if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
dockerfile_path="$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
dockerfile_path="$SOURCE_CODE_DIR/$DOCKERFILE"
else
echo "Cannot find Dockerfile $DOCKERFILE"
exit 1
fi
# Build the image
buildah build \
--tls-verify=$TLSVERIFY \
--ulimit nofile=4096:4096 \
-f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT
# Push the image
buildah push \
--tls-verify=$TLSVERIFY \
--retry=5 \
--digestfile /tmp/files/image-digest $IMAGE \
docker://$IMAGE
# Set task results
buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path)
cat /tmp/files/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
# Save the image so it can be used in the generate-sbom step
buildah push "$IMAGE" oci:/tmp/files/image
securityContext:
capabilities:
add:
# this is needed so that buildah can write to the mounted /var/lib/containers directory
- SETFCAP
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
- mountPath: /tmp/files
name: tmpfiles
workingDir: $(workspaces.source.path)

- name: generate-sboms
image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede
script: |
syft dir:$(workspaces.source.path)/source --output cyclonedx-json@1.5=/tmp/files/sbom-source.json
syft oci-dir:/tmp/files/image --output cyclonedx-json@1.5=/tmp/files/sbom-image.json
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
- mountPath: /tmp/files
name: tmpfiles

- name: merge-sboms
image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f
script: |
#!/bin/python3
import json
### load SBOMs ###
with open("./sbom-image.json") as f:
image_sbom = json.load(f)
with open("./sbom-source.json") as f:
source_sbom = json.load(f)
### attempt to deduplicate components ###
component_list = image_sbom.get("components", [])
existing_purls = [c["purl"] for c in component_list if "purl" in c]
for component in source_sbom.get("components", []):
if "purl" in component:
if component["purl"] not in existing_purls:
component_list.append(component)
existing_purls.append(component["purl"])
else:
# We won't try to deduplicate components that lack a purl.
# This should only happen with operating-system type components,
# which are only reported in the image SBOM.
component_list.append(component)
component_list.sort(key=lambda c: c["type"] + c["name"])
image_sbom["components"] = component_list
### write the CycloneDX unified SBOM ###
with open("./sbom-cyclonedx.json", "w") as f:
json.dump(image_sbom, f, indent=4)
volumeMounts:
- mountPath: /tmp/files
name: tmpfiles
workingDir: /tmp/files

- name: upload-sbom
image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
args:
- attach
- sbom
- --sbom
- sbom-cyclonedx.json
- --type
- cyclonedx
- $(params.IMAGE)
volumeMounts:
- mountPath: /tmp/files
name: tmpfiles
workingDir: /tmp/files

volumes:
- emptyDir: {}
name: varlibcontainers
- emptyDir: {}
name: tmpfiles
workspaces:
- name: source
description: Workspace containing the source code to build.
1 change: 1 addition & 0 deletions task/buildah-rhtap/OWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Konflux Build Team

0 comments on commit 39bc0e1

Please sign in to comment.