diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 1a33cfa7b4..8aad878962 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -7,7 +7,7 @@ metadata:
 tekton.dev/pipelines.minVersion: 0.12.1
 tekton.dev/tags: image-build, konflux
 labels:
- app.kubernetes.io/version: "0.2"
+ app.kubernetes.io/version: 0.2.1
 build.appstudio.redhat.com/build_type: docker
 spec:
 description: |-
@@ -546,6 +546,75 @@ spec:
 capabilities:
 add:
 - SETFCAP
+ - name: push
+ image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
+ workingDir: /var/workdir
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ - mountPath: /mnt/trusted-ca
+ name: trusted-ca
+ readOnly: true
+ script: |
+ #!/bin/bash
+ set -e
+
+ retry() {
+ status=-1
+ max_run=5
+ sleep_sec=10
+
+ for run in $(seq 1 $max_run); do
+ status=0
+ [ "$run" -gt 1 ] && sleep $sleep_sec
+ "$@" && break || status=$?
+ done
+ return $status
+ }
+
+ ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+ if [ -f "$ca_bundle" ]; then
+ echo "INFO: Using mounted CA bundle: $ca_bundle"
+ cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+ update-ca-trust
+ fi
+
+ echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
+ if ! retry buildah push \
+ --tls-verify="$TLSVERIFY" \
+ "$IMAGE" \
+ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then
+ echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"
+ exit 1
+ fi
+
+ echo "Pushing to ${IMAGE}"
+ if ! retry buildah push \
+ --tls-verify="$TLSVERIFY" \
+ --digestfile "/var/workdir/image-digest" "$IMAGE" \
+ "docker://$IMAGE"; then
+ echo "Failed to push sbom image to $IMAGE after ${max_run} tries"
+ exit 1
+ fi
+
+ cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
+ echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+ {
+ echo -n "${IMAGE}@"
+ cat "/var/workdir/image-digest"
+ } >"$(results.IMAGE_REF.path)"
+ computeResources:
+ limits:
+ cpu: "4"
+ memory: 4Gi
+ requests:
+ cpu: "1"
+ memory: 1Gi
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ runAsUser: 0
 - name: sbom-syft-generate
 image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f
 workingDir: /var/workdir/source
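Review bot: Both failure messages in the new push step read `Failed to push sbom image to …` even though this step pushes the built container image, not an SBOM, so a failed run is logged under the wrong artifact name; change them to `echo "Failed to push image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"` and `echo "Failed to push image to $IMAGE after ${max_run} tries"`. The progress line before the first push expands `${TASKRUN_NAME}` while the push target uses `$(context.taskRun.name)`; unless TASKRUN_NAME is set in the step environment (not visible in this hunk) the log names a different tag than the one actually pushed, so `echo "Pushing to ${IMAGE%:*}:$(context.taskRun.name)"` keeps both in sync. The same copied script is added to buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml in this commit, and the same fix applies there. Moving the step ahead of sbom-syft-generate also means the image tag is published before the SBOM exists, so a later SBOM generation or upload failure leaves a pushed image with no SBOM; if that is intended it deserves a comment on the step and a sentence in the README's 0.2.1 change list.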
@@ -610,6 +679,18 @@ spec:
 --sbom=sbom-cyclonedx.json \
 --base-images-from-dockerfile=/shared/base_images_from_dockerfile \
 --base-images-digests=/shared/base_images_digests
+
+ echo "Adding image reference to sbom"
+ IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")"
+ IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")"
+
+ python3 /scripts/add_image_reference.py \
+ --image-url "$IMAGE_URL" \
+ --image-digest "$IMAGE_DIGEST" \
+ --input-file sbom-cyclonedx.json \
+ --output-file /tmp/sbom-cyclonedx.tmp.json
+
+ mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json
 computeResources:
 limits:
 cpu: 200m
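Review bot: The new `python3 /scripts/add_image_reference.py` call is followed unconditionally by `mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json`; the script header of this step (and whether it sets `set -e`) is outside the hunk, and without it a failing rewrite either makes `mv` fail on a missing temp file or replaces the SBOM with a partial one, in both cases without a message naming the real cause. Making the check explicit removes the dependency on the shell options: `--output-file /tmp/sbom-cyclonedx.tmp.json || { echo "Failed to add image reference to sbom-cyclonedx.json"; exit 1; }` on the last argument line. The step's image is likewise outside the hunk, so I am assuming `python3` and `/scripts/add_image_reference.py` are shipped in it. The same block is added to buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml in this commit, and the same applies there.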
@@ -619,75 +700,6 @@ spec:
 memory: 256Mi
 securityContext:
 runAsUser: 0
- - name: push
- image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
- workingDir: /var/workdir
- volumeMounts:
- - mountPath: /var/lib/containers
- name: varlibcontainers
- - mountPath: /mnt/trusted-ca
- name: trusted-ca
- readOnly: true
- script: |
- #!/bin/bash
- set -e
-
- retry() {
- status=-1
- max_run=5
- sleep_sec=10
-
- for run in $(seq 1 $max_run); do
- status=0
- [ "$run" -gt 1 ] && sleep $sleep_sec
- "$@" && break || status=$?
- done
- return $status
- }
-
- ca_bundle=/mnt/trusted-ca/ca-bundle.crt
- if [ -f "$ca_bundle" ]; then
- echo "INFO: Using mounted CA bundle: $ca_bundle"
- cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
- update-ca-trust
- fi
-
- echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
- if ! retry buildah push \
- --tls-verify="$TLSVERIFY" \
- "$IMAGE" \
- "docker://${IMAGE%:*}:$(context.taskRun.name)"; then
- echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"
- exit 1
- fi
-
- echo "Pushing to ${IMAGE}"
- if ! retry buildah push \
- --tls-verify="$TLSVERIFY" \
- --digestfile "/var/workdir/image-digest" "$IMAGE" \
- "docker://$IMAGE"; then
- echo "Failed to push sbom image to $IMAGE after ${max_run} tries"
- exit 1
- fi
-
- cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
- echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
- {
- echo -n "${IMAGE}@"
- cat "/var/workdir/image-digest"
- } >"$(results.IMAGE_REF.path)"
- computeResources:
- limits:
- cpu: "4"
- memory: 4Gi
- requests:
- cpu: "1"
- memory: 1Gi
- securityContext:
- capabilities:
- add:
- - SETFCAP
- runAsUser: 0
 - name: upload-sbom
 image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
 workingDir: /var/workdir
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index eb08f657e7..eca92b21f1 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -6,7 +6,7 @@ metadata:
 tekton.dev/tags: image-build, konflux
 creationTimestamp: null
 labels:
- app.kubernetes.io/version: "0.2"
+ app.kubernetes.io/version: 0.2.1
 build.appstudio.redhat.com/build_type: docker
 name: buildah-remote-oci-ta
 spec:
@@ -642,6 +642,79 @@ spec:
 name: ssh
 readOnly: true
 workingDir: /var/workdir
+ - computeResources:
+ limits:
+ cpu: "4"
+ memory: 4Gi
+ requests:
+ cpu: "1"
+ memory: 1Gi
+ image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
+ name: push
+ script: |
+ #!/bin/bash
+ set -e
+ if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then
+ IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
+ export IMAGE
+ fi
+
+ retry() {
+ status=-1
+ max_run=5
+ sleep_sec=10
+
+ for run in $(seq 1 $max_run); do
+ status=0
+ [ "$run" -gt 1 ] && sleep $sleep_sec
+ "$@" && break || status=$?
+ done
+ return $status
+ }
+
+ ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+ if [ -f "$ca_bundle" ]; then
+ echo "INFO: Using mounted CA bundle: $ca_bundle"
+ cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+ update-ca-trust
+ fi
+
+ echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
+ if ! retry buildah push \
+ --tls-verify="$TLSVERIFY" \
+ "$IMAGE" \
+ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then
+ echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"
+ exit 1
+ fi
+
+ echo "Pushing to ${IMAGE}"
+ if ! retry buildah push \
+ --tls-verify="$TLSVERIFY" \
+ --digestfile "/var/workdir/image-digest" "$IMAGE" \
+ "docker://$IMAGE"; then
+ echo "Failed to push sbom image to $IMAGE after ${max_run} tries"
+ exit 1
+ fi
+
+ cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
+ echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+ {
+ echo -n "${IMAGE}@"
+ cat "/var/workdir/image-digest"
+ } >"$(results.IMAGE_REF.path)"
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ runAsUser: 0
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ - mountPath: /mnt/trusted-ca
+ name: trusted-ca
+ readOnly: true
+ workingDir: /var/workdir
 - computeResources:
 limits:
 cpu: "2"
@@ -730,81 +803,20 @@ spec: --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests - securityContext: - runAsUser: 0 - workingDir: /var/workdir - - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - name: push - script: | - #!/bin/bash - set -e - if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then - IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" - export IMAGE - fi - retry() { - status=-1 - max_run=5 - sleep_sec=10 + echo "Adding image reference to sbom" + IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")" + IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")" - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } + python3 /scripts/add_image_reference.py \ + --image-url "$IMAGE_URL" \ + --image-digest "$IMAGE_DIGEST" \ + --input-file sbom-cyclonedx.json \ + --output-file /tmp/sbom-cyclonedx.tmp.json - ca_bundle=/mnt/trusted-ca/ca-bundle.crt - if [ -f "$ca_bundle" ]; then - echo "INFO: Using mounted CA bundle: $ca_bundle" - cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors - update-ca-trust - fi - - echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - "$IMAGE" \ - "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" - exit 1 - fi - - echo "Pushing to ${IMAGE}" - if ! 
retry buildah push \ - --tls-verify="$TLSVERIFY" \ - --digestfile "/var/workdir/image-digest" "$IMAGE" \ - "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" - exit 1 - fi - - cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - { - echo -n "${IMAGE}@" - cat "/var/workdir/image-digest" - } >"$(results.IMAGE_REF.path)" + mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json securityContext: - capabilities: - add: - - SETFCAP runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /mnt/trusted-ca - name: trusted-ca - readOnly: true workingDir: /var/workdir - computeResources: limits: diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 1a377df967..fb5244f6bb 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -6,7 +6,7 @@ metadata: tekton.dev/tags: image-build, konflux creationTimestamp: null labels: - app.kubernetes.io/version: "0.2" + app.kubernetes.io/version: 0.2.1 build.appstudio.redhat.com/build_type: docker name: buildah-remote spec: 
@@ -620,6 +620,81 @@ spec:
 name: ssh
 readOnly: true
 workingDir: $(workspaces.source.path)
+ - computeResources:
+ limits:
+ cpu: "4"
+ memory: 4Gi
+ requests:
+ cpu: "1"
+ memory: 1Gi
+ image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
+ name: push
+ script: |
+ #!/bin/bash
+ set -e
+ if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then
+ IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
+ export IMAGE
+ fi
+
+ retry () {
+ status=-1
+ max_run=5
+ sleep_sec=10
+
+ for run in $(seq 1 $max_run); do
+ status=0
+ [ "$run" -gt 1 ] && sleep $sleep_sec
+ "$@" && break || status=$?
+ done
+ return $status
+ }
+
+ ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+ if [ -f "$ca_bundle" ]; then
+ echo "INFO: Using mounted CA bundle: $ca_bundle"
+ cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+ update-ca-trust
+ fi
+
+ echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
+ if ! retry buildah push \
+ --tls-verify="$TLSVERIFY" \
+ "$IMAGE" \
+ "docker://${IMAGE%:*}:$(context.taskRun.name)";
+ then
+ echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"
+ exit 1
+ fi
+
+ echo "Pushing to ${IMAGE}"
+ if ! retry buildah push \
+ --tls-verify="$TLSVERIFY" \
+ --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \
+ "docker://$IMAGE";
+ then
+ echo "Failed to push sbom image to $IMAGE after ${max_run} tries"
+ exit 1
+ fi
+
+ cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
+ echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+ {
+ echo -n "${IMAGE}@"
+ cat "$(workspaces.source.path)/image-digest"
+ } > "$(results.IMAGE_REF.path)"
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ runAsUser: 0
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ - mountPath: /mnt/trusted-ca
+ name: trusted-ca
+ readOnly: true
+ workingDir: $(workspaces.source.path)
 - computeResources:
 limits:
 cpu: "2"
@@ -708,83 +783,20 @@ spec: --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests - securityContext: - runAsUser: 0 - workingDir: $(workspaces.source.path) - - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - name: push - script: | - #!/bin/bash - set -e - if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then - IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" - export IMAGE - fi - retry () { - status=-1 - max_run=5 - sleep_sec=10 + echo "Adding image reference to sbom" + IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")" + IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")" - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } + python3 /scripts/add_image_reference.py \ + --image-url "$IMAGE_URL" \ + --image-digest "$IMAGE_DIGEST" \ + --input-file sbom-cyclonedx.json \ + --output-file /tmp/sbom-cyclonedx.tmp.json - ca_bundle=/mnt/trusted-ca/ca-bundle.crt - if [ -f "$ca_bundle" ]; then - echo "INFO: Using mounted CA bundle: $ca_bundle" - cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors - update-ca-trust - fi - - echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - "$IMAGE" \ - "docker://${IMAGE%:*}:$(context.taskRun.name)"; - then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" - exit 1 - fi - - echo "Pushing to ${IMAGE}" - if ! 
retry buildah push \ - --tls-verify="$TLSVERIFY" \ - --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ - "docker://$IMAGE"; - then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" - exit 1 - fi - - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - { - echo -n "${IMAGE}@" - cat "$(workspaces.source.path)/image-digest" - } > "$(results.IMAGE_REF.path)" + mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json securityContext: - capabilities: - add: - - SETFCAP runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /mnt/trusted-ca - name: trusted-ca - readOnly: true workingDir: $(workspaces.source.path) - computeResources: limits: diff --git a/task/buildah/0.2/README.md b/task/buildah/0.2/README.md index 4ad54020df..6be68eb10e 100644 --- a/task/buildah/0.2/README.md +++ b/task/buildah/0.2/README.md 
@@ -6,43 +6,49 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. ## Parameters -|name|description|default value|required| -|---|---|---|---| -|IMAGE|Reference of the image buildah will produce.||true| -|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| -|CONTEXT|Path to the directory to use as context.|.|false| -|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| -|HERMETIC|Determines if build will be executed without network access.|false|false| -|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| -|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| -|COMMIT_SHA|The image is built from this commit.|""|false| -|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| -|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| -|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| -|TARGET_STAGE|Target stage in Dockerfile to build. 
If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| -|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| -|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| -|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| -|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| -|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| -|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| -|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| -|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| -|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| -|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| -|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +| name | description | default value | required | +| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | -------- | +| IMAGE | Reference of the image buildah will produce. | | true | +| DOCKERFILE | Path to the Dockerfile to build. | ./Dockerfile | false | +| CONTEXT | Path to the directory to use as context. | . | false | +| TLSVERIFY | Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) | true | false | +| HERMETIC | Determines if build will be executed without network access. 
| false | false | +| PREFETCH_INPUT | In case it is not empty, the prefetched content should be made available to the build. | "" | false | +| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | "" | false | +| COMMIT_SHA | The image is built from this commit. | "" | false | +| YUM_REPOS_D_SRC | Path in the git repository in which yum repository files are stored | repos.d | false | +| YUM_REPOS_D_FETCHED | Path in source workspace where dynamically-fetched repos are present | fetched.repos.d | false | +| YUM_REPOS_D_TARGET | Target path on the container in which yum repository files should be made available | /etc/yum.repos.d | false | +| TARGET_STAGE | Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage. | "" | false | +| ENTITLEMENT_SECRET | Name of secret which contains the entitlement certificates | etc-pki-entitlement | false | +| ACTIVATION_KEY | Name of secret which contains subscription activation key | activation-key | false | +| ADDITIONAL_SECRET | Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET | does-not-exist | false | +| BUILD_ARGS | Array of --build-arg values ("arg=value" strings) | [] | false | +| BUILD_ARGS_FILE | Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file | "" | false | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | false | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. 
| ca-bundle.crt | false | +| ADD_CAPABILITIES | Comma separated list of extra capabilities to add when running 'buildah build' | "" | false | +| SQUASH | Squash all new and previous layers added as a part of this build, as per --squash | false | false | +| STORAGE_DRIVER | Storage driver to configure for buildah | vfs | false | +| SKIP_UNUSED_STAGES | Whether to skip stages in Containerfile that seem unused by subsequent stages | true | false | ## Results -|name|description| -|---|---| -|IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository and tag where the built image was pushed| -|IMAGE_REF|Image reference of the built image| -|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| -|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| -|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| +| name | description | +| --------------------------- | --------------------------------------------------------------------------------- | +| IMAGE_DIGEST | Digest of the image just built | +| IMAGE_URL | Image repository and tag where the built image was pushed | +| IMAGE_REF | Image reference of the built image | +| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance | +| SBOM_JAVA_COMPONENTS_COUNT | The counting of Java components by publisher in JSON format | +| JAVA_COMMUNITY_DEPENDENCIES | The Java dependencies that came from community sources such as Maven central. | ## Workspaces -|name|description|optional| -|---|---|---| -|source|Workspace containing the source code to build.|false| +| name | description | optional | +| ------ | ---------------------------------------------- | -------- | +| source | Workspace containing the source code to build. | false | + + +## Changes in 0.2.1 +- Added image reference to the SBOM output file. 
+- Re-arranged steps to push image first and then generate and push SBOM file. +- Remove SBOM file stored in the image under `/root/buildinfo/content_manifests/` diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 2a886be108..a766c4754a 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -2,7 +2,7 @@ apiVersion: tekton.dev/v1 kind: Task metadata: labels: - app.kubernetes.io/version: "0.2" + app.kubernetes.io/version: "0.2.1" build.appstudio.redhat.com/build_type: "docker" annotations: tekton.dev/pipelines.minVersion: "0.12.1" 
@@ -487,6 +487,79 @@ spec: readOnly: true workingDir: $(workspaces.source.path) + - name: push + image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c + computeResources: + limits: + memory: 4Gi + cpu: '4' + requests: + memory: 1Gi + cpu: '1' + script: | + #!/bin/bash + set -e + + retry () { + status=-1 + max_run=5 + sleep_sec=10 + + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + "$@" && break || status=$? + done + return $status + } + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" + if ! retry buildah push \ + --tls-verify="$TLSVERIFY" \ + "$IMAGE" \ + "docker://${IMAGE%:*}:$(context.taskRun.name)"; + then + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + exit 1 + fi + + echo "Pushing to ${IMAGE}" + if ! 
retry buildah push \ + --tls-verify="$TLSVERIFY" \ + --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ + "docker://$IMAGE"; + then + echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + exit 1 + fi + + cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" + + securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - name: trusted-ca + mountPath: /mnt/trusted-ca + readOnly: true + workingDir: $(workspaces.source.path) + - name: sbom-syft-generate image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f # Respect Syft configuration if the user has it in the root of their repository 
@@ -560,82 +633,21 @@ spec: --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests - workingDir: $(workspaces.source.path) - securityContext: - runAsUser: 0 - - - name: push - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - computeResources: - limits: - memory: 4Gi - cpu: '4' - requests: - memory: 1Gi - cpu: '1' - script: | - #!/bin/bash - set -e - - retry () { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } - - ca_bundle=/mnt/trusted-ca/ca-bundle.crt - if [ -f "$ca_bundle" ]; then - echo "INFO: Using mounted CA bundle: $ca_bundle" - cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors - update-ca-trust - fi - echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - "$IMAGE" \ - "docker://${IMAGE%:*}:$(context.taskRun.name)"; - then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" - exit 1 - fi - - echo "Pushing to ${IMAGE}" - if ! 
retry buildah push \ - --tls-verify="$TLSVERIFY" \ - --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ - "docker://$IMAGE"; - then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" - exit 1 - fi + echo "Adding image reference to sbom" + IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")" + IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")" - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - { - echo -n "${IMAGE}@" - cat "$(workspaces.source.path)/image-digest" - } > "$(results.IMAGE_REF.path)" + python3 /scripts/add_image_reference.py \ + --image-url "$IMAGE_URL" \ + --image-digest "$IMAGE_DIGEST" \ + --input-file sbom-cyclonedx.json \ + --output-file /tmp/sbom-cyclonedx.tmp.json + mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json + workingDir: $(workspaces.source.path) securityContext: runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - name: trusted-ca - mountPath: /mnt/trusted-ca - readOnly: true - workingDir: $(workspaces.source.path) - name: upload-sbom image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8