diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index b6ebd68d3a..e3844a7959 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml @@ -26,7 +26,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:f745749e498fe1542b91129db743abf959b07c8a + image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:efcb425bd32dcf61b82b1214c45e58f68f6f445d command: ["/konflux-e2e/konflux-e2e.test"] # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag @@ -44,7 +44,7 @@ spec: - name: APP_SUFFIX value: "$(params.app_suffix)" - name: COMPONENT_REPO_URLS - value: "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic,https://github.com/redhat-appstudio-qe/retrodep,https://github.com/cachito-testing/pip-e2e-test,https://github.com/redhat-appstudio-qe/fbc-sample-repo" + value: "https://github.com/konflux-qe-bd/devfile-sample-python-basic,https://github.com/konflux-qe-bd/retrodep,https://github.com/konflux-qe-bd/pip-e2e-test,https://github.com/konflux-qe-bd/fbc-sample-repo" - name: QUAY_E2E_ORGANIZATION value: konflux-ci - name: E2E_APPLICATIONS_NAMESPACE @@ -60,7 +60,7 @@ spec: name: quay-push-secret-konflux-ci key: .dockerconfigjson - name: MY_GITHUB_ORG - value: redhat-appstudio-appdata + value: konflux-qe-bd - name: EC_PIPELINES_REPO_URL value: $(params.ec_pipelines_repo_url) - name: EC_PIPELINES_REPO_REVISION diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index a6bc85fd28..3ab04602b3 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml 
@@ -23,7 +23,7 @@ spec: $(all_tasks_dir all_tasks-ec) - name: validate-all-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:662648a893b2403fe6604655a7c98dd561705865e29239198e18f689ee7ae242 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:a63668adc33c513b455dcd494d556e43fdab95ce8e06bfc74ac6f104af11116a script: | set -euo pipefail @@ -37,7 +37,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-build-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:662648a893b2403fe6604655a7c98dd561705865e29239198e18f689ee7ae242 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:a63668adc33c513b455dcd494d556e43fdab95ce8e06bfc74ac6f104af11116a script: | set -euo pipefail diff --git a/hack/generate-buildah-remote.sh b/hack/generate-buildah-remote.sh index da061ed821..27ea1fdcfb 100755 --- a/hack/generate-buildah-remote.sh +++ b/hack/generate-buildah-remote.sh @@ -8,7 +8,7 @@ go build -o /tmp/remote-generator ./remote/main.go for version in 0.1 0.2; do /tmp/remote-generator --buildah-task="${SCRIPTDIR}/../task/buildah/${version}/buildah.yaml" \ - --remote-task="${SCRIPTDIR}/../task/buildah-remote/${version}/buildah-remote.yaml" + --remote-task="${SCRIPTDIR}/../task/buildah-remote/${version}/buildah-remote.yaml" --task-version="$version" /tmp/remote-generator --buildah-task="${SCRIPTDIR}/../task/buildah-oci-ta/${version}/buildah-oci-ta.yaml" \ - --remote-task="${SCRIPTDIR}/../task/buildah-remote-oci-ta/${version}/buildah-remote-oci-ta.yaml" + --remote-task="${SCRIPTDIR}/../task/buildah-remote-oci-ta/${version}/buildah-remote-oci-ta.yaml" --task-version="$version" done diff --git a/pipelines/docker-build-oci-ta/patch.yaml b/pipelines/docker-build-oci-ta/patch.yaml index 677281306d..2a294b5809 100644 --- a/pipelines/docker-build-oci-ta/patch.yaml 
+++ b/pipelines/docker-build-oci-ta/patch.yaml @@ -64,6 +64,8 @@ value: $(params.image-expires-after) - op: remove path: /spec/tasks/2/workspaces/0 +- op: remove + path: /spec/tasks/2/when # build-container - op: replace diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index 90c5576d03..0a456f7fe1 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml @@ -79,7 +79,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:7a8e4c27716c1c5653cf4338f58cb2838e2712984c6c29204a28a9bee730df07 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:294b14582fa0e44f42c7e0651915ca67425488527fa7d9ecb49c3974ede028fc - name: name value: verify-enterprise-contract - name: kind diff --git a/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/README.md b/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/README.md index 5fd5196183..4e3147c95c 100644 --- a/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/README.md +++ b/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/README.md 
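Review bot: The added `- op: remove` / `path: /spec/tasks/2/when` carries no comment saying which task index 2 is or why its `when` guard is no longer wanted, while the neighbouring ops are labelled (`# build-container` follows it). A positional JSON-patch path silently targets a different task if the base pipeline's task order changes, so the op should name its target, e.g. a comment line above it such as `# <name of task at index 2>: run unconditionally (drop its when guard)`. Presumably this is the same task whose workspace is removed just above it; confirm against the base pipeline before merging.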
@@ -9,9 +9,10 @@ This StepAction provisions an ephemeral cluster using Hypershift with 3 worker n |version|The version of OpenShift to install. Container images will be pulled from: `quay.io/openshift-release-dev/ocp-release:${version}-multi`.||true| |instanceType|AWS EC2 instance type for worker nodes. Supported values: `m5.large`, `m5.xlarge`, `m5.2xlarge`, `m6g.large`, `m6g.xlarge`, `m6g.2xlarge`|m6g.large|false| |insecureSkipTLSVerify|Skip TLS verification when accessing the EaaS hub cluster. This should not be set to "true" in a production environment.|false|false| +|timeout|How long to wait for cluster provisioning to complete.|30m|false| ## Results |name|description| |---|---| -|clusterName|The name of the generated ClusterTemplateInstance resource| +|clusterName|The name of the generated ClusterTemplateInstance resource.| diff --git a/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml b/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml index 1dfde052c2..cde56d3ca6 100644 --- a/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml +++ b/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml @@ -28,6 +28,10 @@ spec: description: >- Skip TLS verification when accessing the EaaS hub cluster. This should not be set to "true" in a production environment. + - name: timeout + type: string + default: 30m + description: How long to wait for cluster provisioning to complete. results: - name: clusterName description: The name of the generated ClusterTemplateInstance resource. @@ -45,6 +49,8 @@ spec: key: kubeconfig - name: INSECURE_SKIP_TLS_VERIFY value: "$(params.insecureSkipTLSVerify)" + - name: TIMEOUT + value: "$(params.timeout)" script: | #!/bin/bash set -eo pipefail 
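Review bot: The new `timeout` parameter's description does not say what format the value must have, although it is passed verbatim to `oc wait --timeout` in a later hunk, so a caller has no way to know that `30m`-style durations are expected. Suggest `description: How long to wait for cluster provisioning to complete, as a duration accepted by oc wait --timeout (for example 30m).` and the matching wording in the README table row added in the same commit. The `default: 30m` is a plain scalar that YAML reads as a string, which is fine; a default like `30` would not be, which is another reason to document the format.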
@@ -61,6 +67,8 @@ spec: value: $INSTANCE_TYPE - name: version value: $VERSION + - name: timeout + value: $TIMEOUT EOF trap 'rm -f "$KUBECONFIG"' EXIT @@ -71,12 +79,12 @@ spec: echo "Created ClusterTemplateInstance $CTI_NAME" echo -n $CTI_NAME > $(step.results.clusterName.path) - echo "Waiting for ClusterTemplateInstance to be ready (20m timeout)" - if "${OC[@]}" wait cti $CTI_NAME --for=jsonpath='{.status.phase}'=Ready --timeout=20m; then + echo "Waiting for ClusterTemplateInstance to be ready ($TIMEOUT timeout)" + if "${OC[@]}" wait cti "$CTI_NAME" --for=jsonpath='{.status.phase}'=Ready --timeout="$TIMEOUT"; then echo "Successfully provisioned $CTI_NAME" exit 0 else - "${OC[@]}" get cti $CTI_NAME -o yaml + "${OC[@]}" get cti "$CTI_NAME" -o yaml echo "Failed to provision $CTI_NAME" exit 1 fi diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go index d03c0e4359..7dc5e6ce4c 100644 --- a/task-generator/remote/main.go +++ b/task-generator/remote/main.go @@ -18,6 +18,7 @@ import ( "flag" "os" "path/filepath" + "regexp" "strings" tektonapi "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" @@ -33,9 +34,11 @@ import ( func main() { var buildahTask string var buildahRemoteTask string + var taskVersion string flag.StringVar(&buildahTask, "buildah-task", "", "The location of the buildah task") flag.StringVar(&buildahRemoteTask, "remote-task", "", "The location of the buildah-remote task to overwrite") + flag.StringVar(&taskVersion, "task-version", "", "The version of the task to overwrite") opts := zap.Options{ Development: true, @@ -43,8 +46,8 @@ func main() { opts.BindFlags(flag.CommandLine) klog.InitFlags(flag.CommandLine) flag.Parse() - if buildahTask == "" || buildahRemoteTask == "" { - println("Must specify both buildah-task and remote-task params") + if buildahTask == "" || buildahRemoteTask == "" || taskVersion == "" { + println("Must specify both buildah-task, remote-task, and task-version params") os.Exit(1) } 
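Review bot: The new `value: $TIMEOUT` line is emitted into the ClusterTemplateInstance manifest through an expanding heredoc with no quotes, so the YAML type of the rendered value depends on what the caller passed (`30m` is a string, but `30` becomes an integer and an empty parameter becomes null), and the API server rather than this step reports the problem. Emit it quoted, `value: "$TIMEOUT"`; the existing `value: $VERSION` above it has the same shape and presumably works today, but version values like `4.15` are float-shaped, so quoting both would be safer. In the next hunk the commit quotes `"$CTI_NAME"` for `oc wait` and `oc get` but leaves the context line `echo -n $CTI_NAME > $(step.results.clusterName.path)` unquoted; `echo -n "$CTI_NAME" > "$(step.results.clusterName.path)"` keeps the three in step. The script continues outside both hunks.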
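Review bot: The updated usage message in the `-43,8 +46,8` hunk says "Must specify both" while now listing three flags; `println("Must specify buildah-task, remote-task, and task-version params")` reads correctly. Since `flag` is already in use, `flag.Usage()` after the message would also show the caller the accepted values for `-task-version` if the flag's help text named them (the generator only distinguishes `"0.1"` from everything else, per the convertToSsh hunks below).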
@@ -53,7 +56,7 @@ func main() { decodingScheme := runtime.NewScheme() utilruntime.Must(tektonapi.AddToScheme(decodingScheme)) - convertToSsh(&task) + convertToSsh(&task, taskVersion) y := printers.YAMLPrinter{} b := bytes.Buffer{} _ = y.PrintObj(&task, &b) @@ -87,7 +90,7 @@ func streamFileYamlToTektonObj(path string, obj runtime.Object) runtime.Object { return decodeBytesToTektonObjbytes(bytes, obj) } -func convertToSsh(task *tektonapi.Task) { +func convertToSsh(task *tektonapi.Task, taskVersion string) { builderImage := "" syncVolumes := map[string]bool{} 
@@ -96,14 +99,44 @@ func convertToSsh(task *tektonapi.Task) { syncVolumes[i.Name] = true } } + // The images produced in multi-platform builds need to have unique tags in order + // to prevent them from getting garbage collected before generating the image index. + // We can simplify this process, preventing the need for users to manually specify + // the image by auto-appending the architecture from the PLATFORM parameter. For + // example, this will append -arm64 if PLATFORM is linux/arm64 if not present. Since + // we cannot modify the parameter itself, this replacement needs to happen in any task + // step where the IMAGE parameter is used. + // If a user defines the IMAGE parameter with an -arm64 suffix, the arm64 suffix will + // not be appended again based on the PLATFORM. + adjustRemoteImage := `if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" +fi +` + for stepPod := range task.Spec.Steps { + ret := "" step := &task.Spec.Steps[stepPod] - if step.Name != "build" { + if step.Script != "" && taskVersion != "0.1" && step.Name != "build" { + scriptHeaderRE := regexp.MustCompile(`^#!/bin/bash\nset -e\n`) + if scriptHeaderRE.FindString(step.Script) != "" { + ret = scriptHeaderRE.ReplaceAllString(step.Script, "") + } else { + ret = step.Script + } + if !strings.HasPrefix(ret, "#!") { + // If there is a shebang, it is explicitly non-bash, so don't adjust the image + ret = "#!/bin/bash\nset -e\n" + adjustRemoteImage + ret + } + step.Script = ret + continue + } else if step.Name != "build" { continue } podmanArgs := "" - ret := `set -o verbose + ret = `#!/bin/bash +set -e +set -o verbose mkdir -p ~/.ssh if [ -e "/ssh/error" ]; then #no server could be provisioned 
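Review bot: The header match `^#!/bin/bash\nset -e\n` in the new per-step branch is exact, so a bash script whose header differs (for example `set -euo pipefail`, or a `#!/usr/bin/env bash` shebang) keeps its `#!` prefix, fails the `!strings.HasPrefix(ret, "#!")` guard and silently never receives `adjustRemoteImage` — the comment there calls that case "explicitly non-bash", but it is not. Match any bash shebang together with its `set` lines and insert the snippet after them instead, and compile the regexp once before the loop rather than for every step. Separately, the snippet appends `-${PLATFORM##*/}` unconditionally, so an empty `PLATFORM` yields an image name ending in a bare `-`; presumably the param is required, but a `[ -n "$PLATFORM" ]` guard inside the snippet is cheap. convertToSsh continues outside the hunk.

```go
	// Any bash shebang, optionally followed by `set -…` lines, is a header the
	// image adjustment can be inserted after; a non-bash shebang is left alone
	// because the snippet relies on bash's [[ ]].
	bashHeaderRE := regexp.MustCompile(`^(#!(/bin/bash|/usr/bin/env bash)\n)((set -.*\n)*)`)
	for stepPod := range task.Spec.Steps {
		ret := ""
		step := &task.Spec.Steps[stepPod]
		if step.Script != "" && taskVersion != "0.1" && step.Name != "build" {
			if header := bashHeaderRE.FindString(step.Script); header != "" {
				ret = header + adjustRemoteImage + strings.TrimPrefix(step.Script, header)
			} else if !strings.HasPrefix(step.Script, "#!") {
				ret = "#!/bin/bash\nset -e\n" + adjustRemoteImage + step.Script
			} else {
				// explicitly non-bash shebang: do not adjust the image here
				ret = step.Script
			}
			step.Script = ret
			continue
		} else if step.Name != "build" {
			continue
		}
		// … unchanged: build step script assembly …
```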
@@ -130,7 +163,9 @@ PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" fi ` - + if taskVersion != "0.1" { + ret += adjustRemoteImage + } env := "$PODMAN_PORT_FORWARD \\\n" // disable podman subscription-manager integration @@ -160,9 +195,19 @@ fi script := "scripts/script-" + step.Name + ".sh" ret += "\ncat >" + script + " <<'REMOTESSHEOF'\n" - if !strings.HasPrefix(step.Script, "#!") { + + // The base task might now be using a bash shell, so we need to make sure + // that we only have one shebang declaration. If there is a shebang declaration, + // we should also consolidate the set declarations. + reShebang := regexp.MustCompile(`(#!.*\n)(set -.*\n)*`) + shebangMatch := reShebang.FindString(step.Script) + if shebangMatch != "" { + ret += shebangMatch + step.Script = strings.TrimPrefix(step.Script, shebangMatch) + } else { ret += "#!/bin/bash\nset -o verbose\nset -e\n" } + if step.WorkingDir != "" { ret += "cd " + step.WorkingDir + "\n" } @@ -229,4 +274,7 @@ fi }, }) task.Spec.StepTemplate.Env = append(task.Spec.StepTemplate.Env, v1.EnvVar{Name: "BUILDER_IMAGE", Value: builderImage}) + if taskVersion != "0.1" { + task.Spec.StepTemplate.Env = append(task.Spec.StepTemplate.Env, v1.EnvVar{Name: "PLATFORM", Value: "$(params.PLATFORM)"}) + } } diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml index 64c1bb3d55..57ba3c3a90 100644 --- a/task/build-image-manifest/0.1/build-image-manifest.yaml +++ b/task/build-image-manifest/0.1/build-image-manifest.yaml 
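Review bot: In the `-160,9 +195,19` hunk `reShebang` is not anchored, so `FindString` returns the first `#!…` line found anywhere in `step.Script`, not only a leading one; for a script whose shebang is not at offset 0 the match is appended to the remote script while `strings.TrimPrefix` leaves the original in place, duplicating it. Prefix the pattern with `^` so it only matches a leading header, and compile it once before the step loop instead of on every build step. The regexp also swallows every consecutive `set -…` line after the shebang, which is the intended consolidation; a one-line comment saying so next to the `(set -.*\n)*` group would spare the next reader the deduction. The enclosing loop and convertToSsh continue outside the hunk.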
@@ -54,7 +54,7 @@ spec: - name: COMMIT_SHA value: $(params.COMMIT_SHA) steps: - - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent name: build diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 44ee3a7efa..d4e6ea3710 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -171,8 +171,6 @@ spec: emptyDir: {} stepTemplate: env: - - name: ACTIVATION_KEY - value: $(params.ACTIVATION_KEY) - name: ADDITIONAL_SECRET value: $(params.ADDITIONAL_SECRET) - name: ADD_CAPABILITIES @@ -222,7 +220,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: build - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 args: - $(params.BUILD_ARGS[*]) workingDir: /var/workdir 
@@ -366,15 +364,13 @@ spec: ACTIVATION_KEY_PATH="/activation-key" ENTITLEMENT_PATH="/entitlement" - # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. - # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container. - - if [ -d "$ACTIVATION_KEY_PATH" ]; then + if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir /shared/rhsm-tmp VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z" echo "Adding activation key to the build" - elif [ -d "$ENTITLEMENT_PATH" ]; then + + elif find /entitlement -name "*.pem" >>null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement" echo "Adding the entitlement to the build" @@ -532,7 +528,7 @@ spec: securityContext: runAsUser: 0 - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 workingDir: /var/workdir volumeMounts: - mountPath: /var/lib/containers diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 17fbd72da0..5259d29da0 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml 
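Review bot: The new `elif find /entitlement -name "*.pem" >>null; then` does not test what it is meant to: `find` exits 0 whenever it can search the directory, whether or not any `*.pem` matched, so with the entitlement volume mounted but empty the branch still fires and an empty `/tmp/entitlement` is mounted over `/etc/pki/entitlement`; and `>>null` is not `/dev/null`, it appends to a file literally named `null` in the step's working directory, which may be the build context. Test the result instead: `elif [ -n "$(find "$ENTITLEMENT_PATH" -name '*.pem' -print -quit 2>/dev/null)" ]; then`. The same line appears in the buildah-oci-ta 0.2 hunk and in the generated buildah-remote and buildah-remote-oci-ta 0.1/0.2 hunks below (there spelled `>> null`, same effect), so the generator's source task needs the fix. This hunk also drops the comment explaining that an activation key is preferred over an entitlement, which the 0.2 variant keeps, and the new `[ -e /activation-key/org ]` hardcodes the path while `ACTIVATION_KEY_PATH` is defined two lines above — `[ -e "$ACTIVATION_KEY_PATH/org" ]` keeps them in step.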
@@ -222,7 +222,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: build - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 args: - $(params.BUILD_ARGS[*]) workingDir: /var/workdir @@ -242,6 +242,8 @@ spec: - name: COMMIT_SHA value: $(params.COMMIT_SHA) script: | + #!/bin/bash + set -e ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -367,14 +369,16 @@ spec: ENTITLEMENT_PATH="/entitlement" # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. - # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container. + # when activation keys are used an empty directory on shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced container + # To use activation key file 'org' must exist, which means the key 'org' must exist in the key/value secret - if [ -d "$ACTIVATION_KEY_PATH" ]; then + if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir /shared/rhsm-tmp VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z" echo "Adding activation key to the build" - elif [ -d "$ENTITLEMENT_PATH" ]; then + + elif find /entitlement -name "*.pem" >>null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement" echo "Adding the entitlement to the build" 
@@ -531,7 +535,7 @@ spec: securityContext: runAsUser: 0 - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 workingDir: /var/workdir volumeMounts: - mountPath: /var/lib/containers @@ -598,18 +602,18 @@ spec: - SETFCAP runAsUser: 0 - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: /var/workdir volumeMounts: - - mountPath: /etc/ssl/certs/ca-bundle.crt + - mountPath: /mnt/trusted-ca name: trusted-ca readOnly: true - subPath: ca-bundle.crt + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index ef7fd89b01..c2f5605461 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -147,8 +147,6 @@ spec: stepTemplate: computeResources: {} env: - - name: ACTIVATION_KEY - value: $(params.ACTIVATION_KEY) - name: ADDITIONAL_SECRET value: $(params.ADDITIONAL_SECRET) - name: ADD_CAPABILITIES 
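Review bot: The new `upload-sbom` script in the `-598,18 +602,18` hunk has no shebang and no `set -e`, unlike the same step in the generated buildah-remote-oci-ta 0.2 hunk further down, so a failed `cp` or `update-ca-trust` is ignored and cosign presumably proceeds against the default trust store without the mounted bundle; the other scripts this commit touches in the file begin with `#!/bin/bash` and `set -e`, and this one should too. The bundle path is also expanded unquoted; `cp -vf "$ca_bundle" /etc/pki/ca-trust/source/anchors` is the safer form. `update-ca-trust` writes under `/etc/pki`, and the `runAsUser: 0` visible above belongs to the preceding step, so confirm this step's securityContext (outside the hunk) permits that. Attaching the SBOM to the digest reference read from `IMAGE_REF` instead of `$(params.IMAGE)` is the right direction.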
@@ -186,7 +184,7 @@ spec: - name: YUM_REPOS_D_TARGET value: $(params.YUM_REPOS_D_TARGET) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 volumeMounts: - mountPath: /shared name: shared @@ -214,6 +212,8 @@ spec: image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 name: build script: |- + #!/bin/bash + set -e set -o verbose mkdir -p ~/.ssh if [ -e "/ssh/error" ]; then @@ -378,15 +378,13 @@ spec: ACTIVATION_KEY_PATH="/activation-key" ENTITLEMENT_PATH="/entitlement" - # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. - # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container. - - if [ -d "$ACTIVATION_KEY_PATH" ]; then + if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir /shared/rhsm-tmp VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z" echo "Adding activation key to the build" - elif [ -d "$ENTITLEMENT_PATH" ]; then + + elif find /entitlement -name "*.pem" >>null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement" echo "Adding the entitlement to the build" 
@@ -436,7 +434,6 @@ spec: rsync -ra scripts "$SSH_HOST:$BUILD_DIR" ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ - -e ACTIVATION_KEY="$ACTIVATION_KEY" \ -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ @@ -606,7 +603,7 @@ spec: runAsUser: 0 workingDir: /var/workdir - computeResources: {} - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 name: inject-sbom-and-push script: | base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index ceea84f544..68f202b4c0 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -186,7 +186,9 @@ spec: - name: YUM_REPOS_D_TARGET value: $(params.YUM_REPOS_D_TARGET) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + - name: PLATFORM + value: $(params.PLATFORM) volumeMounts: - mountPath: /shared name: shared @@ -214,6 +216,8 @@ spec: image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 name: build script: |- + #!/bin/bash + set -e set -o verbose mkdir -p ~/.ssh if [ -e "/ssh/error" ]; then 
@@ -240,6 +244,9 @@ spec: PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" fi + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" @@ -251,7 +258,6 @@ spec: rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" cat >scripts/script-build.sh <<'REMOTESSHEOF' #!/bin/bash - set -o verbose set -e cd /var/workdir ca_bundle=/mnt/trusted-ca/ca-bundle.crt @@ -379,14 +385,16 @@ spec: ENTITLEMENT_PATH="/entitlement" # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. - # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container. + # when activation keys are used an empty directory on shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced container + # To use activation key file 'org' must exist, which means the key 'org' must exist in the key/value secret - if [ -d "$ACTIVATION_KEY_PATH" ]; then + if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir /shared/rhsm-tmp VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z" echo "Adding activation key to the build" - elif [ -d "$ENTITLEMENT_PATH" ]; then + + elif find /entitlement -name "*.pem" >>null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement" echo "Adding the entitlement to the build" 
@@ -498,6 +506,11 @@ spec: image: quay.io/redhat-appstudio/syft:v0.105.1@sha256:1910b829997650c696881e5fc2fc654ddf3184c27edb1b2024e9cb2ba51ac431 name: sbom-syft-generate script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi echo "Running syft on the source directory" syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json find $(cat /shared/container_path) -xtype l -delete @@ -513,6 +526,11 @@ spec: image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 name: analyse-dependencies-java-sbom script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi if [ -f /var/lib/containers/java ]; then /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 @@ -565,6 +583,11 @@ spec: image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad name: merge-cachi2-sbom script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json 
@@ -597,6 +620,11 @@ spec: image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840 name: create-base-images-sbom script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi python3 /app/base_images_sbom_script.py \ --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ @@ -605,11 +633,14 @@ spec: runAsUser: 0 workingDir: /var/workdir - computeResources: {} - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 name: inject-sbom-and-push script: | #!/bin/bash set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then 
@@ -672,22 +703,27 @@ spec: name: trusted-ca readOnly: true workingDir: /var/workdir - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - computeResources: {} - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + - computeResources: {} + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 name: upload-sbom + script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" volumeMounts: - - mountPath: /etc/ssl/certs/ca-bundle.crt + - mountPath: /mnt/trusted-ca name: trusted-ca readOnly: true - subPath: ca-bundle.crt workingDir: /var/workdir volumes: - name: activation-key diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index 2a95276fe5..f33216b025 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -170,8 +170,6 @@ spec: value: $(params.BUILDER_IMAGE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) - - name: ACTIVATION_KEY - value: $(params.ACTIVATION_KEY) - name: ADDITIONAL_SECRET value: $(params.ADDITIONAL_SECRET) - name: BUILD_ARGS_FILE 
@@ -183,7 +181,7 @@ spec: - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 volumeMounts: - mountPath: /shared name: shared @@ -202,6 +200,8 @@ spec: image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 name: build script: |- + #!/bin/bash + set -e set -o verbose mkdir -p ~/.ssh if [ -e "/ssh/error" ]; then @@ -370,15 +370,13 @@ spec: ACTIVATION_KEY_PATH="/activation-key" ENTITLEMENT_PATH="/entitlement" - # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. - # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container. - - if [ -d "$ACTIVATION_KEY_PATH" ]; then + if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir /shared/rhsm-tmp VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z" echo "Adding activation key to the build" - elif [ -d "$ENTITLEMENT_PATH" ]; then + + elif find /entitlement -name "*.pem" >> null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement" echo "Adding the entitlement to the build" 
@@ -442,7 +440,6 @@ spec: -e TARGET_STAGE="$TARGET_STAGE" \ -e PARAM_BUILDER_IMAGE="$PARAM_BUILDER_IMAGE" \ -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ - -e ACTIVATION_KEY="$ACTIVATION_KEY" \ -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ @@ -599,7 +596,7 @@ spec: runAsUser: 0 workingDir: $(workspaces.source.path) - computeResources: {} - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 name: inject-sbom-and-push script: | if [ -n "${PARAM_BUILDER_IMAGE}" ]; then diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 1cc15d4d7f..6e9f563083 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -177,7 +177,9 @@ spec: - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + - name: PLATFORM + value: $(params.PLATFORM) volumeMounts: - mountPath: /shared name: shared @@ -196,6 +198,8 @@ spec: image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 name: build script: |- + #!/bin/bash + set -e set -o verbose mkdir -p ~/.ssh if [ -e "/ssh/error" ]; then 
@@ -222,6 +226,9 @@ spec: PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" fi + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" @@ -233,7 +240,6 @@ spec: rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" cat >scripts/script-build.sh <<'REMOTESSHEOF' #!/bin/bash - set -o verbose set -e cd $(workspaces.source.path) ca_bundle=/mnt/trusted-ca/ca-bundle.crt @@ -361,14 +367,16 @@ spec: ENTITLEMENT_PATH="/entitlement" # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. - # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container. + # when activation keys are used an empty directory on shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced container + # To use activation key file 'org' must exist, which means the key 'org' must exist in the key/value secret - if [ -d "$ACTIVATION_KEY_PATH" ]; then + if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir /shared/rhsm-tmp VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z" echo "Adding activation key to the build" - elif [ -d "$ENTITLEMENT_PATH" ]; then + + elif find /entitlement -name "*.pem" >> null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement" echo "Adding the entitlement to the build" 
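Review bot: The added `if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]` guard misbehaves when `PLATFORM` is unset or empty: `${PLATFORM##*/}` is then empty, the comparison is true, and IMAGE becomes `${IMAGE}-` with a trailing dash, which neither `set -e` nor the absent `set -u` catches. Guard on the variable first, `if [[ -n "${PLATFORM:-}" && "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then`. The identical block is pasted into the sbom-syft-generate, analyse-dependencies-java-sbom, merge-cachi2-sbom, create-base-images-sbom, inject-sbom-and-push and upload-sbom steps in the following hunks, while the PLATFORM env entry is visibly added only to the build step, so whether those steps see it cannot be confirmed from this diff. If the suffixed name is meant to be shared, computing it once and handing it on through the shared volume the steps already use would avoid six copies drifting. The enclosing build script starts and ends outside the hunk.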
@@ -480,6 +488,11 @@ spec: image: quay.io/redhat-appstudio/syft:v0.105.1@sha256:1910b829997650c696881e5fc2fc654ddf3184c27edb1b2024e9cb2ba51ac431 name: sbom-syft-generate script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi echo "Running syft on the source directory" syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json find $(cat /shared/container_path) -xtype l -delete @@ -495,6 +508,11 @@ spec: image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 name: analyse-dependencies-java-sbom script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi if [ -f /var/lib/containers/java ]; then /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 @@ -547,6 +565,11 @@ spec: image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad name: merge-cachi2-sbom script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json 
@@ -579,6 +602,11 @@ spec: image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840 name: create-base-images-sbom script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi python3 /app/base_images_sbom_script.py \ --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ @@ -587,11 +615,14 @@ spec: runAsUser: 0 workingDir: $(workspaces.source.path) - computeResources: {} - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 name: inject-sbom-and-push script: | #!/bin/bash set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then 
@@ -654,22 +685,27 @@ spec: name: trusted-ca readOnly: true workingDir: $(workspaces.source.path) - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - computeResources: {} - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + - computeResources: {} + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 name: upload-sbom + script: | + #!/bin/bash + set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" volumeMounts: - - mountPath: /etc/ssl/certs/ca-bundle.crt + - mountPath: /mnt/trusted-ca name: trusted-ca readOnly: true - subPath: ca-bundle.crt workingDir: $(workspaces.source.path) volumes: - emptyDir: {} diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index ee8f0f7cbf..87cac02954 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -157,8 +157,6 @@ spec: value: $(params.BUILDER_IMAGE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) - - name: ACTIVATION_KEY - value: $(params.ACTIVATION_KEY) - name: ADDITIONAL_SECRET value: $(params.ADDITIONAL_SECRET) - name: BUILD_ARGS_FILE @@ -171,7 +169,7 @@ spec: value: $(params.SKIP_UNUSED_STAGES) steps: - - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 name: build computeResources: limits: 
@@ -313,15 +311,13 @@ spec: ACTIVATION_KEY_PATH="/activation-key" ENTITLEMENT_PATH="/entitlement" - # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. - # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container. - - if [ -d "$ACTIVATION_KEY_PATH" ]; then + if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir /shared/rhsm-tmp VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z" echo "Adding activation key to the build" - elif [ -d "$ENTITLEMENT_PATH" ]; then + + elif find /entitlement -name "*.pem" >> null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement" echo "Adding the entitlement to the build" @@ -495,7 +491,7 @@ spec: runAsUser: 0 - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 computeResources: {} script: | if [ -n "${PARAM_BUILDER_IMAGE}" ]; then diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index a8dec6ae2f..8f2d13ec50 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -164,7 +164,7 @@ spec: value: $(params.SKIP_UNUSED_STAGES) steps: - - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 name: build computeResources: limits: 
@@ -178,6 +178,8 @@ spec: args: - $(params.BUILD_ARGS[*]) script: | + #!/bin/bash + set -e ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -303,14 +305,16 @@ spec: ENTITLEMENT_PATH="/entitlement" # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. - # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container. + # when activation keys are used an empty directory on shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced container + # To use activation key file 'org' must exist, which means the key 'org' must exist in the key/value secret - if [ -d "$ACTIVATION_KEY_PATH" ]; then + if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir /shared/rhsm-tmp VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z" echo "Adding activation key to the build" - elif [ -d "$ENTITLEMENT_PATH" ]; then + + elif find /entitlement -name "*.pem" >> null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement" echo "Adding the entitlement to the build" @@ -483,7 +487,7 @@ spec: runAsUser: 0 - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db + image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 computeResources: {} script: | #!/bin/bash 
@@ -552,19 +556,19 @@ spec: workingDir: $(workspaces.source.path) - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 + script: | + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" volumeMounts: - name: trusted-ca - mountPath: /etc/ssl/certs/ca-bundle.crt - subPath: ca-bundle.crt + mountPath: /mnt/trusted-ca readOnly: true workingDir: $(workspaces.source.path) diff --git a/task/opm-get-bundle-version/0.1/README.md b/task/opm-get-bundle-version/0.1/README.md new file mode 100644 index 0000000000..8a6e236784 --- /dev/null +++ b/task/opm-get-bundle-version/0.1/README.md @@ -0,0 +1,18 @@ +# opm-get-bundle-version task + +Fetch the current version of the provided OLM bundle image + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|bundle-image|OLM bundle image to query||true| + +## Results +|name|description| +|---|---| +|bundle-version|olm.package version| + +## Workspaces +|name|description|optional| +|---|---|---| +|workspace|The shared workspace between steps|false| diff --git a/task/opm-get-bundle-version/0.1/opm-get-bundle-version.yaml b/task/opm-get-bundle-version/0.1/opm-get-bundle-version.yaml new file mode 100644 index 0000000000..98e17dfad2 --- /dev/null +++ b/task/opm-get-bundle-version/0.1/opm-get-bundle-version.yaml 
@@ -0,0 +1,38 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: opm-get-bundle-version +spec: + description: Fetch the current version of the provided OLM bundle image + params: + - name: bundle-image + description: OLM bundle image to query + results: + - name: bundle-version + description: olm.package version + workspaces: + - name: workspace + description: The shared workspace between steps + steps: + - name: opm-render-bundle + image: "registry.redhat.io/openshift4/ose-operator-registry:latest" + securityContext: + runAsUser: 0 + env: + - name: BUNDLE_IMAGE + value: $(params.bundle-image) + script: | + #!/usr/bin/env bash + set -xe + opm render "${BUNDLE_IMAGE}" > "$(workspaces.workspace.path)/bundle.json" + - name: jq-get-olm-package-version + image: "quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14" + script: | + #!/usr/bin/env bash + set -xe + + jq -jr \ + '.properties | .[] | select(.type == "olm.package") | .value.version' \ + "$(workspaces.workspace.path)/bundle.json" \ + > "$(results.bundle-version.path)" diff --git a/task/opm-get-bundle-version/OWNERS b/task/opm-get-bundle-version/OWNERS new file mode 100644 index 0000000000..54bf30ad65 --- /dev/null +++ b/task/opm-get-bundle-version/OWNERS @@ -0,0 +1,6 @@ +approvers: +- jbpratt +- gurnben +reviewers: +- jbpratt +- gurnben
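Review bot: `image: "registry.redhat.io/openshift4/ose-operator-registry:latest"` in the opm-render-bundle step is the only image in this change not pinned by digest, so what `opm render` runs can change under the task without any diff; pin it like the other steps, `image: "registry.redhat.io/openshift4/ose-operator-registry@sha256:<digest>"`. In the jq step `-j` already implies raw output, so `jq -jr` can be `jq -j`, and when the bundle carries no `olm.package` property jq exits 0 with empty output and the result is written empty; a check such as `[ -s "$(results.bundle-version.path)" ]` after the jq call would surface that instead of passing an empty version downstream. `set -x` in both steps traces every command including the bundle reference, which is harmless for public references but worth keeping in mind if private registry paths are passed in.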