chore: run hack/generate-buidlah-remote.sh and hack/generate-ta-tasks.sh
ralphbean committed Jul 1, 2024
1 parent 93778de commit f350f4f
Showing 4 changed files with 67 additions and 0 deletions.
1 change: 1 addition & 0 deletions task/buildah-oci-ta/0.1/README.md
Expand Up @@ -20,6 +20,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|HERMETIC|Determines if build will be executed without network access.|false|false|
|IMAGE|Reference of the image buildah will produce.||true|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|OPTIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$OPTIONAL_SECRET|""|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false|
20 changes: 20 additions & 0 deletions task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
Expand Up @@ -67,6 +67,11 @@ spec:
hours, days, and weeks, respectively.
type: string
default: ""
- name: OPTIONAL_SECRET
description: Name of a secret which will be made available to the build
with 'buildah build --secret' at /run/secrets/$OPTIONAL_SECRET
type: string
default: ""
- name: PREFETCH_INPUT
description: In case it is not empty, the prefetched content should
be made available to the build.
Expand Down Expand Up @@ -125,6 +130,10 @@ spec:
secret:
optional: true
secretName: $(params.ENTITLEMENT_SECRET)
- name: optional-secret
secret:
optional: true
secretName: $(params.OPTIONAL_SECRET)
- name: shared
emptyDir: {}
- name: trusted-ca
Expand Down Expand Up @@ -158,6 +167,8 @@ spec:
value: $(params.IMAGE)
- name: IMAGE_EXPIRES_AFTER
value: $(params.IMAGE_EXPIRES_AFTER)
- name: OPTIONAL_SECRET
value: $(params.OPTIONAL_SECRET)
- name: STORAGE_DRIVER
value: vfs
- name: TARGET_STAGE
Expand Down Expand Up @@ -192,6 +203,8 @@ spec:
name: varlibcontainers
- mountPath: /entitlement
name: etc-pki-entitlement
- mountPath: /optional-secret
name: optional-secret
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
Expand Down Expand Up @@ -314,6 +327,13 @@ spec:
echo "Adding the entitlement to the build"
fi
OPTIONAL_SECRET_PATH="/optional-secret"
if [ -d "$OPTIONAL_SECRET_PATH" ]; then
cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret
BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret")
echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}"
fi
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
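Review bot: The `[ -d "$OPTIONAL_SECRET_PATH" ]` guard in the last hunk probably does not tell a supplied secret from an absent one: `/optional-secret` is a volumeMount declared in this same file, so the directory is likely to exist even when the `optional: true` secret is missing, and with the default `OPTIONAL_SECRET=""` the script would then pass `--secret=id=,src=/tmp/optional-secret` to buildah. Guarding on the parameter as well, `if [ -n "${OPTIONAL_SECRET}" ] && [ -d "$OPTIONAL_SECRET_PATH" ]; then`, keeps the default case a no-op. It is also worth confirming that the cluster accepts `secretName: $(params.OPTIONAL_SECRET)` when the parameter is empty, since an empty secret name in a volume may be rejected at pod validation. The same block appears in buildah-remote-oci-ta.yaml and buildah-remote.yaml; the commit title indicates these files are regenerated by the hack scripts, so the change belongs in the task they are generated from. The script body starts and ends outside the hunk.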
23 changes: 23 additions & 0 deletions task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
Expand Up @@ -67,6 +67,11 @@ spec:
respectively.
name: IMAGE_EXPIRES_AFTER
type: string
- default: ""
description: Name of a secret which will be made available to the build with 'buildah
build --secret' at /run/secrets/$OPTIONAL_SECRET
name: OPTIONAL_SECRET
type: string
- default: ""
description: In case it is not empty, the prefetched content should be made available
to the build.
Expand Down Expand Up @@ -142,6 +147,8 @@ spec:
value: $(params.IMAGE)
- name: IMAGE_EXPIRES_AFTER
value: $(params.IMAGE_EXPIRES_AFTER)
- name: OPTIONAL_SECRET
value: $(params.OPTIONAL_SECRET)
- name: STORAGE_DRIVER
value: vfs
- name: TARGET_STAGE
Expand Down Expand Up @@ -213,6 +220,7 @@ spec:
rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/"
rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/"
rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/"
rsync -ra /optional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/optional-secret/"
rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/"
rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/"
rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/"
Expand Down Expand Up @@ -336,6 +344,13 @@ spec:
echo "Adding the entitlement to the build"
fi
OPTIONAL_SECRET_PATH="/optional-secret"
if [ -d "$OPTIONAL_SECRET_PATH" ]; then
cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret
BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret")
echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}"
fi
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
Expand Down Expand Up @@ -378,6 +393,7 @@ spec:
-e HERMETIC="$HERMETIC" \
-e IMAGE="$IMAGE" \
-e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
-e OPTIONAL_SECRET="$OPTIONAL_SECRET" \
-e STORAGE_DRIVER="$STORAGE_DRIVER" \
-e TARGET_STAGE="$TARGET_STAGE" \
-e TLSVERIFY="$TLSVERIFY" \
Expand All @@ -388,6 +404,7 @@ spec:
-v "$BUILD_DIR/volumes/shared:/shared:Z" \
-v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \
-v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
-v "$BUILD_DIR/volumes/optional-secret:/optional-secret:Z" \
-v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \
-v "$BUILD_DIR/.docker/:/root/.docker:Z" \
-v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \
Expand All @@ -411,6 +428,8 @@ spec:
name: varlibcontainers
- mountPath: /entitlement
name: etc-pki-entitlement
- mountPath: /optional-secret
name: optional-secret
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
Expand Down Expand Up @@ -584,6 +603,10 @@ spec:
secret:
optional: true
secretName: $(params.ENTITLEMENT_SECRET)
- name: optional-secret
secret:
optional: true
secretName: $(params.OPTIONAL_SECRET)
- emptyDir: {}
name: shared
- configMap:
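Review bot: The added `rsync -ra /optional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/optional-secret/"` copies the secret's contents onto the remote build host's disk, and nothing visible in these hunks removes `$BUILD_DIR/volumes/optional-secret` afterwards or restricts its permissions there. If `$BUILD_DIR` is cleaned up elsewhere in the script, a comment beside the rsync such as `# secret material: must be removed together with $BUILD_DIR` would make that dependency explicit; if it is not, the secret may outlive the build on the remote host. The same line is added in buildah-remote.yaml. The `- mountPath: /optional-secret` mount could also carry `readOnly: true`, as the `trusted-ca` mount directly below it does.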
23 changes: 23 additions & 0 deletions task/buildah-remote/0.1/buildah-remote.yaml
Expand Up @@ -78,6 +78,11 @@ spec:
description: Name of secret which contains the entitlement certificates
name: ENTITLEMENT_SECRET
type: string
- default: ""
description: Name of a secret which will be made available to the build with 'buildah
build --secret' at /run/secrets/$OPTIONAL_SECRET
name: OPTIONAL_SECRET
type: string
- default: []
description: Array of --build-arg values ("arg=value" strings)
name: BUILD_ARGS
Expand Down Expand Up @@ -147,6 +152,8 @@ spec:
value: $(params.BUILDER_IMAGE)
- name: ENTITLEMENT_SECRET
value: $(params.ENTITLEMENT_SECRET)
- name: OPTIONAL_SECRET
value: $(params.OPTIONAL_SECRET)
- name: BUILD_ARGS_FILE
value: $(params.BUILD_ARGS_FILE)
- name: ADD_CAPABILITIES
Expand Down Expand Up @@ -201,6 +208,7 @@ spec:
rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/"
rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/"
rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/"
rsync -ra /optional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/optional-secret/"
rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/"
rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/"
rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/"
Expand Down Expand Up @@ -328,6 +336,13 @@ spec:
echo "Adding the entitlement to the build"
fi
OPTIONAL_SECRET_PATH="/optional-secret"
if [ -d "$OPTIONAL_SECRET_PATH" ]; then
cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret
BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret")
echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}"
fi
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
Expand Down Expand Up @@ -375,12 +390,14 @@ spec:
-e TARGET_STAGE="$TARGET_STAGE" \
-e PARAM_BUILDER_IMAGE="$PARAM_BUILDER_IMAGE" \
-e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \
-e OPTIONAL_SECRET="$OPTIONAL_SECRET" \
-e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \
-e ADD_CAPABILITIES="$ADD_CAPABILITIES" \
-e COMMIT_SHA="$COMMIT_SHA" \
-v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \
-v "$BUILD_DIR/volumes/shared:/shared:Z" \
-v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
-v "$BUILD_DIR/volumes/optional-secret:/optional-secret:Z" \
-v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \
-v "$BUILD_DIR/.docker/:/root/.docker:Z" \
-v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \
Expand All @@ -404,6 +421,8 @@ spec:
name: varlibcontainers
- mountPath: /entitlement
name: etc-pki-entitlement
- mountPath: /optional-secret
name: optional-secret
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
Expand Down Expand Up @@ -585,6 +604,10 @@ spec:
secret:
optional: true
secretName: $(params.ENTITLEMENT_SECRET)
- name: optional-secret
secret:
optional: true
secretName: $(params.OPTIONAL_SECRET)
- configMap:
items:
- key: $(params.caTrustConfigMapKey)
