diff --git a/.tekton/tasks/buildah.yaml b/.tekton/tasks/buildah.yaml
index e3634f238c..1b39869b00 100644
--- a/.tekton/tasks/buildah.yaml
+++ b/.tekton/tasks/buildah.yaml
@@ -42,7 +42,7 @@ spec:
 results:
 - description: Digest of the image just built
 name: IMAGE_DIGEST
- - description: Image repository where the built image was pushed
+ - description: Image repository and tag where the built image was pushed
 name: IMAGE_URL
 steps:
 - image: $(params.BUILDER_IMAGE)
diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md
new file mode 100644
index 0000000000..fb338ec1d6
--- /dev/null
+++ b/pipelines/docker-build-multi-platform-oci-ta/README.md
@@ -0,0 +1,277 @@ +# "docker-build-multi-platform-oci-ta pipeline" +## Parameters +|name|description|default value|used in (taskname:taskrefversion:taskparam)| +|---|---|---|---| +|build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-images:0.2:BUILD_ARGS| +|build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-images:0.2:BUILD_ARGS_FILE| +|build-image-index| Add built image into an OCI image index| true| build-image-index:0.1:ALWAYS_BUILD_INDEX| +|build-platforms| List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller.| ['linux/x86_64', 'linux/arm64']| | +|build-source-image| Build a source image.| false| | +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-images:0.2:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| +|git-url| Source Repository URL| None| clone-repository:0.1:url| +|hermetic| Execute the build with network isolation| false| build-images:0.2:HERMETIC| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-images:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| +|java| Java build| false| | +|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-images:0.2:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-images:0.2:CONTEXT ; push-dockerfile:0.1:CONTEXT| +|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; 
build-images:0.2:PREFETCH_INPUT| +|rebuild| Force rebuild image| false| init:0.2:rebuild| +|revision| Revision of the Source Repository| | clone-repository:0.1:revision| +|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| +## Available params from tasks +### apply-tags:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-images.results.IMAGE_REF[*])']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +### buildah-remote-oci-ta:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | +|ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | +|ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'| +|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| +|ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | +|HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| +|IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'| +|IMAGE_APPEND_PLATFORM| Whether to append a sanitized platform architecture on the IMAGE tag| false| 'true'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|PLATFORM| The platform to build on| None| | +|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TARGET_STAGE| Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +|YUM_REPOS_D_FETCHED| Path in source workspace where dynamically-fetched repos are present| fetched.repos.d| | +|YUM_REPOS_D_SRC| Path in the git repository in which yum repository files are stored| repos.d| | +|YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +### clair-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|docker-auth| unused, should be removed in next task version.| | | +|image-digest| Image digest to scan.| None| 
'$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### clamav-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|docker-auth| unused| | | +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### deprecated-image-check:0.4 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BASE_IMAGES_DIGESTS| Digests of base build images.| | | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | +|POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | +### ecosystem-cert-preflight-checks:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### git-clone-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA 
bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | +|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | +|fetchTags| Fetch all tags for the repo.| false| | +|httpProxy| HTTP proxy server for non-SSL requests.| | | +|httpsProxy| HTTPS proxy server for SSL requests.| | | +|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).git'| +|refspec| Refspec to fetch before checking out revision.| | | +|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | +|sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | +|submodules| Initialize and fetch git submodules.| true| | +|url| Repository URL to clone from.| None| '$(params.git-url)'| +|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. 
| /tekton/home| | +|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | +### init:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| +|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| +|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| +### prefetch-dependencies-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. 
An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).prefetch'| +### push-dockerfile-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### sast-snyk-check-oci-ta:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| +### sbom-json-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in 
the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### show-sbom:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | +### source-build-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BASE_IMAGES| By default, the task inspects the SBOM of the binary image to find the base image. With this parameter, you can override that behavior and pass the base image directly. 
The value should be a newline-separated list of images, in the same order as the FROM instructions specified in a multistage Dockerfile.| | | +|BINARY_IMAGE| Binary image name from which to generate the source image name.| None| '$(params.output-image)'| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| + +## Results +|name|description|value| +|---|---|---| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| +|JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-images.results.JAVA_COMMUNITY_DEPENDENCIES[0])| +## Available results from tasks +### build-image-index:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES| List of all referenced image manifests| | +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +### buildah-remote-oci-ta:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the image just built| | 
+|IMAGE_REF| Image reference of the built image| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| | +|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | +|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | +|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | +### clair-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CLAIR_SCAN_RESULT| Clair scan result.| | +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### clamav-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### deprecated-image-check:0.4 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### ecosystem-cert-preflight-checks:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Preflight pass or fail outcome.| | +### git-clone-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| +|commit| The precise commit SHA that was fetched by this Task.| build-images:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| +|commit-timestamp| The commit timestamp of the checkout| | +|url| The precise URL that was fetched by this Task.| | +### init:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|build| Defines if the 
image in param image-url should be built| | +### prefetch-dependencies-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-images:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; ecosystem-cert-preflight-checks:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-images:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.2:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| +### push-dockerfile-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### sast-snyk-check-oci-ta:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sbom-json-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### source-build-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|BUILD_RESULT| Build result.| | +|IMAGE_REF| Image reference of the built image| | +|SOURCE_IMAGE_DIGEST| The source image digest.| | +|SOURCE_IMAGE_URL| The source image url.| | + +## Workspaces +|name|description|optional|used in tasks +|---|---|---|---| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|netrc| |True| prefetch-dependencies:0.1:netrc| +## Available workspaces from tasks +### git-clone-oci-ta:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|basic-auth| A Workspace containing a .gitconfig and 
.git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth|
+|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| |
+### prefetch-dependencies-oci-ta:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth|
+|netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc|
diff --git a/pipelines/docker-build-multi-platform-oci-ta/kustomization.yaml b/pipelines/docker-build-multi-platform-oci-ta/kustomization.yaml
new file mode 100644
index 0000000000..c9dd14f3c0
--- /dev/null
+++ b/pipelines/docker-build-multi-platform-oci-ta/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../docker-build-oci-ta
+
+patches:
+- path: patch.yaml
+ target:
+ kind: Pipeline
diff --git a/pipelines/docker-build-multi-platform-oci-ta/patch.yaml b/pipelines/docker-build-multi-platform-oci-ta/patch.yaml
new file mode 100644
index 0000000000..9009a618bc
--- /dev/null
+++ b/pipelines/docker-build-multi-platform-oci-ta/patch.yaml
@@ -0,0 +1,87 @@
+---
+- op: replace
+ path: /metadata/name
+ value: docker-build-multi-platform-oci-ta
+# Order of Tasks from the base docker-build Pipeline:
+# $ kustomize build pipelines/docker-build-oci-ta | yq ".spec.tasks.[].name" | nl -v 0
+# 0 init
+# 1 clone-repository
+# 2 prefetch-dependencies
+# 3 build-container
+# 4 build-image-index
+# 5 build-source-image
+# 6 deprecated-base-image-check
+# 7 clair-scan
+# 8 ecosystem-cert-preflight-checks
+# 9 sast-snyk-check
+# 10 clamav-scan
+# 11 sbom-json-check
+# 12 apply-tags
+# 13 push-dockerfile
+
+# Order of pipeline parameters
+# $ kustomize build pipelines/docker-build-oci-ta | yq ".spec.params.[].name" | nl -v 0
+# 0 git-url
+# 1 revision
+# 2 output-image
+# 3 path-context
+# 4 dockerfile
+# 5 rebuild
+# 6 skip-checks
+# 7 hermetic
+# 8 prefetch-input
+# 9 java
+# 10 image-expires-after
+# 11 build-source-image
+# 12 build-image-index
+# 13 build-args
+# 14 build-args-file
+
+# build-container
+- op: replace
+ path: /spec/tasks/3/name
+ value: build-images
+- op: replace
+ path: /spec/tasks/3/taskRef/name
+ value: buildah-remote-oci-ta
+- op: add
+ path: /spec/tasks/3/matrix
+ value:
+ params:
+ - name: PLATFORM
+ value: ["$(params.build-platforms)"]
+- op: add
+ path: /spec/tasks/3/params/-
+ value:
+ name: IMAGE_APPEND_PLATFORM
+ value: "true"
+
+# build-image-index
+- op: replace
+ path: /spec/tasks/4/params/4/value # IMAGES
+ value:
+ - $(tasks.build-images.results.IMAGE_REF[*])
+- op: replace
+ path: /spec/tasks/4/runAfter
+ value:
+ - build-images
+# We want to always build the image index by default
+- op: replace
+ path: /spec/params/12/default # build-image-index
+ value: "true"
+
+# Add a pipeline definition parameter to customize the build platforms
+- op: add
+ path: /spec/params/-
+ value:
+ name: build-platforms
+ description: List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller.
+ type: array
+ default:
+ - "linux/x86_64"
+ - "linux/arm64"
+
+# Just use the first container built for the JAVA_COMMUNITY_DEPENDENCIES result
+- op: replace
+ path: /spec/results/4/value
+ value: $(tasks.build-images.results.JAVA_COMMUNITY_DEPENDENCIES[0])
diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md
index 3ff4e5b590..e685555523 100644
--- a/pipelines/docker-build-oci-ta/README.md
+++ b/pipelines/docker-build-oci-ta/README.md
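Review bot: The IMAGES value for build-image-index is replaced with `$(tasks.build-images.results.IMAGE_REF[*])`, while the base pipeline passed a digest-pinned `IMAGE_URL@IMAGE_DIGEST` reference and the task's own ALWAYS_BUILD_INDEX description requires the `repository:tag@sha256:digest` form for its forwarded results to be set correctly; nothing on this page shows that buildah-remote-oci-ta's IMAGE_REF carries the digest, so please confirm and record it next to the op, e.g. `# IMAGE_REF must be digest-pinned (repo:tag@sha256:...); a tag-only ref would let the index and the forwarded IMAGE_* results lose the digest`. Separately, the positional paths `/spec/tasks/3`, `/spec/tasks/4/params/4`, `/spec/params/12` and `/spec/results/4` will silently retarget a different task, parameter or result if the base pipeline is reordered; the numbered comments document the assumption but nothing enforces it. Guarding each positional replace with an RFC 6902 test op, e.g. `- op: test`, `  path: /spec/tasks/4/name`, `  value: build-image-index`, makes a reorder fail `kustomize build` instead of patching the wrong entry, assuming the kustomize version in use honors test ops.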
@@ -4,13 +4,14 @@ |---|---|---|---| |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.2:BUILD_ARGS| |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.2:BUILD_ARGS_FILE| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.2:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| build-container:0.2:HERMETIC| -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-container:0.2:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-container:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-container:0.2:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-container:0.2:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| |path-context| Path to the source code of an application's component from where to build image.| .| 
build-container:0.2:CONTEXT ; push-dockerfile:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-container:0.2:PREFETCH_INPUT| |rebuild| Force rebuild image| false| init:0.2:rebuild| 
@@ -23,7 +24,17 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | ### buildah-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -58,24 +69,24 @@ |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clamav-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully 
qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters @@ -83,7 +94,7 @@ |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -129,32 +140,32 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | ### sast-snyk-check-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | | |SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| -|image-digest| Image digest to report findings for.| | '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | 
'$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### source-build-oci-ta:0.1 task parameters |name|description|default value|already set by| 
@@ -169,16 +180,22 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| |JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)| ## Available results from tasks -### buildah-oci-ta:0.2 task results +### build-image-index:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| +|IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +### buildah-oci-ta:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_URL| Image repository and tag where the built image was 
pushed| build-image-index:0.1:IMAGES| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -206,7 +223,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |url| The precise URL that was fetched by this Task.| | ### init:0.2 task results @@ -216,7 +233,7 @@ ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.2:CACHI2_ARTIFACT| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; ecosystem-cert-preflight-checks:0.1:CACHI2_ARTIFACT| |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.2:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| ### push-dockerfile-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
diff --git a/pipelines/docker-build-oci-ta/patch.yaml b/pipelines/docker-build-oci-ta/patch.yaml index 35fbbcded4..fc7e060ee5 100644 --- a/pipelines/docker-build-oci-ta/patch.yaml +++ b/pipelines/docker-build-oci-ta/patch.yaml @@ -12,19 +12,20 @@ path: /spec/workspaces/0 # Order of Tasks from the base docker-build Pipeline: # $ kustomize build pipelines/docker-build | yq .spec.tasks.[].name | nl -v 0 -# 0 init -# 1 clone-repository -# 2 prefetch-dependencies -# 3 build-container -# 4 build-source-image -# 5 deprecated-base-image-check -# 6 clair-scan -# 7 ecosystem-cert-preflight-checks -# 8 sast-snyk-check -# 9 clamav-scan -# 10 sbom-json-check -# 11 apply-tags -# 12 push-dockerfile +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile # clone-repository Task - op: replace 
@@ -86,29 +87,29 @@ # build-source-image - op: replace - path: /spec/tasks/4/taskRef/name + path: /spec/tasks/5/taskRef/name value: source-build-oci-ta - op: add - path: /spec/tasks/4/params/- + path: /spec/tasks/5/params/- value: name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - op: add - path: /spec/tasks/4/params/- + path: /spec/tasks/5/params/- value: name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - op: remove - path: /spec/tasks/4/workspaces/0 + path: /spec/tasks/5/workspaces/0 # sast-snyk-check - op: replace - path: /spec/tasks/8/taskRef/name + path: /spec/tasks/9/taskRef/name value: sast-snyk-check-oci-ta - op: add # In the docker-build Pipeline, the snyk Task does not receive any parameters, so we cannot # append to it. - path: /spec/tasks/8/params/- + path: /spec/tasks/9/params/- value: name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) @@ -118,19 +119,19 @@ name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - op: remove - path: /spec/tasks/8/workspaces/0 + path: /spec/tasks/9/workspaces/0 # push-dockerfile - op: replace - path: /spec/tasks/12/taskRef/name + path: /spec/tasks/13/taskRef/name value: push-dockerfile-oci-ta - op: add - path: /spec/tasks/12/params/- + path: /spec/tasks/13/params/- value: name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - op: remove - path: /spec/tasks/12/workspaces/0 + path: /spec/tasks/13/workspaces/0 # Order of finally Tasks from the base docker-build Pipeline: # $ kustomize build pipelines/docker-build | yq .spec.finally.[].name | nl -v 0 diff --git a/pipelines/docker-build-rhtap/README.md b/pipelines/docker-build-rhtap/README.md index 2ae9ac516a..e1046e21d7 100644 --- a/pipelines/docker-build-rhtap/README.md +++ b/pipelines/docker-build-rhtap/README.md 
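Review bot: The shift from `/spec/tasks/8` to `/spec/tasks/9` for sast-snyk-check appears to miss the `CACHI2_ARTIFACT` add operation: the second hunk opens on that operation's `name: CACHI2_ARTIFACT` / `value:` lines, so its `path:` line sits in the unchanged gap between the two hunks and is not touched by this commit. The generated README in the same commit supports that reading, since sast-snyk-check-oci-ta's `CACHI2_ARTIFACT` parameter now shows no "already set by" value while the prefetch-dependencies `CACHI2_ARTIFACT` result is listed as consumed by `ecosystem-cert-preflight-checks:0.1:CACHI2_ARTIFACT`, the task that now occupies index 8. If that is what is happening, the operation between the hunks should read `path: /spec/tasks/9/params/-`, and the rendered pipeline is worth checking with the `kustomize build ... | yq` command quoted in the file's comments. Both hunks cut through the op list, so the neighbouring operations are not visible here.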
@@ -4,20 +4,15 @@ |---|---|---|---| |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.1:BUILD_ARGS| |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.1:BUILD_ARGS_FILE| -|build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE| |event-type| Event that triggered the pipeline run, e.g. push, pull_request| push| | |git-url| Source Repository URL| None| clone-repository:0.1:url ; acs-deploy-check:0.1:gitops-repo-url ; update-deployment:0.1:gitops-repo-url| |gitops-auth-secret-name| Secret name to enable this pipeline to update the gitops repo with the new image. | gitops-auth-secret| update-deployment:0.1:gitops-auth-secret-name| -|hermetic| Execute the build with network isolation| false| | |image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| -|java| Java build| false| | |output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; acs-image-check:0.1:image ; acs-image-scan:0.1:image| |path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT| -|prefetch-input| Build dependencies to be prefetched by Cachi2| | | |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| -|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| |stackrox-secret| | rox-api-token| acs-image-check:0.1:rox-secret-name ; acs-image-scan:0.1:rox-secret-name ; acs-deploy-check:0.1:rox-secret-name| ## Available params from tasks ### acs-deploy-check:0.1 task parameters 
@@ -78,7 +73,7 @@ |---|---|---|---| |image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| |rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| -|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| +|skip-checks| Skip checks against built image| false| | ### show-sbom-rhdh:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -86,7 +81,7 @@ ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.results.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| @@ -116,7 +111,7 @@ |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | |IMAGE_DIGEST| Digest of the image just built| acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest| -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; update-deployment:0.1:image| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; update-deployment:0.1:image| |SBOM_BLOB_URL| Link to the SBOM layer pushed to the registry as part of an OCI artifact.| | ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml index 55d2981f38..b59cef62a8 100644 --- a/pipelines/docker-build-rhtap/patch.yaml +++ b/pipelines/docker-build-rhtap/patch.yaml 
@@ -8,6 +8,37 @@ "pipelines.openshift.io/used-by": "build-cloud" "pipelines.openshift.io/runtime": "generic" "pipelines.openshift.io/strategy": "docker" +# Remove unused parameters from the template +# yq ".spec.params.[].name" pipelines/template-build/template-build.yaml | nl -v 0 +# 0 git-url +# 1 revision +# 2 output-image +# 3 path-context +# 4 dockerfile +# 5 rebuild +# 6 skip-checks +# 7 hermetic +# 8 prefetch-input +# 9 java +# 10 image-expires-after +# 11 build-source-image +# 12 build-image-index + +- op: remove + path: /spec/params/12 # build-image-index +- op: remove + path: /spec/params/11 # build-source-image +- op: remove + path: /spec/params/9 # java +- op: remove + path: /spec/params/8 # prefetch-input +- op: remove + path: /spec/params/7 # hermetic +- op: remove + path: /spec/params/6 # skip-checks +- op: remove + path: /spec/tasks/0/params/2 # remove the skip-checks param +# Add additional parameters - op: add path: /spec/params/- value: @@ -42,11 +73,13 @@ description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file type: string default: "" +# Add additional results - op: add path: /spec/results/- value: name: ACS_SCAN_OUTPUT value: $(tasks.acs-image-scan.results.SCAN_OUTPUT) +# Configure build-container task - op: replace path: /spec/tasks/3/taskRef value: 
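Review bot: `path: /spec/tasks/0/params/2 # remove the skip-checks param` depends on the init task's parameter order, which, unlike the pipeline params, is not listed in the adjacent comment; a wrong index would remove a different init param without any error from the patch. Consider adding the same kind of listing above it, e.g. `# yq ".spec.tasks.[0].params.[].name" pipelines/template-build/template-build.yaml | nl -v 0`, so a future reorder of the template is caught in review. The descending order of the `/spec/params/N` removals is what keeps the lower indices valid; a one-line comment stating that the order is deliberate would make it less likely to be "tidied" into ascending order later.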
@@ -70,43 +103,60 @@ - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: "$(params.build-args-file)" -# Remove tasks +# Change references from build-image-index to build-container +- op: replace + path: /spec/finally/0/params/0/value # show-sbom.params.IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) +- op: replace + path: /spec/finally/1/params/3/value # show-summary.params.build-task-status + value: $(tasks.build-container.results.status) +- op: replace + path: /spec/results/0/value # IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) +- op: replace + path: /spec/results/1/value # IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + +# Remove unused tasks # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0 # to compute offsets -# 0 init -# 1 clone-repository -# 2 prefetch-dependencies -# 3 build-container -# 4 build-source-image -# 5 deprecated-base-image-check -# 6 clair-scan -# 7 ecosystem-cert-preflight-checks -# 8 sast-snyk-check -# 9 clamav-scan -# 10 sbom-json-check -# 11 apply-tags -# 12 push-dockerfile +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile - op: replace path: /spec/tasks/3/runAfter/0 value: clone-repository - op: remove - path: /spec/tasks/12 # push-dockerfile + path: /spec/tasks/13 # push-dockerfile +- op: remove + path: /spec/tasks/12 # apply-tags - op: remove - path: /spec/tasks/11 # apply-tags + path: /spec/tasks/11 # sbom-json-check - op: remove - path: /spec/tasks/10 # sbom-json-check + path: /spec/tasks/10 # clamav-scan - op: remove - path: /spec/tasks/9 # clamav-scan + path: /spec/tasks/9 # sast-snyk-check - op: remove - path: /spec/tasks/8 # sast-snyk-check + path: 
/spec/tasks/8 # ecosystem-cert-preflight-checks - op: remove - path: /spec/tasks/7 # ecosystem-cert-preflight-checks + path: /spec/tasks/7 # clair-scan - op: remove - path: /spec/tasks/6 # clair-scan + path: /spec/tasks/6 # deprecated-base-image-check - op: remove - path: /spec/tasks/5 # deprecated-base-image-check + path: /spec/tasks/5 # build-source-image - op: remove - path: /spec/tasks/4 # build-source-image + path: /spec/tasks/4 # build-image-index - op: remove path: /spec/tasks/2 # prefetch-dependencies - op: remove diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 17fcd32006..3ed0a56f36 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md 
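Review bot: `value: $(tasks.build-container.results.status)` for show-summary's build-task-status references a task result named `status`, but the build task results table visible in this commit's docker-build-rhtap README hunk (BASE_IMAGES_DIGESTS, IMAGE_DIGEST, IMAGE_URL, SBOM_BLOB_URL) has no such entry; the execution-status form used elsewhere on this page is `$(tasks.<name>.status)`, both in the docker-build README (`$(tasks.build-image-index.status)`) and in the value this commit replaces (`$(tasks.build-container.status)`). The line should read `value: $(tasks.build-container.status)`; as written, Tekton presumably cannot resolve the reference at run time and the summary would be skipped or fail rather than report the build status. The rhtap README row for build-task-status in this commit mirrors the same reference and would be regenerated by that fix. The hunk ends mid-list (`- op: remove` with its path outside the hunk).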
@@ -4,13 +4,14 @@ |---|---|---|---| |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.2:BUILD_ARGS| |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.2:BUILD_ARGS_FILE| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.2:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| build-container:0.2:HERMETIC| -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.2:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.2:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.2:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| |path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.2:CONTEXT ; push-dockerfile:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-container:0.2:PREFETCH_INPUT| |rebuild| Force rebuild image| false| init:0.2:rebuild| 
@@ -23,7 +24,17 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | ### buildah:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -56,24 +67,24 @@ |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clamav-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully 
qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters @@ -81,7 +92,7 @@ |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -125,29 +136,29 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | ### sast-snyk-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | |SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | -|image-digest| Image digest to report findings for.| | '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully 
qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### source-build:0.1 task parameters |name|description|default value|already set by| @@ -157,7 +168,7 @@ ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| 
@@ -167,16 +178,22 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| |JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)| ## Available results from tasks -### buildah:0.2 task results +### build-image-index:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| +|IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +### buildah:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_URL| Image repository and tag where the built image was pushed| 
build-image-index:0.1:IMAGES|
 |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
 |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
@@ -203,7 +220,7 @@
 ### git-clone:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA|
+|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA|
 |commit-timestamp| The commit timestamp of the checkout| |
 |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url|
 ### init:0.2 task results
diff --git a/pipelines/docker-build/patch.yaml b/pipelines/docker-build/patch.yaml
index 560b76342f..7bae2266ca 100644
--- a/pipelines/docker-build/patch.yaml
+++ b/pipelines/docker-build/patch.yaml
@@ -8,6 +8,23 @@
 "pipelines.openshift.io/used-by": "build-cloud"
 "pipelines.openshift.io/runtime": "generic"
 "pipelines.openshift.io/strategy": "docker"
+# yq ".spec.tasks.[].name" pipelines/template-build/template-build.yaml | nl -v 0
+# 0 init
+# 1 clone-repository
+# 2 prefetch-dependencies
+# 3 build-container
+# 4 build-image-index
+# 5 build-source-image
+# 6 deprecated-base-image-check
+# 7 clair-scan
+# 8 ecosystem-cert-preflight-checks
+# 9 sast-snyk-check
+# 10 clamav-scan
+# 11 sbom-json-check
+# 12 apply-tags
+# 13 push-dockerfile
+
+# build-container
 - op: replace
 path: /spec/tasks/3/taskRef
 value:
@@ -49,6 +66,7 @@
 - $(params.build-args[*])
 - name: BUILD_ARGS_FILE
 value: "$(params.build-args-file)"
+
 - op: add
 path: /spec/results/-
 value:
diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md
index 5d8662661d..228e2d96ce 100644
--- a/pipelines/fbc-builder/README.md
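Review bot: The added index table documents the positional `/spec/tasks/N` paths but nothing enforces them; if the task order in template-build.yaml changes, `- op: replace path: /spec/tasks/3/taskRef` silently rewrites whichever task now sits at index 3 instead of failing. An RFC 6902 `test` operation placed before the replace, `- op: test`, `path: /spec/tasks/3/name`, `value: build-container`, makes the overlay fail closed when the index drifts. The same applies to the index-based `remove` ops in pipelines/fbc-builder/patch.yaml (`@@ -29,32 +29,37 @@`), where a stale index would delete a different task than the one named in the trailing comment. The patch list this hunk belongs to continues outside the hunk.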
+++ b/pipelines/fbc-builder/README.md @@ -2,14 +2,15 @@ ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| |build-source-image| Build a source image.| false| | -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.2:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| | -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE| -|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT ; push-dockerfile:0.1:CONTEXT| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.2:IMAGE ; build-image-index:0.1:IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.2:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | | |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| 
@@ -21,20 +22,28 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| -### buildah:0.1 task parameters +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +### buildah:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | -|BUILDER_IMAGE| Deprecated. Has no effect. Will be removed in the future.| | | |BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| | |BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | | |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| -|DOCKER_AUTH| unused, should be removed in next task version| | | |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | |HERMETIC| Determines if build will be executed without network access.| false| 'true'| |IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'| 
@@ -56,16 +65,16 @@ |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### fbc-validation:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGE| Fully qualified base image name.| None| '$(tasks.inspect-image.results.BASE_IMAGE)'| -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -98,35 +107,26 @@ |name|description|default value|already set by| |---|---|---|---| |DOCKER_AUTH| unused, should be removed in next task version| | | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| -### push-dockerfile:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | -|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| -|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters 
|name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| 
@@ -136,16 +136,23 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| ## Available results from tasks -### buildah:0.1 task results +### build-image-index:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES| List of all referenced image manifests| | +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; sbom-json-check:0.1:IMAGE_DIGEST ; inspect-image:0.1:IMAGE_DIGEST ; fbc-validate:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; inspect-image:0.1:IMAGE_URL ; fbc-validate:0.1:IMAGE_URL| +### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST ; inspect-image:0.1:IMAGE_DIGEST ; fbc-validate:0.1:IMAGE_DIGEST| -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; inspect-image:0.1:IMAGE_URL ; fbc-validate:0.1:IMAGE_URL| +|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_REF| Image reference of the built image| | +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| 
|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | +|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | ### deprecated-image-check:0.4 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -163,7 +170,7 @@ ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results @@ -176,10 +183,6 @@ |BASE_IMAGE| Base image source image is built from.| fbc-validate:0.1:BASE_IMAGE| |BASE_IMAGE_REPOSITORY| Base image repository URL.| | |TEST_OUTPUT| Tekton task test output.| | -### push-dockerfile:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | ### sbom-json-check:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -191,9 +194,9 @@ |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth| |netrc| |True| | -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source ; push-dockerfile:0.1:workspace ; inspect-image:0.1:source ; fbc-validate:0.1:workspace ; fbc-related-image-check:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.2:source ; inspect-image:0.1:source ; fbc-validate:0.1:workspace ; fbc-related-image-check:0.1:workspace| ## Available workspaces from tasks -### buildah:0.1 task workspaces +### buildah:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |source| Workspace containing the source code to build.| False| workspace| @@ -215,10 +218,6 @@ |name|description|optional|workspace from pipeline |---|---|---|---| |source| | False| workspace| -### push-dockerfile:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| ### summary:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/fbc-builder/patch.yaml b/pipelines/fbc-builder/patch.yaml index 9f139a8ce4..d267cd28cf 100644 --- a/pipelines/fbc-builder/patch.yaml +++ b/pipelines/fbc-builder/patch.yaml @@ -12,7 +12,7 @@ path: /spec/tasks/3/taskRef value: name: buildah - version: "0.1" + version: "0.2" - op: add path: /spec/tasks/3/params value: 
@@ -29,32 +29,37 @@
 - name: COMMIT_SHA
 value: "$(tasks.clone-repository.results.commit)"
 # Remove tasks
-# Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0
+# yq ".spec.params.[].name" pipelines/template-build/template-build.yaml | nl -v 0
 # to compute offsets
-# 0 init
-# 1 clone-repository
-# 2 prefetch-dependencies
-# 3 build-container
-# 4 build-source-image
-# 5 deprecated-base-image-check
-# 6 clair-scan
-# 7 ecosystem-cert-preflight-checks
-# 8 sast-snyk-check
-# 9 clamav-scan
-# 10 sbom-json-check
+# 0 init
+# 1 clone-repository
+# 2 prefetch-dependencies
+# 3 build-container
+# 4 build-image-index
+# 5 build-source-image
+# 6 deprecated-base-image-check
+# 7 clair-scan
+# 8 ecosystem-cert-preflight-checks
+# 9 sast-snyk-check
+# 10 clamav-scan
+# 11 sbom-json-check
+# 12 apply-tags
+# 13 push-dockerfile
 - op: replace
 path: /spec/tasks/3/runAfter/0
 value: clone-repository
 - op: remove
- path: /spec/tasks/9 # clamav-scan
+ path: /spec/tasks/13 # push-dockerfile
 - op: remove
- path: /spec/tasks/8 # sast-snyk-check
+ path: /spec/tasks/10 # clamav-scan
 - op: remove
- path: /spec/tasks/7 # ecosystem-cert-preflight-checks
+ path: /spec/tasks/9 # sast-snyk-check
 - op: remove
- path: /spec/tasks/6 # clair-scan
+ path: /spec/tasks/8 # ecosystem-cert-preflight-checks
 - op: remove
- path: /spec/tasks/4 # build-source-image
+ path: /spec/tasks/7 # clair-scan
+- op: remove
+ path: /spec/tasks/5 # build-source-image
 - op: remove
 path: /spec/tasks/2 # prefetch-dependencies
 - op: add
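Review bot: The new comment names `yq ".spec.params.[].name"` as the command that produces the index table, but the table lists task names and every path below it is `/spec/tasks/N`; the sibling pipelines/docker-build/patch.yaml uses `.spec.tasks.[].name` for the same table. Change the line to `# yq ".spec.tasks.[].name" pipelines/template-build/template-build.yaml | nl -v 0` so a maintainer regenerating the offsets does not enumerate the parameter list and compute wrong indices. The descending order of the `remove` ops (13, 10, 9, 8, 7, 5, 2) is what keeps each later index valid as earlier entries are deleted; a comment such as `# remove in descending index order: each removal shifts the entries after it` would make that invariant explicit. The patch list continues outside the hunk on both sides.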
@@ -66,15 +71,15 @@
 operator: in
 values: ["false"]
 runAfter:
- - build-container
+ - build-image-index
 taskRef:
 name: inspect-image
 version: "0.1"
 params:
 - name: IMAGE_URL
- value: $(tasks.build-container.results.IMAGE_URL)
+ value: $(tasks.build-image-index.results.IMAGE_URL)
 - name: IMAGE_DIGEST
- value: $(tasks.build-container.results.IMAGE_DIGEST)
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 workspaces:
 - name: source
 workspace: workspace
@@ -93,9 +98,9 @@
 version: "0.1"
 params:
 - name: IMAGE_URL
- value: $(tasks.build-container.results.IMAGE_URL)
+ value: $(tasks.build-image-index.results.IMAGE_URL)
 - name: IMAGE_DIGEST
- value: $(tasks.build-container.results.IMAGE_DIGEST)
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 - name: BASE_IMAGE
 value: $(tasks.inspect-image.results.BASE_IMAGE)
 workspaces:
diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md
index a4a882c2ab..2b709fd345 100644
--- a/pipelines/java-builder/README.md
+++ b/pipelines/java-builder/README.md
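Review bot: The new `value: $(tasks.build-image-index.results.IMAGE_URL)` and `IMAGE_DIGEST` lines in both hunks leave the Tekton variable reference unquoted, while the same file quotes `value: "$(tasks.clone-repository.results.commit)"` in the earlier hunk; the parsed string is the same, but the mixed style makes it easier to overlook a value that does need quoting. Quoting them, `value: "$(tasks.build-image-index.results.IMAGE_URL)"` and `value: "$(tasks.build-image-index.results.IMAGE_DIGEST)"`, keeps the file consistent. The task entries these params belong to (inspect-image, and the task at `@@ -93,9 +98,9 @@`) start outside the hunks.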
@@ -2,13 +2,14 @@ ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| | -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| |path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:PATH_CONTEXT ; push-dockerfile:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input| |rebuild| Force rebuild image| false| init:0.2:rebuild| 
@@ -21,31 +22,41 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | ### clair-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clamav-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | 
|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters @@ -53,7 +64,7 @@ |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -97,8 +108,8 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | ### s2i-java:0.1 task parameters |name|description|default value|already set by| 
@@ -117,21 +128,21 @@ |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | |SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | -|image-digest| Image digest to report findings for.| | '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". 
If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### source-build:0.1 task parameters |name|description|default value|already set by| @@ -141,7 +152,7 @@ ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| 
@@ -151,10 +162,16 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| |JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)| ## Available results from tasks +### build-image-index:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES| List of all referenced image manifests| | +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### clair-scan:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -178,7 +195,7 @@ ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results 
@@ -193,9 +210,9 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | ### sast-snyk-check:0.2 task results diff --git a/pipelines/kustomization.yaml b/pipelines/kustomization.yaml index 9413ccb12c..729930f1ee 100644 --- a/pipelines/kustomization.yaml +++ b/pipelines/kustomization.yaml @@ -3,6 +3,7 @@ kind: Kustomization resources: - docker-build - docker-build-oci-ta +- docker-build-multi-platform-oci-ta - java-builder - nodejs-builder - enterprise-contract.yaml diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md index 5ebf34b6ed..d151a07588 100644 --- a/pipelines/nodejs-builder/README.md +++ b/pipelines/nodejs-builder/README.md 
@@ -2,13 +2,14 @@ ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| | -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| |path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:PATH_CONTEXT ; push-dockerfile:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input| |rebuild| Force rebuild image| false| init:0.2:rebuild| 
@@ -21,31 +22,41 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | ### clair-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clamav-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | 
|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters @@ -53,7 +64,7 @@ |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -97,8 +108,8 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | ### s2i-nodejs:0.1 task parameters |name|description|default value|already set by| 
@@ -118,21 +129,21 @@ |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | |SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | -|image-digest| Image digest to report findings for.| | '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". 
If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### source-build:0.1 task parameters |name|description|default value|already set by| @@ -142,7 +153,7 @@ ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| 
@@ -152,9 +163,15 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| ## Available results from tasks +### build-image-index:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES| List of all referenced image manifests| | +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### clair-scan:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -178,7 +195,7 @@ ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results 
@@ -193,9 +210,9 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| ### sast-snyk-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index 751dd857a4..e4d4efaedc 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md @@ -2,6 +2,7 @@ ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| +|build-image-index| Add built image into an OCI image index| false| | |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| 
@@ -21,21 +22,39 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clair-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### clamav-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|docker-auth| unused| | | +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### deprecated-image-check:0.4 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BASE_IMAGES_DIGESTS| Digests of base build 
images.| | | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | +|POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -79,27 +98,20 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | -### sast-snyk-check:0.2 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | -|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | -|image-digest| Image digest to report findings for.| | '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | '$(tasks.build-container.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| 
+|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| @@ -116,8 +128,8 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| ## Available results from tasks ### clair-scan:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -125,6 +137,16 @@ |CLAIR_SCAN_RESULT| Clair scan result.| | |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | +### clamav-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### deprecated-image-check:0.4 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | ### ecosystem-cert-preflight-checks:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -143,10 +165,6 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | -### sast-snyk-check:0.2 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|TEST_OUTPUT| Tekton task test output.| | ### sbom-json-check:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -155,16 +173,16 @@ ### tkn-bundle:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed with tag only| clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| | ## Workspaces |name|description|optional|used in tasks |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline 
@@ -182,10 +200,6 @@ |name|description|optional|workspace from pipeline |---|---|---|---| |workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| -### sast-snyk-check:0.2 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| | False| workspace| ### summary:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 55531fc185..48079ebc55 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -56,6 +56,10 @@ spec: description: Build a source image. type: string default: "false" + - name: build-image-index + description: Add built image into an OCI image index + type: string + default: "false" tasks: - name: init params: @@ -121,6 +125,28 @@ spec: workspaces: - name: source workspace: workspace + - name: build-image-index + when: + - input: $(tasks.init.results.build) + operator: in + values: ["true"] + runAfter: + - build-container + taskRef: + name: build-image-index + version: "0.1" + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: "$(params.image-expires-after)" + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) - name: build-source-image when: - input: $(tasks.init.results.build) @@ -130,7 +156,7 @@ spec: operator: in values: ["true"] runAfter: - - build-container + - build-image-index taskRef: name: source-build version: "0.1" 
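Review bot: The new `build-image-index` pipeline task binds `ALWAYS_BUILD_INDEX` to a parameter whose template default is `"false"`, so on the default path no index is built and the task only forwards `IMAGES[0]` into its results; nothing in the pipeline says that every downstream reference to `tasks.build-image-index.results.*` then carries the `build-container` manifest unchanged. Suggest expanding the parameter description in the `@@ -56,6 +56,10 @@` hunk: `description: Add built image into an OCI image index; when "false" the build-image-index task forwards the build-container results unchanged, so downstream tasks always read tasks.build-image-index.results.*`. The `IMAGES` entry is digest-pinned (`IMAGE_URL@IMAGE_DIGEST`), which is what the task's own description asks for so that the forwarded `IMAGE_DIGEST` is populated — keep that form. The enclosing `tasks:` list continues past the hunk.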
@@ -150,46 +176,46 @@ spec: version: "0.4" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index - name: clair-scan when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: clair-scan version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: ecosystem-cert-preflight-checks when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: ecosystem-cert-preflight-checks version: "0.1" params: - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: sast-snyk-check when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: sast-snyk-check version: "0.2" 
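Review bot: Every scanner in this hunk (deprecated-base-image-check, clair-scan, ecosystem-cert-preflight-checks, sast-snyk-check) now receives the image-index digest rather than the single-manifest digest, and the same applies to clamav-scan, sbom-json-check, apply-tags and push-dockerfile in the next hunk. If any of these tasks resolves `image-url@image-digest` for only one platform, the other manifests referenced by the index go unscanned while the pipeline still reports a clean result. Worth confirming that each task version pinned here (`clair-scan` 0.1, `clamav-scan` 0.1, `sast-snyk-check` 0.2) iterates over the index's manifests, or documenting the limitation next to the `build-image-index` task. Note also that with `ALWAYS_BUILD_INDEX` false the forwarded digest is the manifest digest, so what gets scanned differs between the two modes.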
@@ -198,59 +224,59 @@ spec: workspace: workspace params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: clamav-scan when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: clamav-scan version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: sbom-json-check when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: sbom-json-check version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: apply-tags runAfter: - - build-container + - build-image-index taskRef: name: apply-tags version: "0.1" params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: push-dockerfile runAfter: - - build-container + - build-image-index taskRef: name: push-dockerfile version: "0.1" params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: DOCKERFILE value: $(params.dockerfile) - name: CONTEXT 
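Review bot: The `$(tasks.build-image-index.results.IMAGE_URL)` / `IMAGE_DIGEST` references in this hunk propagate into every pipeline rendered from the template, including ones that replace `build-container`; the regenerated `pipelines/tekton-bundle-builder/README.md` in this same diff shows clair-scan, sbom-json-check, apply-tags and push-dockerfile bound to `tasks.build-image-index.results.*` but lists no `build-image-index` task and an empty "used in" column for the new `build-image-index` parameter. If that pipeline's overlay drops the task without rewriting the references, Tekton would reject the pipeline at validation time or skip every consumer, so please confirm against the rendered tekton-bundle-builder pipeline. `tkn-bundle`'s `IMAGE_DIGEST`/`IMAGE_URL` results also show no consumers after this change, which points the same way.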
@@ -266,7 +292,7 @@ spec: version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: show-summary taskRef: name: summary @@ -279,15 +305,15 @@ spec: - name: image-url value: $(params.output-image) - name: build-task-status - value: $(tasks.build-container.status) + value: $(tasks.build-image-index.status) workspaces: - name: workspace workspace: workspace results: - name: IMAGE_URL - value: "$(tasks.build-container.results.IMAGE_URL)" + value: "$(tasks.build-image-index.results.IMAGE_URL)" - name: IMAGE_DIGEST - value: "$(tasks.build-container.results.IMAGE_DIGEST)" + value: "$(tasks.build-image-index.results.IMAGE_DIGEST)" - name: CHAINS-GIT_URL value: "$(tasks.clone-repository.results.url)" - name: CHAINS-GIT_COMMIT diff --git a/ta-generator/golden/buildah/base.yaml b/ta-generator/golden/buildah/base.yaml index 5b6d4d19af..82d95e4a4f 100644 --- a/ta-generator/golden/buildah/base.yaml +++ b/ta-generator/golden/buildah/base.yaml @@ -83,7 +83,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS diff --git a/ta-generator/golden/buildah/ta.yaml b/ta-generator/golden/buildah/ta.yaml index ca29e30f1d..7d22285bd8 100644 --- a/ta-generator/golden/buildah/ta.yaml +++ b/ta-generator/golden/buildah/ta.yaml @@ -87,7 +87,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS 
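Review bot: `build-task-status` now reads `$(tasks.build-image-index.status)` rather than the build task's status, so when `build-container` fails `build-image-index` never runs and, as far as I recall Tekton's status variable, reports `None` rather than `Failed`, which makes the summary annotation lose the build failure. If the intent is to keep reporting the actual build outcome, keep `value: $(tasks.build-container.status)` here (the `IMAGE_URL`/`IMAGE_DIGEST` pipeline results below can still point at build-image-index), or document in the `summary` task that `None` must be treated as a failure. The `show-summary` task definition begins before this hunk.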
diff --git a/task/build-image-index/0.1/README.md b/task/build-image-index/0.1/README.md new file mode 100644 index 0000000000..fb6a891194 --- /dev/null +++ b/task/build-image-index/0.1/README.md @@ -0,0 +1,22 @@ +# build-image-index task + +This takes existing Image Manifests and combines them in an Image Index. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|The target image and tag where the image will be pushed to.||true| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|COMMIT_SHA|The commit the image is built from.|""|false| +|IMAGES|List of Image Manifests to be referenced by the Image Index||true| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|ALWAYS_BUILD_INDEX|Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*.|true|false| +|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed| +|IMAGES|List of all referenced image manifests| + diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-index/0.1/build-image-index.yaml similarity index 59% rename from task/build-image-manifest/0.1/build-image-manifest.yaml rename to task/build-image-index/0.1/build-image-index.yaml index 26b0456588..f2c9c5d658 100644 --- a/task/build-image-manifest/0.1/build-image-manifest.yaml +++ b/task/build-image-index/0.1/build-image-index.yaml 
@@ -7,29 +7,33 @@ metadata: annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "image-build, konflux" - name: build-image-manifest + name: build-image-index spec: description: |- - This takes existing images and stiches them together into a multi platform image. + This takes existing Image Manifests and combines them in an Image Index. params: - - description: Reference of the image buildah will produce. - name: IMAGE + - name: IMAGE + description: The target image and tag where the image will be pushed to. type: string - - default: "true" + - name: TLSVERIFY description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY type: string + default: "true" - name: COMMIT_SHA - description: The image is built from this commit. + description: The commit the image is built from. type: string default: "" - name: IMAGES - description: List of images that are to be merged into the multi platform image + description: List of Image Manifests to be referenced by the Image Index type: array - - default: "" - description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. - name: IMAGE_EXPIRES_AFTER + - name: IMAGE_EXPIRES_AFTER + description: Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. type: string + default: "" + - name: ALWAYS_BUILD_INDEX + description: Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter. 
+ type: string + default: "true" - name: STORAGE_DRIVER description: Storage driver to configure for buildah type: string @@ -37,7 +41,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: List of all referenced image manifests name: IMAGES @@ -45,14 +49,16 @@ spec: env: - name: BUILDAH_FORMAT value: oci - - name: STORAGE_DRIVER - value: $(params.STORAGE_DRIVER) + - name: COMMIT_SHA + value: $(params.COMMIT_SHA) - name: IMAGE value: $(params.IMAGE) - name: TLSVERIFY value: $(params.TLSVERIFY) - - name: COMMIT_SHA - value: $(params.COMMIT_SHA) + - name: ALWAYS_BUILD_INDEX + value: $(params.ALWAYS_BUILD_INDEX) + - name: STORAGE_DRIVER + value: $(params.STORAGE_DRIVER) steps: - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting 
@@ -74,15 +80,31 @@ spec: sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf + if [[ $# -ne 1 && "$ALWAYS_BUILD_INDEX" != "true" ]]; then + echo "Skipping image index generation while supplying multiple image inputs is unsupported." + exit 2 + fi + image_manifests="" buildah manifest create "$IMAGE" for i in $@ do TOADD="$i" - if [[ $(echo $i | tr -cd ":" | wc -c) == 2 ]]; then + TOADD_URL="$(echo "$i" | cut -d@ -f1)" + TOADD_DIGEST="$(echo "$i" | cut -d@ -f2)" + if [[ $(echo "$i" | tr -cd ":" | wc -c) == 2 ]]; then + #format is repository:tag@sha256:digest #we need to remove the tag, and just reference the digest #as tag + digest is not supported - TOADD="$(echo $i | cut -d: -f1)@sha256:$(echo $i | cut -d: -f3)" + TOADD_REPOSITORY="$(echo "$i" | cut -d: -f1)" + TOADD="${TOADD_REPOSITORY}@${TOADD_DIGEST}" + fi + if [[ "$ALWAYS_BUILD_INDEX" != "true" ]]; then + echo "Skipping image index generation. Returning results for $TOADD" + echo -n "${TOADD_URL}" > "$(results.IMAGE_URL.path)" + echo -n "${TOADD_DIGEST}" > "$(results.IMAGE_DIGEST.path)" + echo -n "${TOADD}" > "$(results.IMAGES.path)" + exit 0 fi echo "Adding $TOADD" image_manifests="${image_manifests} ${TOADD}," diff --git a/task/build-image-index/0.1/kustomization.yaml b/task/build-image-index/0.1/kustomization.yaml new file mode 100644 index 0000000000..0d42381423 --- /dev/null +++ b/task/build-image-index/0.1/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- build-image-index.yaml diff --git a/task/build-image-index/OWNERS b/task/build-image-index/OWNERS new file mode 100644 index 0000000000..d3f0ff4a7e --- /dev/null +++ b/task/build-image-index/OWNERS @@ -0,0 +1,5 @@ +# See the OWNERS docs: https://go.k8s.io/owners +approvers: + - build-team +reviewers: + - build-team 
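Review bot: In the skip path (`ALWAYS_BUILD_INDEX` != `true`) the values written to `results.IMAGE_URL` and `results.IMAGE_DIGEST` come straight from `cut -d@ -f1`/`-f2` on the input and are never validated; `cut` without `-s` prints the whole line when the delimiter is absent, so an input of the form `repository:tag` makes `TOADD_DIGEST` equal to the entire reference and `IMAGE_DIGEST` becomes a non-digest string, and nothing on this path consults the registry, so an incorrect digest is forwarded into the pipeline results unchecked. The parameter description already requires `repository:tag@sha256:digest`, so enforce it right after `TOADD_DIGEST` is computed: `[[ "$i" == *@sha256:* && "$TOADD_DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "Expected repository[:tag]@sha256:<digest>, got: $i" >&2; exit 1; }`. Running the same check before the `ALWAYS_BUILD_INDEX` branch would also reject malformed references early on the index path instead of leaving it to the buildah manifest steps, which lie outside the hunk. The enclosing script block starts and ends outside the hunk.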
diff --git a/task/build-image-manifest/0.1/README.md b/task/build-image-manifest/0.1/README.md index acb4aa3498..65a0f15113 100644 --- a/task/build-image-manifest/0.1/README.md +++ b/task/build-image-manifest/0.1/README.md @@ -1,5 +1,7 @@ # build-image-manifest task +WARNING: Usage of this task is deprecated. You should use the `build-image-index` task instead. + This task generates an image index from a collection of existing single platform images to create a multi-platform image. ## Parameters @@ -15,5 +17,5 @@ This task generates an image index from a collection of existing single platform |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| diff --git a/task/build-image-manifest/0.1/kustomization.yaml b/task/build-image-manifest/0.1/kustomization.yaml new file mode 100644 index 0000000000..fcb6a419b5 --- /dev/null +++ b/task/build-image-manifest/0.1/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../build-image-index/0.1 + +patches: +- path: patch.yaml + target: + kind: Task diff --git a/task/build-image-manifest/0.1/patch.yaml b/task/build-image-manifest/0.1/patch.yaml new file mode 100644 index 0000000000..ce0ef9e8b2 --- /dev/null +++ b/task/build-image-manifest/0.1/patch.yaml @@ -0,0 +1,4 @@ +--- +- op: replace + path: /metadata/name + value: build-image-manifest diff --git a/task/build-image-manifest/README.md b/task/build-image-manifest/README.md deleted file mode 100644 index 01648ed61a..0000000000 --- a/task/build-image-manifest/README.md +++ /dev/null 
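Review bot: The new `task/build-image-manifest/0.1/kustomization.yaml` mixes sequence indentation: the `resources` item is indented (`  - ../../build-image-index/0.1`) while the `patches` item is flush (`- path: patch.yaml`); pick one form, e.g. indent the patch entry to match (`  - path: patch.yaml`, `    target:`, `      kind: Task`), which is also yamllint's default `indentation.indent-sequences` expectation. The `build-image-index/0.1/kustomization.yaml` added in the previous hunk uses the flush style, so the two new files already disagree with each other as well. Since `patch.yaml` only replaces `/metadata/name`, the rendered deprecated Task still carries the build-image-index description; if the deprecation warning added to the README is meant to be visible from the Task itself, a second `replace` op on `/spec/description` would carry it.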
@@ -1,21 +0,0 @@ -# build-image-manifest task - -This takes existing images and stiches them together into a multi platform image. - -## Parameters -|name|description|default value|required| -|---|---|---|---| -|IMAGE|Reference of the image buildah will produce.||true| -|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| -|COMMIT_SHA|The image is built from this commit.|""|false| -|IMAGES|List of images that are to be merged into the multi platform image||true| -|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| -|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| - -## Results -|name|description| -|---|---| -|IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| -|IMAGES|List of all referenced image manifests| - diff --git a/task/buildah-oci-ta/0.1/README.md b/task/buildah-oci-ta/0.1/README.md index 6e96867d20..4b80dffc49 100644 --- a/task/buildah-oci-ta/0.1/README.md +++ b/task/buildah-oci-ta/0.1/README.md @@ -40,7 +40,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |---|---| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 45f0f325fa..2bcc7bab65 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml 
@@ -136,7 +136,7 @@ spec: - name: IMAGE_DIGEST description: Digest of the image just built - name: IMAGE_URL - description: Image repository where the built image was pushed + description: Image repository and tag where the built image was pushed - name: JAVA_COMMUNITY_DEPENDENCIES description: The Java dependencies that came from community sources such as Maven central. diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index 5f3a1fe947..ff1099db5a 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -39,7 +39,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_REF|Image reference of the built image| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| |SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index e9958b4961..f5ae85958e 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -132,7 +132,7 @@ spec: - name: IMAGE_REF description: Image reference of the built image - name: IMAGE_URL - description: Image repository where the built image was pushed + description: Image repository and tag where the built image was pushed - name: JAVA_COMMUNITY_DEPENDENCIES description: The Java dependencies that came from community sources such as Maven central. diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 1b846e70e9..e867e8d668 100644 
--- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -136,7 +136,7 @@ spec: name: BASE_IMAGES_DIGESTS - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: The Java dependencies that came from community sources such as Maven central. diff --git a/task/buildah-remote-oci-ta/0.2/README.md b/task/buildah-remote-oci-ta/0.2/README.md index 31a521038a..2a1df3de99 100644 --- a/task/buildah-remote-oci-ta/0.2/README.md +++ b/task/buildah-remote-oci-ta/0.2/README.md @@ -40,7 +40,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_REF|Image reference of the built image| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| |SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index e46c8c5935..0e981d190f 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
@@ -137,7 +137,7 @@ spec: name: IMAGE_DIGEST - description: Image reference of the built image name: IMAGE_REF - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: The Java dependencies that came from community sources such as Maven central. diff --git a/task/buildah-remote/0.1/README.md b/task/buildah-remote/0.1/README.md index 2fe50dd4c1..439c6687ee 100644 --- a/task/buildah-remote/0.1/README.md +++ b/task/buildah-remote/0.1/README.md @@ -26,7 +26,7 @@ This task has an additional `PLATFORM` param that is used by the Multi Arch Cont |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index a31b912631..be348a2dca 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -129,7 +129,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS diff --git a/task/buildah-remote/0.2/README.md b/task/buildah-remote/0.2/README.md index f9ffb1e873..d89a4972bd 100644 --- a/task/buildah-remote/0.2/README.md +++ b/task/buildah-remote/0.2/README.md 
@@ -37,7 +37,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |IMAGE_REF|Image reference of the built image| |SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 05562e787a..8209877b6f 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -126,7 +126,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Image reference of the built image name: IMAGE_REF diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index 7a07e5c058..a5aa37b6c3 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml +++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml @@ -43,7 +43,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS diff --git a/task/buildah/0.1/README.md b/task/buildah/0.1/README.md index 7e773783b0..e2ab9f4331 100644 --- a/task/buildah/0.1/README.md +++ b/task/buildah/0.1/README.md 
@@ -38,7 +38,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 5771a08f00..ed630d7cc0 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -115,7 +115,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS diff --git a/task/buildah/0.2/README.md b/task/buildah/0.2/README.md index 510a1a7664..4ad54020df 100644 --- a/task/buildah/0.2/README.md +++ b/task/buildah/0.2/README.md @@ -36,7 +36,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |IMAGE_REF|Image reference of the built image| |SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index a5793f3325..14931c9341 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml 
@@ -107,7 +107,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Image reference of the built image name: IMAGE_REF diff --git a/task/inspect-image/0.1/inspect-image.yaml b/task/inspect-image/0.1/inspect-image.yaml index ae4d6372f1..4d7210444c 100644 --- a/task/inspect-image/0.1/inspect-image.yaml +++ b/task/inspect-image/0.1/inspect-image.yaml @@ -93,7 +93,7 @@ spec: skopeo inspect --no-tags --raw docker://"${IMAGE_URL}" > $RAW_IMAGE_INSPECT || status=$? if [ "$status" -eq 0 ] && [ "$(jq 'has("manifests")' ${RAW_IMAGE_INSPECT})" = "true" ]; then - echo "Found an index image, lookup for amd64 manifest" + echo "Found an image index, lookup for amd64 manifest" INDEX_IMAGE_MANIFESTS=$(jq ' .manifests | map ( {(.platform.architecture|tostring|ascii_downcase): .digest} ) | add' "${RAW_IMAGE_INSPECT}" || true) AMD64_MANIFEST_DIGEST=$(jq -r '.amd64' <<< "${INDEX_IMAGE_MANIFESTS}" || true ) diff --git a/task/rpm-ostree/0.1/README.md b/task/rpm-ostree/0.1/README.md index 44b86d3fc0..119f395772 100644 --- a/task/rpm-ostree/0.1/README.md +++ b/task/rpm-ostree/0.1/README.md @@ -20,7 +20,7 @@ RPM Ostree |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_BLOB_URL|Reference, including digest to the SBOM blob| diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml index b86f48a496..7fc4cd2bad 100644 --- a/task/rpm-ostree/0.1/rpm-ostree.yaml +++ b/task/rpm-ostree/0.1/rpm-ostree.yaml 
@@ -58,7 +58,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Image reference of the built image name: IMAGE_REF diff --git a/task/rpm-ostree/0.2/rpm-ostree.yaml b/task/rpm-ostree/0.2/rpm-ostree.yaml index 641351f3cb..87b3811018 100644 --- a/task/rpm-ostree/0.2/rpm-ostree.yaml +++ b/task/rpm-ostree/0.2/rpm-ostree.yaml @@ -58,7 +58,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Image reference of the built image name: IMAGE_REF diff --git a/task/s2i-java/0.1/README.md b/task/s2i-java/0.1/README.md index 617012f20d..96354f22c8 100644 --- a/task/s2i-java/0.1/README.md +++ b/task/s2i-java/0.1/README.md @@ -21,7 +21,7 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml index e39f38c668..31f17f942c 100644 --- a/task/s2i-java/0.1/s2i-java.yaml +++ b/task/s2i-java/0.1/s2i-java.yaml 
@@ -54,7 +54,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Image reference of the built image name: IMAGE_REF diff --git a/task/s2i-nodejs/0.1/README.md b/task/s2i-nodejs/0.1/README.md index dca3d57a4d..f129dfaf71 100644 --- a/task/s2i-nodejs/0.1/README.md +++ b/task/s2i-nodejs/0.1/README.md @@ -21,7 +21,7 @@ In addition it generates a SBOM file, injects the SBOM file into final container |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml index bd1f1b5990..da00eebf23 100644 --- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml +++ b/task/s2i-nodejs/0.1/s2i-nodejs.yaml @@ -72,7 +72,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed + - description: Image repository and tag where the built image was pushed name: IMAGE_URL - description: Image reference of the built image name: IMAGE_REF diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index eb636069ca..192ece213d 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml 
@@ -79,7 +79,7 @@ spec: raw_inspect=$(skopeo inspect --raw "docker://$BINARY_IMAGE") if manifest_digest=$(jq -e -r '.manifests[0].digest' <<<"$raw_inspect"); then - # The BINARY_IMAGE is an index image, each manifest in the list has its own SBOM. + # The BINARY_IMAGE is an image index, each manifest in the list has its own SBOM. # We're gonna assume the base images are the same or similar enough in all the SBOMs. echo "BINARY_IMAGE ($BINARY_IMAGE) is a manifest list, picking an arbitrary image from the list" image_without_digest=${BINARY_IMAGE%@*} diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index 15ad65c47f..bcafc41110 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml @@ -66,7 +66,7 @@ spec: raw_inspect=$(skopeo inspect --raw "docker://$BINARY_IMAGE") if manifest_digest=$(jq -e -r '.manifests[0].digest' <<< "$raw_inspect"); then - # The BINARY_IMAGE is an index image, each manifest in the list has its own SBOM. + # The BINARY_IMAGE is an image index, each manifest in the list has its own SBOM. # We're gonna assume the base images are the same or similar enough in all the SBOMs. echo "BINARY_IMAGE ($BINARY_IMAGE) is a manifest list, picking an arbitrary image from the list" image_without_digest=${BINARY_IMAGE%@*} diff --git a/task/tkn-bundle/0.1/README.md b/task/tkn-bundle/0.1/README.md index 2c317a2db5..dc2f262321 100644 --- a/task/tkn-bundle/0.1/README.md +++ b/task/tkn-bundle/0.1/README.md 
@@ -47,6 +47,6 @@ The task emits the following results. | Name | Example | Description | |--------------|---------------------------------------|-----------------------------------------------------------------| -| IMAGE_URL | registry.io/my-task:tag | Image repository where the built image was pushed with tag only | +| IMAGE_URL | registry.io/my-task:tag | Image repository and tag where the built image was pushed with tag only | | IMAGE_DIGEST | abc... | Digest of the image just built | | IMAGE_REF | registry.io/my-task:tag@sha256:abc... | Image reference of the built image | diff --git a/task/tkn-bundle/0.1/tkn-bundle.yaml b/task/tkn-bundle/0.1/tkn-bundle.yaml index b70874c795..30225003dd 100644 --- a/task/tkn-bundle/0.1/tkn-bundle.yaml +++ b/task/tkn-bundle/0.1/tkn-bundle.yaml @@ -30,7 +30,7 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST - - description: Image repository where the built image was pushed with tag only + - description: Image repository and tag where the built image was pushed with tag only name: IMAGE_URL - description: Image reference of the built image name: IMAGE_REF
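Review bot: The mechanical substitution in `task/tkn-bundle/0.1/tkn-bundle.yaml` leaves `Image repository and tag where the built image was pushed with tag only` on the `IMAGE_URL` result, which now names the tag twice and reads as if it contradicts itself. The original "with tag only" phrase distinguished this result from `IMAGE_REF`, which carries the digest, so wording such as `Image repository and tag where the built image was pushed (no digest; see IMAGE_REF)` keeps that distinction without the repetition. The README table in the preceding hunk has the same sentence and should change together with it.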