Sync build-definitions

redhat-appstudio · Dec 13, 2024 · cb9b893 · cb9b893
1 parent 1166739
commit cb9b893
Show file tree

Hide file tree

Showing 11 changed files with 653 additions and 25 deletions.
diff --git a/pac/docker-build-rhtap/docker-pull-request.yaml b/pac/docker-build-rhtap/docker-pull-request.yaml
@@ -10,12 +10,16 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/sast-unicode-check.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/apply-tags.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/push-dockerfile.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-10: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-11: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-12: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/docker-build-rhtap/docker-push.yaml b/pac/docker-build-rhtap/docker-push.yaml
@@ -10,12 +10,16 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/sast-unicode-check.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/apply-tags.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/push-dockerfile.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-10: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-11: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-12: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/pipelines/docker-build-rhtap.yaml b/pac/pipelines/docker-build-rhtap.yaml
@@ -143,6 +143,62 @@ spec:
       workspaces:
         - name: source
           workspace: workspace
+    - name: sast-unicode-check
+      params:
+        - name: image-url
+          value: $(tasks.build-image-index.results.IMAGE_URL)
+      runAfter:
+        - build-image-index
+      taskRef:
+        name: sast-unicode-check
+      when:
+        - input: $(params.skip-checks)
+          operator: in
+          values:
+            - "false"
+      workspaces:
+        - name: workspace
+          workspace: workspace
+    - name: apply-tags
+      params:
+        - name: IMAGE
+          value: $(tasks.build-image-index.results.IMAGE_URL)
+      runAfter:
+        - build-image-index
+      taskRef:
+        name: apply-tags
+    - name: push-dockerfile
+      params:
+        - name: IMAGE
+          value: $(tasks.build-image-index.results.IMAGE_URL)
+        - name: IMAGE_DIGEST
+          value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+        - name: DOCKERFILE
+          value: $(params.dockerfile)
+        - name: CONTEXT
+          value: $(params.path-context)
+      runAfter:
+        - build-image-index
+      taskRef:
+        name: push-dockerfile
+      workspaces:
+        - name: workspace
+          workspace: workspace
+    - name: rpms-signature-scan
+      params:
+        - name: image-url
+          value: $(tasks.build-image-index.results.IMAGE_URL)
+        - name: image-digest
+          value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+      runAfter:
+        - build-image-index
+      taskRef:
+        name: rpms-signature-scan
+      when:
+        - input: $(params.skip-checks)
+          operator: in
+          values:
+            - "false"
     - name: acs-image-check
       params:
         - name: rox-secret-name

diff --git a/pac/source-repo/docker-pull-request.yaml b/pac/source-repo/docker-pull-request.yaml
@@ -10,12 +10,16 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/sast-unicode-check.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/apply-tags.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/push-dockerfile.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-10: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-11: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-12: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/source-repo/docker-push.yaml b/pac/source-repo/docker-push.yaml
@@ -10,12 +10,16 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/sast-unicode-check.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/apply-tags.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/push-dockerfile.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-10: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-11: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-12: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/tasks/apply-tags.yaml b/pac/tasks/apply-tags.yaml
@@ -0,0 +1,85 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: "konflux"
+  name: apply-tags
+spec:
+  description: >-
+    Applies additional tags to the built image.
+  params:
+  - name: IMAGE
+    description: Reference of image that was pushed to registry in the buildah task.
+    type: string
+  - name: ADDITIONAL_TAGS
+    description: Additional tags that will be applied to the image in the registry.
+    type: array
+    default: []
+  - name: CA_TRUST_CONFIG_MAP_NAME
+    type: string
+    description: The name of the ConfigMap to read CA bundle data from.
+    default: trusted-ca
+  - name: CA_TRUST_CONFIG_MAP_KEY
+    type: string
+    description: The name of the key in the ConfigMap that contains the CA bundle data.
+    default: ca-bundle.crt
+  stepTemplate:
+    volumeMounts:
+      - name: trusted-ca
+        mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+        subPath: ca-bundle.crt
+        readOnly: true
+  steps:
+    - name: apply-additional-tags-from-parameter
+      image: registry.access.redhat.com/ubi9/skopeo:9.4-14.1728984400@sha256:891ee232a9319ed0f675c318f9605422bde7436328e7faec7dc896a206a78e54
+      args:
+        - $(params.ADDITIONAL_TAGS[*])
+      env:
+      - name: IMAGE
+        value: $(params.IMAGE)
+      script: |
+        #!/bin/bash
+
+        if [ "$#" -ne 0 ]; then
+          IMAGE_WITHOUT_TAG=$(echo "$IMAGE" | sed 's/:[^:]*$//')
+          for tag in "$@"; do
+            echo "Applying tag $tag"
+            skopeo copy --multi-arch index-only docker://"$IMAGE" docker://"$IMAGE_WITHOUT_TAG:$tag"
+          done
+        else
+          echo "No additional tags parameter specified"
+        fi
+
+    - name: apply-additional-tags-from-image-label
+      image: registry.access.redhat.com/ubi9/skopeo:9.4-14.1728984400@sha256:891ee232a9319ed0f675c318f9605422bde7436328e7faec7dc896a206a78e54
+      env:
+      - name: IMAGE
+        value: $(params.IMAGE)
+      script: |
+        #!/bin/bash
+
+        ADDITIONAL_TAGS_FROM_IMAGE_LABEL=$(skopeo inspect --no-tags --format '{{ index .Labels "konflux.additional-tags" }}' "docker://$IMAGE")
+
+        if [ -n "${ADDITIONAL_TAGS_FROM_IMAGE_LABEL}" ]; then
+          IFS=', ' read -r -a tags_array <<< "$ADDITIONAL_TAGS_FROM_IMAGE_LABEL"
+
+          IMAGE_WITHOUT_TAG=$(echo "$IMAGE" | sed 's/:[^:]*$//')
+          for tag in "${tags_array[@]}"
+          do
+              echo "Applying tag $tag"
+              skopeo copy --multi-arch index-only docker://"$IMAGE" docker://"$IMAGE_WITHOUT_TAG:$tag"
+          done
+        else
+          echo "No additional tags specified in the image labels"
+        fi
+  volumes:
+  - name: trusted-ca
+    configMap:
+      name: $(params.CA_TRUST_CONFIG_MAP_NAME)
+      items:
+        - key: $(params.CA_TRUST_CONFIG_MAP_KEY)
+          path: ca-bundle.crt
+      optional: true
diff --git a/pac/tasks/buildah-rhtap.yaml b/pac/tasks/buildah-rhtap.yaml
@@ -103,6 +103,13 @@ spec:
         --digestfile /tmp/files/image-digest $IMAGE \
         docker://$IMAGE
 
+      # Push the image to a unique tag to avoid race conditions
+      buildah push \
+        --tls-verify="$TLSVERIFY" \
+        --retry=5 \
+        --digestfile /tmp/files/image-digest "$IMAGE" \
+        "docker://${IMAGE%:*}:$(context.taskRun.name)"
+
       # Set task results
       buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path)
       cat /tmp/files/image-digest | tee $(results.IMAGE_DIGEST.path)

diff --git a/pac/tasks/init.yaml b/pac/tasks/init.yaml
@@ -41,7 +41,7 @@ spec:
         echo "Determine if Image Already Exists"
         # Build the image when rebuild is set to true or image does not exist
         # The image check comes last to avoid unnecessary, slow API calls
-        if [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ] || ! skopeo inspect --raw docker://$IMAGE_URL &>/dev/null; then
+        if [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ] || ! skopeo inspect --no-tags --raw "docker://$IMAGE_URL" &>/dev/null; then
           echo -n "true" > $(results.build.path)
         else
           echo -n "false" > $(results.build.path)

diff --git a/pac/tasks/push-dockerfile.yaml b/pac/tasks/push-dockerfile.yaml
@@ -0,0 +1,100 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  labels:
+    app.kubernetes.io/version: "0.1"
+    build.appstudio.redhat.com/build_type: "docker"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: "image-build, appstudio"
+  name: push-dockerfile
+spec:
+  description: |-
+    Discover Dockerfile from source code and push it to registry as an OCI artifact.
+  params:
+  - name: IMAGE
+    description: The built binary image. The Dockerfile is pushed to the same image repository alongside.
+    type: string
+  - name: IMAGE_DIGEST
+    description: The built binary image digest, which is used to construct the tag of Dockerfile image.
+    type: string
+  - name: DOCKERFILE
+    description: Path to the Dockerfile.
+    type: string
+    default: ./Dockerfile
+  - name: CONTEXT
+    description: Path to the directory to use as context.
+    type: string
+    default: .
+  - name: TAG_SUFFIX
+    description: Suffix of the Dockerfile image tag.
+    type: string
+    default: .dockerfile
+  - name: ARTIFACT_TYPE
+    description: Artifact type of the Dockerfile image.
+    type: string
+    default: application/vnd.konflux.dockerfile
+  results:
+  - name: IMAGE_REF
+    description: Digest-pinned image reference to the Dockerfile image.
+  steps:
+  - name: push
+    image: quay.io/konflux-ci/oras:latest@sha256:b7e810730d97fe862826a048773a7539e469453df3681fd22de9754722266c69
+    workingDir: $(workspaces.workspace.path)
+    env:
+    - name: IMAGE
+      value: $(params.IMAGE)
+    - name: IMAGE_DIGEST
+      value: $(params.IMAGE_DIGEST)
+    - name: TAG_SUFFIX
+      value: $(params.TAG_SUFFIX)
+    - name: DOCKERFILE
+      value: $(params.DOCKERFILE)
+    - name: CONTEXT
+      value: $(params.CONTEXT)
+    - name: ARTIFACT_TYPE
+      value: $(params.ARTIFACT_TYPE)
+    - name: IMAGE_REF_RESULT
+      value: $(results.IMAGE_REF.path)
+    script: |
+      set -eu
+      set -o pipefail
+
+      # Same discovery logic used in buildah task
+      SOURCE_CODE_DIR=source
+      if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
+        dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
+      elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
+        dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
+      elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
+        echo "Fetch Dockerfile from $DOCKERFILE"
+        dockerfile_path=$(mktemp --suffix=-dockerfile)
+        http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE")
+        if [ $http_code != 200 ]; then
+          echo "No Dockerfile is fetched. Server responds $http_code"
+          exit 1
+        fi
+      else
+        echo "Cannot find Dockerfile $DOCKERFILE"
+        exit 1
+      fi
+
+      echo "Selecting auth for $IMAGE"
+      auth_json=$(mktemp)
+      select-oci-auth $IMAGE >"$auth_json"
+
+      dockerfile_image=${IMAGE%:*}:${IMAGE_DIGEST/:/-}${TAG_SUFFIX}
+
+      dockerfile_for_upload_path=/tmp/Dockerfile
+      cp "$dockerfile_path" "$dockerfile_for_upload_path"
+      cd "$(dirname $dockerfile_for_upload_path)"
+      retry oras push --no-tty \
+        --format json \
+        --registry-config "$auth_json" \
+        --artifact-type "$ARTIFACT_TYPE" \
+        "$dockerfile_image" "$(basename $dockerfile_for_upload_path)" \
+        | yq '.reference' | tr -d '\r\n' >"$IMAGE_REF_RESULT"
+
+  workspaces:
+  - name: workspace
+    description: Workspace containing the source code from where the Dockerfile is discovered.