76 lines
2.6 KiB
YAML
76 lines
2.6 KiB
YAML
---
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: j7s-buildah
|
|
spec:
|
|
description: Build and push a container image.
|
|
params:
|
|
- name: registry
|
|
description: Registry to push to.
|
|
- name: name
|
|
description: Name of the image.
|
|
- name: version
|
|
description: Version for the image.
|
|
- name: containerfile
|
|
description: Path of the Containerfile relative to source.
|
|
- name: registry-login-secret-name
|
|
description: Name of the secret containing the credentials to push to the registry.
|
|
- name: cosign-secret-name
|
|
description: Name of the secret container the credentials for cosign.
|
|
workspaces:
|
|
- name: source
|
|
steps:
|
|
- name: build
|
|
image: harbor.internal.jpace121.net/k8s/buildah:latest
|
|
workingDir: $(workspaces.source.path)
|
|
script: |
|
|
set -x
|
|
# Login
|
|
buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
|
|
# Setup cosign.
|
|
cp /etc/cosign-credentials/* ~/.sigstore
|
|
cat <<EOF > ~/.sigstore/param-file.yaml
|
|
privateKeyFile: "$HOME/.sigstore/cosign.key"
|
|
privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
|
|
EOF
|
|
mkdir -p /etc/containers/registries.d/
|
|
cat <<EOF > /etc/containers/registries.d/james-registry.yaml
|
|
docker:
|
|
$(params.registry):
|
|
use-sigstore-attachments: true
|
|
EOF
|
|
# Build
|
|
buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
|
|
-f $(params.containerfile) -t $(params.name):$(params.version) .
|
|
# Push
|
|
skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
|
|
containers-storage:localhost/$(params.name):$(params.version) \
|
|
docker://$(params.registry)/$(params.name):$(params.version)
|
|
skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
|
|
containers-storage:localhost/$(params.name):$(params.version) \
|
|
docker://$(params.registry)/$(params.name):latest
|
|
env:
|
|
- name: USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: $(params.registry-login-secret-name)
|
|
key: username
|
|
- name: PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: $(params.registry-login-secret-name)
|
|
key: password
|
|
volumeMounts:
|
|
- name: varlibcontainers
|
|
mountPath: /var/lib/containers
|
|
- name: cosign-credentials
|
|
mountPath: /etc/cosign-credentials
|
|
securityContext:
|
|
privileged: true
|
|
volumes:
|
|
- name: varlibcontainers
|
|
emptyDir: {}
|
|
- name: cosign-credentials
|
|
secret:
|
|
secretName: $(params.cosign-secret-name) |