From e14fa932fa0ad9c3f8ca3c61e18f7ef2a95a3e60 Mon Sep 17 00:00:00 2001
From: James Pace
Date: Fri, 10 Feb 2023 21:31:58 -0500
Subject: [PATCH] Signed containers with provenance and integration with simple-ros example.
---
 chains/chains-config.yaml | 2 +-
 images/Dockerfile_buildah | 6 +++
 pipelines/simple-ros-pipeline.yaml | 63 ++++++++++++++++++++++
 runs/simple-ros-pipeline.yaml | 23 ++++++++
 scripts/debug-pod.yaml | 18 +++++++
 scripts/registry/list-tags.sh | 2 +-
 tasks/j7s-buildah.yaml | 84 ++++++++++++++++++++++++++++++
 7 files changed, 196 insertions(+), 2 deletions(-)
 create mode 100644 images/Dockerfile_buildah
 create mode 100644 pipelines/simple-ros-pipeline.yaml
 create mode 100644 runs/simple-ros-pipeline.yaml
 create mode 100644 scripts/debug-pod.yaml
 create mode 100644 tasks/j7s-buildah.yaml
diff --git a/chains/chains-config.yaml b/chains/chains-config.yaml
index 9088190..0f83722 100644
--- a/chains/chains-config.yaml
+++ b/chains/chains-config.yaml
@@ -14,5 +14,5 @@ data:
 artifacts.pipelinerun.storage: tekton
 artifacts.pipelinerun.signer: x509
 artifacts.oci.storage: tekton
- artifacts.oci.signer: x509
+ artifacts.oci.signer: ""
 builder.id: http://tekton.internal.jpace121.net
diff --git a/images/Dockerfile_buildah b/images/Dockerfile_buildah
new file mode 100644
index 0000000..b557b05
--- /dev/null
+++ b/images/Dockerfile_buildah
@@ -0,0 +1,6 @@
+FROM quay.io/buildah/upstream:latest
+
+# Add skopeo.
+RUN dnf install -y skopeo \
+ --exclude container-selinux \
+ --enablerepo=updates-testing
\ No newline at end of file
diff --git a/pipelines/simple-ros-pipeline.yaml b/pipelines/simple-ros-pipeline.yaml
new file mode 100644
index 0000000..735a8f1
--- /dev/null
+++ b/pipelines/simple-ros-pipeline.yaml
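Review bot: Setting `artifacts.oci.signer` to `""` turns off Chains' own OCI signing without saying where image signatures now come from, and the file keeps `artifacts.oci.storage: tekton` as if OCI artifacts were still handled; a comment above the key, such as `# OCI images are signed in-task (skopeo --sign-by-sigstore in tasks/j7s-buildah.yaml); Chains still signs PipelineRun/TaskRun provenance.`, would record the intent. I am not certain an empty signer is an accepted value for the deployed Chains version — the documented way to disable OCI signing that I recall is `artifacts.oci.storage: ""` — so it is worth confirming that the controller does not log errors or fall back to a default signer for this setting.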
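Review bot: `FROM quay.io/buildah/upstream:latest` combined with `--enablerepo=updates-testing` makes the image that will hold the cosign private key and perform the signing unreproducible, because both `latest` and the testing repository resolve to different content on each build. Pin the base by digest (`FROM quay.io/buildah/upstream@sha256:<digest>`, placeholder) and, if the testing repo is only needed for a particular skopeo build, say so in the comment above `RUN`, e.g. `# updates-testing is needed for skopeo <version>; drop once it reaches stable.`. The same unpinned-tag concern applies to `image: 192.168.1.149:8443/buildah:latest` in tasks/j7s-buildah.yaml, which is presumably the image this Dockerfile produces.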
@@ -0,0 +1,63 @@
+# A pipeline to build the simple ros test containers.
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: simple-ros-pipeline
+ namespace: j7s-ci
+spec:
+ description: Build a image with a simple ros image.
+ workspaces:
+ - name: shared-data
+ - name: git-credentials
+ - name: cosign-credentials
+ tasks:
+ - name: ros-clone
+ workspaces:
+ - name: output
+ workspace: shared-data
+ - name: ssh-directory
+ workspace: git-credentials
+ params:
+ - name: url
+ value: ssh://git.jpace121.net:2222/tests/j7s-simple-ws
+ - name: branch
+ value: master
+ - name: repos-file
+ value: source.repos
+ taskRef:
+ name: j7s-ros-clone
+ - name: image-build
+ runAfter: ["ros-clone"]
+ workspaces:
+ - name: source
+ workspace: shared-data
+ - name: cosign-credentials
+ workspace: cosign-credentials
+ params:
+ - name: registry
+ value: 192.168.1.149:8443
+ - name: name
+ value: simple-ros
+ - name: version
+ value: 0.1
+ - name: containerfile
+ value: ./docker/Dockerfile
+ taskRef:
+ name: j7s-buildah
+ results:
+ - name: image-ARTIFACT_OUTPUTS
+ type: object
+ value:
+ uri: $(tasks.image-build.results.image-ARTIFACT_OUTPUTS.uri)
+ digest: $(tasks.image-build.results.image-ARTIFACT_OUTPUTS.digest)
+ - name: commit-ARTIFACT_INPUTS
+ type: object
+ value:
+ uri: $(tasks.ros-clone.results.workspace-git-commit-ARTIFACT_OUTPUTS.uri)
+ digest: $(tasks.ros-clone.results.workspace-git-commit-ARTIFACT_OUTPUTS.digest)
+ - name: vcs-exact-file-ARTIFACT_INPUTS
+ type: object
+ value:
+ uri: $(tasks.ros-clone.results.vcs-exact-file-ARTIFACT_OUTPUTS.uri)
+ digest: $(tasks.ros-clone.results.vcs-exact-file-ARTIFACT_OUTPUTS.digest)
\ No newline at end of file
diff --git a/runs/simple-ros-pipeline.yaml b/runs/simple-ros-pipeline.yaml
new file mode 100644
index 0000000..00b5509
--- /dev/null
+++ b/runs/simple-ros-pipeline.yaml
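Review bot: `value: 0.1` under the `version` param is parsed as a YAML float rather than a string; it happens to round-trip today, but a later `0.10` or `1.0` would likely reach the task as `0.1` or `1` and produce a wrong image tag, so quote it: `value: "0.1"`. The description `Build a image with a simple ros image.` is also hard to read; something like `Build and push the simple ROS test image.` would say what the pipeline does.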
@@ -0,0 +1,23 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ generateName: simple-ros-pipeline-
+ namespace: j7s-ci
+spec:
+ pipelineRef:
+ name: simple-ros-pipeline
+ workspaces:
+ - name: shared-data
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ - name: git-credentials
+ secret:
+ secretName: git-credentials
+ - name: cosign-credentials
+ secret:
+ secretName: container-signing-secret
\ No newline at end of file
diff --git a/scripts/debug-pod.yaml b/scripts/debug-pod.yaml
new file mode 100644
index 0000000..54fb138
--- /dev/null
+++ b/scripts/debug-pod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: jimmy-debug-pod
+ namespace: j7s-ci
+spec:
+ containers:
+ - image: docker.io/debian:bullseye-slim
+ name: jimmy-debug-pod
+ command: ["tail"]
+ args: ["-f", "/dev/null"]
+ volumeMounts:
+ - mountPath: /pvc
+ name: pvc-mount
+ volumes:
+ - name: pvc-mount
+ persistentVolumeClaim:
+ claimName: pvc-3244e44354
\ No newline at end of file
diff --git a/scripts/registry/list-tags.sh b/scripts/registry/list-tags.sh
index 5fe4689..1a04f05 100644
--- a/scripts/registry/list-tags.sh
+++ b/scripts/registry/list-tags.sh
@@ -1 +1 @@
-skopeo list-tags docker://192.168.1.128:8443/j7s-os-deploy
+skopeo list-tags docker://192.168.1.149:8443/simple-ros
diff --git a/tasks/j7s-buildah.yaml b/tasks/j7s-buildah.yaml
new file mode 100644
index 0000000..0a784bb
--- /dev/null
+++ b/tasks/j7s-buildah.yaml
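Review bot: `claimName: pvc-3244e44354` in scripts/debug-pod.yaml looks like the generated name of one PipelineRun's `volumeClaimTemplate` PVC, so this manifest stops mounting anything as soon as that run is cleaned up, and nothing in the file says it has to be edited first. A comment above the claim, e.g. `# Replace with the PVC of the PipelineRun to inspect (kubectl get pvc -n j7s-ci); the claim is deleted with the run.`, would make the intent clear. The pod also carries no `securityContext`, so it runs as whatever the image defaults to (root for debian) with the CI workspace mounted at `/pvc`; worth noting that this is a throwaway debugging aid, not something to leave deployed.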
@@ -0,0 +1,84 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: j7s-buildah
+ namespace: j7s-ci
+spec:
+ description: Build and push a container image.
+ params:
+ - name: registry
+ description: Registry to push to.
+ - name: name
+ description: Name of the image.
+ - name: version
+ description: Version for the image.
+ - name: containerfile
+ description: Path of the Containerfile relative to source.
+ workspaces:
+ - name: source
+ - name: cosign-credentials
+ steps:
+ - name: build
+ image: 192.168.1.149:8443/buildah:latest
+ workingDir: $(workspaces.source.path)
+ script: |
+ set -x
+ # Login
+ buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
+ mkdir ~/.sigstore
+ cp $(workspaces.cosign-credentials.path)/* ~/.sigstore
+ cat < ~/.sigstore/param-file.yaml
+ privateKeyFile: "$HOME/.sigstore/cosign.key"
+ privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
+ EOF
+ mkdir -p /etc/containers/registries.d/
+ cat < /etc/containers/registries.d/james-registry.yaml
+ docker:
+ $(params.registry):
+ use-sigstore-attachments: true
+ EOF
+ # Build
+ buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
+ -f $(params.containerfile) -t $(params.name):$(params.version) .
+ # Push
+ skopeo copy --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
+ containers-storage:localhost/$(params.name):$(params.version) \
+ docker://$(params.registry)/$(params.name):$(params.version)
+ skopeo copy --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
+ containers-storage:localhost/$(params.name):$(params.version) \
+ docker://$(params.registry)/$(params.name):latest
+ # Indicate results.
+ HASH=`skopeo inspect containers-storage:localhost/$(params.name):$(params.version) --format={{.Digest}}`
+ cat < $(results.image-ARTIFACT_OUTPUTS.path)
+ {
+ "uri": "$(params.registry)/$(params.name):$(params.version)",
+ "digest": "$HASH"
+ }
+ env:
+ - name: USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: registry-login-secret
+ key: username
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: registry-login-secret
+ key: password
+ volumeMounts:
+ - name: varlibcontainers
+ mountPath: /var/lib/containers
+ securityContext:
+ privileged: true
+ volumes:
+ - name: varlibcontainers
+ emptyDir: {}
+ results:
+ - name: image-ARTIFACT_OUTPUTS
+ type: object
+ properties:
+ uri:
+ type: string
+ digest:
+ type: string
\ No newline at end of file
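Review bot: `set -x` on the first line of the `build` step script makes the following `buildah login ... --password=$PASSWORD` call print the registry password, fully expanded, into the TaskRun log; feed it on stdin instead, `buildah login --tls-verify=false --username="$USERNAME" --password-stdin $(params.registry) <<<"$PASSWORD"`, which xtrace does not echo. The digest written to `image-ARTIFACT_OUTPUTS` comes from `skopeo inspect containers-storage:...`, i.e. the local copy, and skopeo may recompress layers when pushing so the manifest digest in the registry can differ from it; add `--digestfile /tmp/image.digest` to the first `skopeo copy` and set `HASH=$(cat /tmp/image.digest)` so the recorded digest is the one that was actually signed and pushed, which is what the provenance is meant to pin. Every registry call passes `--tls-verify=false` or `--dest-tls-verify=false`, so the login credentials and the signed image travel over an unverified connection; placing the registry CA under `/etc/containers/certs.d/<registry>/` (placeholder) in the buildah image would let those flags go. The `cat <` lines that are followed by `EOF` read like heredocs (`cat <<EOF >`) whose operators were lost in rendering, and the last one, writing the results file, has no `EOF` terminator at all — if that is the real text, the heredoc runs to the end of the script, which bash accepts with a warning but which breaks the moment another line is appended. The cosign private key and passphrase are also copied into the same `privileged: true` container that runs the Containerfile build; if the setup allows it, do the `skopeo copy --sign-by-sigstore` in a separate unprivileged step that is the only one to mount `cosign-credentials`.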