Signed containers with provenance and integration with simple-ros example.

This commit is contained in:
James Pace 2023-02-10 21:31:58 -05:00
parent e09db5ae37
commit e14fa932fa
7 changed files with 196 additions and 2 deletions


@ -14,5 +14,5 @@ data:
artifacts.pipelinerun.storage: tekton artifacts.pipelinerun.storage: tekton
artifacts.pipelinerun.signer: x509 artifacts.pipelinerun.signer: x509
artifacts.oci.storage: tekton artifacts.oci.storage: tekton
artifacts.oci.signer: x509 artifacts.oci.signer: ""
builder.id: http://tekton.internal.jpace121.net builder.id: http://tekton.internal.jpace121.net
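Review bot: Setting `artifacts.oci.signer` to `""` turns off Chains' own signing of the pushed image while `artifacts.pipelinerun.signer` stays `x509`, so the image signature and the provenance attestation now presumably come from two different keys (the cosign key used in-task by tasks/j7s-buildah.yaml and Chains' x509 key), and a verification policy has to trust both roots. That split is not recorded anywhere in the commit; a comment on the changed line would do, e.g. `# OCI signing is done in-task with skopeo --sign-by-sigstore; Chains signs provenance only.`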


@ -0,0 +1,6 @@
FROM quay.io/buildah/upstream:latest
# Add skopeo.
RUN dnf install -y skopeo \
--exclude container-selinux \
--enablerepo=updates-testing
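Review bot: `FROM quay.io/buildah/upstream:latest` is a floating tag, so the builder image that produces the signed artifacts is itself unpinned and every rebuild of this file can silently change the toolchain behind the provenance; pin it by digest, `FROM quay.io/buildah/upstream:latest@sha256:<digest-placeholder>`. Installing skopeo with `--enablerepo=updates-testing` pulls a pre-release package into the signing toolchain; if a released build is available, prefer the stable repo, and append `&& dnf clean all` so repository metadata is not baked into the image.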


@ -0,0 +1,63 @@
# A pipeline to build the simple ros test containers.
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: simple-ros-pipeline
namespace: j7s-ci
spec:
description: Build a image with a simple ros image.
workspaces:
- name: shared-data
- name: git-credentials
- name: cosign-credentials
tasks:
- name: ros-clone
workspaces:
- name: output
workspace: shared-data
- name: ssh-directory
workspace: git-credentials
params:
- name: url
value: ssh://git.jpace121.net:2222/tests/j7s-simple-ws
- name: branch
value: master
- name: repos-file
value: source.repos
taskRef:
name: j7s-ros-clone
- name: image-build
runAfter: ["ros-clone"]
workspaces:
- name: source
workspace: shared-data
- name: cosign-credentials
workspace: cosign-credentials
params:
- name: registry
value: 192.168.1.149:8443
- name: name
value: simple-ros
- name: version
value: 0.1
- name: containerfile
value: ./docker/Dockerfile
taskRef:
name: j7s-buildah
results:
- name: image-ARTIFACT_OUTPUTS
type: object
value:
uri: $(tasks.image-build.results.image-ARTIFACT_OUTPUTS.uri)
digest: $(tasks.image-build.results.image-ARTIFACT_OUTPUTS.digest)
- name: commit-ARTIFACT_INPUTS
type: object
value:
uri: $(tasks.ros-clone.results.workspace-git-commit-ARTIFACT_OUTPUTS.uri)
digest: $(tasks.ros-clone.results.workspace-git-commit-ARTIFACT_OUTPUTS.digest)
- name: vcs-exact-file-ARTIFACT_INPUTS
type: object
value:
uri: $(tasks.ros-clone.results.vcs-exact-file-ARTIFACT_OUTPUTS.uri)
digest: $(tasks.ros-clone.results.vcs-exact-file-ARTIFACT_OUTPUTS.digest)
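Review bot: `value: 0.1` under the `version` param is an unquoted YAML float, so a later bump to `0.10` would be parsed as `0.1` and tag the image wrongly; write it as `value: "0.1"`. The registry value `192.168.1.149:8443` and the ssh URL happen to parse as plain strings today, but quoting them as well keeps the file robust to edits. The pipeline-level results reference `workspace-git-commit-ARTIFACT_OUTPUTS` and `vcs-exact-file-ARTIFACT_OUTPUTS` from the j7s-ros-clone task, which is outside this commit, so those result names cannot be confirmed here.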


@ -0,0 +1,23 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: simple-ros-pipeline-
namespace: j7s-ci
spec:
pipelineRef:
name: simple-ros-pipeline
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: git-credentials
secret:
secretName: git-credentials
- name: cosign-credentials
secret:
secretName: container-signing-secret

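--- a/scripts/debug-pod.yaml
+++ b/scripts/debug-pod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: jimmy-debug-pod
+namespace: j7s-ci
+spec:
+containers:
+- image: docker.io/debian:bullseye-slim
+name: jimmy-debug-pod
+command: ["tail"]
+args: ["-f", "/dev/null"]
+volumeMounts:
+- mountPath: /pvc
+name: pvc-mount
+volumes:
+- name: pvc-mount
+persistentVolumeClaim:
+claimName: pvc-3244e44354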
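Review bot: `claimName: pvc-3244e44354` looks like the generated name of one PipelineRun's volumeClaimTemplate, so this manifest only works until that run is deleted; add a comment above it, `# Replace with the PVC of the PipelineRun being inspected (kubectl get pvc -n j7s-ci).`, or turn the name into something the caller substitutes. The pod also runs without `resources` and from the floating `docker.io/debian:bullseye-slim` tag, which is acceptable for a throwaway debug pod but worth stating in a header comment so the file is not copied into a long-lived manifest.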


@ -1 +1 @@
skopeo list-tags docker://192.168.1.128:8443/j7s-os-deploy skopeo list-tags docker://192.168.1.149:8443/simple-ros

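--- a/tasks/j7s-buildah.yaml
+++ b/tasks/j7s-buildah.yaml
@@ -0,0 +1,84 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+name: j7s-buildah
+namespace: j7s-ci
+spec:
+description: Build and push a container image.
+params:
+- name: registry
+description: Registry to push to.
+- name: name
+description: Name of the image.
+- name: version
+description: Version for the image.
+- name: containerfile
+description: Path of the Containerfile relative to source.
+workspaces:
+- name: source
+- name: cosign-credentials
+steps:
+- name: build
+image: 192.168.1.149:8443/buildah:latest
+workingDir: $(workspaces.source.path)
+script: |
+set -x
+# Login
+buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
+mkdir ~/.sigstore
+cp $(workspaces.cosign-credentials.path)/* ~/.sigstore
+cat <<EOF > ~/.sigstore/param-file.yaml
+privateKeyFile: "$HOME/.sigstore/cosign.key"
+privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
+EOF
+mkdir -p /etc/containers/registries.d/
+cat <<EOF > /etc/containers/registries.d/james-registry.yaml
+docker:
+$(params.registry):
+use-sigstore-attachments: true
+EOF
+# Build
+buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
+-f $(params.containerfile) -t $(params.name):$(params.version) .
+# Push
+skopeo copy --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
+containers-storage:localhost/$(params.name):$(params.version) \
+docker://$(params.registry)/$(params.name):$(params.version)
+skopeo copy --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
+containers-storage:localhost/$(params.name):$(params.version) \
+docker://$(params.registry)/$(params.name):latest
+# Indicate results.
+HASH=`skopeo inspect containers-storage:localhost/$(params.name):$(params.version) --format={{.Digest}}`
+cat <<EOF > $(results.image-ARTIFACT_OUTPUTS.path)
+{
+"uri": "$(params.registry)/$(params.name):$(params.version)",
+"digest": "$HASH"
+}
+env:
+- name: USERNAME
+valueFrom:
+secretKeyRef:
+name: registry-login-secret
+key: username
+- name: PASSWORD
+valueFrom:
+secretKeyRef:
+name: registry-login-secret
+key: password
+volumeMounts:
+- name: varlibcontainers
+mountPath: /var/lib/containers
+securityContext:
+privileged: true
+volumes:
+- name: varlibcontainers
+emptyDir: {}
+results:
+- name: image-ARTIFACT_OUTPUTS
+type: object
+properties:
+uri:
+type: string
+digest:
+type: string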
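Review bot: `set -x` at the top of the build script echoes every expanded command to the step log, so the `buildah login --password=$PASSWORD` line writes the registry password into Tekton's logs; pass it via `--password-stdin` and wrap the login in `set +x` / `set -x`. The `digest` written to image-ARTIFACT_OUTPUTS is read from local containers-storage, which likely differs from the manifest digest the registry stores once skopeo recompresses layers on push, so the provenance would point at a digest that never existed remotely; `skopeo copy --digestfile` records the digest the registry actually accepted. The final `cat <<EOF > $(results.image-ARTIFACT_OUTPUTS.path)` heredoc has no closing `EOF`, so it is delimited only by end of script and the shell warns; add the terminator. The two `--tls-verify=false` flags and `privileged: true` widen the exposure of the signing key copied from the cosign-credentials workspace into the same container that runs an arbitrary Containerfile; consider moving signing into a separate unprivileged step and documenting why TLS verification is off for this registry.
```yaml
    script: |
      set -x
      # Login: keep the password off the command line and out of the xtrace log.
      set +x
      printf '%s' "$PASSWORD" | buildah login --tls-verify=false --username="$USERNAME" --password-stdin $(params.registry)
      set -x
      # … unchanged: sigstore param file and registries.d config …
      # … unchanged: build …
      # Push, recording the digest the registry actually stored.
      skopeo copy --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
        --digestfile /tmp/pushed-digest \
        containers-storage:localhost/$(params.name):$(params.version) \
        docker://$(params.registry)/$(params.name):$(params.version)
      # … unchanged: push of the :latest tag …
      # Indicate results.
      HASH=`cat /tmp/pushed-digest`
      cat <<EOF > $(results.image-ARTIFACT_OUTPUTS.path)
      {
        "uri": "$(params.registry)/$(params.name):$(params.version)",
        "digest": "$HASH"
      }
      EOF
```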