diff --git a/tekton/README.md b/tekton/README.md
new file mode 100644
index 0000000..9a8ddd6
--- /dev/null
+++ b/tekton/README.md
@@ -0,0 +1,80 @@ +# Multi-architecture Tekton Pipeline + +## Share RHEL SCA entitlement with Tekton Pipelines + +```sh +oc create -f - < gitconfig < Buildah" + buildah version + echo + echo "---> bash" + bash --version + echo + echo "---> OS" + cat /etc/redhat-release + echo + echo "---> Host" + uname -a + echo + echo "---> Current user" + id + echo + + # Checks if etc-pki-entitlement workspace is bound + if [[ "$(workspaces.etc-pki-entitlement.bound)" == "true" ]]; then + echo "---> Entitlement certificates" + ls -lL /etc/pki/entitlement/*.pem + echo + fi + + # Handle registry credentials + if [[ "$(workspaces.dockerconfig.bound)" == "true" ]]; then + if test -f "$(workspaces.dockerconfig.path)/config.json"; then + export DOCKER_CONFIG="$(workspaces.dockerconfig.path)" + elif test -f "$(workspaces.dockerconfig.path)/.dockerconfigjson"; then + cp "$(workspaces.dockerconfig.path)/.dockerconfigjson" "$HOME/.docker/config.json" + export DOCKER_CONFIG="$HOME/.docker" + else + echo "neither 'config.json' nor '.dockerconfigjson' found at workspace root" + exit 1 + fi + fi + + echo "=== Build ===" + echo "---> Building image for $(uname -m)" + declare -a BUILDAH_OPTS=( ) + BUILDAH_OPTS+=( "-f" "$(workspaces.source-workspace.path)/$(params.containerfile-path)" ) + BUILDAH_OPTS+=( "--no-cache" ) + BUILDAH_OPTS+=( "-t" "localhost/image:$(uname -m)" ) + BUILDAH_OPTS+=( "$(workspaces.source-workspace.path)/$(params.context-dir)" ) + if [ -n "${OVERRIDE_FROM:-}" ]; then + echo "Overriding FROM instruction with: $OVERRIDE_FROM" + BUILDAH_OPTS+=( "--from" "$OVERRIDE_FROM" ) + fi + buildah build "${BUILDAH_OPTS[@]}" + + echo "=== Export as tar archive ===" + buildah push localhost/image:$(uname -m) oci-archive:/srv/oci-images/$(uname -m).tar + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - name: container-storage + mountPath: /var/lib/containers 
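Review bot: In the build step's script, `$(params.containerfile-path)` and `$(params.context-dir)` are substituted by Tekton into the script text before bash runs, so a value containing a double quote or `$(...)` becomes part of the script instead of an argument. task-git.yaml in this same commit avoids this by passing every param through `env` (`PARAMS_URL` and so on); the same pattern here would be two `env` entries and `BUILDAH_OPTS+=( "-f" "$(workspaces.source-workspace.path)/${CONTAINERFILE_PATH}" )`, and likewise for the context directory. The same substitution appears in task-buildah-push.yaml (`docker://$(params.image-name)`, also unquoted) and in task-flightctl-update-digest.yaml (`$(params.new-image-digest)`). The file header of this Task is not visible: text appears to have been lost between the README heredoc and the script, so the start of the step is outside what can be reviewed.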
diff --git a/tekton/common/task-buildah-push.yaml b/tekton/common/task-buildah-push.yaml
new file mode 100644
index 0000000..81a34bf
--- /dev/null
+++ b/tekton/common/task-buildah-push.yaml
@@ -0,0 +1,87 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ annotations:
+ io.openshift.builder: 'true'
+ name: buildah-push
+spec:
+ params:
+ - name: image-name
+ type: string
+ - name: architectures
+ type: array
+ results:
+ - name: image-digest
+ description: The digest of the built image
+ workspaces:
+ - name: oci-images
+ mountPath: /srv/oci-images
+ - description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json or .dockerconfigjson.
+ name: dockerconfig
+ optional: true
+ volumes:
+ - name: container-storage
+ emptyDir: {}
+ steps:
+ - name: push
+ image: registry.redhat.io/rhel9/buildah:9.6
+ env:
+ - name: STORAGE_DRIVER
+ value: vfs
+ args:
+ - "$(params.architectures[*])"
+ script: |
+ #!/bin/bash
+ set -Eeuo pipefail
+
+ # If debug is enabled, print out command that are executed
+ if [[ "${SCRIPT_DEBUG:-false}" == "true" ]]; then
+ set -x
+ fi
+
+ # Print versions of the program we use
+ echo "=== Environment ==="
+ echo "---> Buildah"
+ buildah version
+ echo
+ echo "---> bash"
+ bash --version
+ echo
+ echo "---> OS"
+ cat /etc/redhat-release
+ echo
+ echo "---> Current user"
+ id
+ echo
+
+ # Handle registry credentials
+ if [[ "$(workspaces.dockerconfig.bound)" == "true" ]]; then
+ if test -f "$(workspaces.dockerconfig.path)/config.json"; then
+ export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
+ elif test -f "$(workspaces.dockerconfig.path)/.dockerconfigjson"; then
+ cp "$(workspaces.dockerconfig.path)/.dockerconfigjson" "$HOME/.docker/config.json"
+ export DOCKER_CONFIG="$HOME/.docker"
+ else
+ echo "neither 'config.json' nor '.dockerconfigjson' found at workspace root"
+ exit 1
+ fi
+ fi
+
+ echo "=== Load container images from tar archives ==="
+ declare -a iids=()
+ for arch; do
+ echo "Loading image for architecture $arch..."
+ iid=$(buildah pull oci-archive:/srv/oci-images/$arch.tar)
+ iids+=("$iid")
+ done
+
+ echo "=== Create and push multi-arch manifest ==="
+ buildah manifest create localhost/multi-arch-image "${iids[@]}"
+ buildah manifest push --all localhost/multi-arch-image "--digestfile=$(results.image-digest.path)" docker://$(params.image-name)
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ volumeMounts:
+ - name: container-storage
+ mountPath: /var/lib/containers
diff --git a/tekton/common/task-flightctl-update-digest.yaml b/tekton/common/task-flightctl-update-digest.yaml
new file mode 100644
index 0000000..b17dbeb
--- /dev/null
+++ b/tekton/common/task-flightctl-update-digest.yaml
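Review bot: The `.dockerconfigjson` branch of the push step copies the credentials to `$HOME/.docker/config.json` without creating `$HOME/.docker` first, so under `set -e` the step fails at the `cp` unless the buildah image happens to ship that directory. Adding `mkdir -p "$HOME/.docker"` on the line before the `cp` covers it, and `chmod 600 "$HOME/.docker/config.json"` afterwards keeps the copied registry token private to the step user. The identical branch in the buildah build step script needs the same line.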
@@ -0,0 +1,83 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: flightctl-update-digest
+spec:
+ params:
+ - name: new-image-digest
+ type: string
+ - description: The label selector to identify the fleet(s) to update.
+ name: fleet-label-selector
+ type: string
+ default: ""
+ workspaces:
+ - description: An optional workspace that contains the flightctl configuration file (client.yaml).
+ name: flightctl-config
+ optional: true
+ steps:
+ - name: flightctl-update-digest
+ image: quay.io/nmasse-redhat/flightctl:latest
+ env:
+ - name: SCRIPT_DEBUG
+ value: "false"
+ - name: FLEET_LABEL_SELECTOR
+ value: "$(params.fleet-label-selector)"
+ script: |
+ #!/bin/bash
+ set -Eeuo pipefail
+
+ # If debug is enabled, print out command that are executed
+ if [[ "${SCRIPT_DEBUG:-false}" == "true" ]]; then
+ set -x
+ fi
+
+ # Check if the fleet label selector is set
+ if [ -z "${FLEET_LABEL_SELECTOR}" ]; then
+ echo "FLEET_LABEL_SELECTOR is not set. No action taken."
+ exit 0
+ fi
+
+ # Print versions of the program we use
+ echo "=== Environment ==="
+ echo "---> flightctl"
+ flightctl version
+ echo
+ echo "---> bash"
+ bash --version
+ echo
+ echo "---> OS"
+ cat /etc/redhat-release
+ echo
+ echo "---> yq"
+ yq --version
+ echo
+ echo "---> Current user"
+ id
+ echo
+ echo "---> flightctl"
+ flightctl version
+ echo
+
+ # List fleets matching the label selector and update their image to the new digest
+ flightctl --config-dir $(workspaces.flightctl-config.path) get fleets --limit 0 -l "${FLEET_LABEL_SELECTOR}" -o name | while read -r fleet; do
+ echo "Updating fleet $fleet to image digest $(params.new-image-digest)"
+
+ # Get the current fleet definition
+ flightctl --config-dir $(workspaces.flightctl-config.path) get fleet/$fleet -o yaml > /tmp/fleet.yaml
+
+ # Extract the current image from the fleet definition
+ CURRENT_IMAGE="$(yq eval '.spec.template.spec.os.image' /tmp/fleet.yaml)"
+
+ # Splits the CURRENT_IMAGE on the "@" or ":" character and takes the first part (the image name without tag or digest)
+ # Using only bash built-in features to avoid dependencies on other tools
+ IMAGE_NAME="${CURRENT_IMAGE%%[@:]*}"
+
+ # Construct the new image with the new digest
+ NEW_IMAGE="${IMAGE_NAME}@$(params.new-image-digest)"
+
+ # Update the fleet definition with the new image
+ yq eval -i ".spec.template.spec.os.image = \"$NEW_IMAGE\"" /tmp/fleet.yaml
+
+ # Apply the updated fleet definition
+ flightctl --config-dir $(workspaces.flightctl-config.path) apply -f /tmp/fleet.yaml
+ done
diff --git a/tekton/common/task-git.yaml b/tekton/common/task-git.yaml
new file mode 100644
index 0000000..ca440e6
--- /dev/null
+++ b/tekton/common/task-git.yaml
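Review bot: `IMAGE_NAME="${CURRENT_IMAGE%%[@:]*}"` cuts at the first `:` or `@`, so a fleet whose image lives on a registry with a port (`host:5000/ns/img:tag`) is rewritten to `host@sha256:...` and that reference is then applied to every matching fleet. Stripping the digest first and the tag only from the last path component avoids this: `IMAGE_NAME="${CURRENT_IMAGE%%@*}"` followed by `[[ "${IMAGE_NAME##*/}" == *:* ]] && IMAGE_NAME="${IMAGE_NAME%:*}"`. Since the result is pushed to devices, the step should also refuse a malformed digest before the loop, for example by putting the param in an env var and testing it against `^sha256:[0-9a-f]{64}$`. The workspace is declared optional, yet `--config-dir $(workspaces.flightctl-config.path)` is used unconditionally and unquoted.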
@@ -0,0 +1,251 @@ +--- +# Source: task-git/templates/task.yaml +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: git + labels: + app.kubernetes.io/version: 0.2.0 + annotations: + tekton.dev/source: "https://github.com/openshift-pipelines/task-git" + tekton.dev/categories: Git + tekton.dev/displayName: git + tekton.dev/pipelines.minVersion: 0.41.0 + tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 + tekton.dev/tags: git +spec: + description: | + This Task represents Git and is able to initialize and clone a remote repository on the informed Workspace. It's likely to become the first `step` on a Pipeline. + + workspaces: + - name: output + description: | + The Git repository directory, data will be placed on the root of the + Workspace, or on the relative path defined by the SUBDIRECTORY + parameter. + - name: ssh-directory + optional: true + description: | + A `.ssh` directory with private key, `known_hosts`, `config`, etc. + Copied to the Git user's home before cloning the repository, in order to + server as authentication mechanismBinding a Secret to this Workspace is + strongly recommended over other volume types. + - name: basic-auth + optional: true + description: | + A Workspace containing a `.gitconfig` and `.git-credentials` files. + These will be copied to the user's home before Git commands run. All + other files in this Workspace are ignored. It is strongly recommended to + use `ssh-directory` over `basic-auth` whenever possible, and to bind a + Secret to this Workspace over other volume types. + - name: ssl-ca-directory + optional: true + description: | + A Workspace containing CA certificates, this will be used by Git to + verify the peer with when interacting with remote repositories using + HTTPS. + + params: + - name: URL + type: string + description: | + Git repository URL. + - name: REVISION + type: string + default: main + description: | + Revision to checkout, an branch, tag, sha, ref, etc... 
+ - name: REFSPEC + default: "" + description: | + Repository `refspec` to fetch before checking out the revision. + - name: SUBMODULES + type: string + default: "true" + description: | + Initialize and fetch Git submodules. + - name: DEPTH + type: string + default: "1" + description: | + Number of commits to fetch, a "shallow clone" is a single commit. + - name: SSL_VERIFY + type: string + default: "true" + description: | + Sets the global `http.sslVerify` value, `false` is not advised unless + you trust the remote repository. + - name: CRT_FILENAME + type: string + default: ca-bundle.crt + description: | + Certificate Authority (CA) bundle filename on the `ssl-ca-directory` + Workspace. + - name: SUBDIRECTORY + type: string + default: "" + description: | + Relative path to the `output` Workspace where the repository will be + cloned. + - name: SPARSE_CHECKOUT_DIRECTORIES + type: string + default: "" + description: | + List of directory patterns split by comma to perform "sparse checkout". + - name: DELETE_EXISTING + type: string + default: "true" + description: | + Clean out the contents of the `output` Workspace before cloning the + repository, if data exists. + - name: HTTP_PROXY + type: string + default: "" + description: | + HTTP proxy server (non-TLS requests). + - name: HTTPS_PROXY + type: string + default: "" + description: | + HTTPS proxy server (TLS requests). + - name: NO_PROXY + type: string + default: "" + description: | + Opt out of proxying HTTP/HTTPS requests. + - name: VERBOSE + type: string + default: "false" + description: | + Log the commands executed. + - name: USER_HOME + type: string + default: "/home/git" + description: | + Absolute path to the Git user home directory. + + results: + - name: COMMIT + description: | + The precise commit SHA digest cloned. + - name: URL + description: | + The precise repository URL. + - name: COMMITTER_DATE + description: | + The epoch timestamp of the commit cloned. 
+ + volumes: + - name: user-home + emptyDir: {} + - name: scripts-dir + emptyDir: {} + + stepTemplate: + env: + + - name: PARAMS_URL + value: "$(params.URL)" + - name: PARAMS_REVISION + value: "$(params.REVISION)" + - name: PARAMS_REFSPEC + value: "$(params.REFSPEC)" + - name: PARAMS_SUBMODULES + value: "$(params.SUBMODULES)" + - name: PARAMS_DEPTH + value: "$(params.DEPTH)" + - name: PARAMS_SSL_VERIFY + value: "$(params.SSL_VERIFY)" + - name: PARAMS_CRT_FILENAME + value: "$(params.CRT_FILENAME)" + - name: PARAMS_SUBDIRECTORY + value: "$(params.SUBDIRECTORY)" + - name: PARAMS_SPARSE_CHECKOUT_DIRECTORIES + value: "$(params.SPARSE_CHECKOUT_DIRECTORIES)" + - name: PARAMS_DELETE_EXISTING + value: "$(params.DELETE_EXISTING)" + - name: PARAMS_HTTP_PROXY + value: "$(params.HTTP_PROXY)" + - name: PARAMS_HTTPS_PROXY + value: "$(params.HTTPS_PROXY)" + - name: PARAMS_NO_PROXY + value: "$(params.NO_PROXY)" + - name: PARAMS_VERBOSE + value: "$(params.VERBOSE)" + - name: PARAMS_USER_HOME + value: "$(params.USER_HOME)" + - name: WORKSPACES_OUTPUT_PATH + value: "$(workspaces.output.path)" + - name: WORKSPACES_SSH_DIRECTORY_BOUND + value: "$(workspaces.ssh-directory.bound)" + - name: WORKSPACES_SSH_DIRECTORY_PATH + value: "$(workspaces.ssh-directory.path)" + - name: WORKSPACES_BASIC_AUTH_BOUND + value: "$(workspaces.basic-auth.bound)" + - name: WORKSPACES_BASIC_AUTH_PATH + value: "$(workspaces.basic-auth.path)" + - name: WORKSPACES_SSL_CA_DIRECTORY_BOUND + value: "$(workspaces.ssl-ca-directory.bound)" + - name: WORKSPACES_SSL_CA_DIRECTORY_PATH + value: "$(workspaces.ssl-ca-directory.path)" + - name: RESULTS_COMMITTER_DATE_PATH + value: "$(results.COMMITTER_DATE.path)" + - name: RESULTS_COMMIT_PATH + value: "$(results.COMMIT.path)" + - name: RESULTS_URL_PATH + value: "$(results.URL.path)" + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + runAsNonRoot: true + runAsUser: 65532 + + steps: + - name: load-scripts + image: 
registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14 + workingDir: /scripts + script: | + printf '%s' "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" |base64 -d >common.sh + chmod +x "common.sh" + printf '%s' "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" |base64 -d >git-clone.sh + chmod +x "git-clone.sh" + printf '%s' "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" |base64 -d >prepare.sh + chmod +x "prepare.sh" + printf '%s' "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" |base64 -d >report.sh + chmod +x "report.sh" + volumeMounts: + - name: scripts-dir + mountPath: /scripts + + - name: prepare + image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14 + command: + - /scripts/prepare.sh + volumeMounts: + - name: scripts-dir + mountPath: /scripts + - name: user-home + mountPath: $(params.USER_HOME) + + - name: git-clone + image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14 + command: + - /scripts/git-clone.sh + volumeMounts: + - name: scripts-dir + mountPath: /scripts + - name: user-home + mountPath: $(params.USER_HOME) + + - name: report + image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14 + command: + - /scripts/report.sh + volumeMounts: + - name: scripts-dir + mountPath: /scripts diff --git a/tekton/flightctl-image/Containerfile b/tekton/flightctl-image/Containerfile index 88cc0f4..a5184be 100644 --- a/tekton/flightctl-image/Containerfile +++ b/tekton/flightctl-image/Containerfile 
@@ -5,8 +5,10 @@ set -Eeuo pipefail echo "Disabling Subscription Manager..." echo -e "[main]\nenabled=0" > /etc/dnf/plugins/subscription-manager.conf echo "Installing flightctl..." -curl -sSfL -o /etc/yum.repos.d/flightctl-copr.repo https://copr.fedorainfracloud.org/coprs/g/redhat-et/flightctl/repo/rhel-9/group_redhat-et-flightctl-rhel-9.repo -dnf install -y flightctl +dnf install -y https://download.copr.fedorainfracloud.org/results/%40redhat-et/flightctl/epel-9-$(arch)/09523645-flightctl/flightctl-cli-0.9.3-1.el9.$(arch).rpm +echo "Installing yq (from EPEL)..." +dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm +dnf install -y yq echo "Cleaning up..." dnf clean all EOF diff --git a/tekton/flightctl-image/build.sh b/tekton/flightctl-image/build.sh old mode 100644 new mode 100755 index 5179ca8..ee3e1af --- a/tekton/flightctl-image/build.sh +++ b/tekton/flightctl-image/build.sh 
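Review bot: Both new `dnf install -y https://...rpm` lines install packages given as URLs, and dnf's GPG check for command-line packages (`localpkg_gpgcheck`) is off by default, so the flightctl-cli and epel-release RPMs are accepted with transport security only; the removed repo-file approach would normally have gone through the repository's `gpgcheck` setting. Importing the signing keys first and adding `--setopt=localpkg_gpgcheck=1` to these two installs, or verifying a recorded SHA-256 of each downloaded file before installing, restores that check. `epel-release-latest-9.noarch.rpm` is also unpinned, unlike the flightctl build it sits next to. The heredoc these lines belong to starts above the hunk.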
@@ -2,13 +2,39 @@ set -euo pipefail +TARGET_IMAGE="quay.io/nmasse-redhat/flightctl:latest" +SOURCE_IMAGE="registry.access.redhat.com/ubi9/ubi:latest" +SOURCE_REF=ubi9 +TARGET_REF=flightctl + echo "Logging into quay.io..." podman login quay.io -echo "Building and pushing the flightctl image..." -podman build -t quay.io/nmasse-redhat/flightctl:latest . -podman push quay.io/nmasse-redhat/flightctl:latest +echo "Pulling source image $SOURCE_IMAGE for x86_64..." +podman rmi -i "$SOURCE_IMAGE" +podman pull --platform linux/amd64 "$SOURCE_IMAGE" +podman tag "$SOURCE_IMAGE" "localhost/$SOURCE_REF-x86_64" +podman rmi -i "$SOURCE_IMAGE" + +echo "Pulling source image $SOURCE_IMAGE for aarch64..." +podman pull --platform linux/arm64/v8 "$SOURCE_IMAGE" +podman tag "$SOURCE_IMAGE" "localhost/$SOURCE_REF-aarch64" +podman rmi -i "$SOURCE_IMAGE" + +echo "Building target image $TARGET_IMAGE for x86_64 architecture..." +buildah build --platform linux/amd64 -t localhost/$TARGET_REF-x86_64 --from "localhost/$SOURCE_REF-x86_64" . + +echo "Building target image $TARGET_IMAGE for aarch64 architecture..." +buildah build --platform linux/arm64/v8 -t localhost/$TARGET_REF-aarch64 --from "localhost/$SOURCE_REF-aarch64" . + +echo "Creating multi-arch manifest..." +if podman manifest exists localhost/$TARGET_REF; then + podman manifest rm localhost/$TARGET_REF +fi +podman manifest create localhost/$TARGET_REF +podman manifest add localhost/$TARGET_REF localhost/$TARGET_REF-x86_64 +podman manifest add localhost/$TARGET_REF localhost/$TARGET_REF-aarch64 -echo "Build and push completed successfully." -echo "Image available at: https://quay.io/repository/nmasse-redhat/flightctl?tab=tags" -exit 0 +echo "pushing to $TARGET_IMAGE..." +read -p "Press enter to continue " +podman manifest push --all --format v2s2 localhost/$TARGET_REF "docker://$TARGET_IMAGE" diff --git a/tekton/pipeline.yaml b/tekton/pipeline.yaml new file mode 100644 index 0000000..55b7811 --- /dev/null +++ b/tekton/pipeline.yaml 
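Review bot: Both ends of this build are mutable tags: `SOURCE_IMAGE` is `ubi9/ubi:latest` and the result is pushed as `flightctl:latest`, which task-flightctl-update-digest.yaml then runs by tag in a step that has the flightctl client configuration workspace mounted. Recording the pushed digest, for instance by adding `--digestfile flightctl.digest` to the final `podman manifest push`, would let that Task reference the image by digest the way task-git.yaml pins `pipelines-git-init-rhel8@sha256:...`. Smaller points on the same lines: `read -p` lacks `-r`, and `localhost/$TARGET_REF` is expanded unquoted throughout. The top of the script is outside the hunk.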
@@ -0,0 +1,138 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: bootc
+spec:
+
+ workspaces:
+ - name: source-workspace
+ description: Workspace containing source code (from git)
+ - name: oci-images
+ description: Workspace for storing OCI images temporarily as tar files before pushing to a registry
+ - name: registry-token
+ description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json or .dockerconfigjson.
+ optional: true
+ - name: git-auth
+ description: An optional workspace that allows providing SSH keys or .gitconfig file for git authentication. The SSH keys should be placed at the root of the Workspace with names id_rsa and id_rsa.pub. The .gitconfig file should also be placed at the root of the Workspace with name .gitconfig.
+ optional: true
+ - name: flightctl-config
+ description: An optional workspace that contains the flightctl configuration file (client.yaml).
+ optional: true
+ - name: etc-pki-entitlement-x86_64
+ description: A workspace that provides access to the Red Hat entitlement certificate for pulling Red Hat UBI and RHEL container images, for x86_64 architecture.
+ optional: true
+ - name: etc-pki-entitlement-aarch64
+ description: A workspace that provides access to the Red Hat entitlement certificate for pulling Red Hat UBI and RHEL container images, for aarch64 architecture.
+ optional: true
+
+ params:
+ - name: git-url
+ type: string
+ - name: git-revision
+ type: string
+ default: main
+ - name: image-name
+ type: string
+ - name: override-from
+ description: Replaces the "FROM" instruction in the Containerfile with this value if set.
+ type: string
+ default: ""
+ - name: context-dir
+ type: string
+ default: "."
+ - name: containerfile-path
+ type: string
+ default: "Containerfile"
+ - name: fleet-label-selector
+ description: The label selector to identify the fleet(s) to update. If not provided, no fleets will be updated!
+ type: string
+ default: ""
+
+ tasks:
+
+ - name: clone-repo
+ taskRef:
+ kind: Task
+ name: git
+ params:
+ - name: URL
+ value: $(params.git-url)
+ - name: REVISION
+ value: $(params.git-revision)
+ workspaces:
+ - name: output
+ workspace: source-workspace
+ - name: basic-auth
+ workspace: git-auth
+
+ - name: build-x86-64
+ runAfter: ["clone-repo"]
+ taskRef:
+ name: buildah-build
+ params:
+ - name: context-dir
+ value: $(params.context-dir)
+ - name: containerfile-path
+ value: $(params.containerfile-path)
+ - name: override-from
+ value: $(params.override-from)
+ workspaces:
+ - name: source-workspace
+ workspace: source-workspace
+ - name: oci-images
+ workspace: oci-images
+ - name: dockerconfig
+ workspace: registry-token
+ - name: etc-pki-entitlement
+ workspace: etc-pki-entitlement-x86_64
+
+ - name: build-aarch64
+ runAfter: ["clone-repo"]
+ taskRef:
+ name: buildah-build
+ params:
+ - name: context-dir
+ value: $(params.context-dir)
+ - name: containerfile-path
+ value: $(params.containerfile-path)
+ - name: override-from
+ value: $(params.override-from)
+ workspaces:
+ - name: source-workspace
+ workspace: source-workspace
+ - name: oci-images
+ workspace: oci-images
+ - name: dockerconfig
+ workspace: registry-token
+ - name: etc-pki-entitlement
+ workspace: etc-pki-entitlement-aarch64
+
+ - name: push-image
+ runAfter: ["build-x86-64", "build-aarch64"]
+ taskRef:
+ name: buildah-push
+ params:
+ - name: image-name
+ value: $(params.image-name)
+ - name: architectures
+ value:
+ - x86_64
+ - aarch64
+ workspaces:
+ - name: oci-images
+ workspace: oci-images
+ - name: dockerconfig
+ workspace: registry-token
+
+ - name: flightctl-update-digest
+ runAfter: ["push-image"]
+ taskRef:
+ name: flightctl-update-digest
+ params:
+ - name: new-image-digest
+ value: $(tasks.push-image.results.image-digest)
+ - name: fleet-label-selector
+ value: "$(params.fleet-label-selector)"
+ workspaces:
+ - name: flightctl-config
+ workspace: flightctl-config
diff --git a/tekton/pipelinerun1.yaml b/tekton/pipelinerun1.yaml
new file mode 100644
index 0000000..3172100
--- /dev/null
+++ b/tekton/pipelinerun1.yaml
@@ -0,0 +1,73 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: bootc-base-
+spec:
+ pipelineRef:
+ name: bootc
+ params:
+ - name: git-url
+ value: https://github.com/nmasse-itix/demo-edge-retail.git
+ - name: git-revision
+ value: main
+ - name: image-name
+ value: quay.io/nmasse-redhat/demo-edge-retail/base:latest
+ - name: context-dir
+ value: bootc/base
+ - name: containerfile-path
+ value: "bootc/base/Containerfile"
+ workspaces:
+ - name: oci-images
+ volumeClaimTemplate:
+ spec:
+ storageClassName: efs-csi
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 10Gi
+ - name: source-workspace
+ volumeClaimTemplate:
+ spec:
+ storageClassName: efs-csi
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ - name: registry-token
+ secret:
+ secretName: quay-authentication
+ - name: git-auth
+ secret:
+ secretName: github-authentication
+ - name: flightctl-config
+ secret:
+ secretName: flightctl-config
+ - name: etc-pki-entitlement-x86_64
+ secret:
+ secretName: etc-pki-entitlement
+ items:
+ - key: x86_64.pem
+ path: x86_64.pem
+ - key: x86_64-key.pem
+ path: x86_64-key.pem
+ - name: etc-pki-entitlement-aarch64
+ secret:
+ secretName: etc-pki-entitlement
+ items:
+ - key: aarch64.pem
+ path: aarch64.pem
+ - key: aarch64-key.pem
+ path: aarch64-key.pem
+ taskRunTemplate:
+ serviceAccountName: buildbot
+ taskRunSpecs:
+ - pipelineTaskName: build-aarch64
+ podTemplate:
+ nodeSelector:
+ beta.kubernetes.io/arch: arm64
+ tolerations:
+ - key: "emea-open-demo.redhat.com/arm64-architecture"
+ operator: "Exists"
+ effect: "NoSchedule"
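Review bot: The `git-auth` workspace description promises SSH key support (`id_rsa`, `id_rsa.pub`), but `clone-repo` binds it to the git Task's `basic-auth` workspace, which task-git.yaml documents as copying only `.gitconfig` and `.git-credentials` and ignoring every other file. A user who follows the description and mounts a key pair would get an unauthenticated clone with no error pointing at the cause. Either reword the description to name `.gitconfig` and `.git-credentials`, or add a separate workspace bound to `ssh-directory` for key-based access. The `git-revision` default of `main` also means the built image is not tied to a specific commit unless the caller overrides it.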
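Review bot: Only `build-aarch64` is pinned to an architecture in `taskRunSpecs`; `build-x86-64` has no node selector and stays off arm64 nodes only as long as every such node carries the taint tolerated here, which is inferred rather than visible. Because the build step names its output after `uname -m`, an x86 task landing on an arm64 node would write a second `aarch64.tar` and leave `push-image` without `x86_64.tar`. A second `taskRunSpecs` entry for `build-x86-64` with `kubernetes.io/arch: amd64` closes that gap, and `beta.kubernetes.io/arch` should become `kubernetes.io/arch`, the non-deprecated label. Both PipelineRuns in pipelinerun2.yaml carry the same block.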
diff --git a/tekton/pipelinerun2.yaml b/tekton/pipelinerun2.yaml
new file mode 100644
index 0000000..4f930f5
--- /dev/null
+++ b/tekton/pipelinerun2.yaml
@@ -0,0 +1,155 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: bootc-baremetal-
+spec:
+ pipelineRef:
+ name: bootc
+ params:
+ - name: git-url
+ value: https://github.com/nmasse-itix/demo-edge-retail.git
+ - name: git-revision
+ value: main
+ - name: image-name
+ value: quay.io/nmasse-redhat/demo-edge-retail/baremetal:latest
+ - name: context-dir
+ value: bootc/baremetal
+ - name: containerfile-path
+ value: "bootc/baremetal/Containerfile"
+ - name: override-from
+ value: "quay.io/nmasse-redhat/demo-edge-retail/base:latest"
+ - name: fleet-label-selector
+ value: "fleet=store-baremetal"
+ workspaces:
+ - name: oci-images
+ volumeClaimTemplate:
+ spec:
+ storageClassName: efs-csi
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 10Gi
+ - name: source-workspace
+ volumeClaimTemplate:
+ spec:
+ storageClassName: efs-csi
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ - name: registry-token
+ secret:
+ secretName: quay-authentication
+ - name: git-auth
+ secret:
+ secretName: github-authentication
+ - name: flightctl-config
+ secret:
+ secretName: flightctl-config
+ - name: etc-pki-entitlement-x86_64
+ secret:
+ secretName: etc-pki-entitlement
+ items:
+ - key: x86_64.pem
+ path: x86_64.pem
+ - key: x86_64-key.pem
+ path: x86_64-key.pem
+ - name: etc-pki-entitlement-aarch64
+ secret:
+ secretName: etc-pki-entitlement
+ items:
+ - key: aarch64.pem
+ path: aarch64.pem
+ - key: aarch64-key.pem
+ path: aarch64-key.pem
+ taskRunTemplate:
+ serviceAccountName: buildbot
+ taskRunSpecs:
+ - pipelineTaskName: build-aarch64
+ podTemplate:
+ nodeSelector:
+ beta.kubernetes.io/arch: arm64
+ tolerations:
+ - key: "emea-open-demo.redhat.com/arm64-architecture"
+ operator: "Exists"
+ effect: "NoSchedule"
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: bootc-virtualmachine-
+spec:
+ pipelineRef:
+ name: bootc
+ params:
+ - name: git-url
+ value: https://github.com/nmasse-itix/demo-edge-retail.git
+ - name: git-revision
+ value: main
+ - name: image-name
+ value: quay.io/nmasse-redhat/demo-edge-retail/virtualmachine:latest
+ - name: context-dir
+ value: bootc/virtualmachine
+ - name: containerfile-path
+ value: "bootc/virtualmachine/Containerfile"
+ - name: override-from
+ value: "quay.io/nmasse-redhat/demo-edge-retail/base:latest"
+ - name: fleet-label-selector
+ value: "fleet=store-vm-nextcloud"
+ workspaces:
+ - name: oci-images
+ volumeClaimTemplate:
+ spec:
+ storageClassName: efs-csi
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 10Gi
+ - name: source-workspace
+ volumeClaimTemplate:
+ spec:
+ storageClassName: efs-csi
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ - name: registry-token
+ secret:
+ secretName: quay-authentication
+ - name: git-auth
+ secret:
+ secretName: github-authentication
+ - name: flightctl-config
+ secret:
+ secretName: flightctl-config
+ - name: etc-pki-entitlement-x86_64
+ secret:
+ secretName: etc-pki-entitlement
+ items:
+ - key: x86_64.pem
+ path: x86_64.pem
+ - key: x86_64-key.pem
+ path: x86_64-key.pem
+ - name: etc-pki-entitlement-aarch64
+ secret:
+ secretName: etc-pki-entitlement
+ items:
+ - key: aarch64.pem
+ path: aarch64.pem
+ - key: aarch64-key.pem
+ path: aarch64-key.pem
+ taskRunTemplate:
+ serviceAccountName: buildbot
+ taskRunSpecs:
+ - pipelineTaskName: build-aarch64
+ podTemplate:
+ nodeSelector:
+ beta.kubernetes.io/arch: arm64
+ tolerations:
+ - key: "emea-open-demo.redhat.com/arm64-architecture"
+ operator: "Exists"
+ effect: "NoSchedule"
diff --git a/tekton/taskrun.yaml b/tekton/taskrun.yaml
new file mode 100644
index 0000000..8f2bbed
--- /dev/null
+++ b/tekton/taskrun.yaml
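Review bot: In both PipelineRuns `override-from` names the base image by the mutable tag `base:latest`, so the baremetal and virtualmachine images are built on whatever was last pushed under that tag, and nothing visible here orders these runs after the bootc-base run. Because the resulting digest is then rolled out to the fleets selected by `fleet-label-selector`, the base should be identifiable: pass the digest reported by the base run's `push-image` result, in the form `quay.io/nmasse-redhat/demo-edge-retail/base@sha256:<digest-from-base-run>`. The same applies to the `image-name` values ending in `:latest`, although there the pipeline at least forwards the pushed digest to flightctl.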
@@ -0,0 +1,16 @@
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+ generateName: flightctl-update-digest-
+spec:
+ taskRef:
+ name: flightctl-update-digest
+ params:
+ - name: new-image-digest
+ value: "sha256:792784b2fd2ee28e96ed4e73a22814afbb46075cdf352f3487df34bc16e8c166"
+ - name: fleet-label-selector
+ value: "fleet=store-baremetal"
+ workspaces:
+ - name: flightctl-config
+ secret:
+ secretName: flightctl-config