Nicolas Massé 2 months ago
parent
commit
df76feaf2f
  1. 80
      tekton/README.md
  2. 6
      tekton/common/kustomization.yaml
  3. 32
      tekton/common/serviceaccount-buildbot.yaml
  4. 112
      tekton/common/task-buildah-build.yaml
  5. 87
      tekton/common/task-buildah-push.yaml
  6. 83
      tekton/common/task-flightctl-update-digest.yaml
  7. 251
      tekton/common/task-git.yaml
  8. 6
      tekton/flightctl-image/Containerfile
  9. 38
      tekton/flightctl-image/build.sh
  10. 138
      tekton/pipeline.yaml
  11. 73
      tekton/pipelinerun1.yaml
  12. 155
      tekton/pipelinerun2.yaml
  13. 16
      tekton/taskrun.yaml

80
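--- a/tekton/README.md
+++ b/tekton/README.md
@@ -0,0 +1,80 @@
+# Multi-architecture Tekton Pipeline
+## Share RHEL SCA entitlement with Tekton Pipelines
+```sh
+oc create -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+name: etc-pki-entitlement
+type: Opaque
+data:
+aarch64.pem: $(base64 -w0 /etc/pki/entitlement/XXX.pem)
+aarch64-key.pem: $(base64 -w0 /etc/pki/entitlement/XXX-key.pem)
+x86_64.pem: $(base64 -w0 /etc/pki/entitlement/YYY.pem)
+x86_64-key.pem: $(base64 -w0 /etc/pki/entitlement/YYY-key.pem)
+EOF
+```
+## Flightctl CLI container image
+```sh
+cd flightctl-image
+./build.sh
+```
+## Tekton configuration
+```sh
+oc patch tektonconfig/config -n openshift-pipelines --type=merge -p '{"spec":{"pipeline":{"coschedule":"disabled","disable-affinity-assistant":true}}}'
+```
+## Pipeline manifests
+```sh
+oc apply -k common/
+oc apply -f pipeline.yaml
+```
+## Authentication to the registries
+```sh
+export REGISTRY_AUTH_FILE="$PWD/auth.json"
+podman login quay.io
+podman login registry.redhat.io
+oc apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+annotations:
+tekton.dev/docker-0: https://quay.io
+tekton.dev/docker-1: https://registry.redhat.io
+name: quay-authentication
+type: kubernetes.io/dockerconfigjson
+data:
+.dockerconfigjson: $(base64 -w0 "$PWD/auth.json")
+EOF
+```
+## Authentication to GitHub
+```sh
+cat > gitconfig <<EOF
+[credential]
+helper=store
+EOF
+oc create secret generic github-authentication --from-literal=.git-credentials=https://user:password@github.com --from-file=.gitconfig=gitconfig
+```
+## Authentication to Flightctl
+```sh
+oc create secret generic flightctl-config --from-file=client.yaml=$HOME/.config/flightctl/client.yaml
+```
+## Build the base image
+```sh
+oc create -f pipelinerun-base.yaml
+```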

6
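--- a/tekton/common/kustomization.yaml
+++ b/tekton/common/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- serviceaccount-buildbot.yaml
+- task-flightctl-update-digest.yaml
+- task-buildah-build.yaml
+- task-buildah-push.yaml
+- task-git.yaml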

32
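--- a/tekton/common/serviceaccount-buildbot.yaml
+++ b/tekton/common/serviceaccount-buildbot.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: buildbot
+imagePullSecrets:
+- name: registry-authentication
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: buildbot-scc
+rules:
+- apiGroups:
+- security.openshift.io
+resourceNames:
+- privileged
+resources:
+- securitycontextconstraints
+verbs:
+- use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: buildbot-scc
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: buildbot-scc
+subjects:
+- kind: ServiceAccount
+name: buildbot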
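Review bot: The `buildbot-scc` Role lets the `buildbot` service account use the `privileged` SCC, which is far broader than anything the tasks in this commit ask for: the buildah steps only add the `SETFCAP` capability and none of them sets `privileged: true`. Any pod started under `buildbot` in this namespace may then request a fully privileged container, so a mistake or a hostile input in a Containerfile or pipeline parameter is no longer contained by the pod sandbox. Consider a dedicated SCC that allows only `SETFCAP` (plus whatever user range the buildah image turns out to need, to be confirmed by a test run) and put its name under `resourceNames` instead of `privileged`. Separately, `imagePullSecrets` names `registry-authentication`, while the README in this commit creates `quay-authentication`; one of the two looks like a leftover.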

112
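--- a/tekton/common/task-buildah-build.yaml
+++ b/tekton/common/task-buildah-build.yaml
@@ -0,0 +1,112 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+annotations:
+io.openshift.builder: 'true'
+name: buildah-build
+spec:
+params:
+- name: context-dir
+type: string
+default: .
+- name: containerfile-path
+type: string
+default: Containerfile
+- name: override-from
+description: Replaces the "FROM" instruction in the Containerfile with this value if set.
+type: string
+default: ""
+workspaces:
+- name: source-workspace
+description: Workspace containing source code
+- name: oci-images
+mountPath: /srv/oci-images
+- description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json or .dockerconfigjson.
+name: dockerconfig
+optional: true
+- name: etc-pki-entitlement
+description: A workspace that provides access to the Red Hat entitlement certificate for pulling Red Hat UBI and RHEL container images.
+mountPath: /etc/pki/entitlement
+optional: true
+volumes:
+- name: container-storage
+emptyDir: {}
+steps:
+- name: build
+image: registry.redhat.io/rhel9/buildah:9.6
+env:
+- name: STORAGE_DRIVER
+value: vfs
+- name: SCRIPT_DEBUG
+value: "false"
+- name: OVERRIDE_FROM
+value: "$(params.override-from)"
+script: |
+#!/bin/bash
+set -Eeuo pipefail
+# If debug is enabled, print out command that are executed
+if [[ "${SCRIPT_DEBUG:-false}" == "true" ]]; then
+set -x
+fi
+# Print versions of the program we use
+echo "=== Environment ==="
+echo "---> Buildah"
+buildah version
+echo
+echo "---> bash"
+bash --version
+echo
+echo "---> OS"
+cat /etc/redhat-release
+echo
+echo "---> Host"
+uname -a
+echo
+echo "---> Current user"
+id
+echo
+# Checks if etc-pki-entitlement workspace is bound
+if [[ "$(workspaces.etc-pki-entitlement.bound)" == "true" ]]; then
+echo "---> Entitlement certificates"
+ls -lL /etc/pki/entitlement/*.pem
+echo
+fi
+# Handle registry credentials
+if [[ "$(workspaces.dockerconfig.bound)" == "true" ]]; then
+if test -f "$(workspaces.dockerconfig.path)/config.json"; then
+export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
+elif test -f "$(workspaces.dockerconfig.path)/.dockerconfigjson"; then
+cp "$(workspaces.dockerconfig.path)/.dockerconfigjson" "$HOME/.docker/config.json"
+export DOCKER_CONFIG="$HOME/.docker"
+else
+echo "neither 'config.json' nor '.dockerconfigjson' found at workspace root"
+exit 1
+fi
+fi
+echo "=== Build ==="
+echo "---> Building image for $(uname -m)"
+declare -a BUILDAH_OPTS=( )
+BUILDAH_OPTS+=( "-f" "$(workspaces.source-workspace.path)/$(params.containerfile-path)" )
+BUILDAH_OPTS+=( "--no-cache" )
+BUILDAH_OPTS+=( "-t" "localhost/image:$(uname -m)" )
+BUILDAH_OPTS+=( "$(workspaces.source-workspace.path)/$(params.context-dir)" )
+if [ -n "${OVERRIDE_FROM:-}" ]; then
+echo "Overriding FROM instruction with: $OVERRIDE_FROM"
+BUILDAH_OPTS+=( "--from" "$OVERRIDE_FROM" )
+fi
+buildah build "${BUILDAH_OPTS[@]}"
+echo "=== Export as tar archive ==="
+buildah push localhost/image:$(uname -m) oci-archive:/srv/oci-images/$(uname -m).tar
+securityContext:
+capabilities:
+add:
+- SETFCAP
+volumeMounts:
+- name: container-storage
+mountPath: /var/lib/containers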
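Review bot: `$(params.containerfile-path)` and `$(params.context-dir)` are substituted by Tekton straight into the bash source of the `build` step (the first and last `BUILDAH_OPTS+=` lines), so a value containing a quote or a command substitution is parsed as shell code rather than data. `override-from` already avoids this by arriving through the `OVERRIDE_FROM` environment variable, and the other two parameters should follow the same pattern. The same defect appears as `docker://$(params.image-name)` in task-buildah-push.yaml and as `$(params.new-image-digest)` in task-flightctl-update-digest.yaml. The proposed lines are below; everything else in the step stays as it is.

```yaml
env:
  # … unchanged: STORAGE_DRIVER, SCRIPT_DEBUG, OVERRIDE_FROM …
  - name: CONTEXT_DIR
    value: "$(params.context-dir)"
  - name: CONTAINERFILE_PATH
    value: "$(params.containerfile-path)"
script: |
  # … unchanged: environment report, registry credentials …
  BUILDAH_OPTS+=( "-f" "$(workspaces.source-workspace.path)/${CONTAINERFILE_PATH}" )
  # … unchanged: --no-cache, -t …
  BUILDAH_OPTS+=( "$(workspaces.source-workspace.path)/${CONTEXT_DIR}" )
```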

87
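--- a/tekton/common/task-buildah-push.yaml
+++ b/tekton/common/task-buildah-push.yaml
@@ -0,0 +1,87 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+annotations:
+io.openshift.builder: 'true'
+name: buildah-push
+spec:
+params:
+- name: image-name
+type: string
+- name: architectures
+type: array
+results:
+- name: image-digest
+description: The digest of the built image
+workspaces:
+- name: oci-images
+mountPath: /srv/oci-images
+- description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json or .dockerconfigjson.
+name: dockerconfig
+optional: true
+volumes:
+- name: container-storage
+emptyDir: {}
+steps:
+- name: push
+image: registry.redhat.io/rhel9/buildah:9.6
+env:
+- name: STORAGE_DRIVER
+value: vfs
+args:
+- "$(params.architectures[*])"
+script: |
+#!/bin/bash
+set -Eeuo pipefail
+# If debug is enabled, print out command that are executed
+if [[ "${SCRIPT_DEBUG:-false}" == "true" ]]; then
+set -x
+fi
+# Print versions of the program we use
+echo "=== Environment ==="
+echo "---> Buildah"
+buildah version
+echo
+echo "---> bash"
+bash --version
+echo
+echo "---> OS"
+cat /etc/redhat-release
+echo
+echo "---> Current user"
+id
+echo
+# Handle registry credentials
+if [[ "$(workspaces.dockerconfig.bound)" == "true" ]]; then
+if test -f "$(workspaces.dockerconfig.path)/config.json"; then
+export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
+elif test -f "$(workspaces.dockerconfig.path)/.dockerconfigjson"; then
+cp "$(workspaces.dockerconfig.path)/.dockerconfigjson" "$HOME/.docker/config.json"
+export DOCKER_CONFIG="$HOME/.docker"
+else
+echo "neither 'config.json' nor '.dockerconfigjson' found at workspace root"
+exit 1
+fi
+fi
+echo "=== Load container images from tar archives ==="
+declare -a iids=()
+for arch; do
+echo "Loading image for architecture $arch..."
+iid=$(buildah pull oci-archive:/srv/oci-images/$arch.tar)
+iids+=("$iid")
+done
+echo "=== Create and push multi-arch manifest ==="
+buildah manifest create localhost/multi-arch-image "${iids[@]}"
+buildah manifest push --all localhost/multi-arch-image "--digestfile=$(results.image-digest.path)" docker://$(params.image-name)
+securityContext:
+capabilities:
+add:
+- SETFCAP
+volumeMounts:
+- name: container-storage
+mountPath: /var/lib/containers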
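Review bot: In the `.dockerconfigjson` branch the registry credentials are copied to `$HOME/.docker/config.json`, but nothing in the script creates `$HOME/.docker`, so unless the buildah image ships that directory the `cp` fails and `set -e` aborts the step. Add `mkdir -p "$HOME/.docker"` before the copy and `chmod 600 "$HOME/.docker/config.json"` after it, so the copied token does not keep whatever mode the mounted file had. The identical branch in task-buildah-build.yaml needs the same two lines. `SCRIPT_DEBUG` is also tested here without being declared under `env`, unlike in the build task, and `$arch` is expanded unquoted in the `buildah pull` line.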

83
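--- a/tekton/common/task-flightctl-update-digest.yaml
+++ b/tekton/common/task-flightctl-update-digest.yaml
@@ -0,0 +1,83 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+name: flightctl-update-digest
+spec:
+params:
+- name: new-image-digest
+type: string
+- description: The label selector to identify the fleet(s) to update.
+name: fleet-label-selector
+type: string
+default: ""
+workspaces:
+- description: An optional workspace that contains the flightctl configuration file (client.yaml).
+name: flightctl-config
+optional: true
+steps:
+- name: flightctl-update-digest
+image: quay.io/nmasse-redhat/flightctl:latest
+env:
+- name: SCRIPT_DEBUG
+value: "false"
+- name: FLEET_LABEL_SELECTOR
+value: "$(params.fleet-label-selector)"
+script: |
+#!/bin/bash
+set -Eeuo pipefail
+# If debug is enabled, print out command that are executed
+if [[ "${SCRIPT_DEBUG:-false}" == "true" ]]; then
+set -x
+fi
+# Check if the fleet label selector is set
+if [ -z "${FLEET_LABEL_SELECTOR}" ]; then
+echo "FLEET_LABEL_SELECTOR is not set. No action taken."
+exit 0
+fi
+# Print versions of the program we use
+echo "=== Environment ==="
+echo "---> flightctl"
+flightctl version
+echo
+echo "---> bash"
+bash --version
+echo
+echo "---> OS"
+cat /etc/redhat-release
+echo
+echo "---> yq"
+yq --version
+echo
+echo "---> Current user"
+id
+echo
+echo "---> flightctl"
+flightctl version
+echo
+# List fleets matching the label selector and update their image to the new digest
+flightctl --config-dir $(workspaces.flightctl-config.path) get fleets --limit 0 -l "${FLEET_LABEL_SELECTOR}" -o name | while read -r fleet; do
+echo "Updating fleet $fleet to image digest $(params.new-image-digest)"
+# Get the current fleet definition
+flightctl --config-dir $(workspaces.flightctl-config.path) get fleet/$fleet -o yaml > /tmp/fleet.yaml
+# Extract the current image from the fleet definition
+CURRENT_IMAGE="$(yq eval '.spec.template.spec.os.image' /tmp/fleet.yaml)"
+# Splits the CURRENT_IMAGE on the "@" or ":" character and takes the first part (the image name without tag or digest)
+# Using only bash built-in features to avoid dependencies on other tools
+IMAGE_NAME="${CURRENT_IMAGE%%[@:]*}"
+# Construct the new image with the new digest
+NEW_IMAGE="${IMAGE_NAME}@$(params.new-image-digest)"
+# Update the fleet definition with the new image
+yq eval -i ".spec.template.spec.os.image = \"$NEW_IMAGE\"" /tmp/fleet.yaml
+# Apply the updated fleet definition
+flightctl --config-dir $(workspaces.flightctl-config.path) apply -f /tmp/fleet.yaml
+done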
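Review bot: Nothing checks `new-image-digest` before every fleet matching the selector is rewritten to it, so an empty or malformed value from the upstream result would be applied as `IMAGE_NAME@` followed by whatever text arrived. Pass the value in through an environment variable such as `NEW_IMAGE_DIGEST` and fail closed at the top of the script with `[[ "$NEW_IMAGE_DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "invalid digest" >&2; exit 1; }`. The yq update is also assembled by string interpolation; `NEW_IMAGE="$NEW_IMAGE" yq eval -i '.spec.template.spec.os.image = strenv(NEW_IMAGE)' /tmp/fleet.yaml` keeps the value out of the expression. The `flightctl-config` workspace is declared optional, yet `--config-dir $(workspaces.flightctl-config.path)` is used unconditionally and unquoted on all three `flightctl` calls.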

251
tekton/common/task-git.yaml

@ -0,0 +1,251 @@
---
# Source: task-git/templates/task.yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: git
labels:
app.kubernetes.io/version: 0.2.0
annotations:
tekton.dev/source: "https://github.com/openshift-pipelines/task-git"
tekton.dev/categories: Git
tekton.dev/displayName: git
tekton.dev/pipelines.minVersion: 0.41.0
tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
tekton.dev/tags: git
spec:
description: |
This Task represents Git and is able to initialize and clone a remote repository on the informed Workspace. It's likely to become the first `step` on a Pipeline.
workspaces:
- name: output
description: |
The Git repository directory, data will be placed on the root of the
Workspace, or on the relative path defined by the SUBDIRECTORY
parameter.
- name: ssh-directory
optional: true
description: |
A `.ssh` directory with private key, `known_hosts`, `config`, etc.
Copied to the Git user's home before cloning the repository, in order to
server as authentication mechanismBinding a Secret to this Workspace is
strongly recommended over other volume types.
- name: basic-auth
optional: true
description: |
A Workspace containing a `.gitconfig` and `.git-credentials` files.
These will be copied to the user's home before Git commands run. All
other files in this Workspace are ignored. It is strongly recommended to
use `ssh-directory` over `basic-auth` whenever possible, and to bind a
Secret to this Workspace over other volume types.
- name: ssl-ca-directory
optional: true
description: |
A Workspace containing CA certificates, this will be used by Git to
verify the peer with when interacting with remote repositories using
HTTPS.
params:
- name: URL
type: string
description: |
Git repository URL.
- name: REVISION
type: string
default: main
description: |
Revision to checkout, an branch, tag, sha, ref, etc...
- name: REFSPEC
default: ""
description: |
Repository `refspec` to fetch before checking out the revision.
- name: SUBMODULES
type: string
default: "true"
description: |
Initialize and fetch Git submodules.
- name: DEPTH
type: string
default: "1"
description: |
Number of commits to fetch, a "shallow clone" is a single commit.
- name: SSL_VERIFY
type: string
default: "true"
description: |
Sets the global `http.sslVerify` value, `false` is not advised unless
you trust the remote repository.
- name: CRT_FILENAME
type: string
default: ca-bundle.crt
description: |
Certificate Authority (CA) bundle filename on the `ssl-ca-directory`
Workspace.
- name: SUBDIRECTORY
type: string
default: ""
description: |
Relative path to the `output` Workspace where the repository will be
cloned.
- name: SPARSE_CHECKOUT_DIRECTORIES
type: string
default: ""
description: |
List of directory patterns split by comma to perform "sparse checkout".
- name: DELETE_EXISTING
type: string
default: "true"
description: |
Clean out the contents of the `output` Workspace before cloning the
repository, if data exists.
- name: HTTP_PROXY
type: string
default: ""
description: |
HTTP proxy server (non-TLS requests).
- name: HTTPS_PROXY
type: string
default: ""
description: |
HTTPS proxy server (TLS requests).
- name: NO_PROXY
type: string
default: ""
description: |
Opt out of proxying HTTP/HTTPS requests.
- name: VERBOSE
type: string
default: "false"
description: |
Log the commands executed.
- name: USER_HOME
type: string
default: "/home/git"
description: |
Absolute path to the Git user home directory.
results:
- name: COMMIT
description: |
The precise commit SHA digest cloned.
- name: URL
description: |
The precise repository URL.
- name: COMMITTER_DATE
description: |
The epoch timestamp of the commit cloned.
volumes:
- name: user-home
emptyDir: {}
- name: scripts-dir
emptyDir: {}
stepTemplate:
env:
- name: PARAMS_URL
value: "$(params.URL)"
- name: PARAMS_REVISION
value: "$(params.REVISION)"
- name: PARAMS_REFSPEC
value: "$(params.REFSPEC)"
- name: PARAMS_SUBMODULES
value: "$(params.SUBMODULES)"
- name: PARAMS_DEPTH
value: "$(params.DEPTH)"
- name: PARAMS_SSL_VERIFY
value: "$(params.SSL_VERIFY)"
- name: PARAMS_CRT_FILENAME
value: "$(params.CRT_FILENAME)"
- name: PARAMS_SUBDIRECTORY
value: "$(params.SUBDIRECTORY)"
- name: PARAMS_SPARSE_CHECKOUT_DIRECTORIES
value: "$(params.SPARSE_CHECKOUT_DIRECTORIES)"
- name: PARAMS_DELETE_EXISTING
value: "$(params.DELETE_EXISTING)"
- name: PARAMS_HTTP_PROXY
value: "$(params.HTTP_PROXY)"
- name: PARAMS_HTTPS_PROXY
value: "$(params.HTTPS_PROXY)"
- name: PARAMS_NO_PROXY
value: "$(params.NO_PROXY)"
- name: PARAMS_VERBOSE
value: "$(params.VERBOSE)"
- name: PARAMS_USER_HOME
value: "$(params.USER_HOME)"
- name: WORKSPACES_OUTPUT_PATH
value: "$(workspaces.output.path)"
- name: WORKSPACES_SSH_DIRECTORY_BOUND
value: "$(workspaces.ssh-directory.bound)"
- name: WORKSPACES_SSH_DIRECTORY_PATH
value: "$(workspaces.ssh-directory.path)"
- name: WORKSPACES_BASIC_AUTH_BOUND
value: "$(workspaces.basic-auth.bound)"
- name: WORKSPACES_BASIC_AUTH_PATH
value: "$(workspaces.basic-auth.path)"
- name: WORKSPACES_SSL_CA_DIRECTORY_BOUND
value: "$(workspaces.ssl-ca-directory.bound)"
- name: WORKSPACES_SSL_CA_DIRECTORY_PATH
value: "$(workspaces.ssl-ca-directory.path)"
- name: RESULTS_COMMITTER_DATE_PATH
value: "$(results.COMMITTER_DATE.path)"
- name: RESULTS_COMMIT_PATH
value: "$(results.COMMIT.path)"
- name: RESULTS_URL_PATH
value: "$(results.URL.path)"
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
runAsNonRoot: true
runAsUser: 65532
steps:
- name: load-scripts
image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14
workingDir: /scripts
script: |
printf '%s' "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" |base64 -d >common.sh
chmod +x "common.sh"
printf '%s' "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" |base64 -d >git-clone.sh
chmod +x "git-clone.sh"
printf '%s' "IyEvdXNyL2Jpbi9lbnYgc2gKIwojIFNldHMgdXAgdGhlIGJhc2ljIGFuZCBTU0ggYXV0aGVudGljYXRpb24gYmFzZWQgb24gaW5mb3JtZWQgd29ya3NwYWNlcywgYXMgd2VsbCBhcyBjbGVhbmluZyB1cCB0aGUKIyBwcmV2aW91cyBnaXQtY2xvbmUgc3RhbGUgZGF0YS4KIwoKc2V0IC1ldQoKc291cmNlICQoQ0RQQVRIPSBjZCAtLSAiJChkaXJuYW1lIC0tICR7MH0pIiAmJiBwd2QpL2NvbW1vbi5zaAoKYXNzZXJ0X3JlcXVpcmVkX2NvbmZpZ3VyYXRpb25fb3JfZmFpbAoKcGhhc2UgIlByZXBhcmluZyB0aGUgZmlsZXN5c3RlbSBiZWZvcmUgY2xvbmluZyB0aGUgcmVwb3NpdG9yeSIKCmlmIFtbICIke1dPUktTUEFDRVNfQkFTSUNfQVVUSF9CT1VORH0iID09ICJ0cnVlIiBdXTsgdGhlbgoJcGhhc2UgIkNvbmZpZ3VyaW5nIEdpdCBhdXRoZW50aWNhdGlvbiB3aXRoICdiYXNpYy1hdXRoJyBXb3Jrc3BhY2UgZmlsZXMiCgoJZm9yIGYgaW4gLmdpdC1jcmVkZW50aWFscyAuZ2l0Y29uZmlnOyBkbwoJCXNyYz0iJHtXT1JLU1BBQ0VTX0JBU0lDX0FVVEhfUEFUSH0vJHtmfSIKCQlwaGFzZSAiQ29weWluZyAnJHtzcmN9JyB0byAnJHtQQVJBTVNfVVNFUl9IT01FfSciCgkJY29weV9vcl9mYWlsIDQwMCAke3NyY30gIiR7UEFSQU1TX1VTRVJfSE9NRX0vIgoJZG9uZQpmaQoKaWYgW1sgIiR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX0JPVU5EfSIgPT0gInRydWUiIF1dOyB0aGVuCglwaGFzZSAiQ29weWluZyAnLnNzaCcgZnJvbSBzc2gtZGlyZWN0b3J5IHdvcmtzcGFjZSAoJyR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX1BBVEh9JykiCgoJZG90X3NzaD0iJHtQQVJBTVNfVVNFUl9IT01FfS8uc3NoIgoJY29weV9vcl9mYWlsIDcwMCAke1dPUktTUEFDRVNfU1NIX0RJUkVDVE9SWV9QQVRIfSAke2RvdF9zc2h9CgljaG1vZCAtUnYgNDAwICR7ZG90X3NzaH0vKgpmaQoKaWYgW1sgIiR7UEFSQU1TX0RFTEVURV9FWElTVElOR30iID09ICJ0cnVlIiBdXTsgdGhlbgoJcGhhc2UgIkRlbGV0aW5nIGFsbCBjb250ZW50cyBvZiBjaGVja291dC1kaXIgJyR7Y2hlY2tvdXRfZGlyfSciCgljbGVhbl9kaXIgJHtjaGVja291dF9kaXJ9IHx8IHRydWUKZmkKCmV4aXQgMA==" |base64 -d >prepare.sh
chmod +x "prepare.sh"
printf '%s' "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" |base64 -d >report.sh
chmod +x "report.sh"
volumeMounts:
- name: scripts-dir
mountPath: /scripts
- name: prepare
image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14
command:
- /scripts/prepare.sh
volumeMounts:
- name: scripts-dir
mountPath: /scripts
- name: user-home
mountPath: $(params.USER_HOME)
- name: git-clone
image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14
command:
- /scripts/git-clone.sh
volumeMounts:
- name: scripts-dir
mountPath: /scripts
- name: user-home
mountPath: $(params.USER_HOME)
- name: report
image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14
command:
- /scripts/report.sh
volumeMounts:
- name: scripts-dir
mountPath: /scripts

6
tekton/flightctl-image/Containerfile

@ -5,8 +5,10 @@ set -Eeuo pipefail
echo "Disabling Subscription Manager..."
echo -e "[main]\nenabled=0" > /etc/dnf/plugins/subscription-manager.conf
echo "Installing flightctl..."
curl -sSfL -o /etc/yum.repos.d/flightctl-copr.repo https://copr.fedorainfracloud.org/coprs/g/redhat-et/flightctl/repo/rhel-9/group_redhat-et-flightctl-rhel-9.repo
dnf install -y flightctl
dnf install -y https://download.copr.fedorainfracloud.org/results/%40redhat-et/flightctl/epel-9-$(arch)/09523645-flightctl/flightctl-cli-0.9.3-1.el9.$(arch).rpm
echo "Installing yq (from EPEL)..."
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
dnf install -y yq
echo "Cleaning up..."
dnf clean all
EOF
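Review bot: The `dnf install -y` of the `flightctl-cli-0.9.3-1.el9.$(arch).rpm` URL installs a package given on the command line, and dnf does not verify signatures on such packages by default (`localpkg_gpgcheck` is off), so the only integrity check left is TLS to the Copr download host. This rendering does not mark which lines are old and which are new, but if that line replaces the repo-file install printed just above it, the change trades a repository install, which is presumably signature-checked, for an unverified one. Either keep the repo definition and pin the version, `dnf install -y flightctl-cli-0.9.3-1.el9`, or import the Copr key and add `--setopt=localpkg_gpgcheck=1` to the URL install. The same applies to `epel-release-latest-9.noarch.rpm`, which additionally resolves to whatever EPEL publishes under that name at build time. The enclosing heredoc starts above the hunk.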

38
tekton/flightctl-image/build.sh

@ -2,13 +2,39 @@
set -euo pipefail
TARGET_IMAGE="quay.io/nmasse-redhat/flightctl:latest"
SOURCE_IMAGE="registry.access.redhat.com/ubi9/ubi:latest"
SOURCE_REF=ubi9
TARGET_REF=flightctl
echo "Logging into quay.io..."
podman login quay.io
echo "Building and pushing the flightctl image..."
podman build -t quay.io/nmasse-redhat/flightctl:latest .
podman push quay.io/nmasse-redhat/flightctl:latest
echo "Pulling source image $SOURCE_IMAGE for x86_64..."
podman rmi -i "$SOURCE_IMAGE"
podman pull --platform linux/amd64 "$SOURCE_IMAGE"
podman tag "$SOURCE_IMAGE" "localhost/$SOURCE_REF-x86_64"
podman rmi -i "$SOURCE_IMAGE"
echo "Pulling source image $SOURCE_IMAGE for aarch64..."
podman pull --platform linux/arm64/v8 "$SOURCE_IMAGE"
podman tag "$SOURCE_IMAGE" "localhost/$SOURCE_REF-aarch64"
podman rmi -i "$SOURCE_IMAGE"
echo "Building target image $TARGET_IMAGE for x86_64 architecture..."
buildah build --platform linux/amd64 -t localhost/$TARGET_REF-x86_64 --from "localhost/$SOURCE_REF-x86_64" .
echo "Building target image $TARGET_IMAGE for aarch64 architecture..."
buildah build --platform linux/arm64/v8 -t localhost/$TARGET_REF-aarch64 --from "localhost/$SOURCE_REF-aarch64" .
echo "Creating multi-arch manifest..."
if podman manifest exists localhost/$TARGET_REF; then
podman manifest rm localhost/$TARGET_REF
fi
podman manifest create localhost/$TARGET_REF
podman manifest add localhost/$TARGET_REF localhost/$TARGET_REF-x86_64
podman manifest add localhost/$TARGET_REF localhost/$TARGET_REF-aarch64
echo "Build and push completed successfully."
echo "Image available at: https://quay.io/repository/nmasse-redhat/flightctl?tab=tags"
exit 0
echo "pushing to $TARGET_IMAGE..."
read -p "Press enter to continue "
podman manifest push --all --format v2s2 localhost/$TARGET_REF "docker://$TARGET_IMAGE"
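Review bot: Both image references defined at the top of the hunk are mutable tags: `SOURCE_IMAGE` is `ubi9/ubi:latest` and `TARGET_IMAGE` is `flightctl:latest`. The base is pulled once per architecture, so the two builds can start from different UBI revisions if the tag moves in between, and nothing records which base went into the pushed manifest. The pushed `:latest` is the same reference the `flightctl-update-digest` task in this commit runs with the fleet credentials mounted, so anyone able to push that tag controls what that step executes. Consider pinning `SOURCE_IMAGE` by digest (`registry.access.redhat.com/ubi9/ubi@sha256:DIGEST_PLACEHOLDER`) and referencing the built image by digest from the task. Which lines are old or new is not marked in this rendering, so this is based on the variable definitions and the final `podman manifest push` line only.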

138
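--- a/tekton/pipeline.yaml
+++ b/tekton/pipeline.yaml
@@ -0,0 +1,138 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+name: bootc
+spec:
+workspaces:
+- name: source-workspace
+description: Workspace containing source code (from git)
+- name: oci-images
+description: Workspace for storing OCI images temporarily as tar files before pushing to a registry
+- name: registry-token
+description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json or .dockerconfigjson.
+optional: true
+- name: git-auth
+description: An optional workspace that allows providing SSH keys or .gitconfig file for git authentication. The SSH keys should be placed at the root of the Workspace with names id_rsa and id_rsa.pub. The .gitconfig file should also be placed at the root of the Workspace with name .gitconfig.
+optional: true
+- name: flightctl-config
+description: An optional workspace that contains the flightctl configuration file (client.yaml).
+optional: true
+- name: etc-pki-entitlement-x86_64
+description: A workspace that provides access to the Red Hat entitlement certificate for pulling Red Hat UBI and RHEL container images, for x86_64 architecture.
+optional: true
+- name: etc-pki-entitlement-aarch64
+description: A workspace that provides access to the Red Hat entitlement certificate for pulling Red Hat UBI and RHEL container images, for aarch64 architecture.
+optional: true
+params:
+- name: git-url
+type: string
+- name: git-revision
+type: string
+default: main
+- name: image-name
+type: string
+- name: override-from
+description: Replaces the "FROM" instruction in the Containerfile with this value if set.
+type: string
+default: ""
+- name: context-dir
+type: string
+default: "."
+- name: containerfile-path
+type: string
+default: "Containerfile"
+- name: fleet-label-selector
+description: The label selector to identify the fleet(s) to update. If not provided, no fleets will be updated!
+type: string
+default: ""
+tasks:
+- name: clone-repo
+taskRef:
+kind: Task
+name: git
+params:
+- name: URL
+value: $(params.git-url)
+- name: REVISION
+value: $(params.git-revision)
+workspaces:
+- name: output
+workspace: source-workspace
+- name: basic-auth
+workspace: git-auth
+- name: build-x86-64
+runAfter: ["clone-repo"]
+taskRef:
+name: buildah-build
+params:
+- name: context-dir
+value: $(params.context-dir)
+- name: containerfile-path
+value: $(params.containerfile-path)
+- name: override-from
+value: $(params.override-from)
+workspaces:
+- name: source-workspace
+workspace: source-workspace
+- name: oci-images
+workspace: oci-images
+- name: dockerconfig
+workspace: registry-token
+- name: etc-pki-entitlement
+workspace: etc-pki-entitlement-x86_64
+- name: build-aarch64
+runAfter: ["clone-repo"]
+taskRef:
+name: buildah-build
+params:
+- name: context-dir
+value: $(params.context-dir)
+- name: containerfile-path
+value: $(params.containerfile-path)
+- name: override-from
+value: $(params.override-from)
+workspaces:
+- name: source-workspace
+workspace: source-workspace
+- name: oci-images
+workspace: oci-images
+- name: dockerconfig
+workspace: registry-token
+- name: etc-pki-entitlement
+workspace: etc-pki-entitlement-aarch64
+- name: push-image
+runAfter: ["build-x86-64", "build-aarch64"]
+taskRef:
+name: buildah-push
+params:
+- name: image-name
+value: $(params.image-name)
+- name: architectures
+value:
+- x86_64
+- aarch64
+workspaces:
+- name: oci-images
+workspace: oci-images
+- name: dockerconfig
+workspace: registry-token
+- name: flightctl-update-digest
+runAfter: ["push-image"]
+taskRef:
+name: flightctl-update-digest
+params:
+- name: new-image-digest
+value: $(tasks.push-image.results.image-digest)
+- name: fleet-label-selector
+value: "$(params.fleet-label-selector)"
+workspaces:
+- name: flightctl-config
+workspace: flightctl-config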
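Review bot: The `git-auth` workspace description promises SSH keys (`id_rsa`, `id_rsa.pub`), but `clone-repo` binds it to the git task's `basic-auth` workspace, which according to the task's own description only reads `.gitconfig` and `.git-credentials`; SSH keys placed there would be ignored. Either correct the description to name those two files, or bind `git-auth` to `ssh-directory`, which the vendored task recommends over basic auth. Two things are also worth a comment in the file: `clone-repo` publishes a `COMMIT` result that no later task consumes, so the pushed image is not tied to a commit, and `flightctl-update-digest` runs directly after `push-image` with no approval step in between.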

73
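--- a/tekton/pipelinerun1.yaml
+++ b/tekton/pipelinerun1.yaml
@@ -0,0 +1,73 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+generateName: bootc-base-
+spec:
+pipelineRef:
+name: bootc
+params:
+- name: git-url
+value: https://github.com/nmasse-itix/demo-edge-retail.git
+- name: git-revision
+value: main
+- name: image-name
+value: quay.io/nmasse-redhat/demo-edge-retail/base:latest
+- name: context-dir
+value: bootc/base
+- name: containerfile-path
+value: "bootc/base/Containerfile"
+workspaces:
+- name: oci-images
+volumeClaimTemplate:
+spec:
+storageClassName: efs-csi
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 10Gi
+- name: source-workspace
+volumeClaimTemplate:
+spec:
+storageClassName: efs-csi
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 1Gi
+- name: registry-token
+secret:
+secretName: quay-authentication
+- name: git-auth
+secret:
+secretName: github-authentication
+- name: flightctl-config
+secret:
+secretName: flightctl-config
+- name: etc-pki-entitlement-x86_64
+secret:
+secretName: etc-pki-entitlement
+items:
+- key: x86_64.pem
+path: x86_64.pem
+- key: x86_64-key.pem
+path: x86_64-key.pem
+- name: etc-pki-entitlement-aarch64
+secret:
+secretName: etc-pki-entitlement
+items:
+- key: aarch64.pem
+path: aarch64.pem
+- key: aarch64-key.pem
+path: aarch64-key.pem
+taskRunTemplate:
+serviceAccountName: buildbot
+taskRunSpecs:
+- pipelineTaskName: build-aarch64
+podTemplate:
+nodeSelector:
+beta.kubernetes.io/arch: arm64
+tolerations:
+- key: "emea-open-demo.redhat.com/arm64-architecture"
+operator: "Exists"
+effect: "NoSchedule"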
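Review bot: Only `build-aarch64` gets a `nodeSelector`; `build-x86-64` has no `taskRunSpecs` entry and relies on the arm64 nodes being tainted to stay off them. The build task names its archive after `uname -m`, so an x86 build that lands on an arm64 node would write a second `aarch64.tar` and the push would then fail on the missing `x86_64.tar`. Add a `taskRunSpecs` entry for `build-x86-64` with `nodeSelector` `kubernetes.io/arch: amd64`, and replace the deprecated `beta.kubernetes.io/arch` label with `kubernetes.io/arch` in the existing entry. Both PipelineRuns in pipelinerun2.yaml carry the same block.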

155
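--- a/tekton/pipelinerun2.yaml
+++ b/tekton/pipelinerun2.yaml
@@ -0,0 +1,155 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+generateName: bootc-baremetal-
+spec:
+pipelineRef:
+name: bootc
+params:
+- name: git-url
+value: https://github.com/nmasse-itix/demo-edge-retail.git
+- name: git-revision
+value: main
+- name: image-name
+value: quay.io/nmasse-redhat/demo-edge-retail/baremetal:latest
+- name: context-dir
+value: bootc/baremetal
+- name: containerfile-path
+value: "bootc/baremetal/Containerfile"
+- name: override-from
+value: "quay.io/nmasse-redhat/demo-edge-retail/base:latest"
+- name: fleet-label-selector
+value: "fleet=store-baremetal"
+workspaces:
+- name: oci-images
+volumeClaimTemplate:
+spec:
+storageClassName: efs-csi
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 10Gi
+- name: source-workspace
+volumeClaimTemplate:
+spec:
+storageClassName: efs-csi
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 1Gi
+- name: registry-token
+secret:
+secretName: quay-authentication
+- name: git-auth
+secret:
+secretName: github-authentication
+- name: flightctl-config
+secret:
+secretName: flightctl-config
+- name: etc-pki-entitlement-x86_64
+secret:
+secretName: etc-pki-entitlement
+items:
+- key: x86_64.pem
+path: x86_64.pem
+- key: x86_64-key.pem
+path: x86_64-key.pem
+- name: etc-pki-entitlement-aarch64
+secret:
+secretName: etc-pki-entitlement
+items:
+- key: aarch64.pem
+path: aarch64.pem
+- key: aarch64-key.pem
+path: aarch64-key.pem
+taskRunTemplate:
+serviceAccountName: buildbot
+taskRunSpecs:
+- pipelineTaskName: build-aarch64
+podTemplate:
+nodeSelector:
+beta.kubernetes.io/arch: arm64
+tolerations:
+- key: "emea-open-demo.redhat.com/arm64-architecture"
+operator: "Exists"
+effect: "NoSchedule"
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+generateName: bootc-virtualmachine-
+spec:
+pipelineRef:
+name: bootc
+params:
+- name: git-url
+value: https://github.com/nmasse-itix/demo-edge-retail.git
+- name: git-revision
+value: main
+- name: image-name
+value: quay.io/nmasse-redhat/demo-edge-retail/virtualmachine:latest
+- name: context-dir
+value: bootc/virtualmachine
+- name: containerfile-path
+value: "bootc/virtualmachine/Containerfile"
+- name: override-from
+value: "quay.io/nmasse-redhat/demo-edge-retail/base:latest"
+- name: fleet-label-selector
+value: "fleet=store-vm-nextcloud"
+workspaces:
+- name: oci-images
+volumeClaimTemplate:
+spec:
+storageClassName: efs-csi
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 10Gi
+- name: source-workspace
+volumeClaimTemplate:
+spec:
+storageClassName: efs-csi
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 1Gi
+- name: registry-token
+secret:
+secretName: quay-authentication
+- name: git-auth
+secret:
+secretName: github-authentication
+- name: flightctl-config
+secret:
+secretName: flightctl-config
+- name: etc-pki-entitlement-x86_64
+secret:
+secretName: etc-pki-entitlement
+items:
+- key: x86_64.pem
+path: x86_64.pem
+- key: x86_64-key.pem
+path: x86_64-key.pem
+- name: etc-pki-entitlement-aarch64
+secret:
+secretName: etc-pki-entitlement
+items:
+- key: aarch64.pem
+path: aarch64.pem
+- key: aarch64-key.pem
+path: aarch64-key.pem
+taskRunTemplate:
+serviceAccountName: buildbot
+taskRunSpecs:
+- pipelineTaskName: build-aarch64
+podTemplate:
+nodeSelector:
+beta.kubernetes.io/arch: arm64
+tolerations:
+- key: "emea-open-demo.redhat.com/arm64-architecture"
+operator: "Exists"
+effect: "NoSchedule"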
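Review bot: `override-from` points both derived builds at `quay.io/nmasse-redhat/demo-edge-retail/base:latest`, a tag the base PipelineRun overwrites on every run, so the baremetal and virtualmachine images are built on whatever base happens to carry that tag at the time, and the result is then rolled out to `fleet=store-baremetal` and `fleet=store-vm-nextcloud` without a further gate. Reference the base by the digest the base run reported, in the form `quay.io/nmasse-redhat/demo-edge-retail/base@sha256:DIGEST_PLACEHOLDER`, so the image each fleet receives can be traced to one specific base build. `image-name` uses `:latest` on the output side as well, though there the fleet update already works from the pushed digest. `git-revision: main` has the same property for the source; a commit SHA would make the run reproducible.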

16
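--- a/tekton/taskrun.yaml
+++ b/tekton/taskrun.yaml
@@ -0,0 +1,16 @@
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+generateName: flightctl-update-digest-
+spec:
+taskRef:
+name: flightctl-update-digest
+params:
+- name: new-image-digest
+value: "sha256:792784b2fd2ee28e96ed4e73a22814afbb46075cdf352f3487df34bc16e8c166"
+- name: fleet-label-selector
+value: "fleet=store-baremetal"
+workspaces:
+- name: flightctl-config
+secret:
+secretName: flightctl-config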