From 2e4c7e483a10c9fe1e34c988e8d6053f694af5ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Wed, 24 Apr 2024 10:12:49 +0200
Subject: [PATCH] it works!
---
 README.md | 21 +++++++
 tekton/kustomization.yaml | 5 ++
 ...ine-build-multiarch.yaml => pipeline.yaml} | 41 ++++++-------
 tekton/pipelinerun.yaml | 11 ++--
 tekton/quay-authentication.yaml | 7 ---
 ...man-build.yaml => task-buildah-build.yaml} | 20 ++++---
 tekton/task-buildah-push.yaml | 59 +++++++++++++++++++
 tekton/task-podman-push.yaml | 22 -------
 8 files changed, 126 insertions(+), 60 deletions(-)
 create mode 100644 tekton/kustomization.yaml
 rename tekton/{pipeline-build-multiarch.yaml => pipeline.yaml} (62%)
 delete mode 100644 tekton/quay-authentication.yaml
 rename tekton/{task-podman-build.yaml => task-buildah-build.yaml} (53%)
 create mode 100644 tekton/task-buildah-push.yaml
 delete mode 100644 tekton/task-podman-push.yaml
diff --git a/README.md b/README.md
index 25e1d91..f9cf472 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,27 @@ parameters:
 fileSystemId: fs-123456
 directoryPerms: "700"
 basePath: "/pv"
+ uid: "0"
+ gid: "0"
 ```
 - [Create and configure access to EFS volumes in AWS](https://docs.openshift.com/container-platform/4.15/storage/container_storage_interface/persistent-storage-csi-aws-efs.html#efs-create-volume_persistent-storage-csi-aws-efs)
+
+## Authentication to the registry
+
+```sh
+oc create secret docker-registry quay-authentication --docker-email=nmasse@redhat.com --docker-username=nmasse --docker-password=REDACTED --docker-server=quay.io
+oc annotate secret/quay-authentication tekton.dev/docker-0=https://quay.io
+```
+
+## Pipeline manifests
+
+```sh
+oc apply -k tekton/
+```
+
+## Run it!
+
+```sh
+oc create -f tekton/pipelinerun.yaml
+```
diff --git a/tekton/kustomization.yaml b/tekton/kustomization.yaml
new file mode 100644
index 0000000..3b26425
--- /dev/null
+++ b/tekton/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- pipeline.yaml
+- serviceaccount-buildbot.yaml
+- task-buildah-build.yaml
+- task-buildah-push.yaml
diff --git a/tekton/pipeline-build-multiarch.yaml b/tekton/pipeline.yaml
similarity index 62%
rename from tekton/pipeline-build-multiarch.yaml
rename to tekton/pipeline.yaml
index 5aa2c53..8a5d9f0 100644
--- a/tekton/pipeline-build-multiarch.yaml
+++ b/tekton/pipeline.yaml
@@ -6,12 +6,13 @@ spec:
 workspaces:
 - name: source-workspace
- - name: container-storage
+ - name: oci-images
+ - name: registry-token
 params:
 - name: git-url
 type: string
- - name: docker-image-name
+ - name: image-name
 type: string
 - name: manifest-name
 type: string
@@ -35,45 +36,45 @@ spec:
 - name: output
 workspace: source-workspace
- - name: podman-build-amd64
+ - name: build-x86-64
 runAfter: ["clone-repo"]
 taskRef:
- name: podman-build
+ name: buildah-build
 params:
- - name: manifest-name
- value: $(params.manifest-name)
 - name: context-dir
 value: $(params.context-dir)
 workspaces:
 - name: source-workspace
 workspace: source-workspace
- - name: container-storage
- workspace: container-storage
+ - name: oci-images
+ workspace: oci-images
- - name: podman-build-arm64
+ - name: build-aarch64
 runAfter: ["clone-repo"]
 taskRef:
- name: podman-build
+ name: buildah-build
 params:
- - name: manifest-name
- value: $(params.manifest-name)
 - name: context-dir
 value: $(params.context-dir)
 workspaces:
 - name: source-workspace
 workspace: source-workspace
- - name: container-storage
- workspace: container-storage
+ - name: oci-images
+ workspace: oci-images
 - name: push-image
- runAfter: ["podman-build-amd64", "podman-build-arm64"]
+ runAfter: ["build-x86-64", "build-aarch64"]
 taskRef:
 name: buildah-push
 params:
 - name: image-name
- value: $(params.docker-image-name)
- - name: manifest-name
- value: $(params.manifest-name)
+ value: $(params.image-name)
+ - name: architectures
+ value:
+ - x86_64
+ - aarch64
 workspaces:
- - name: container-storage
- workspace: container-storage
+ - name: oci-images
+ workspace: oci-images
+ - name: dockerconfig
+ workspace: registry-token
diff --git a/tekton/pipelinerun.yaml b/tekton/pipelinerun.yaml
index 8ed9d58..f948ece 100644
--- a/tekton/pipelinerun.yaml
+++ b/tekton/pipelinerun.yaml
@@ -8,12 +8,12 @@ spec:
 params:
 - name: git-url
 value: https://github.com/nmasse-itix/tekton-pipeline-multiarch.git
- - name: docker-image-name
+ - name: image-name
 value: quay.io/nmasse_itix/htop-multiarch
 - name: context-dir
 value: src
 workspaces:
- - name: container-storage
+ - name: oci-images
 volumeClaimTemplate:
 spec:
 storageClassName: efs-csi
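Review bot: The `manifest-name` pipeline parameter becomes dead in this hunk: the `value: $(params.manifest-name)` bindings are dropped from build-x86-64, build-aarch64 and push-image, yet the declaration `- name: manifest-name` / `type: string` shown as context in the previous hunk of pipeline.yaml stays, so unless a default exists below that hunk every PipelineRun must still supply a value nobody reads. Removing the declaration alongside its last consumers keeps the pipeline's interface honest. The hard-coded `architectures` list handed to push-image also duplicates information encoded in the two build task names and in pipelinerun.yaml's taskRunSpecs node selectors; a comment such as `# must list exactly the architectures produced by the build-* tasks above` would tie the three places together for whoever adds another platform.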
@@ -31,14 +31,17 @@ spec:
 resources:
 requests:
 storage: 1Gi
+ - name: registry-token
+ secret:
+ secretName: quay-authentication
 taskRunTemplate:
 serviceAccountName: buildbot
 taskRunSpecs:
- - pipelineTaskName: podman-build-amd64
+ - pipelineTaskName: build-x86-64
 podTemplate:
 nodeSelector:
 beta.kubernetes.io/arch: amd64
- - pipelineTaskName: podman-build-arm64
+ - pipelineTaskName: build-aarch64
 podTemplate:
 nodeSelector:
 beta.kubernetes.io/arch: arm64
diff --git a/tekton/quay-authentication.yaml b/tekton/quay-authentication.yaml
deleted file mode 100644
index 7b4833c..0000000
--- a/tekton/quay-authentication.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: quay-authentication
-data:
- .dockerconfigjson: REDACTED
-type: kubernetes.io/dockerconfigjson
diff --git a/tekton/task-podman-build.yaml b/tekton/task-buildah-build.yaml
similarity index 53%
rename from tekton/task-podman-build.yaml
rename to tekton/task-buildah-build.yaml
index 62d83cc..0cbcc10 100644
--- a/tekton/task-podman-build.yaml
+++ b/tekton/task-buildah-build.yaml
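Review bot: The new `registry-token` binding references Secret `quay-authentication`, whose manifest this same commit deletes from tekton/, so the run now depends on an object created out of band (the README's `oc create secret` step) with nothing in the manifests saying so. If the Secret is absent the kubelet cannot mount the volume and the push-image pod typically waits in ContainerCreating until the run's timeout instead of failing fast, which is confusing to debug. A comment above the binding, `# created out-of-band, see README "Authentication to the registry"`, makes the dependency visible to anyone applying tekton/ on a fresh cluster. Binding the token only to push-image, while the two build tasks receive no registry workspace, is the right least-privilege split and worth keeping.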
@@ -1,29 +1,35 @@
 apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
- name: podman-build
+ name: buildah-build
 spec:
 params:
- - name: manifest-name
- type: string
 - name: context-dir
 type: string
 default: .
 workspaces:
 - name: source-workspace
 description: Workspace containing source code
+ - name: oci-images
+ mountPath: /srv/oci-images
+ volumes:
 - name: container-storage
- description: Persistent volume to store container images
- mountPath: /var/lib/containers
+ emptyDir: {}
 steps:
 - name: build
 image: registry.redhat.io/rhel8/buildah@sha256:b48f410efa0ff8ab0db6ead420a5d8d866d64af846fece5efb185230d7ecf591
+ env:
+ - name: STORAGE_DRIVER
+ value: vfs
 script: |
 #!/bin/bash
 set -Eeuo pipefail
- buildah bud --storage-driver=vfs --no-cache --manifest $(params.manifest-name) $(workspaces.source-workspace.path)/$(params.context-dir)
- #podman build --no-cache --manifest $(params.manifest-name) $(workspaces.source-workspace.path)/$(params.context-dir)
+ buildah bud -t localhost/image:$(uname -m) $(workspaces.source-workspace.path)/$(params.context-dir)
+ buildah push localhost/image:$(uname -m) oci-archive:/srv/oci-images/$(uname -m).tar
 securityContext:
 capabilities:
 add:
 - SETFCAP
+ volumeMounts:
+ - name: container-storage
+ mountPath: /var/lib/containers
diff --git a/tekton/task-buildah-push.yaml b/tekton/task-buildah-push.yaml
new file mode 100644
index 0000000..fc5cf30
--- /dev/null
+++ b/tekton/task-buildah-push.yaml
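Review bot: `$(params.context-dir)` on the new `buildah bud` line is substituted textually into the `script:` before bash parses it, so a PipelineRun-supplied value is interpreted as shell rather than as a path; the robust pattern is to pass it through `env:` and reference it quoted as `"$CONTEXT_DIR"`, and the same applies to `$(params.image-name)` on the `buildah manifest push` line of task-buildah-push.yaml in the next hunk. Both new script lines also hard-code `/srv/oci-images` where `$(workspaces.oci-images.path)` follows the workspace's `mountPath` automatically, as does `/srv/oci-images/$arch.tar` in the push task. Separately, `--no-cache` from the removed `buildah bud` line did not carry over; with the emptyDir-backed storage the practical effect is small, but if the drop is intentional a word in the commit message would help.
```yaml
      env:
        # … unchanged: STORAGE_DRIVER …
        - name: CONTEXT_DIR
          value: $(params.context-dir)
      script: |
        # … unchanged: shebang and set -Eeuo pipefail …
        buildah bud -t "localhost/image:$(uname -m)" "$(workspaces.source-workspace.path)/$CONTEXT_DIR"
        buildah push "localhost/image:$(uname -m)" "oci-archive:$(workspaces.oci-images.path)/$(uname -m).tar"
```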
@@ -0,0 +1,59 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: buildah-push
+spec:
+ params:
+ - name: image-name
+ type: string
+ - name: architectures
+ type: array
+ workspaces:
+ - name: oci-images
+ mountPath: /srv/oci-images
+ - description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json or .dockerconfigjson.
+ name: dockerconfig
+ optional: true
+ volumes:
+ - name: container-storage
+ emptyDir: {}
+ steps:
+ - name: push
+ image: registry.redhat.io/rhel8/buildah@sha256:b48f410efa0ff8ab0db6ead420a5d8d866d64af846fece5efb185230d7ecf591
+ env:
+ - name: STORAGE_DRIVER
+ value: vfs
+ args:
+ - "$(params.architectures[*])"
+ script: |
+ #!/bin/bash
+ set -Eeuo pipefail
+
+ # Handle registry credentials
+ if [[ "$(workspaces.dockerconfig.bound)" == "true" ]]; then
+ if test -f "$(workspaces.dockerconfig.path)/config.json"; then
+ export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
+ elif test -f "$(workspaces.dockerconfig.path)/.dockerconfigjson"; then
+ cp "$(workspaces.dockerconfig.path)/.dockerconfigjson" "$HOME/.docker/config.json"
+ export DOCKER_CONFIG="$HOME/.docker"
+ else
+ echo "neither 'config.json' nor '.dockerconfigjson' found at workspace root"
+ exit 1
+ fi
+ fi
+
+ declare -a iids=()
+ for arch; do
+ echo "Loading image for architecture $arch..."
+ iid=$(buildah pull oci-archive:/srv/oci-images/$arch.tar)
+ iids+=("$iid")
+ done
+ buildah manifest create localhost/multi-arch-image "${iids[@]}"
+ buildah manifest push --all localhost/multi-arch-image docker://$(params.image-name)
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ volumeMounts:
+ - name: container-storage
+ mountPath: /var/lib/containers
diff --git a/tekton/task-podman-push.yaml b/tekton/task-podman-push.yaml
deleted file mode 100644
index d956776..0000000
--- a/tekton/task-podman-push.yaml
+++ /dev/null
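Review bot: The `.dockerconfigjson` branch copies the credentials file to `$HOME/.docker/config.json` without ensuring the directory exists; under `set -e` a missing `$HOME/.docker` aborts the step before any push, so add `mkdir -p "$HOME/.docker"` immediately before the `cp`. Whether this image pre-creates that directory at runtime is not visible here, so treat this as a cheap guard rather than a confirmed failure. Keeping the credential copy inside the step container and binding the token only to this task (the pipeline gives the build tasks no registry workspace) is the right scoping and worth preserving as the task evolves. Style only: the `description:` of the dockerconfig workspace is a single very long line and would read better as a `>-` folded scalar.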
@@ -1,22 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
- name: buildah-push
-spec:
- params:
- - name: image-name
- type: string
- - name: manifest-name
- type: string
- workspaces:
- - name: container-storage
- description: Persistent volume to store container images
- mountPath: /var/lib/containers
- steps:
- - name: push
- image: quay.io/podman/stable
- script: |
- #!/bin/bash
- set -Eeuo pipefail
- export STORAGE_DRIVER=vfs
- buildah manifest push --all $(params.manifest-name) docker://$(params.image-name)