diff --git a/content/en/blog/posts/2022-04-14-build-release-v0.9.0.md b/content/en/blog/posts/2022-04-14-build-release-v0.9.0.md index a359052a6..312563107 100644 --- a/content/en/blog/posts/2022-04-14-build-release-v0.9.0.md +++ b/content/en/blog/posts/2022-04-14-build-release-v0.9.0.md 
@@ -117,7 +117,7 @@ And that's not all, we have some smaller items that are worth to explore: - We improved our sample build strategies to expose more parameters: - Buildpacks now has a [`platform-api-version` parameter that allows to configure the `CNB_PLATFORM_API` version](https://github.com/shipwright-io/build/blob/v0.9.0/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml#L8-L10) which is relevant to use features of newer Buildpacks implementations - - The BuildAh sample strategy now exposes its [parameters to configure default, blocked, and insecure registries as arrays](https://github.com/shipwright-io/build/blob/v0.9.0/samples/buildstrategy/buildah/buildstrategy_buildah_cr.yaml#L180-L193). It also supports [build-args](https://github.com/shipwright-io/build/blob/v0.9.0/samples/buildstrategy/buildah/buildstrategy_buildah_cr.yaml#L176-L179) in the same way as the BuildKit strategy. + - The BuildAh sample strategy now exposes its [parameters to configure default, blocked, and insecure registries as arrays](https://github.com/shipwright-io/build/blob/v0.9.0/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml#L180-L193). It also supports [build-args](https://github.com/shipwright-io/build/blob/v0.9.0/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml#L176-L179) in the same way as the BuildKit strategy. - The BuildKit strategy now supports to build multi-platform images. - We added [documentation about how to securely reference build strategy parameters in steps without allowing users to inject code in inline scripts](https://github.com/shipwright-io/build/blob/v0.9.0/docs/buildstrategies.md#securely-referencing-string-parameters). All sample build strategies are now secure. - We added the `shp version` command to easily figure out which version of the command line interface is installed. 
diff --git a/content/en/docs/build/build.md b/content/en/docs/build/build.md index 953cf46e6..6c9bf8bc7 100644 --- a/content/en/docs/build/build.md +++ b/content/en/docs/build/build.md @@ -99,7 +99,7 @@ The `Build` definition supports the following fields: - [`kind`](https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields) - Specifies the Kind type, for example `Build`. - [`metadata`](https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields) - Metadata that identify the custom resource instance, especially the name of the `Build`, and in which [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) you place it. **Note**: You should use your own namespace, and not put your builds into the shipwright-build namespace where Shipwright's system components run. - `spec.source` - Refers to the location of the source code, for example a Git repository or OCI artifact image. - - `spec.strategy` - Refers to the `BuildStrategy` to be used, see the [examples](../samples/v1beta1/buildstrategy) + - `spec.strategy` - Refers to the `BuildStrategy` to be used, see the [examples](./buildstrategies.md#available-clusterbuildstrategies) - `spec.output`- Refers to the location where the generated image would be pushed. - `spec.output.pushSecret`- Reference an existing secret to get access to the container registry. @@ -299,7 +299,7 @@ In general, _paramValues_ are tightly bound to Strategy _parameters_. Please mak #### Example -The [BuildKit sample `BuildStrategy`](../samples/v1beta1/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml) contains various parameters. Two of them are outlined here: +The [BuildKit sample BuildStrategy](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml) contains various parameters. Two of them are outlined here: ```yaml apiVersion: shipwright.io/v1beta1 
diff --git a/content/en/docs/build/buildstrategies.md b/content/en/docs/build/buildstrategies.md index c1f14b341..96e36308b 100644 --- a/content/en/docs/build/buildstrategies.md +++ b/content/en/docs/build/buildstrategies.md 
@@ -54,17 +54,17 @@ A `ClusterBuildStrategy` is available cluster-wide, while a `BuildStrategy` is a ## Available ClusterBuildStrategies -Well-known strategies can be bootstrapped from [here](../samples/v1beta1/buildstrategy). The currently supported Cluster BuildStrategy are: +Well-known strategies can be bootstrapped from [here](https://github.com/shipwright-io/website//tree/main/content/en/docs/samples/buildstrategy). The currently supported Cluster BuildStrategy are: | Name | Supported platforms | | ---- | ------------------- | -| [buildah](../samples/v1beta1/buildstrategy/buildah) | all | -| [BuildKit](../samples/v1beta1/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml) | all | -| [buildpacks-v3-heroku](../samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_cr.yaml) | linux/amd64 only | -| [buildpacks-v3](../samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml) | linux/amd64 only | -| [kaniko](../samples/v1beta1/buildstrategy/kaniko/buildstrategy_kaniko_cr.yaml) | all | -| [ko](../samples/v1beta1/buildstrategy/ko/buildstrategy_ko_cr.yaml) | all | -| [source-to-image](../samples/v1beta1/buildstrategy/source-to-image/buildstrategy_source-to-image_cr.yaml) | linux/amd64 only | +| [buildah](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/buildah/) | all | +| [BuildKit](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/buildkit/) | all | +| [buildpacks-v3-heroku](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_cr.yaml) | linux/amd64 only | +| [buildpacks-v3](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml) | linux/amd64 only | +| [kaniko](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/kaniko/) | all | +| 
[ko](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/ko/) | all | +| [source-to-image](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/source-to-image/) | linux/amd64 only | ## Available BuildStrategies @@ -72,8 +72,8 @@ The current supported namespaces BuildStrategy are: | Name | Supported platforms | | ---- | ------------------- | -| [buildpacks-v3-heroku](../samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_namespaced_cr.yaml) | linux/amd64 only | -| [buildpacks-v3](../samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_namespaced_cr.yaml) | linux/amd64 only | +| [buildpacks-v3-heroku](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_namespaced_cr.yaml) | linux/amd64 only | +| [buildpacks-v3](https://github.com/shipwright-io/website/tree/main/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_namespaced_cr.yaml) | linux/amd64 only | --- 
@@ -83,18 +83,18 @@ The `buildah` ClusterBuildStrategy uses [`buildah`](https://github.com/container The strategy is available in two formats: -- [`buildah-shipwright-managed-push`](../samples/v1beta1/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push%20copy_cr.yaml) -- [`buildah-strategy-managed-push`](../samples/v1beta1/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml) +- [`buildah-shipwright-managed-push`](../samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml) +- [`buildah-strategy-managed-push`](../samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml) Learn more about the differences of [shipwright-, or strategy-managed push](#output-directory-vs-output-image) ### Installing Buildah Strategy -To install use: +To install use (expects the above referenced strategy yamls to be available locally): ```sh -kubectl apply -f samples/v1beta1/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml -kubectl apply -f samples/v1beta1/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml +kubectl apply -f buildstrategy_buildah_shipwright_managed_push_cr.yaml +kubectl apply -f buildstrategy_buildah_strategy_managed_push_cr.yaml ``` --- 
@@ -109,22 +109,28 @@ You can install the `BuildStrategy` in your namespace or install the `ClusterBui To install the cluster scope strategy, you can chose between the Paketo and Heroku buildpacks family: +- [`buildstrategy_buildpacks-v3-paketo`](../samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml) +- [`buildstrategy_buildpacks-v3-heroku`](../samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_cr.yaml) + ```sh # Paketo -kubectl apply -f samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml +kubectl apply -f buildstrategy_buildpacks-v3_cr.yaml # Heroku -kubectl apply -f samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_cr.yaml +kubectl apply -f buildstrategy_buildpacks-v3-heroku_cr.yaml ``` To install the namespaced scope strategy, you can chose between the Paketo and Heroku buildpacks family: +- [`buildstrategy_buildpacks-v3-paketo_namespaced`](../samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_namespaced_cr.yaml) +- [`buildstrategy_buildpacks-v3-heroku_namespaced`](../samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_namespaced_cr.yaml) + ```sh # Paketo -kubectl apply -f samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_namespaced_cr.yaml +kubectl apply -f samples//buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_namespaced_cr.yaml # Heroku -kubectl apply -f samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_namespaced_cr.yaml +kubectl apply -f samples//buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_namespaced_cr.yaml ``` --- 
@@ -137,8 +143,10 @@ The `kaniko` ClusterBuildStrategy is composed by Kaniko's `executor` [kaniko], w To install the cluster scope strategy, use: +- [`buildstrategy_kaniko`](../samples/buildstrategy/kaniko/buildstrategy_kaniko_cr.yaml) + ```sh -kubectl apply -f samples/v1beta1/buildstrategy/kaniko/buildstrategy_kaniko_cr.yaml +kubectl apply -f buildstrategy_kaniko_cr.yaml ``` #### Scanning with Trivy @@ -147,8 +155,10 @@ You can also incorporate scanning into the ClusterBuildStrategy. The `kaniko-tri To install the cluster scope strategy, use: +- [`buildstrategy_kaniko-trivy`](../samples/buildstrategy/kaniko/buildstrategy_kaniko-trivy_cr.yaml) + ```sh -kubectl apply -f samples/v1beta1/buildstrategy/kaniko/buildstrategy_kaniko-trivy_cr.yaml +kubectl apply -f buildstrategy_kaniko-trivy_cr.yaml ``` *Note: doing image scanning is not a substitute for trusting the Dockerfile you are building. The build process itself is also susceptible if the Dockerfile has a vulnerability. Frameworks/strategies such as build-packs or source-to-image (which avoid directly building a Dockerfile) should be considered if you need guardrails around the code you want to build.* @@ -193,8 +203,10 @@ _Please note:_ At this point in time, there is no way to run `rootlesskit` to st To install the cluster scope strategy, use: +- [`buildstrategy_buildkit`](../samples/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml) + ```sh -kubectl apply -f samples/v1beta1/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml +kubectl apply -f buildstrategy_buildkit_cr.yaml ``` --- @@ -207,8 +219,10 @@ The `ko` ClusterBuilderStrategy is using [ko](https://github.com/ko-build/ko)'s To install the cluster scope strategy, use: +- [`buildstrategy_ko`](../samples/buildstrategy/ko/buildstrategy_ko_cr.yaml) + ```sh -kubectl apply -f samples/v1beta1/buildstrategy/ko/buildstrategy_ko_cr.yaml +kubectl apply -f buildstrategy_ko_cr.yaml ``` ### Parameters 
@@ -239,8 +253,10 @@ This BuildStrategy is composed by [`source-to-image`][s2i] and [`kaniko`][kaniko To install the cluster scope strategy use: +- [`buildstrategy_source-to-image`](../samples/buildstrategy/source-to-image/buildstrategy_source-to-image_cr.yaml) + ```sh -kubectl apply -f samples/v1beta1/buildstrategy/source-to-image/buildstrategy_source-to-image_cr.yaml +kubectl apply -f buildstrategy_source-to-image_cr.yaml ``` ### Build Steps @@ -265,7 +281,7 @@ Users defining _parameters_ under their strategies require to understand the fol - **Definition**: A list of parameters should be defined under `spec.parameters`. Each list item should consist of a _name_, a _description_, a _type_ (either `"array"` or `"string"`) and optionally a _default_ value (for type=string), or _defaults_ values (for type=array). If no default(s) are provided, then the user must define a value in the Build or BuildRun. - **Usage**: In order to use a parameter in the strategy steps, use the following syntax for type=string: `$(params.your-parameter-name)`. String parameters can be used in all places in the `buildSteps`. Some example scenarios are: - - `image`: to use a custom tag, for example `golang:$(params.go-version)` as it is done in the [ko sample build strategy](../samples/v1beta1/buildstrategy/ko/buildstrategy_ko_cr.yaml)) + - `image`: to use a custom tag, for example `golang:$(params.go-version)` as it is done in the [ko sample build strategy](../samples/buildstrategy/ko/buildstrategy_ko_cr.yaml)) - `args`: to pass data into your builder command - `env`: to force a user to provide a value for an environment variable. 
@@ -301,7 +317,7 @@ Users defining _parameters_ under their strategies require to understand the fol **Note**: Users can provide parameter values as simple strings or as references to keys in [ConfigMaps](https://kubernetes.io/docs/concepts/configuration/configmap/) and [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). If they use a ConfigMap or Secret, then the value can only be used if the parameter is used in the `command`, `args`, or `env` section of the `buildSteps`. For example, the above mentioned scenario to set a step's `image` to `golang:$(params.go-version)` does not allow the usage of ConfigMaps or Secrets. -The following example is from the [BuildKit sample build strategy](../samples/v1beta1/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml). It defines and uses several parameters: +The following example is from the [BuildKit sample build strategy](../samples/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml). It defines and uses several parameters: ```yaml --- 
@@ -446,7 +462,7 @@ When you use the `$(params.shp-output-directory)` parameter, then Shipwright wil If you are uncertain about how to implement your build strategy, then follow this guidance: -1. If your build strategy tool cannot locally store an image but always pushes it, then you must do the push operation. An example is the [Buildpacks strategy](../samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml). You SHOULD respect the `$(params.shp-output-insecure)` parameter. +1. If your build strategy tool cannot locally store an image but always pushes it, then you must do the push operation. An example is the [Buildpacks strategy](../samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml). You SHOULD respect the `$(params.shp-output-insecure)` parameter. 2. If your build strategy tool can locally store an image, then the choice depends on how you expect your build users to make use of your strategy, and the nature of your strategy. 1. Some build strategies do not produce all layers of an image, but use a common base image and put one or more layers on top with the application. An example is `ko`. Such base image layers are often already present in the destination registry (like in rebuilds). If the strategy can perform the push operation, then it can optimize the process and can omit the download of the base image when it is not required to push it. In the case of a shipwright-managed push, the complete image must be locally stored in `$(params.shp-output-directory)`, which implies that a base image must always be downloaded. 2. Some build strategy tools do not make it easy to determine the digest or size of the image, which can make it complex for your to set the [strategy results](#system-results). In the case of a shipwright-managed push, Shipwright has the responsibility to set them. 
@@ -493,7 +509,7 @@ This opens the door to script injection, for example if the user sets the `sampl To securely pass a parameter value into a script-style argument, you can chose between these two approaches: -1. Using environment variables. This is used in some of our sample strategies, for example [ko](../samples/v1beta1/buildstrategy/ko/buildstrategy_ko_cr.yaml), or [buildpacks](../samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml). Basically, instead of directly using the parameter inside the script, you pass it via environment variable. Using quoting, shells ensure that no command injection is possible: +1. Using environment variables. This is used in some of our sample strategies, for example [ko](../samples/buildstrategy/ko/buildstrategy_ko_cr.yaml), or [buildpacks](../samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml). Basically, instead of directly using the parameter inside the script, you pass it via environment variable. Using quoting, shells ensure that no command injection is possible: ```yaml spec: @@ -516,7 +532,7 @@ To securely pass a parameter value into a script-style argument, you can chose b some-tool --sample-argument "${PARAM_SAMPLE_PARAMETER}" ``` -2. Using arguments. This is used in some of our sample build strategies, for example [buildah](../samples/v1beta1/buildstrategy/buildah/buildstrategy_buildah_cr.yaml). Here, you use arguments to your own inline script. Appropriate shell quoting guards against command injection. +2. Using arguments. This is used in some of our sample build strategies, for example [buildah](../samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml). Here, you use arguments to your own inline script. Appropriate shell quoting guards against command injection. ```yaml spec: 
@@ -549,7 +565,7 @@ If you are using a strategy-managed push, see [output directory vs output image] | `$(results.shp-image-digest.path)` | File to store the digest of the image. | | `$(results.shp-image-size.path)` | File to store the compressed size of the image. | -You can look at sample build strategies, such as [Buildpacks](../samples/v1beta1/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml), to see how they fill some or all of the results files. +You can look at sample build strategies, such as [Buildpacks](../samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml), to see how they fill some or all of the results files. This information will be available in the `.status.output` section of the BuildRun. @@ -756,13 +772,13 @@ For a more concrete example, let´s take a look on the following scenarios: If we will apply the following resources: -- [buildahBuild](../samples/build/build_buildah_cr.yaml) +- [buildahBuild](../samples/build/build_buildah_shipwright_managed_push_cr.yaml) - [buildahBuildRun](../samples/buildrun/buildrun_buildah_cr.yaml) -- [buildahClusterBuildStrategy](../samples/v1beta1/buildstrategy/buildah/buildstrategy_buildah_cr.yaml) +- [buildahClusterBuildStrategy](../samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml) We will see some differences between the `TaskRun` definition and the `pod` definition. -For the `TaskRun`, as expected we can see the resources on each `step`, as we previously define on our [strategy](../samples/v1beta1/buildstrategy/buildah/buildstrategy_buildah_cr.yaml). +For the `TaskRun`, as expected we can see the resources on each `step`, as we previously define on our [strategy](../samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml). ```sh $ kubectl -n test-build get tr buildah-golang-buildrun-9gmcx-pod-lhzbc -o json | jq '.spec.taskSpec.steps[] | select(.name == "step-buildah-bud" ) | .resources' 
diff --git a/content/en/docs/build/configuration.md b/content/en/docs/build/configuration.md index c03c8b736..d81558bdd 100644 --- a/content/en/docs/build/configuration.md +++ b/content/en/docs/build/configuration.md @@ -9,7 +9,7 @@ SPDX-License-Identifier: Apache-2.0 --> ## Controller Settings -The controller is installed into Kubernetes with reasonable defaults. However, there are some settings that can be overridden using environment variables in [`controller.yaml`](../deploy/500-controller.yaml). +The controller is installed into Kubernetes with reasonable defaults. However, there are some settings that can be overridden using environment variables in [`controller.yaml`](https://github.com/shipwright-io/build/blob/main/deploy/500-controller.yaml). The following environment variables are available: diff --git a/content/en/docs/build/metrics.md b/content/en/docs/build/metrics.md index 0abc58904..4abf2f641 100644 --- a/content/en/docs/build/metrics.md +++ b/content/en/docs/build/metrics.md @@ -43,7 +43,7 @@ export PROMETHEUS_BR_COMP_DUR_BUCKETS=30,60,90,120,180,240,300,360,420,480 make local ``` -When you deploy the build controller in a Kubernetes cluster, you need to extend the `spec.containers[0].spec.env` section of the sample deployment file, [controller.yaml](../deploy/500-controller.yaml). Add an additional entry: +When you deploy the build controller in a Kubernetes cluster, you need to extend the `spec.containers[0].spec.env` section of the sample deployment file, [controller.yaml](https://github.com/shipwright-io/build/blob/main/deploy/500-controller.yaml). Add an additional entry: ```yaml [...] 
@@ -76,7 +76,7 @@ export PROMETHEUS_ENABLED_LABELS=buildstrategy,namespace,build make local ``` -When you deploy the build controller in a Kubernetes cluster, you need to extend the `spec.containers[0].spec.env` section of the sample deployment file, [controller.yaml](../deploy/controller.yaml). Add an additional entry: +When you deploy the build controller in a Kubernetes cluster, you need to extend the `spec.containers[0].spec.env` section of the sample deployment file, [controller.yaml](https://github.com/shipwright-io/build/blob/main/deploy/500-controller.yaml). Add an additional entry: ```yaml [...] diff --git a/content/en/docs/samples/build/build_buildah_shipwright_managed_push_cr.yaml b/content/en/docs/samples/build/build_buildah_shipwright_managed_push_cr.yaml new file mode 100644 index 000000000..d866e9541 --- /dev/null +++ b/content/en/docs/samples/build/build_buildah_shipwright_managed_push_cr.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: buildah-golang-build +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-go + contextDir: docker-build + strategy: + name: buildah-shipwright-managed-push + kind: ClusterBuildStrategy + paramValues: + - name: dockerfile + value: Dockerfile + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/taxi-app diff --git a/content/en/docs/samples/build/build_buildah_strategy_managed_push_cr.yaml b/content/en/docs/samples/build/build_buildah_strategy_managed_push_cr.yaml new file mode 100644 index 000000000..f74444ada --- /dev/null +++ b/content/en/docs/samples/build/build_buildah_strategy_managed_push_cr.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: buildah-golang-build +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-go + contextDir: docker-build + strategy: + name: buildah-strategy-managed-push + kind: ClusterBuildStrategy + paramValues: + - name: dockerfile + value: Dockerfile + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/taxi-app diff --git a/content/en/docs/samples/build/build_buildkit_cr.yaml b/content/en/docs/samples/build/build_buildkit_cr.yaml new file mode 100644 index 000000000..44117c5aa --- /dev/null +++ b/content/en/docs/samples/build/build_buildkit_cr.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: buildkit-build +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-go + contextDir: docker-build + paramValues: + - name: platforms + values: + - value: linux/amd64 + - value: linux/arm64 + strategy: + name: buildkit + kind: ClusterBuildStrategy + retention: + atBuildDeletion: true + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/taxi-app + diff --git a/content/en/docs/samples/build/build_buildpacks-v3-heroku_cr.yaml b/content/en/docs/samples/build/build_buildpacks-v3-heroku_cr.yaml new file mode 100644 index 000000000..f938e7640 --- /dev/null +++ b/content/en/docs/samples/build/build_buildpacks-v3-heroku_cr.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: buildpack-nodejs-build-heroku +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-nodejs + contextDir: source-build-heroku + strategy: + name: buildpacks-v3-heroku + kind: ClusterBuildStrategy + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/taxi-app 
diff --git a/content/en/docs/samples/build/build_buildpacks-v3-heroku_namespaced_cr.yaml b/content/en/docs/samples/build/build_buildpacks-v3-heroku_namespaced_cr.yaml new file mode 100644 index 000000000..85416b69a --- /dev/null +++ b/content/en/docs/samples/build/build_buildpacks-v3-heroku_namespaced_cr.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: buildpack-nodejs-build-namespaced-heroku +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-nodejs + contextDir: source-build-heroku + strategy: + name: buildpacks-v3-heroku + kind: BuildStrategy + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/taxi-app diff --git a/content/en/docs/samples/build/build_buildpacks-v3_cr.yaml b/content/en/docs/samples/build/build_buildpacks-v3_cr.yaml new file mode 100644 index 000000000..b8f95620a --- /dev/null +++ b/content/en/docs/samples/build/build_buildpacks-v3_cr.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: buildpack-nodejs-build +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-nodejs + contextDir: source-build + strategy: + name: buildpacks-v3 + kind: ClusterBuildStrategy + retention: + atBuildDeletion: false + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/taxi-app diff --git a/content/en/docs/samples/build/build_buildpacks-v3_namespaced_cr.yaml b/content/en/docs/samples/build/build_buildpacks-v3_namespaced_cr.yaml new file mode 100644 index 000000000..b68710fa2 --- /dev/null +++ b/content/en/docs/samples/build/build_buildpacks-v3_namespaced_cr.yaml 
@@ -0,0 +1,16 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: buildpack-nodejs-build-namespaced +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-nodejs + contextDir: source-build + strategy: + name: buildpacks-v3 + kind: BuildStrategy + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/taxi-app diff --git a/content/en/docs/samples/build/build_kaniko-trivy-bad_cr.yaml b/content/en/docs/samples/build/build_kaniko-trivy-bad_cr.yaml new file mode 100644 index 000000000..d56754205 --- /dev/null +++ b/content/en/docs/samples/build/build_kaniko-trivy-bad_cr.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: kaniko-trivy-bad-build +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-scanning + strategy: + name: kaniko-trivy + kind: ClusterBuildStrategy + retention: + atBuildDeletion: true + paramValues: + - name: dockerfile + value: "Dockerfile.bad" + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/bad-trivy diff --git a/content/en/docs/samples/build/build_kaniko-trivy-good_cr.yaml b/content/en/docs/samples/build/build_kaniko-trivy-good_cr.yaml new file mode 100644 index 000000000..b280e364e --- /dev/null +++ b/content/en/docs/samples/build/build_kaniko-trivy-good_cr.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: kaniko-trivy-good-build +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-scanning + strategy: + name: kaniko-trivy + kind: ClusterBuildStrategy + retention: + atBuildDeletion: true + paramValues: + - name: dockerfile + value: "Dockerfile.good" + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/good-trivy 
diff --git a/content/en/docs/samples/build/build_kaniko_cr.yaml b/content/en/docs/samples/build/build_kaniko_cr.yaml new file mode 100644 index 000000000..6746b2a38 --- /dev/null +++ b/content/en/docs/samples/build/build_kaniko_cr.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: kaniko-golang-build +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-go + contextDir: docker-build + strategy: + name: kaniko + kind: ClusterBuildStrategy + retention: + atBuildDeletion: true + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/taxi-app diff --git a/content/en/docs/samples/build/build_ko_cr.yaml b/content/en/docs/samples/build/build_ko_cr.yaml new file mode 100644 index 000000000..037c84c8a --- /dev/null +++ b/content/en/docs/samples/build/build_ko_cr.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: ko-build +spec: + paramValues: + - name: go-flags + value: "-v -mod=vendor -ldflags=-w" + - name: go-version + value: "1.21" + - name: package-directory + value: ./cmd/shipwright-build-controller + source: + type: Git + git: + url: https://github.com/shipwright-io/build + strategy: + name: ko + kind: ClusterBuildStrategy + retention: + atBuildDeletion: false + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/shipwright-build diff --git a/content/en/docs/samples/build/build_source-to-image_cr.yaml b/content/en/docs/samples/build/build_source-to-image_cr.yaml new file mode 100644 index 000000000..de05c3d5f --- /dev/null +++ b/content/en/docs/samples/build/build_source-to-image_cr.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: Build +metadata: + name: s2i-nodejs-build +spec: + source: + type: Git + git: + url: https://github.com/shipwright-io/sample-nodejs + contextDir: source-build/ + strategy: + name: source-to-image + kind: ClusterBuildStrategy + paramValues: + - name: builder-image + value: "docker.io/centos/nodejs-10-centos7" + output: + image: image-registry.openshift-image-registry.svc:5000/build-examples/nodejs-ex diff --git a/content/en/docs/samples/buildrun/buildrun_buildah_cr.yaml b/content/en/docs/samples/buildrun/buildrun_buildah_cr.yaml new file mode 100644 index 000000000..9100e6f0d --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_buildah_cr.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: buildah-golang-buildrun +spec: + build: + name: buildah-golang-build diff --git a/content/en/docs/samples/buildrun/buildrun_buildkit_cr.yaml b/content/en/docs/samples/buildrun/buildrun_buildkit_cr.yaml new file mode 100644 index 000000000..1a551f1c6 --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_buildkit_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: buildkit-buildrun +spec: + build: + name: buildkit-build + serviceAccount: ".generate" diff --git a/content/en/docs/samples/buildrun/buildrun_buildpacks-v3-heroku_cr.yaml b/content/en/docs/samples/buildrun/buildrun_buildpacks-v3-heroku_cr.yaml new file mode 100644 index 000000000..074f6dea5 --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_buildpacks-v3-heroku_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: buildpack-nodejs-buildrun-heroku +spec: + build: + name: buildpack-nodejs-build-heroku + serviceAccount: ".generate" 
diff --git a/content/en/docs/samples/buildrun/buildrun_buildpacks-v3-heroku_namespaced_cr.yaml b/content/en/docs/samples/buildrun/buildrun_buildpacks-v3-heroku_namespaced_cr.yaml new file mode 100644 index 000000000..9eab04226 --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_buildpacks-v3-heroku_namespaced_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: buildpack-nodejs-buildrun-namespaced-heroku +spec: + build: + name: buildpack-nodejs-build-namespaced-heroku + serviceAccount: ".generate" diff --git a/content/en/docs/samples/buildrun/buildrun_buildpacks-v3_cr.yaml b/content/en/docs/samples/buildrun/buildrun_buildpacks-v3_cr.yaml new file mode 100644 index 000000000..66f7babc2 --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_buildpacks-v3_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: buildpack-nodejs-buildrun +spec: + build: + name: buildpack-nodejs-build + serviceAccount: ".generate" diff --git a/content/en/docs/samples/buildrun/buildrun_buildpacks-v3_namespaced_cr.yaml b/content/en/docs/samples/buildrun/buildrun_buildpacks-v3_namespaced_cr.yaml new file mode 100644 index 000000000..14f0902d5 --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_buildpacks-v3_namespaced_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: buildpack-nodejs-buildrun-namespaced +spec: + build: + name: buildpack-nodejs-build-namespaced + serviceAccount: ".generate" diff --git a/content/en/docs/samples/buildrun/buildrun_kaniko-trivy-bad_cr.yaml b/content/en/docs/samples/buildrun/buildrun_kaniko-trivy-bad_cr.yaml new file mode 100644 index 000000000..89cd6a33e --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_kaniko-trivy-bad_cr.yaml 
@@ -0,0 +1,9 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: kaniko-trivy-bad-buildrun +spec: + build: + name: kaniko-trivy-bad-build + serviceAccount: ".generate" diff --git a/content/en/docs/samples/buildrun/buildrun_kaniko-trivy-good_cr.yaml b/content/en/docs/samples/buildrun/buildrun_kaniko-trivy-good_cr.yaml new file mode 100644 index 000000000..08af9ad37 --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_kaniko-trivy-good_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: kaniko-trivy-good-buildrun +spec: + build: + name: kaniko-trivy-good-build + serviceAccount: ".generate" diff --git a/content/en/docs/samples/buildrun/buildrun_kaniko_cr.yaml b/content/en/docs/samples/buildrun/buildrun_kaniko_cr.yaml new file mode 100644 index 000000000..d47411b28 --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_kaniko_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: kaniko-golang-buildrun +spec: + build: + name: kaniko-golang-build + serviceAccount: ".generate" diff --git a/content/en/docs/samples/buildrun/buildrun_ko_cr.yaml b/content/en/docs/samples/buildrun/buildrun_ko_cr.yaml new file mode 100644 index 000000000..eab0b15f9 --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_ko_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: ko-buildrun +spec: + build: + name: ko-build + serviceAccount: ".generate" diff --git a/content/en/docs/samples/buildrun/buildrun_source-to-image_cr.yaml b/content/en/docs/samples/buildrun/buildrun_source-to-image_cr.yaml new file mode 100644 index 000000000..768ba6a60 --- /dev/null +++ b/content/en/docs/samples/buildrun/buildrun_source-to-image_cr.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildRun +metadata: + name: s2i-nodejs-buildrun +spec: + build: + name: s2i-nodejs-build 
diff --git a/content/en/docs/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml b/content/en/docs/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml new file mode 100644 index 000000000..b361e13a5 --- /dev/null +++ b/content/en/docs/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml 
@@ -0,0 +1,208 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: buildah-shipwright-managed-push +spec: + steps: + - name: build + image: quay.io/containers/buildah:v1.34.0 + workingDir: $(params.shp-source-root) + securityContext: + privileged: true + command: + - /bin/bash + args: + - -c + - | + set -euo pipefail + + # Parse parameters + context= + dockerfile= + image= + target= + buildArgs=() + inBuildArgs=false + registriesBlock="" + inRegistriesBlock=false + registriesInsecure="" + inRegistriesInsecure=false + registriesSearch="" + inRegistriesSearch=false + while [[ $# -gt 0 ]]; do + arg="$1" + shift + + if [ "${arg}" == "--context" ]; then + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + context="$1" + shift + elif [ "${arg}" == "--dockerfile" ]; then + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + dockerfile="$1" + shift + elif [ "${arg}" == "--image" ]; then + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + image="$1" + shift + elif [ "${arg}" == "--target" ]; then + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + target="$1" + shift + elif [ "${arg}" == "--build-args" ]; then + inBuildArgs=true + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + elif [ "${arg}" == "--registries-block" ]; then + inRegistriesBlock=true + inBuildArgs=false + inRegistriesInsecure=false + inRegistriesSearch=false + elif [ "${arg}" == "--registries-insecure" ]; then + inRegistriesInsecure=true + inBuildArgs=false + inRegistriesBlock=false + inRegistriesSearch=false + elif [ "${arg}" == "--registries-search" ]; then + inRegistriesSearch=true + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + elif [ "${inBuildArgs}" == "true" ]; then + buildArgs+=("--build-arg" 
"${arg}") + elif [ "${inRegistriesBlock}" == "true" ]; then + registriesBlock="${registriesBlock}'${arg}', " + elif [ "${inRegistriesInsecure}" == "true" ]; then + registriesInsecure="${registriesInsecure}'${arg}', " + elif [ "${inRegistriesSearch}" == "true" ]; then + registriesSearch="${registriesSearch}'${arg}', " + else + echo "Invalid usage" + exit 1 + fi + done + + # Verify the existence of the context directory + if [ ! -d "${context}" ]; then + echo -e "The context directory '${context}' does not exist." + echo -n "ContextDirNotFound" > '$(results.shp-error-reason.path)' + echo -n "The context directory '${context}' does not exist." > '$(results.shp-error-message.path)' + exit 1 + fi + cd "${context}" + + # Verify the existence of the Dockerfile + if [ ! -f "${dockerfile}" ]; then + echo -e "The Dockerfile '${dockerfile}' does not exist." + echo -n "DockerfileNotFound" > '$(results.shp-error-reason.path)' + echo -n "The Dockerfile '${dockerfile}' does not exist." > '$(results.shp-error-message.path)' + exit 1 + fi + + echo "[INFO] Creating registries config file..." + if [ "${registriesSearch}" != "" ]; then + cat <>/tmp/registries.conf + [registries.search] + registries = [${registriesSearch::-2}] + + EOF + fi + if [ "${registriesInsecure}" != "" ]; then + cat <>/tmp/registries.conf + [registries.insecure] + registries = [${registriesInsecure::-2}] + + EOF + fi + if [ "${registriesBlock}" != "" ]; then + cat <>/tmp/registries.conf + [registries.block] + registries = [${registriesBlock::-2}] + + EOF + fi + + # Building the image + echo "[INFO] Building image ${image}" + buildah --storage-driver=$(params.storage-driver) \ + bud "${buildArgs[@]}" \ + --registries-conf=/tmp/registries.conf \ + --tag="${image}" \ + --file="${dockerfile}" \ + . 
+ + # Write the image + echo "[INFO] Writing image ${image}" + buildah --storage-driver=$(params.storage-driver) push \ + "${image}" \ + "oci:${target}" + # That's the separator between the shell script and its args + - -- + - --context + - $(params.shp-source-context) + - --dockerfile + - $(params.dockerfile) + - --image + - $(params.shp-output-image) + - --build-args + - $(params.build-args[*]) + - --registries-block + - $(params.registries-block[*]) + - --registries-insecure + - $(params.registries-insecure[*]) + - --registries-search + - $(params.registries-search[*]) + - --target + - $(params.shp-output-directory) + resources: + limits: + cpu: "1" + memory: 2Gi + requests: + cpu: 250m + memory: 65Mi + parameters: + - name: build-args + description: "The values for the args in the Dockerfile. Values must be in the format KEY=VALUE." + type: array + defaults: [] + - name: registries-block + description: The registries that need to block pull access. + type: array + defaults: [] + - name: registries-insecure + description: The fully-qualified name of insecure registries. An insecure registry is one that does not have a valid SSL certificate or only supports HTTP. + type: array + defaults: [] + - name: registries-search + description: The registries for searching short name images such as `golang:latest`. + type: array + defaults: + - docker.io + - quay.io + - name: dockerfile + description: The path to the Dockerfile to be used for building the image. + type: string + default: "Dockerfile" + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'." + type: string + default: "vfs" + # For details see the "--storage-driver" section of https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options + securityContext: + runAsUser: 0 + runAsGroup: 0 
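Review bot: the `build` step in `buildstrategy_buildah_shipwright_managed_push_cr.yaml` runs with `securityContext.privileged: true`, whereas the sibling strategy-managed-push strategy in this same patch gets by with `capabilities.add: ["SETFCAP"]`; either reduce this step to the same capability set or add a comment stating why the `oci:${target}` output path needs a fully privileged container, because docs samples get copied as-is. Separately, the registry lists are built by string concatenation (`registriesBlock="${registriesBlock}'${arg}', "`) and written into `/tmp/registries.conf` without validation, so an entry containing a quote or newline yields a malformed or altered TOML file rather than a clean failure; rejecting entries that do not match a registry-host pattern before concatenation would keep the generated config well-formed. Finally, the heredoc lines render here as `cat <>/tmp/registries.conf`, which is not valid shell; please confirm the committed file carries the `<<EOF >>/tmp/registries.conf` form.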
diff --git a/content/en/docs/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml b/content/en/docs/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml new file mode 100644 index 000000000..44d9b965d --- /dev/null +++ b/content/en/docs/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml 
@@ -0,0 +1,208 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: buildah-strategy-managed-push +spec: + steps: + - name: build-and-push + image: quay.io/containers/buildah:v1.34.0 + workingDir: $(params.shp-source-root) + securityContext: + capabilities: + add: + - "SETFCAP" + command: + - /bin/bash + args: + - -c + - | + set -euo pipefail + + # Parse parameters + context= + dockerfile= + image= + buildArgs=() + inBuildArgs=false + registriesBlock="" + inRegistriesBlock=false + registriesInsecure="" + inRegistriesInsecure=false + registriesSearch="" + inRegistriesSearch=false + tlsVerify=true + while [[ $# -gt 0 ]]; do + arg="$1" + shift + + if [ "${arg}" == "--context" ]; then + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + context="$1" + shift + elif [ "${arg}" == "--dockerfile" ]; then + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + dockerfile="$1" + shift + elif [ "${arg}" == "--image" ]; then + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + image="$1" + shift + elif [ "${arg}" == "--build-args" ]; then + inBuildArgs=true + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + elif [ "${arg}" == "--registries-block" ]; then + inRegistriesBlock=true + inBuildArgs=false + inRegistriesInsecure=false + inRegistriesSearch=false + elif [ "${arg}" == "--registries-insecure" ]; then + inRegistriesInsecure=true + inBuildArgs=false + inRegistriesBlock=false + inRegistriesSearch=false + elif [ "${arg}" == "--registries-search" ]; then + inRegistriesSearch=true + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + elif [ "${inBuildArgs}" == "true" ]; then + buildArgs+=("--build-arg" "${arg}") + elif [ "${inRegistriesBlock}" == "true" ]; then + registriesBlock="${registriesBlock}'${arg}', " + elif [ 
"${inRegistriesInsecure}" == "true" ]; then + registriesInsecure="${registriesInsecure}'${arg}', " + + # This assumes that the image is passed before the insecure registries which is fair in this context + if [[ ${image} == ${arg}/* ]]; then + tlsVerify=false + fi + elif [ "${inRegistriesSearch}" == "true" ]; then + registriesSearch="${registriesSearch}'${arg}', " + else + echo "Invalid usage" + exit 1 + fi + done + + # Verify the existence of the context directory + if [ ! -d "${context}" ]; then + echo -e "The context directory '${context}' does not exist." + echo -n "ContextDirNotFound" > '$(results.shp-error-reason.path)' + echo -n "The context directory '${context}' does not exist." > '$(results.shp-error-message.path)' + exit 1 + fi + cd "${context}" + + # Verify the existence of the Dockerfile + if [ ! -f "${dockerfile}" ]; then + echo -e "The Dockerfile '${dockerfile}' does not exist." + echo -n "DockerfileNotFound" > '$(results.shp-error-reason.path)' + echo -n "The Dockerfile '${dockerfile}' does not exist." > '$(results.shp-error-message.path)' + exit 1 + fi + + echo "[INFO] Creating registries config file..." + if [ "${registriesSearch}" != "" ]; then + cat <>/tmp/registries.conf + [registries.search] + registries = [${registriesSearch::-2}] + + EOF + fi + if [ "${registriesInsecure}" != "" ]; then + cat <>/tmp/registries.conf + [registries.insecure] + registries = [${registriesInsecure::-2}] + + EOF + fi + if [ "${registriesBlock}" != "" ]; then + cat <>/tmp/registries.conf + [registries.block] + registries = [${registriesBlock::-2}] + + EOF + fi + + # Building the image + echo "[INFO] Building image ${image}" + buildah --storage-driver=$(params.storage-driver) \ + bud "${buildArgs[@]}" \ + --registries-conf=/tmp/registries.conf \ + --tag="${image}" \ + --file="${dockerfile}" \ + . 
+ + # Push the image + echo "[INFO] Pushing image ${image}" + buildah --storage-driver=$(params.storage-driver) push \ + --digestfile='$(results.shp-image-digest.path)' \ + --tls-verify="${tlsVerify}" \ + "${image}" \ + "docker://${image}" + # That's the separator between the shell script and its args + - -- + - --context + - $(params.shp-source-context) + - --dockerfile + - $(params.dockerfile) + - --image + - $(params.shp-output-image) + - --build-args + - $(params.build-args[*]) + - --registries-block + - $(params.registries-block[*]) + - --registries-insecure + - $(params.registries-insecure[*]) + - --registries-search + - $(params.registries-search[*]) + resources: + limits: + cpu: "1" + memory: 2Gi + requests: + cpu: 250m + memory: 65Mi + parameters: + - name: build-args + description: "The values for the args in the Dockerfile. Values must be in the format KEY=VALUE." + type: array + defaults: [] + - name: registries-block + description: The registries that need to block pull access. + type: array + defaults: [] + - name: registries-insecure + description: The fully-qualified name of insecure registries. An insecure registry is one that does not have a valid SSL certificate or only supports HTTP. + type: array + defaults: [] + - name: registries-search + description: The registries for searching short name images such as `golang:latest`. + type: array + defaults: + - docker.io + - quay.io + - name: dockerfile + description: The path to the Dockerfile to be used for building the image. + type: string + default: "Dockerfile" + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'" + type: string + default: "vfs" + # For details see the "--storage-driver" section of https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options + securityContext: + runAsUser: 0 + runAsGroup: 0 
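Review bot: the insecure-registry detection in `buildstrategy_buildah_strategy_managed_push_cr.yaml` (`if [[ ${image} == ${arg}/* ]]; then tlsVerify=false`) only works because `--image` precedes `--registries-insecure` in the step's `args` list, as the inline comment admits; a reordering of that list would silently leave `tlsVerify=true` for an insecure registry. Move the comparison after the `while` loop and iterate over the collected insecure registries so the result does not depend on argument order. The pattern `${arg}/*` is also unquoted, so glob characters inside a registry entry are interpreted; `"${arg}"/*` keeps only the trailing `*` as a wildcard. Since the match switches the push to `--tls-verify=false`, the `registries-insecure` parameter description should state that the output image is then pushed without certificate verification, so users understand what listing their output registry there implies.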
diff --git a/content/en/docs/samples/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml b/content/en/docs/samples/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml new file mode 100644 index 000000000..2469cf3e8 --- /dev/null +++ b/content/en/docs/samples/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml 
@@ -0,0 +1,174 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: buildkit + annotations: + # See https://github.com/moby/buildkit/blob/master/docs/rootless.md#about---oci-worker-no-process-sandbox for more information + container.apparmor.security.beta.kubernetes.io/step-build-and-push: unconfined + # The usage of seccomp annotation will be deprecate in k8s v1.22.0, see + # https://kubernetes.io/docs/tutorials/clusters/seccomp/#create-a-pod-with-a-seccomp-profile-for-syscall-auditing for more information + container.seccomp.security.alpha.kubernetes.io/step-build-and-push: unconfined +spec: + parameters: + - name: build-args + description: "The values for the ARGs in the Dockerfile. Values must be in the format KEY=VALUE." + type: array + defaults: [] + - name: cache + description: "Configure BuildKit's cache usage. Allowed values are 'disabled' and 'registry'. The default is 'registry'." + type: string + default: registry + - name: platforms + description: "Build the image for different platforms. By default, the image is built for the platform used by the FROM image. If that is present for multiple platforms, then it is built for the environment's platform." + type: array + defaults: [] + - name: secrets + description: "The secrets to pass to the build. Values must be in the format ID=FILE_CONTENT." + type: array + defaults: [] + - name: dockerfile + description: The path to the Dockerfile to be used for building the image. 
+ type: string + default: "Dockerfile" + steps: + - name: build-and-push + image: moby/buildkit:nightly-rootless + imagePullPolicy: Always + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SETGID + - SETUID + workingDir: $(params.shp-source-root) + env: + - name: DOCKER_CONFIG + value: /tekton/home/.docker + - name: HOME + value: /tekton/home + # See https://github.com/moby/buildkit/blob/master/docs/rootless.md#about---oci-worker-no-process-sandbox for more information + - name: BUILDKITD_FLAGS + value: --oci-worker-no-process-sandbox + - name: PARAM_SOURCE_CONTEXT + value: $(params.shp-source-context) + - name: PARAM_DOCKERFILE + value: $(params.dockerfile) + - name: PARAM_OUTPUT_DIRECTORY + value: $(params.shp-output-directory) + - name: PARAM_OUTPUT_IMAGE + value: $(params.shp-output-image) + - name: PARAM_OUTPUT_INSECURE + value: $(params.shp-output-insecure) + - name: PARAM_CACHE + value: $(params.cache) + command: + - /bin/ash + args: + - -c + - | + set -euo pipefail + + # Verify the existence of the context directory + if [ ! -d "${PARAM_SOURCE_CONTEXT}" ]; then + echo -e "The context directory '${PARAM_SOURCE_CONTEXT}' does not exist." + echo -n "ContextDirNotFound" > '$(results.shp-error-reason.path)' + echo -n "The context directory '${PARAM_SOURCE_CONTEXT}' does not exist." > '$(results.shp-error-message.path)' + exit 1 + fi + + # Prepare the file arguments + DOCKERFILE_PATH="${PARAM_SOURCE_CONTEXT}/${PARAM_DOCKERFILE}" + DOCKERFILE_DIR="$(dirname "${DOCKERFILE_PATH}")" + DOCKERFILE_NAME="$(basename "${DOCKERFILE_PATH}")" + + # Verify the existence of the Dockerfile + if [ ! -f "${DOCKERFILE_PATH}" ]; then + echo -e "The Dockerfile '${DOCKERFILE_PATH}' does not exist." + echo -n "DockerfileNotFound" > '$(results.shp-error-reason.path)' + echo -n "The Dockerfile '${DOCKERFILE_PATH}' does not exist." 
> '$(results.shp-error-message.path)' + exit 1 + fi + + # We only have ash here and therefore no bash arrays to help add dynamic arguments (the build-args) to the build command. + + echo "#!/bin/ash" > /tmp/run.sh + echo "set -euo pipefail" >> /tmp/run.sh + echo "buildctl-daemonless.sh \\" >> /tmp/run.sh + echo "build \\" >> /tmp/run.sh + echo "--frontend=dockerfile.v0 \\" >> /tmp/run.sh + echo "--opt=filename=\"${DOCKERFILE_NAME}\" \\" >> /tmp/run.sh + echo "--local=context=\"${PARAM_SOURCE_CONTEXT}\" \\" >> /tmp/run.sh + echo "--local=dockerfile=\"${DOCKERFILE_DIR}\" \\" >> /tmp/run.sh + echo "--output=type=oci,tar=false,dest=\"${PARAM_OUTPUT_DIRECTORY}\" \\" >> /tmp/run.sh + if [ "${PARAM_CACHE}" == "registry" ]; then + echo "--export-cache=type=inline \\" >> /tmp/run.sh + echo "--import-cache=type=registry,ref=\"${PARAM_OUTPUT_IMAGE}\",registry.insecure=\"${PARAM_OUTPUT_INSECURE}\" \\" >> /tmp/run.sh + elif [ "${PARAM_CACHE}" == "disabled" ]; then + echo "--no-cache \\" >> /tmp/run.sh + else + echo -e "An invalid value for the parameter 'cache' has been provided: '${PARAM_CACHE}'. Allowed values are 'disabled' and 'registry'." + echo -n "InvalidParameterValue" > '$(results.shp-error-reason.path)' + echo -n "An invalid value for the parameter 'cache' has been provided: '${PARAM_CACHE}'. Allowed values are 'disabled' and 'registry'." 
> '$(results.shp-error-message.path)' + exit 1 + fi + + stage="" + platforms="" + for a in "$@" + do + if [ "${a}" == "--build-args" ]; then + stage=build-args + elif [ "${a}" == "--platforms" ]; then + stage=platforms + elif [ "${a}" == "--secrets" ]; then + stage=secrets + elif [ "${stage}" == "build-args" ]; then + echo "--opt=\"build-arg:${a}\" \\" >> /tmp/run.sh + elif [ "${stage}" == "platforms" ]; then + if [ "${platforms}" == "" ]; then + platforms="${a}" + else + platforms="${platforms},${a}" + fi + elif [ "${stage}" == "secrets" ]; then + # Split ID=FILE_CONTENT into variables id and data + + # using head because the data could be multiline + id="$(echo "${a}" | head -1 | sed 's/=.*//')" + + # This is hacky, we remove the suffix ${id}= from all lines of the data. + # If the data would be multiple lines and a line would start with ${id}= + # then we would remove it. We could force users to give us the secret + # base64 encoded. But ultimately, the best solution might be if the user + # mounts the secret and just gives us the path here. + data="$(echo "${a}" | sed "s/^${id}=//")" + + # Write the secret data into a temporary file, once we have volume support + # in the build strategy, we should use a memory based emptyDir for this. + echo -n "${data}" > "/tmp/secret_${id}" + + # Add the secret argument + echo "--secret id=${id},src="/tmp/secret_${id}" \\" >> /tmp/run.sh + fi + done + + if [ "${platforms}" != "" ]; then + echo "--opt=\"platform=${platforms}\" \\" >> /tmp/run.sh + fi + + echo "--progress=plain" >> /tmp/run.sh + + chmod +x /tmp/run.sh + /tmp/run.sh + # That's the separator between the shell script and its args + - -- + - --build-args + - $(params.build-args[*]) + - --platforms + - $(params.platforms[*]) + - --secrets + - $(params.secrets[*]) + securityContext: + runAsUser: 1000 + runAsGroup: 1000 
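Review bot: in `buildstrategy_buildkit_cr.yaml` the build-arg and secret values are expanded into `/tmp/run.sh` at generation time (`echo "--opt=\"build-arg:${a}\" \\" >> /tmp/run.sh` and `echo "--secret id=${id},src="/tmp/secret_${id}" \\" >> /tmp/run.sh`) and the generated script is then executed, so a value containing `"`, `$` or backticks is re-parsed by `ash` instead of reaching `buildctl` literally, which is at odds with the blog post's statement that all sample strategies reference parameters securely. Since the comment says the generated file exists only because `ash` lacks arrays, the idiomatic POSIX replacement is to accumulate the dynamic arguments with `set -- "$@" "--opt=build-arg:${a}"` and invoke `buildctl-daemonless.sh build ... "$@"` directly, which removes both the re-parsing and the awkward nested quotes in the `--secret` line. The secret `id` should also be validated against `[A-Za-z0-9_-]+` before it is used to form the `/tmp/secret_${id}` path. Two smaller points: `moby/buildkit:nightly-rootless` with `imagePullPolicy: Always` means the sample pulls an unpinned nightly build on every run, so pin a released tag or digest; and the annotation comment reads "will be deprecate", which should be "deprecated".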
diff --git a/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_cr.yaml b/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_cr.yaml new file mode 100644 index 000000000..c0c39cb50 --- /dev/null +++ b/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_cr.yaml 
@@ -0,0 +1,110 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: buildpacks-v3-heroku +spec: + volumes: + - name: platform-env + emptyDir: {} + parameters: + - name: operating-system + description: The target operating system for the buildpacks build. + default: "linux" + - name: system-architecture + description: The target system architecture for the buildpacks build. + default: "x86_64" + - name: platform-api-version + description: The referenced version is the minimum version that all relevant buildpack implementations support. + default: "0.12" + steps: + - name: build-and-push + image: heroku/builder:22 + env: + - name: CNB_TARGET_OS + value: $(params.operating-system) + - name: CNB_TARGET_ARCH + value: $(params.system-architecture) + - name: CNB_PLATFORM_API + value: $(params.platform-api-version) + - name: PARAM_SOURCE_CONTEXT + value: $(params.shp-source-context) + - name: PARAM_OUTPUT_IMAGE + value: $(params.shp-output-image) + command: + - /bin/bash + args: + - -c + - | + set -euo pipefail + + echo "> Processing environment variables..." + ENV_DIR="/platform/env" + + envs=($(env)) + + # Denying the creation of non required files from system environments. 
+ # The creation of a file named PATH (corresponding to PATH system environment) + # caused failure for python source during pip install (https://github.com/Azure-Samples/python-docs-hello-world) + block_list=("PATH" "HOSTNAME" "PWD" "_" "SHLVL" "HOME" "") + + for env in "${envs[@]}"; do + blocked=false + + IFS='=' read -r key value string <<< "$env" + + for str in "${block_list[@]}"; do + if [[ "$key" == "$str" ]]; then + blocked=true + break + fi + done + + if [ "$blocked" == "false" ]; then + path="${ENV_DIR}/${key}" + echo -n "$value" > "$path" + fi + done + + LAYERS_DIR=/tmp/.shp/layers + CACHE_DIR=/tmp/.shp/cache + + mkdir -p "$CACHE_DIR" "$LAYERS_DIR" + + function announce_phase { + printf "===> %s\n" "$1" + } + + announce_phase "ANALYZING" + /cnb/lifecycle/analyzer -layers="$LAYERS_DIR" "${PARAM_OUTPUT_IMAGE}" + + announce_phase "DETECTING" + /cnb/lifecycle/detector -app="${PARAM_SOURCE_CONTEXT}" -layers="$LAYERS_DIR" + + announce_phase "RESTORING" + /cnb/lifecycle/restorer -cache-dir="$CACHE_DIR" -layers="$LAYERS_DIR" + + announce_phase "BUILDING" + /cnb/lifecycle/builder -app="${PARAM_SOURCE_CONTEXT}" -layers="$LAYERS_DIR" + + exporter_args=( -layers="$LAYERS_DIR" -report=/tmp/report.toml -cache-dir="$CACHE_DIR" -app="${PARAM_SOURCE_CONTEXT}") + grep -q "buildpack-default-process-type" "$LAYERS_DIR/config/metadata.toml" || exporter_args+=( -process-type web ) + + announce_phase "EXPORTING" + /cnb/lifecycle/exporter "${exporter_args[@]}" "${PARAM_OUTPUT_IMAGE}" + + # Store the image digest + grep digest /tmp/report.toml | tail -n 1 | tr -d ' \"\n' | sed s/digest=// > "$(results.shp-image-digest.path)" + volumeMounts: + - mountPath: /platform/env + name: platform-env + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 65Mi + securityContext: + runAsUser: 1000 + runAsGroup: 1000 
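Review bot: the environment-processing loop in `buildstrategy_buildpacks-v3-heroku_cr.yaml` relies on `envs=($(env))`, which word-splits on whitespace, so a variable whose value contains a space or newline is broken into several bogus entries, and `IFS='=' read -r key value string` then drops everything in a value after its second `=`. Iterate over `env -0` with `while IFS= read -r -d '' kv` and split on the first `=` only (`key=${kv%%=*}; value=${kv#*=}`) to preserve values intact. From a least-privilege standpoint the deny-list approach also means every other variable in the step's environment, including the `PARAM_*` values and anything injected into the step such as credentials, is written as a file under `/platform/env` where every buildpack can read it; an allow-list of what the buildpacks actually need would be the safer default. The same loop is duplicated verbatim in the `buildpacks-v3` strategy and in both namespaced `BuildStrategy` variants further down in this patch, so whatever fix lands here should be applied to all four files.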
diff --git a/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_namespaced_cr.yaml b/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_namespaced_cr.yaml new file mode 100644 index 000000000..249c071fa --- /dev/null +++ b/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3-heroku_namespaced_cr.yaml 
@@ -0,0 +1,110 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildStrategy +metadata: + name: buildpacks-v3-heroku +spec: + volumes: + - name: platform-env + emptyDir: {} + parameters: + - name: operating-system + description: The target operating system for the buildpacks build. + default: "linux" + - name: system-architecture + description: The target system architecture for the buildpacks build. + default: "x86_64" + - name: platform-api-version + description: The referenced version is the minimum version that all relevant buildpack implementations support. + default: "0.12" + steps: + - name: build-and-push + image: heroku/builder:22 + env: + - name: CNB_TARGET_OS + value: $(params.operating-system) + - name: CNB_TARGET_ARCH + value: $(params.system-architecture) + - name: CNB_PLATFORM_API + value: $(params.platform-api-version) + - name: PARAM_SOURCE_CONTEXT + value: $(params.shp-source-context) + - name: PARAM_OUTPUT_IMAGE + value: $(params.shp-output-image) + command: + - /bin/bash + args: + - -c + - | + set -euo pipefail + + echo "> Processing environment variables..." + ENV_DIR="/platform/env" + + envs=($(env)) + + # Denying the creation of non required files from system environments. 
+ # The creation of a file named PATH (corresponding to PATH system environment) + # caused failure for python source during pip install (https://github.com/Azure-Samples/python-docs-hello-world) + block_list=("PATH" "HOSTNAME" "PWD" "_" "SHLVL" "HOME" "") + + for env in "${envs[@]}"; do + blocked=false + + IFS='=' read -r key value string <<< "$env" + + for str in "${block_list[@]}"; do + if [[ "$key" == "$str" ]]; then + blocked=true + break + fi + done + + if [ "$blocked" == "false" ]; then + path="${ENV_DIR}/${key}" + echo -n "$value" > "$path" + fi + done + + LAYERS_DIR=/tmp/.shp/layers + CACHE_DIR=/tmp/.shp/cache + + mkdir -p "$CACHE_DIR" "$LAYERS_DIR" + + function announce_phase { + printf "===> %s\n" "$1" + } + + announce_phase "ANALYZING" + /cnb/lifecycle/analyzer -layers="$LAYERS_DIR" "${PARAM_OUTPUT_IMAGE}" + + announce_phase "DETECTING" + /cnb/lifecycle/detector -app="${PARAM_SOURCE_CONTEXT}" -layers="$LAYERS_DIR" + + announce_phase "RESTORING" + /cnb/lifecycle/restorer -cache-dir="$CACHE_DIR" -layers="$LAYERS_DIR" + + announce_phase "BUILDING" + /cnb/lifecycle/builder -app="${PARAM_SOURCE_CONTEXT}" -layers="$LAYERS_DIR" + + exporter_args=( -layers="$LAYERS_DIR" -report=/tmp/report.toml -cache-dir="$CACHE_DIR" -app="${PARAM_SOURCE_CONTEXT}") + grep -q "buildpack-default-process-type" "$LAYERS_DIR/config/metadata.toml" || exporter_args+=( -process-type web ) + + announce_phase "EXPORTING" + /cnb/lifecycle/exporter "${exporter_args[@]}" "${PARAM_OUTPUT_IMAGE}" + + # Store the image digest + grep digest /tmp/report.toml | tail -n 1 | tr -d ' \"\n' | sed s/digest=// > "$(results.shp-image-digest.path)" + volumeMounts: + - mountPath: /platform/env + name: platform-env + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 65Mi + securityContext: + runAsUser: 1000 + runAsGroup: 1000 
diff --git a/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml b/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml new file mode 100644 index 000000000..d6d9fd664 --- /dev/null +++ b/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml 
@@ -0,0 +1,100 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: buildpacks-v3 +spec: + volumes: + - name: platform-env + emptyDir: {} + parameters: + - name: platform-api-version + description: The referenced version is the minimum version that all relevant buildpack implementations support. + default: "0.12" + steps: + - name: build-and-push + image: docker.io/paketobuildpacks/builder-jammy-full:latest + env: + - name: CNB_PLATFORM_API + value: $(params.platform-api-version) + - name: PARAM_SOURCE_CONTEXT + value: $(params.shp-source-context) + - name: PARAM_OUTPUT_IMAGE + value: $(params.shp-output-image) + command: + - /bin/bash + args: + - -c + - | + set -euo pipefail + + echo "> Processing environment variables..." + ENV_DIR="/platform/env" + + envs=($(env)) + + # Denying the creation of non required files from system environments. + # The creation of a file named PATH (corresponding to PATH system environment) + # caused failure for python source during pip install (https://github.com/Azure-Samples/python-docs-hello-world) + block_list=("PATH" "HOSTNAME" "PWD" "_" "SHLVL" "HOME" "") + + for env in "${envs[@]}"; do + blocked=false + + IFS='=' read -r key value string <<< "$env" + + for str in "${block_list[@]}"; do + if [[ "$key" == "$str" ]]; then + blocked=true + break + fi + done + + if [ "$blocked" == "false" ]; then + path="${ENV_DIR}/${key}" + echo -n "$value" > "$path" + fi + done + + LAYERS_DIR=/tmp/.shp/layers + CACHE_DIR=/tmp/.shp/cache + + mkdir -p "$CACHE_DIR" "$LAYERS_DIR" + + function announce_phase { + printf "===> %s\n" "$1" + } + + announce_phase "ANALYZING" + /cnb/lifecycle/analyzer -layers="$LAYERS_DIR" "${PARAM_OUTPUT_IMAGE}" + + announce_phase "DETECTING" + /cnb/lifecycle/detector -app="${PARAM_SOURCE_CONTEXT}" -layers="$LAYERS_DIR" + + announce_phase "RESTORING" + /cnb/lifecycle/restorer -cache-dir="$CACHE_DIR" -layers="$LAYERS_DIR" + + announce_phase "BUILDING" + /cnb/lifecycle/builder 
-app="${PARAM_SOURCE_CONTEXT}" -layers="$LAYERS_DIR" + + exporter_args=( -layers="$LAYERS_DIR" -report=/tmp/report.toml -cache-dir="$CACHE_DIR" -app="${PARAM_SOURCE_CONTEXT}") + grep -q "buildpack-default-process-type" "$LAYERS_DIR/config/metadata.toml" || exporter_args+=( -process-type web ) + + announce_phase "EXPORTING" + /cnb/lifecycle/exporter "${exporter_args[@]}" "${PARAM_OUTPUT_IMAGE}" + + # Store the image digest + grep digest /tmp/report.toml | tail -n 1 | tr -d ' \"\n' | sed s/digest=// > "$(results.shp-image-digest.path)" + volumeMounts: + - mountPath: /platform/env + name: platform-env + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 65Mi + securityContext: + runAsUser: 1001 + runAsGroup: 1000 diff --git a/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_namespaced_cr.yaml b/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_namespaced_cr.yaml new file mode 100644 index 000000000..2374f8a13 --- /dev/null +++ b/content/en/docs/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_namespaced_cr.yaml 
@@ -0,0 +1,100 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: BuildStrategy +metadata: + name: buildpacks-v3 +spec: + volumes: + - name: platform-env + emptyDir: {} + parameters: + - name: platform-api-version + description: The referenced version is the minimum version that all relevant buildpack implementations support. + default: "0.12" + steps: + - name: build-and-push + image: docker.io/paketobuildpacks/builder-jammy-full:latest + env: + - name: CNB_PLATFORM_API + value: $(params.platform-api-version) + - name: PARAM_SOURCE_CONTEXT + value: $(params.shp-source-context) + - name: PARAM_OUTPUT_IMAGE + value: $(params.shp-output-image) + command: + - /bin/bash + args: + - -c + - | + set -euo pipefail + + echo "> Processing environment variables..." + ENV_DIR="/platform/env" + + envs=($(env)) + + # Denying the creation of non required files from system environments. + # The creation of a file named PATH (corresponding to PATH system environment) + # caused failure for python source during pip install (https://github.com/Azure-Samples/python-docs-hello-world) + block_list=("PATH" "HOSTNAME" "PWD" "_" "SHLVL" "HOME" "") + + for env in "${envs[@]}"; do + blocked=false + + IFS='=' read -r key value string <<< "$env" + + for str in "${block_list[@]}"; do + if [[ "$key" == "$str" ]]; then + blocked=true + break + fi + done + + if [ "$blocked" == "false" ]; then + path="${ENV_DIR}/${key}" + echo -n "$value" > "$path" + fi + done + + LAYERS_DIR=/tmp/.shp/layers + CACHE_DIR=/tmp/.shp/cache + + mkdir -p "$CACHE_DIR" "$LAYERS_DIR" + + function announce_phase { + printf "===> %s\n" "$1" + } + + announce_phase "ANALYZING" + /cnb/lifecycle/analyzer -layers="$LAYERS_DIR" "${PARAM_OUTPUT_IMAGE}" + + announce_phase "DETECTING" + /cnb/lifecycle/detector -app="${PARAM_SOURCE_CONTEXT}" -layers="$LAYERS_DIR" + + announce_phase "RESTORING" + /cnb/lifecycle/restorer -cache-dir="$CACHE_DIR" -layers="$LAYERS_DIR" + + announce_phase "BUILDING" + /cnb/lifecycle/builder 
-app="${PARAM_SOURCE_CONTEXT}" -layers="$LAYERS_DIR" + + exporter_args=( -layers="$LAYERS_DIR" -report=/tmp/report.toml -cache-dir="$CACHE_DIR" -app="${PARAM_SOURCE_CONTEXT}") + grep -q "buildpack-default-process-type" "$LAYERS_DIR/config/metadata.toml" || exporter_args+=( -process-type web ) + + announce_phase "EXPORTING" + /cnb/lifecycle/exporter "${exporter_args[@]}" "${PARAM_OUTPUT_IMAGE}" + + # Store the image digest + grep digest /tmp/report.toml | tail -n 1 | tr -d ' \"\n' | sed s/digest=// > "$(results.shp-image-digest.path)" + volumeMounts: + - mountPath: /platform/env + name: platform-env + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 65Mi + securityContext: + runAsUser: 1001 + runAsGroup: 1000 diff --git a/content/en/docs/samples/buildstrategy/kaniko/buildstrategy_kaniko-trivy_cr.yaml b/content/en/docs/samples/buildstrategy/kaniko/buildstrategy_kaniko-trivy_cr.yaml new file mode 100644 index 000000000..7071758a9 --- /dev/null +++ b/content/en/docs/samples/buildstrategy/kaniko/buildstrategy_kaniko-trivy_cr.yaml 
@@ -0,0 +1,87 @@ +# This Build Strategy will intentionally fail if the image has any +# critical CVEs. It will not be pushed into the destination registry +# if any critical vulnerabilities are found. +--- +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: kaniko-trivy +spec: + volumes: + - name: layout + emptyDir: {} + - name: tar + emptyDir: {} + steps: + - name: kaniko-build + image: gcr.io/kaniko-project/executor:v1.21.1 + workingDir: $(params.shp-source-root) + securityContext: + capabilities: + add: + - CHOWN + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + - SETFCAP + - KILL + env: + - name: HOME + value: /tekton/home + - name: AWS_ACCESS_KEY_ID + value: NOT_SET + - name: AWS_SECRET_KEY + value: NOT_SET + command: + - /kaniko/executor + args: + - --dockerfile + - $(params.dockerfile) + - --context + - $(params.shp-source-context) + - --destination + - $(params.shp-output-image) + - --snapshot-mode + - redo + - --no-push + - --tar-path + - $(params.shp-output-directory)/image.tar + # https://github.com/GoogleContainerTools/kaniko/issues/2164 + - --ignore-path + - /product_uuid + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 65Mi + - name: trivy-scan + image: docker.io/aquasec/trivy:0.49.1 + command: + - trivy + args: + - image + - --exit-code=1 + - --severity=CRITICAL + - --input + - $(params.shp-output-directory)/image.tar + env: + - name: HOME + value: /tekton/home + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 65Mi + parameters: + - name: dockerfile + description: The path to the Dockerfile to be used for building the image. + type: string + default: "Dockerfile" + securityContext: + runAsUser: 0 + runAsGroup: 0 diff --git a/content/en/docs/samples/buildstrategy/kaniko/buildstrategy_kaniko_cr.yaml b/content/en/docs/samples/buildstrategy/kaniko/buildstrategy_kaniko_cr.yaml new file mode 100644 index 000000000..c9a6b0234 --- /dev/null 
+++ b/content/en/docs/samples/buildstrategy/kaniko/buildstrategy_kaniko_cr.yaml @@ -0,0 +1,61 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: kaniko +spec: + steps: + - name: build-and-push + image: gcr.io/kaniko-project/executor:v1.21.1 + workingDir: $(params.shp-source-root) + securityContext: + capabilities: + add: + - CHOWN + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + - SETFCAP + - KILL + env: + - name: HOME + value: /tekton/home + - name: DOCKER_CONFIG + value: /tekton/home/.docker + - name: AWS_ACCESS_KEY_ID + value: NOT_SET + - name: AWS_SECRET_KEY + value: NOT_SET + command: + - /kaniko/executor + args: + - --dockerfile + - $(params.dockerfile) + - --context + - $(params.shp-source-context) + - --destination + - $(params.shp-output-image) + - --snapshot-mode + - redo + - --no-push + - --tar-path + - $(params.shp-output-directory)/image.tar + # https://github.com/GoogleContainerTools/kaniko/issues/2164 + - --ignore-path + - /product_uuid + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 65Mi + parameters: + - name: dockerfile + description: The path to the Dockerfile to be used for building the image. + type: string + default: "Dockerfile" + securityContext: + runAsUser: 0 + runAsGroup: 0 diff --git a/content/en/docs/samples/buildstrategy/ko/buildstrategy_ko_cr.yaml b/content/en/docs/samples/buildstrategy/ko/buildstrategy_ko_cr.yaml new file mode 100644 index 000000000..922ac28de --- /dev/null +++ b/content/en/docs/samples/buildstrategy/ko/buildstrategy_ko_cr.yaml 
@@ -0,0 +1,116 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: ko +spec: + parameters: + - name: go-flags + description: "Value for the GOFLAGS environment variable." + default: "" + - name: go-version + description: "Version of Go, must match a tag from https://hub.docker.com/_/golang?tab=tags" + default: "1.21" + - name: ko-version + description: "Version of ko, must be either 'latest', or a release name from https://github.com/ko-build/ko/releases" + default: latest + - name: package-directory + description: "The directory inside the context directory containing the main package." + default: "." + - name: target-platform + description: "Target platform to be built. For example: 'linux/arm64'. Multiple platforms can be provided separated by comma, for example: 'linux/arm64,linux/amd64'. The value 'all' will build all platforms supported by the base image. The value 'current' will build the platform on which the build runs." + default: current + volumes: + - name: gocache + description: "Volume to contain the GOCACHE. Can be set to a persistent volume to optimize compilation performance for rebuilds." 
+ overridable: true + emptyDir: {} + steps: + - name: build + image: golang:$(params.go-version) + imagePullPolicy: Always + workingDir: $(params.shp-source-root) + volumeMounts: + - mountPath: /gocache + name: gocache + readOnly: false + env: + - name: DOCKER_CONFIG + value: /tekton/home/.docker + - name: HOME + value: /tekton/home + - name: GOFLAGS + value: $(params.go-flags) + - name: GOCACHE + value: /gocache + - name: PARAM_OUTPUT_IMAGE + value: $(params.shp-output-image) + - name: PARAM_OUTPUT_DIRECTORY + value: $(params.shp-output-directory) + - name: PARAM_SOURCE_CONTEXT + value: $(params.shp-source-context) + - name: PARAM_SOURCE_ROOT + value: $(params.shp-source-root) + - name: PARAM_TARGET_PLATFORM + value: $(params.target-platform) + - name: PARAM_PACKAGE_DIRECTORY + value: $(params.package-directory) + - name: PARAM_KO_VERSION + value: $(params.ko-version) + command: + - /bin/bash + args: + - -c + - | + set -euo pipefail + + # Determine the ko version + KO_VERSION="${PARAM_KO_VERSION}" + if [ "${KO_VERSION}" == "latest" ]; then + KO_VERSION=$(curl --silent "https://api.github.com/repos/ko-build/ko/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/') + fi + + # Create one variable with v-suffix and one without as we need both for the download URL + if [[ ${KO_VERSION} = v* ]]; then + KO_VERSION_WITH_V=${KO_VERSION} + KO_VERSION_WITHOUT_V=${KO_VERSION:1} + else + KO_VERSION_WITH_V=v${KO_VERSION} + KO_VERSION_WITHOUT_V=${KO_VERSION} + fi + + # Download ko to the temp directory + curl -f -s -L "https://github.com/ko-build/ko/releases/download/${KO_VERSION_WITH_V}/ko_${KO_VERSION_WITHOUT_V}_$(uname)_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | tar xzf - -C /tmp ko + + # Determine the platform + PLATFORM="${PARAM_TARGET_PLATFORM}" + if [ "${PLATFORM}" == "current" ]; then + PLATFORM="$(uname | tr '[:upper:]' '[:lower:]')/$(uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')" + fi + + # Print version information + go version + echo 
"ko version $(/tmp/ko version)" + + # Allow directory to be owned by other user which is normal for a volume-mounted directory. + # This allows Go to run git commands to access repository metadata. + # Documentation: https://git-scm.com/docs/git-config/2.39.0#Documentation/git-config.txt-safedirectory + git config --global --add safe.directory "${PARAM_SOURCE_ROOT}" + + # Run ko + + export GOROOT="$(go env GOROOT)" + + pushd "${PARAM_SOURCE_CONTEXT}" > /dev/null + /tmp/ko build "${PARAM_PACKAGE_DIRECTORY}" --oci-layout-path="${PARAM_OUTPUT_DIRECTORY}" --platform="${PLATFORM}" --push=false + popd > /dev/null + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 65Mi + securityContext: + runAsUser: 1000 + runAsGroup: 1000 diff --git a/content/en/docs/samples/buildstrategy/source-to-image/buildstrategy_source-to-image-redhat_cr.yaml b/content/en/docs/samples/buildstrategy/source-to-image/buildstrategy_source-to-image-redhat_cr.yaml new file mode 100644 index 000000000..80d9254e3 --- /dev/null +++ b/content/en/docs/samples/buildstrategy/source-to-image/buildstrategy_source-to-image-redhat_cr.yaml 
@@ -0,0 +1,163 @@ +--- +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: source-to-image-redhat +spec: + volumes: + - name: s2i + emptyDir: {} + steps: + - name: s2i-generate + image: registry.redhat.io/ocp-tools-43-tech-preview/source-to-image-rhel8:latest + workingDir: $(params.shp-source-root) + command: + - /usr/local/bin/s2i + args: + - build + - $(params.shp-source-context) + - $(params.builder-image) + - $(params.shp-output-image) + - --as-dockerfile=/s2i/Dockerfile + volumeMounts: + - name: s2i + mountPath: /s2i + - name: buildah + image: quay.io/containers/buildah:v1.34.0 + workingDir: /s2i + securityContext: + capabilities: + add: + - "SETFCAP" + command: + - /bin/bash + args: + - -c + - | + set -euo pipefail + + # Parse parameters + image= + target= + registriesBlock="" + inRegistriesBlock=false + registriesInsecure="" + inRegistriesInsecure=false + registriesSearch="" + inRegistriesSearch=false + while [[ $# -gt 0 ]]; do + arg="$1" + shift + + if [ "${arg}" == "--image" ]; then + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + image="$1" + shift + elif [ "${arg}" == "--target" ]; then + inBuildArgs=false + inRegistriesBlock=false + inRegistriesInsecure=false + inRegistriesSearch=false + target="$1" + shift + elif [ "${arg}" == "--registries-block" ]; then + inRegistriesBlock=true + inRegistriesInsecure=false + inRegistriesSearch=false + elif [ "${arg}" == "--registries-insecure" ]; then + inRegistriesInsecure=true + inRegistriesBlock=false + inRegistriesSearch=false + elif [ "${arg}" == "--registries-search" ]; then + inRegistriesSearch=true + inRegistriesBlock=false + inRegistriesInsecure=false + elif [ "${inRegistriesBlock}" == "true" ]; then + registriesBlock="${registriesBlock}'${arg}', " + elif [ "${inRegistriesInsecure}" == "true" ]; then + registriesInsecure="${registriesInsecure}'${arg}', " + elif [ "${inRegistriesSearch}" == "true" ]; then + 
registriesSearch="${registriesSearch}'${arg}', " + else + echo "Invalid usage" + exit 1 + fi + done + + echo "[INFO] Creating registries config file..." + if [ "${registriesSearch}" != "" ]; then + cat <>/tmp/registries.conf + [registries.search] + registries = [${registriesSearch::-2}] + + EOF + fi + if [ "${registriesInsecure}" != "" ]; then + cat <>/tmp/registries.conf + [registries.insecure] + registries = [${registriesInsecure::-2}] + + EOF + fi + if [ "${registriesBlock}" != "" ]; then + cat <>/tmp/registries.conf + [registries.block] + registries = [${registriesBlock::-2}] + + EOF + fi + + # Building the image + echo "[INFO] Building image ${image}" + buildah --storage-driver=$(params.storage-driver) bud \ + --registries-conf=/tmp/registries.conf \ + --tag="${image}" + + # Write the image + echo "[INFO] Writing image ${image}" + buildah --storage-driver=$(params.storage-driver) push \ + "${image}" \ + "oci:${target}" + # That's the separator between the shell script and its args + - -- + - --image + - $(params.shp-output-image) + - --registries-block + - $(params.registries-block[*]) + - --registries-insecure + - $(params.registries-insecure[*]) + - --registries-search + - $(params.registries-search[*]) + - --target + - $(params.shp-output-directory) + volumeMounts: + - name: s2i + mountPath: /s2i + parameters: + - name: registries-block + description: The registries that need to block pull access. + type: array + defaults: [] + - name: registries-insecure + description: The fully-qualified name of insecure registries. An insecure registry is one that does not have a valid SSL certificate or only supports HTTP. + type: array + defaults: [] + - name: registries-search + description: The registries for searching short name images such as `golang:latest`. + type: array + defaults: + - docker.io + - quay.io + - name: builder-image + description: The builder image. 
+ type: string + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'." + type: string + default: "vfs" + # For details see the "--storage-driver" section of https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options + securityContext: + runAsUser: 0 + runAsGroup: 0 diff --git a/content/en/docs/samples/buildstrategy/source-to-image/buildstrategy_source-to-image_cr.yaml b/content/en/docs/samples/buildstrategy/source-to-image/buildstrategy_source-to-image_cr.yaml new file mode 100644 index 000000000..73b659ebb --- /dev/null +++ b/content/en/docs/samples/buildstrategy/source-to-image/buildstrategy_source-to-image_cr.yaml 
@@ -0,0 +1,73 @@ +apiVersion: shipwright.io/v1beta1 +kind: ClusterBuildStrategy +metadata: + name: source-to-image +spec: + volumes: + - name: gen-source + emptyDir: {} + steps: + - command: + - /usr/local/bin/s2i + - build + - $(params.shp-source-context) + - $(params.builder-image) + - '--as-dockerfile' + - /gen-source/Dockerfile.gen + image: quay.io/openshift-pipeline/s2i:nightly + imagePullPolicy: Always + name: s2i-build-as-dockerfile + volumeMounts: + - mountPath: /gen-source + name: gen-source + workingDir: $(params.shp-source-root) + - name: build-and-push + image: gcr.io/kaniko-project/executor:v1.21.1 + command: + - /kaniko/executor + args: + - --dockerfile + - /gen-source/Dockerfile.gen + - --context + - /gen-source + - --destination + - $(params.shp-output-image) + - --snapshot-mode + - redo + - --no-push + - --tar-path + - $(params.shp-output-directory)/image.tar + # https://github.com/GoogleContainerTools/kaniko/issues/2164 + - --ignore-path + - /product_uuid + env: + - name: DOCKER_CONFIG + value: /tekton/home/.docker + - name: HOME + value: /tekton/home + - name: AWS_ACCESS_KEY_ID + value: NOT_SET + - name: AWS_SECRET_KEY + value: NOT_SET + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CHOWN + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + - SETFCAP + - KILL + volumeMounts: + - mountPath: /gen-source + name: gen-source + workingDir: /gen-source + parameters: + - name: builder-image + description: The builder image. + type: string + securityContext: + runAsUser: 0 + runAsGroup: 0 diff --git a/themes/docsy b/themes/docsy index ef3398f5e..1929a65cc 160000 --- a/themes/docsy +++ b/themes/docsy @@ -1 +1 @@ -Subproject commit ef3398f5e55789ec09b0cbc0285ed476a8f3d6e0 +Subproject commit 1929a65ccffb316006de9c0daaee631a7d8fc225
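Review bot: In `buildstrategy_buildpacks-v3_cr.yaml`, the environment loop mishandles values with whitespace or a second `=`: `envs=($(env))` word-splits every variable on spaces and newlines, so a value such as `-mod=vendor -trimpath` becomes two array entries and the second fragment is written to `/platform/env/` as its own bogus file, and `IFS='=' read -r key value string <<< "$env"` drops everything after the second `=` into `string`, which is never used, so `FOO=a=b` is exported as `a`. Iterate over NUL-delimited output instead, `while IFS= read -r -d '' kv; do ...; done < <(env -0)`, and split with only two targets, `IFS='=' read -r key value <<< "$kv"`, so `value` keeps the rest of the string. While here, replace `echo -n "$value" > "$path"` with `printf '%s' "$value" > "$path"`; `echo` interprets a value that starts with `-n` or `-e` as an option rather than data.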
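Review bot: In `buildstrategy_buildpacks-v3_namespaced_cr.yaml`, `image: docker.io/paketobuildpacks/builder-jammy-full:latest` pins nothing: two builds of the same Build on different days can run different lifecycle and buildpack code, which defeats reproducibility and makes any digest recorded in `shp-image-digest` hard to tie back to a known builder. Pin the builder to a version tag or, better, a `@sha256:` digest, and bump it deliberately. The step body is otherwise byte-for-byte identical to the `ClusterBuildStrategy` variant, so whatever is changed in the cluster-scoped file needs to be mirrored here; consider generating one file from the other so the two cannot drift.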
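Review bot: In `buildstrategy_kaniko-trivy_cr.yaml`, the `trivy-scan` step inherits the strategy-level `runAsUser: 0` / `runAsGroup: 0`, but scanning `$(params.shp-output-directory)/image.tar` needs no privileges at all; give that step its own `securityContext` with a non-root user and `allowPrivilegeEscalation: false`, and keep root and the added capabilities confined to `kaniko-build`. Also, the `kaniko-build` step drops the `DOCKER_CONFIG: /tekton/home/.docker` entry that `buildstrategy_kaniko_cr.yaml` sets, so a Dockerfile whose base image lives in a private registry will fail to pull here while the plain kaniko strategy works; add the variable for parity. The `--exit-code=1 --severity=CRITICAL` gate matches the header comment, but note that it also fails on criticals with no fix available; if that is not intended, document it or add `--ignore-unfixed`.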
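Review bot: In `buildstrategy_kaniko_cr.yaml`, the `build-and-push` step runs as root with seven added capabilities but, unlike the kaniko step in `buildstrategy_source-to-image_cr.yaml`, does not set `allowPrivilegeEscalation: false`; add it so all three kaniko invocations in this change carry the same hardening and admission policies that require the flag do not reject only this one. The step name `build-and-push` is also misleading now that `--no-push` and `--tar-path` hand the image to Shipwright for the push; rename it to `build` or note in a comment that the push happens outside the step.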
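Review bot: In `buildstrategy_ko_cr.yaml`, the default `ko-version: latest` makes every build resolve the tool version through an unauthenticated call to `api.github.com` and then download the tarball with `curl -f -s -L ... | tar xzf -` and no checksum or signature verification, so the build executes whatever the release endpoint serves at that moment. Default the parameter to a fixed release and verify the archive against a sha256 pinned in the strategy (or against the release's published checksum file, if the project ships one) before extracting. The `latest` path also fails opaquely when GitHub rate-limits the unauthenticated request: the response carries no `tag_name`, `grep` exits 1 and `pipefail` aborts the step with no message; use `curl -fsS` and check that `KO_VERSION` is non-empty before building the download URL. The same floating-tag concern applies to `image: golang:$(params.go-version)` with `imagePullPolicy: Always` and a default of `"1.21"`.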
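Review bot: In `buildstrategy_source-to-image-redhat_cr.yaml`, `buildah --storage-driver=$(params.storage-driver) bud` and the matching `push` line interpolate a user-settable string parameter straight into the inline bash script, whereas the registry parameters and `shp-output-image` are passed as arguments after `--`; a Build that sets `storage-driver` to `vfs; <command>` has that text executed by the shell. Pass it like the others, for example `- --storage-driver` / `- $(params.storage-driver)` after `--` and parse it in the `while` loop, or expose it through an `env` entry such as `PARAM_STORAGE_DRIVER`. Two smaller points in the same script: as rendered, the three heredocs read `cat <>/tmp/registries.conf`, which bash treats as opening the file read-write and then trying to run `[registries.search]` as a command, so confirm the source actually reads `cat <<EOF >>/tmp/registries.conf`; and `inBuildArgs=false` in the `--target` branch assigns a variable that is never declared or read anywhere else (a leftover from the buildah strategy's build-args handling), so drop it. The registry values are also spliced into single-quoted TOML strings with no escaping of `'`; rejecting entries that are not plain host names would close that off.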
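Review bot: In `buildstrategy_source-to-image_cr.yaml`, `image: quay.io/openshift-pipeline/s2i:nightly` together with `imagePullPolicy: Always` means the tool that generates `/gen-source/Dockerfile.gen`, which kaniko then builds and the pipeline pushes, is whatever the nightly tag pointed at when the build started; pin it to a release tag or digest, as this sample is the one most likely to be copied into production clusters. Minor: this is the only sample in the change without the leading `---` document separator.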
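Review bot: The `themes/docsy` submodule bump from `ef3398f5e` to `1929a65cc` is unrelated to adding the v1beta1 sample build strategies; land it as its own commit so the theme update can be reviewed and reverted independently of the docs content.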