1313 description : |-
1414 Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.
1515 In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
16- When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
1716 When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.
1817 params :
1918 - name : ACTIVATION_KEY
8281 be made available to the build.
8382 type : string
8483 default : " "
84+ - name : PRIVILEGED_NESTED
85+ description : Whether to enable privileged mode
86+ type : string
87+ default : " false"
88+ - name : SKIP_SBOM_GENERATION
89+ description : Skip SBOM-related operations. This will likely cause EC
90+ policies to fail if enabled
91+ type : string
92+ default : " false"
8593 - name : SKIP_UNUSED_STAGES
8694 description : Whether to skip stages in Containerfile that seem unused
8795 by subsequent stages
@@ -206,16 +214,10 @@ spec:
206214 description : Image reference of the built image
207215 - name : IMAGE_URL
208216 description : Image repository and tag where the built image was pushed
209- - name : JAVA_COMMUNITY_DEPENDENCIES
210- description : The Java dependencies that came from community sources
211- such as Maven central.
212217 - name : SBOM_BLOB_URL
213218 description : Reference of SBOM blob digest to enable digest-based verification
214219 from provenance
215220 type : string
216- - name : SBOM_JAVA_COMPONENTS_COUNT
217- description : The counting of Java components by publisher in JSON format
218- type : string
219221 volumes :
220222 - name : activation-key
221223 secret :
@@ -254,6 +256,13 @@ spec:
254256 - name : workdir
255257 emptyDir : {}
256258 stepTemplate :
259+ computeResources :
260+ limits :
261+ cpu : " 4"
262+ memory : 4Gi
263+ requests :
264+ cpu : " 1"
265+ memory : 1Gi
257266 env :
258267 - name : ACTIVATION_KEY
259268 value : $(params.ACTIVATION_KEY)
@@ -275,6 +284,10 @@ spec:
275284 value : $(params.IMAGE)
276285 - name : IMAGE_EXPIRES_AFTER
277286 value : $(params.IMAGE_EXPIRES_AFTER)
287+ - name : PRIVILEGED_NESTED
288+ value : $(params.PRIVILEGED_NESTED)
289+ - name : SKIP_SBOM_GENERATION
290+ value : $(params.SKIP_SBOM_GENERATION)
278291 - name : SKIP_UNUSED_STAGES
279292 value : $(params.SKIP_UNUSED_STAGES)
280293 - name : SOURCE_CODE_DIR
@@ -326,7 +339,7 @@ spec:
326339 name : workdir
327340 steps :
328341 - name : use-trusted-artifact
329- image : quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
342+ image : quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:ff35e09ff5c89e54538b50abae241a765b2b7868f05d62c4835bebf0978f3659
330343 args :
331344 - use
332345 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
@@ -371,8 +384,7 @@ spec:
371384 elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
372385 dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
373386 elif [ -e "$DOCKERFILE" ]; then
374- # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing.
375- # Instrumented builds use this step as their base and also need to provide modified Dockerfile.
387+ # Instrumented builds (SAST) use this custom dockerffile step as their base
376388 dockerfile_path="$DOCKERFILE"
377389 elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
378390 echo "Fetch Dockerfile from $DOCKERFILE"
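Review bot: The replacement comment on the `elif [ -e "$DOCKERFILE" ]` branch introduces a typo, `dockerffile`, and drops the one piece of information the old two-line comment carried: that the custom location exists so instrumented builds can supply a modified Dockerfile. Suggest `# Instrumented builds (SAST) use this step as their base and supply their own Dockerfile via a custom location.` The enclosing if/elif chain starts and ends outside the hunk.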
@@ -395,11 +407,6 @@ spec:
395407 dockerfile_copy=$(mktemp --tmpdir "$(basename "$dockerfile_path").XXXXXX")
396408 cp "$dockerfile_path" "$dockerfile_copy"
397409
398- if [ -n "${JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR-}" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_copy"; then
399- sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"<settings><mirrors><mirror><id>mirror.default</id><url>http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_copy"
400- touch /var/lib/containers/java
401- fi
402-
403410 # Fixing group permission on /var/lib/containers
404411 chown root:root /var/lib/containers
405412
@@ -428,7 +435,7 @@ spec:
428435 shift
429436 # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being
430437 # passed to buildah. In that case, the *last* occurrence takes precedence. This is why
431- # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE - they take precedence.
438+ # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE
432439 while [[ $# -gt 0 && $1 != --* ]]; do
433440 build_args+=("$1")
434441 shift
@@ -477,6 +484,12 @@ spec:
477484
478485 BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}")
479486
487+ if [ "${PRIVILEGED_NESTED}" == "true" ]; then
488+ BUILDAH_ARGS+=("--security-opt=label=disable")
489+ BUILDAH_ARGS+=("--cap-add=all")
490+ BUILDAH_ARGS+=("--device=/dev/fuse")
491+ fi
492+
480493 if [ -n "${ADD_CAPABILITIES}" ]; then
481494 BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}")
482495 fi
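Review bot: The PRIVILEGED_NESTED branch adds `--cap-add=all`, `--security-opt=label=disable` and `--device=/dev/fuse` to the buildah invocation, which is a much larger privilege grant than the parameter's description ("Whether to enable privileged mode", in the params hunk above) conveys; the description should name those three effects so anyone setting the parameter to true can see what the build container is given, and a comment above the block such as `# PRIVILEGED_NESTED=true: all capabilities, no SELinux label confinement and /dev/fuse — presumably required for nested container builds; widens the build's privileges considerably` would document the intent at the point of use. The test uses `==` inside single brackets while the other guards added in this commit (the SKIP_SBOM_GENERATION checks) use `=`; `if [ "${PRIVILEGED_NESTED}" = "true" ]; then` keeps them consistent. Note also that the following ADD_CAPABILITIES block becomes redundant once `--cap-add=all` is present. The enclosing script continues on both sides of the hunk.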
@@ -538,15 +551,15 @@ spec:
538551 ACTIVATION_KEY_PATH="/activation-key"
539552 ENTITLEMENT_PATH="/entitlement"
540553
554+ # 0. if hermetic=true, skip all subscription related stuff
541555 # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
542556 # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
543557 # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
544558 # 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume
545- # to buildah but don't pre-register for backwards compatibility. In this case mount an empty directory on
546- # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
547- # container.
559+ # to buildah but don't pre-register for backwards compatibility. Mount an empty directory on
560+ # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included
548561
549- if [ -e /activation-key/org ]; then
562+ if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
550563 cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
551564 mkdir -p /shared/rhsm/etc/pki/entitlement
552565 mkdir -p /shared/rhsm/etc/pki/consumer
@@ -570,17 +583,15 @@ spec:
570583 VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)
571584 fi
572585
573- # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then
574- elif find /entitlement -name "*.pem" >>null; then
586+ elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >>null; then
575587 cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
576588 VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
577589 echo "Adding the entitlement to the build"
578590 fi
579591
580592 if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then
581593 # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.
582- # This is primarily used in instrumented builds for SAST scanning and analyzing.
583- # Instrumented builds use this step as their base and add some other tools.
594+ # Instrumented builds (SAST) use this step as their base and add some other tools.
584595 while read -r volume_mount; do
585596 VOLUME_MOUNTS+=("--volume=$volume_mount")
586597 done <<<"$ADDITIONAL_VOLUME_MOUNTS"
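Review bot: The rewritten `elif` still uses `find /entitlement -name "*.pem" >>null` as its condition, but find exits 0 whenever /entitlement is traversable regardless of whether any .pem matched, so the entitlement copy and the "Adding the entitlement to the build" message happen even when no certificates are present; the redirect also appends find's output to a file literally named `null` in the working directory. If the intent is to mount only when certificates exist, `elif [ "${HERMETIC}" != "true" ] && [ -n "$(find /entitlement -name '*.pem' 2>/dev/null)" ]; then` tests for actual matches. How /entitlement is mounted is outside the hunk, so whether the directory is always present cannot be confirmed from here.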
@@ -665,23 +676,26 @@ spec:
665676 fi
666677
667678 container=$(buildah from --pull-never "$IMAGE")
668- buildah mount $container | tee /shared/container_path
669- # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
670- find $(cat /shared/container_path) -xtype l -delete
671- echo $container >/shared/container_name
672679
673680 # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
674681 if [ -f "/tmp/cachi2/output/bom.json" ]; then
682+ echo "Making copy of sbom-cachi2.json"
675683 cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
676684 fi
677685
686+ buildah mount $container | tee /shared/container_path
687+ # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
688+ find $(cat /shared/container_path) -xtype l -delete
689+ echo $container >/shared/container_name
690+
678691 touch /shared/base_images_digests
692+ echo "Recording base image digests used"
679693 for image in $BASE_IMAGES; do
680694 base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
681695 # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens
682696 # if buildah did not use that particular image during build because it was skipped
683697 if [ -n "$base_image_digest" ]; then
684- echo "$image $base_image_digest" >> /shared/base_images_digests
698+ echo "$image $base_image_digest" | tee -a /shared/base_images_digests
685699 fi
686700 done
687701 computeResources :
@@ -695,6 +709,20 @@ spec:
695709 capabilities :
696710 add :
697711 - SETFCAP
712+ - name : icm
713+ image : quay.io/konflux-ci/icm-injection-scripts:latest@sha256:462980e94ba689b5f56c3d5dfb3358cd8c685300daf65a71532f11898935e7f1
714+ workingDir : /var/workdir
715+ volumeMounts :
716+ - mountPath : /var/lib/containers
717+ name : varlibcontainers
718+ script : |
719+ #!/bin/bash
720+ set -euo pipefail
721+ /scripts/inject-icm.sh "$IMAGE"
722+ securityContext :
723+ capabilities :
724+ add :
725+ - SETFCAP
698726 - name : push
699727 image : quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
700728 workingDir : /var/workdir
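Review bot: The new icm step appears to modify the built image (it runs `/scripts/inject-icm.sh "$IMAGE"` with /var/lib/containers mounted) after the build step has recorded the mounted rootfs in /shared/container_path, which is the path the later syft scan reads; if the injection lands in a new layer rather than in that mounted container, the pushed image and its SBOM would diverge. What inject-icm.sh changes is not visible here, so this needs confirming against that script. A one-line comment above the step, e.g. `# Injects ICM content into the image before push; runs after the SBOM rootfs snapshot — confirm the injected files are covered by the SBOM`, would make the ordering assumption explicit for reviewers.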
@@ -765,44 +793,22 @@ spec:
765793 - mountPath : /shared
766794 name : shared
767795 script : |
796+ if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
797+ echo "Skipping SBOM generation"
798+ exit 0
799+ fi
768800 echo "Running syft on the source directory"
769801 syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
770802 echo "Running syft on the image filesystem"
771803 syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json"
772- computeResources :
773- limits :
774- cpu : " 2"
775- memory : 4Gi
776- requests :
777- cpu : 500m
778- memory : 1Gi
779- - name : analyse-dependencies-java-sbom
780- image : quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77
781- volumeMounts :
782- - mountPath : /var/lib/containers
783- name : varlibcontainers
784- - mountPath : /shared
785- name : shared
786- script : |
787- if [ -f /var/lib/containers/java ]; then
788- /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path)
789- sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875
790- else
791- touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path)
792- fi
793- computeResources :
794- limits :
795- cpu : 200m
796- memory : 512Mi
797- requests :
798- cpu : 100m
799- memory : 256Mi
800- securityContext :
801- runAsUser : 0
802804 - name : prepare-sboms
803- image : quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:e1347023ef1e83d52813c26384f551e3a03e482539d17a647955603e7ea6b579
805+ image : quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:9f1fd11d9c3c517ecc112d192ad361d16ecf6ce00b83b109c93cf3d1c644a357
804806 workingDir : /var/workdir
805807 script : |
808+ if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
809+ echo "Skipping SBOM generation"
810+ exit 0
811+ fi
806812 echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
807813 python3 /scripts/merge_syft_sboms.py
808814
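Review bot: The early-exit guard added at the top of the sbom-syft-generate script, and repeated verbatim in prepare-sboms here and in the upload step in the next hunk, returns 0 without producing sbom-source.json/sbom-image.json or, presumably, the SBOM_BLOB_URL result declared in the results section, so when SKIP_SBOM_GENERATION is true that result is likely never written; whether the Tekton controller tolerates a declared-but-unwritten result depends on its version, so either state this on the parameter (its description only mentions EC policies) or write an explicit empty value to `$(results.SBOM_BLOB_URL.path)` in the skip branch of the step that normally emits it. The repeated four-line guard would also benefit from a comment, e.g. `# SKIP_SBOM_GENERATION=true: no SBOM files are produced; every later SBOM step exits the same way.` Which step emits SBOM_BLOB_URL is outside the hunk.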
@@ -847,6 +853,10 @@ spec:
847853 readOnly : true
848854 script : |
849855 #!/bin/bash
856+ if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
857+ echo "Skipping SBOM generation"
858+ exit 0
859+ fi
850860
851861 ca_bundle=/mnt/trusted-ca/ca-bundle.crt
852862 if [ -f "$ca_bundle" ]; then
@@ -891,4 +901,4 @@ spec:
891901 export QUARKUS_OIDC_CLIENT_CLIENT_ID="$(params.INDY_PROXY_CLIENT_ID)"
892902 export QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET="$(params.INDY_PROXY_CLIENT_CREDENTIAL)"
893903 /deployment/start-service.sh
894- fi
904+ fi