-
Notifications
You must be signed in to change notification settings - Fork 133
Expand file tree
/
Copy pathpublish-index-image-task.yaml
More file actions
186 lines (170 loc) · 6.8 KB
/
Copy pathpublish-index-image-task.yaml
File metadata and controls
186 lines (170 loc) · 6.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: publish-index-image-task
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
spec:
description: |-
Tekton task to publish a built FBC index image using skopeo
params:
- name: sourceIndex
type: string
description: sourceIndex signing image
- name: targetIndex
type: string
description: targetIndex signing image
- name: targetOcpVersion
description: OCP Version this image was built to
type: string
default: ""
- name: retries
type: string
default: "0"
description: Number of skopeo retries
- name: publishingCredentials
type: string
default: "fbc-publishing-credentials"
description: The credentials used to access the registries
- name: requestUpdateTimeout
type: string
default: "360"
description: Max seconds waiting for the status update
- name: caTrustConfigMapName
type: string
description: The name of the ConfigMap to read CA bundle data from
default: trusted-ca
- name: caTrustConfigMapKey
type: string
description: The name of the key in the ConfigMap that contains the CA bundle data
default: ca-bundle.crt
results:
- name: requestMessage
volumes:
- name: publishing-credentials
secret:
secretName: $(params.publishingCredentials)
defaultMode: 0444
- name: trusted-ca
configMap:
name: $(params.caTrustConfigMapName)
items:
- key: $(params.caTrustConfigMapKey)
path: ca-bundle.crt
optional: true
stepTemplate:
volumeMounts:
- name: trusted-ca
mountPath: /mnt/trusted-ca
readOnly: true
steps:
- name: publish-index-image
volumeMounts:
- name: publishing-credentials
mountPath: /mnt/publishingCredentials
securityContext:
runAsUser: 1001
image: >-
quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
computeResources:
limits:
memory: 64Mi
requests:
memory: 64Mi
cpu: 400m
script: |
#!/usr/bin/env bash
set -euo pipefail
#function getIndexVersion() {
# # if dest- and src- string is given, remove them from the auth param
# if [[ "$#" -gt 1 ]]; then
# shift
# indexVersion="$(skopeo inspect --config --creds "$@" \
# | jq -r '.config.Labels."com.redhat.index.delivery.version"')"
# else
# # no auth given
# indexVersion="$(skopeo inspect --config "$@" \
# | jq -r '.config.Labels."com.redhat.index.delivery.version"')"
# fi
# echo "$indexVersion"
#}
function getIndexVersion() {
local image_url=$1
local creds=${2:-}
local creds_args=()
if [ -n "${creds}" ]; then
creds_args=(--creds "${creds}")
fi
indexVersion="$(skopeo inspect --config "${creds_args[@]}" "${image_url}" \
| jq -r '.config.Labels."com.redhat.index.delivery.version"')"
echo "$indexVersion"
}
SOURCE_INDEX_CREDENTIAL="$(cat /mnt/publishingCredentials/sourceIndexCredential)"
TARGET_INDEX_CREDENTIAL="$(cat /mnt/publishingCredentials/targetIndexCredential)"
PATH=/bin:/usr/bin:/usr/local/bin
export PATH
#SOURCE_AUTH_ARGS=()
#if [[ ! "$(params.sourceIndex)" =~ ^registry-proxy(\-stage)?.engineering.redhat.com ]]; then
# SOURCE_AUTH_ARGS=("--src-creds" "${SOURCE_INDEX_CREDENTIAL}")
#fi
SKOPEO_COPY_AUTH_ARGS=("--dest-creds" "${TARGET_INDEX_CREDENTIAL}")
if [[ "$(params.sourceIndex)" =~ ^registry-proxy(\-stage)?.engineering.redhat.com ]]; then
SOURCE_INDEX_CREDENTIAL=""
else
SKOPEO_COPY_AUTH_ARGS+=("--src-creds" "${SOURCE_INDEX_CREDENTIAL}")
fi
TARGET_AUTH_ARGS=("--dest-creds" "${TARGET_INDEX_CREDENTIAL}")
# Extract digest from pull spec
SOURCE_INDEX="$(params.sourceIndex)"
SOURCE_DIGEST="${SOURCE_INDEX##*@}"
echo "Getting target image digest: $(params.targetIndex)"
if TARGET_DIGEST=$(skopeo inspect \
"docker://$(params.targetIndex)" \
--format '{{.Digest}}' \
--retry-times "$(params.retries)"); then
echo "Target image exists."
echo "DEBUG: Source Digest - $SOURCE_DIGEST"
echo "DEBUG: Target Digest - $TARGET_DIGEST"
if [ "$SOURCE_DIGEST" == "$TARGET_DIGEST" ]; then
echo "Image already exists with the same digest, skipping copy." | tee "$(results.requestMessage.path)"
exit 0
else
echo "Image exists in target registry but digests do not match." \
"Proceeding to copy the image."
fi
else
echo "Target image does not exist. Proceeding to copy the image."
fi
# check to make sure the image to be published is for the intended ocpVersion
targetOcpVersion="$(params.targetOcpVersion)"
sourceVer=$(getIndexVersion "${SOURCE_AUTH_ARGS[@]}" "docker://$(params.sourceIndex)")
if [[ "${sourceVer}" != "${targetOcpVersion}" ]]; then
echo -n "The source index does not match its targetOcpVersion ($sourceVer != $targetOcpVersion)" \
| tee "$(results.requestMessage.path)"
exit 0
fi
# hotfix and pre-ga targetIndex should be skip the next check, as they don't exist in the upstream quay
# until skopeo copy runs.
if [[ "$(params.targetIndex)" =~ .*\:v[0-9]{1}\.[0-9]{2}$ ]]; then
targetVer=$(getIndexVersion "${TARGET_AUTH_ARGS[@]}" "docker://$(params.targetIndex)")
# check if both indexes are of the same OCP version and exit in case they mismatch.
if [ "${sourceVer}" != "${targetVer}" ]; then
echo -n "The indexes versions does not match ($sourceVer != $targetVer)" \
| tee "$(results.requestMessage.path)"
exit 0
fi
fi
# Proceed with copying the image
echo "Copying image from $(params.sourceIndex) to $(params.targetIndex)"
(skopeo copy \
--all \
--preserve-digests \
--retry-times "$(params.retries)" \
--src-tls-verify=false "${SKOPEO_COPY_AUTH_ARGS[@]}" \
"docker://$(params.sourceIndex)" \
"${TARGET_AUTH_ARGS[@]}" \
"docker://$(params.targetIndex)" && \
echo -n "Index Image Published successfully" || \
echo -n "Error: Failed publishing Index Image" ) | tee "$(results.requestMessage.path)"