From 36a8ba1b7d495b6b24b0aa8a2226b7c5252c1292 Mon Sep 17 00:00:00 2001
From: Mykola Morhun
Date: Tue, 22 Oct 2024 17:26:31 +0300
Subject: [PATCH] Modify buildah task to allow creating SAST scan tasks via kustomize
---
task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 17 +++++++++++++++--
.../0.2/buildah-remote-oci-ta.yaml | 19 ++++++++++++++++---
task/buildah-remote/0.2/buildah-remote.yaml | 19 ++++++++++++++++---
task/buildah/0.2/buildah.yaml | 17 +++++++++++++++--
4 files changed, 62 insertions(+), 10 deletions(-)
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 18fd101ef6..89b86331ea 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -188,8 +188,6 @@ spec:
value: $(params.BUILD_ARGS_FILE) - name: CONTEXT value: $(params.CONTEXT) - - name: DOCKERFILE - value: $(params.DOCKERFILE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) - name: HERMETIC
@@ -251,6 +249,8 @@ spec:
env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) + - name: DOCKERFILE + value: $(params.DOCKERFILE) script: | #!/bin/bash set -e
@@ -265,6 +265,10 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" + elif [ -e "$DOCKERFILE" ]; then + # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing. + # Instrumented builds use this step as their base and also need to provide modified Dockerfile. + dockerfile_path="$DOCKERFILE" elif echo "$DOCKERFILE" | grep -q "^https\?://"; then echo "Fetch Dockerfile from $DOCKERFILE" dockerfile_path=$(mktemp --suffix=-Dockerfile)
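Review bot: The new `elif [ -e "$DOCKERFILE" ]` branch in the build script accepts any existing path in the build container, including a directory, because `-e` is true for directories and a relative value is resolved against the current working directory, whereas the two branches above it build absolute paths with `$(pwd)`. Since `DOCKERFILE` is a task param (`$(params.DOCKERFILE)` in this same file), the branch is reachable from every PipelineRun, not only from the instrumented SAST tasks the comment describes. If the instrumented overlays always pass an absolute path, tightening the test to `elif [ -f "$DOCKERFILE" ] && [ "${DOCKERFILE#/}" != "$DOCKERFILE" ]; then` keeps the behaviour they need and documents the intent; otherwise at least `-f` avoids handing buildah a directory. The same branch is added to buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml in this patch. The enclosing `if` chain starts and continues outside the hunk.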
@@ -463,6 +467,15 @@ spec:
echo "Adding the entitlement to the build" fi + if [ -n "$ADDITIONAL_VOLUME_MOUNTS" ]; then + # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. + # This is primarily used in instrumented builds for SAST scanning and analyzing. + # Instrumented builds use this step as their base and add some other tools. + while read -r volume_mount; do + VOLUME_MOUNTS+=("--volume=$volume_mount") + done <<<"$ADDITIONAL_VOLUME_MOUNTS" + fi + ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index 3e9a052378..dfa2988b5b 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -168,8 +168,6 @@ spec:
value: $(params.BUILD_ARGS_FILE) - name: CONTEXT value: $(params.CONTEXT) - - name: DOCKERFILE - value: $(params.DOCKERFILE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) - name: HERMETIC
@@ -230,6 +228,8 @@ spec:
env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) + - name: DOCKERFILE + value: $(params.DOCKERFILE) image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c name: build script: |-
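Review bot: The `while read -r volume_mount` loop in the new `ADDITIONAL_VOLUME_MOUNTS` block turns every blank line of the input into an empty `--volume=` argument, which is exactly what a block-scalar value with a trailing newline or a blank separator line produces; adding `[ -n "$volume_mount" ] || continue` as the first line of the loop body keeps such entries away from buildah. As far as this patch shows, `ADDITIONAL_VOLUME_MOUNTS` is not declared in the task's env or params, so it is presumably meant to be injected by the kustomize overlay; because each entry becomes a buildah `--volume` that exposes a path of the task container to the build, the comment should state where the value is expected to come from, e.g. `# Set by the kustomize overlay of the instrumented task; not exposed as a task param.` The here-string is written `<<<"$ADDITIONAL_VOLUME_MOUNTS"` here and in buildah-remote-oci-ta.yaml but `<<< "$ADDITIONAL_VOLUME_MOUNTS"` in buildah-remote.yaml and buildah.yaml; both work, but one form should be used across the four files. The same block is added in the other three files of this patch, and `VOLUME_MOUNTS` is defined outside the hunk.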
@@ -299,6 +299,10 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" + elif [ -e "$DOCKERFILE" ]; then + # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing. + # Instrumented builds use this step as their base and also need to provide modified Dockerfile. + dockerfile_path="$DOCKERFILE" elif echo "$DOCKERFILE" | grep -q "^https\?://"; then echo "Fetch Dockerfile from $DOCKERFILE" dockerfile_path=$(mktemp --suffix=-Dockerfile)
@@ -497,6 +501,15 @@ spec:
echo "Adding the entitlement to the build" fi + if [ -n "$ADDITIONAL_VOLUME_MOUNTS" ]; then + # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. + # This is primarily used in instrumented builds for SAST scanning and analyzing. + # Instrumented builds use this step as their base and add some other tools. + while read -r volume_mount; do + VOLUME_MOUNTS+=("--volume=$volume_mount") + done <<<"$ADDITIONAL_VOLUME_MOUNTS" + fi + ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
@@ -568,7 +581,6 @@ spec:
-e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ -e CONTEXT="$CONTEXT" \ - -e DOCKERFILE="$DOCKERFILE" \ -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ -e HERMETIC="$HERMETIC" \ -e IMAGE="$IMAGE" \
@@ -583,6 +595,7 @@ spec:
-e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ -e COMMIT_SHA="$COMMIT_SHA" \ + -e DOCKERFILE="$DOCKERFILE" \ -v "$BUILD_DIR/volumes/shared:/shared:Z" \ -v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \ -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index 465eb43c29..6df8d66149 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -157,8 +157,6 @@ spec:
value: source - name: CONTEXT value: $(params.CONTEXT) - - name: DOCKERFILE - value: $(params.DOCKERFILE) - name: IMAGE value: $(params.IMAGE) - name: TLSVERIFY
@@ -212,6 +210,8 @@ spec:
env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) + - name: DOCKERFILE + value: $(params.DOCKERFILE) image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c name: build script: |-
@@ -281,6 +281,10 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" + elif [ -e "$DOCKERFILE" ]; then + # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing. + # Instrumented builds use this step as their base and also need to provide modified Dockerfile. + dockerfile_path="$DOCKERFILE" elif echo "$DOCKERFILE" | grep -q "^https\?://"; then echo "Fetch Dockerfile from $DOCKERFILE" dockerfile_path=$(mktemp --suffix=-Dockerfile)
@@ -475,6 +479,15 @@ spec:
echo "Adding the entitlement to the build" fi + if [ -n "$ADDITIONAL_VOLUME_MOUNTS" ]; then + # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. + # This is primarily used in instrumented builds for SAST scanning and analyzing. + # Instrumented builds use this step as their base and add some other tools. + while read -r volume_mount; do + VOLUME_MOUNTS+=("--volume=$volume_mount") + done <<< "$ADDITIONAL_VOLUME_MOUNTS" + fi + ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
@@ -545,7 +558,6 @@ spec:
-e HERMETIC="$HERMETIC" \ -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \ -e CONTEXT="$CONTEXT" \ - -e DOCKERFILE="$DOCKERFILE" \ -e IMAGE="$IMAGE" \ -e TLSVERIFY="$TLSVERIFY" \ -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
@@ -561,6 +573,7 @@ spec:
-e SQUASH="$SQUASH" \ -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ -e COMMIT_SHA="$COMMIT_SHA" \ + -e DOCKERFILE="$DOCKERFILE" \ -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ -v "$BUILD_DIR/volumes/shared:/shared:Z" \ -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 65f34fee1d..00446717d5 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -138,8 +138,6 @@ spec:
value: source - name: CONTEXT value: $(params.CONTEXT) - - name: DOCKERFILE - value: $(params.DOCKERFILE) - name: IMAGE value: $(params.IMAGE) - name: TLSVERIFY
@@ -182,6 +180,8 @@ spec:
env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) + - name: DOCKERFILE + value: $(params.DOCKERFILE) args: - --build-args - $(params.BUILD_ARGS[*])
@@ -202,6 +202,10 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" + elif [ -e "$DOCKERFILE" ]; then + # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing. + # Instrumented builds use this step as their base and also need to provide modified Dockerfile. + dockerfile_path="$DOCKERFILE" elif echo "$DOCKERFILE" | grep -q "^https\?://"; then echo "Fetch Dockerfile from $DOCKERFILE" dockerfile_path=$(mktemp --suffix=-Dockerfile)
@@ -396,6 +400,15 @@ spec:
echo "Adding the entitlement to the build" fi + if [ -n "$ADDITIONAL_VOLUME_MOUNTS" ]; then + # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. + # This is primarily used in instrumented builds for SAST scanning and analyzing. + # Instrumented builds use this step as their base and add some other tools. + while read -r volume_mount; do + VOLUME_MOUNTS+=("--volume=$volume_mount") + done <<< "$ADDITIONAL_VOLUME_MOUNTS" + fi + ADDITIONAL_SECRET_PATH="/additional-secret" ADDITIONAL_SECRET_TMP="/tmp/additional-secret" if [ -d "$ADDITIONAL_SECRET_PATH" ]; then