
@arilivigni
Created January 14, 2021 22:51
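---
# Tekton Task: records the image name and short git SHA of the cloned source,
# compares the SHA with the tags on the local image stream, and when they
# differ builds the image with buildah, pushes it to the in-cluster registry,
# tags it `latest`, and copies it to a remote registry.
#
# Design notes:
#   * Task params are handed to the scripts through step `env` entries and
#     read as quoted shell variables. Tekton substitutes param references into
#     the script text before the shell runs, so a param value placed directly
#     in a script could be parsed as shell syntax.
#   * The workspace path is still substituted directly; it is set by Tekton,
#     not by the caller.
#   * IMAGENAME may come from the cloned repository's Dockerfile, so every
#     expansion of it is quoted.
#   * Only the buildah steps keep `privileged: true`; the `oc tag` step only
#     issues an API call and runs without it.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: extract-check-build-verify-push
spec:
  workspaces:
    - name: source
      description: The image building will be done onto the volume backing this workspace
  params:
    - name: contextDir
      type: string
      description: Path to dockerfile
      default: "."
    - name: dockerFile
      type: string
      description: Dockerfile name
      default: "Dockerfile"
    # NOTE(review): the default turns TLS certificate verification off. The
    # same value is used for the build, the in-cluster push/pull and the push
    # to the remote registry, where credentials from the `regcreds` secret are
    # presented. Consider a separate parameter for the remote registry that
    # defaults to "true".
    - name: sslVerify
      type: string
      description: tls verify
      default: "false"
    - name: imageRegistry
      type: string
      description: Image registry to push images to
      default: "image-registry.openshift-image-registry.svc:5000"
    - name: imageName
      type: string
      description: Image name
      default: ""
    - name: nameSpace
      type: string
      description: Cluster namespace to use for pipelines
      default: "app-sre-cicd"
    - name: remoteRegistry
      type: string
      description: Remote registry to push image to
      default: "quay.io"
    - name: remoteOrg
      type: string
      description: Remote registry organization or user registry namespace
      default: "arilivigni"
  steps:
    # Writes IMAGENAME.txt and SHA.txt into the workspace for later steps.
    # NOTE(review): every step image below uses a floating tag (`latest` or
    # `stable`); pin each one by digest (image@sha256:<digest>) so the tools
    # that build and push the image cannot change between runs.
    - name: extract-container-info
      image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:latest
      workingDir: $(workspaces.source.path)
      env:
        - name: PARAM_IMAGE_NAME
          value: $(params.imageName)
        - name: PARAM_CONTEXT_DIR
          value: $(params.contextDir)
        - name: PARAM_DOCKERFILE
          value: $(params.dockerFile)
      script: |
        #!/bin/sh
        set -e -o pipefail
        # set image name
        IMAGENAME="$PARAM_IMAGE_NAME"
        if [ "$IMAGENAME" = "" ]; then
          # fall back to the first name="..." entry in the Dockerfile
          IMAGENAME=$( grep -m1 "name=" "$PARAM_CONTEXT_DIR/$PARAM_DOCKERFILE" | cut -d '"' -f 2 )
        fi
        echo "$IMAGENAME" | tee "$(workspaces.source.path)/IMAGENAME.txt"
        # get git sha
        git rev-parse --verify --short HEAD | tee "$(workspaces.source.path)/SHA.txt"
    # Creates the MATCH marker file when the image stream tag equals the git
    # SHA; the later steps skip their work when that file exists.
    # The script has no shebang, so Tekton's default preamble applies. The
    # `oc get` pipeline deliberately has no pipefail: a missing image stream
    # leaves ISTAG empty and the build proceeds.
    - name: check-image-tag
      image: quay.io/openshift/origin-cli:latest
      workingDir: $(workspaces.source.path)
      script: |
        IMAGENAME=$( cat "$(workspaces.source.path)/IMAGENAME.txt" )
        GITSHA=$( cat "$(workspaces.source.path)/SHA.txt" )
        oc get "is/$IMAGENAME" | grep -v NAME | awk '{print $3}' | sed 's/,*stable*,*//; s/,*latest*,*//' > "$(workspaces.source.path)/ISTAG.txt"
        ISTAG=$( cat "$(workspaces.source.path)/ISTAG.txt" )
        echo "Image Name: $IMAGENAME"
        echo "Git SHA: $GITSHA"
        echo "Image Stream SHA: $ISTAG"
        if [ "$GITSHA" = "$ISTAG" ]; then
          echo "The git sha and the local image stream tag match - $GITSHA = $ISTAG"
          touch "$(workspaces.source.path)/MATCH"
        fi
    # NOTE(review): this step is privileged and executes the Dockerfile from
    # the cloned repository. Check whether buildah can run unprivileged on this
    # cluster, and restrict which repositories may be built here.
    - name: build-image
      image: quay.io/buildah/stable
      workingDir: $(workspaces.source.path)
      env:
        - name: PARAM_TLS_VERIFY
          value: $(params.sslVerify)
        - name: PARAM_CONTEXT_DIR
          value: $(params.contextDir)
        - name: PARAM_DOCKERFILE
          value: $(params.dockerFile)
        - name: PARAM_IMAGE_REGISTRY
          value: $(params.imageRegistry)
        - name: PARAM_NAMESPACE
          value: $(params.nameSpace)
      script: |
        #!/usr/bin/env bash
        set -e -o pipefail
        # check if local image stream tag already exists
        MATCHFILE="$(workspaces.source.path)/MATCH"
        if [ ! -f "$MATCHFILE" ]; then
          echo "Local image registry does not have the image stream tag...continuing"
          # unique id
          uuidgen | cut -d '-' -f 1 | tee "$(workspaces.source.path)/UUID.txt"
          IMAGENAME=$( cat "$(workspaces.source.path)/IMAGENAME.txt" )
          GITSHA=$( cat "$(workspaces.source.path)/SHA.txt" )
          ISTAG=$( cat "$(workspaces.source.path)/ISTAG.txt" )
          echo "Image Name: $IMAGENAME"
          echo "Git SHA: $GITSHA"
          echo "Image Stream SHA: $ISTAG"
          # build image
          buildah bud --tls-verify="$PARAM_TLS_VERIFY" \
            --layers \
            -f "$PARAM_CONTEXT_DIR/$PARAM_DOCKERFILE" \
            -t "$PARAM_IMAGE_REGISTRY/$PARAM_NAMESPACE/$IMAGENAME:$GITSHA" .
        else
          echo "Local image registry contains the image stream tag...nothing to do"
        fi
      securityContext:
        privileged: true
      volumeMounts:
        - name: varlibcontainers
          mountPath: /var/lib/containers
    - name: push-image
      image: quay.io/buildah/stable
      workingDir: $(workspaces.source.path)/$(params.contextDir)
      env:
        - name: PARAM_TLS_VERIFY
          value: $(params.sslVerify)
        - name: PARAM_IMAGE_REGISTRY
          value: $(params.imageRegistry)
        - name: PARAM_NAMESPACE
          value: $(params.nameSpace)
      script: |
        #!/usr/bin/env bash
        set -e -o pipefail
        # check if local image stream tag already exists
        MATCHFILE="$(workspaces.source.path)/MATCH"
        if [ ! -f "$MATCHFILE" ]; then
          IMAGENAME=$( cat "$(workspaces.source.path)/IMAGENAME.txt" )
          GITSHA=$( cat "$(workspaces.source.path)/SHA.txt" )
          ISTAG=$( cat "$(workspaces.source.path)/ISTAG.txt" )
          echo "Image Name: $IMAGENAME"
          echo "Git SHA: $GITSHA"
          echo "Image Stream SHA: $ISTAG"
          # push image with git SHA
          LOCAL_REF="$PARAM_IMAGE_REGISTRY/$PARAM_NAMESPACE/$IMAGENAME:$GITSHA"
          buildah push --tls-verify="$PARAM_TLS_VERIFY" \
            "$LOCAL_REF" \
            "docker://$LOCAL_REF"
        else
          echo "Local image registry contains the image stream tag...nothing to do"
        fi
      securityContext:
        privileged: true
      volumeMounts:
        - name: varlibcontainers
          mountPath: /var/lib/containers
    # `oc tag` only talks to the cluster API, so this step carries neither the
    # privileged security context nor the container-storage mount.
    - name: tag-image
      image: quay.io/openshift/origin-cli:latest
      workingDir: $(workspaces.source.path)
      env:
        - name: PARAM_NAMESPACE
          value: $(params.nameSpace)
      script: |
        # check if local image stream tag already exists
        MATCHFILE="$(workspaces.source.path)/MATCH"
        if [ ! -f "$MATCHFILE" ]; then
          IMAGENAME=$( cat "$(workspaces.source.path)/IMAGENAME.txt" )
          GITSHA=$( cat "$(workspaces.source.path)/SHA.txt" )
          ISTAG=$( cat "$(workspaces.source.path)/ISTAG.txt" )
          echo "Image Name: $IMAGENAME"
          echo "Git SHA: $GITSHA"
          echo "Image Stream SHA: $ISTAG"
          oc tag "$PARAM_NAMESPACE/$IMAGENAME:$GITSHA" "$PARAM_NAMESPACE/$IMAGENAME:latest"
        else
          echo "Local image registry contains the image stream tag...nothing to do"
        fi
    # Registry credentials are read from the mounted `regcreds` secret through
    # REGISTRY_AUTH_FILE.
    # NOTE(review): the remote pushes reuse the sslVerify param, so with its
    # default those credentials go to a registry whose certificate is not
    # verified.
    - name: push-image-to-remote-reg
      image: quay.io/buildah/stable
      workingDir: $(workspaces.source.path)/$(params.contextDir)
      env:
        - name: REGISTRY_AUTH_FILE
          value: /workspace/.docker/config.json
        - name: PARAM_TLS_VERIFY
          value: $(params.sslVerify)
        - name: PARAM_IMAGE_REGISTRY
          value: $(params.imageRegistry)
        - name: PARAM_NAMESPACE
          value: $(params.nameSpace)
        - name: PARAM_REMOTE_REGISTRY
          value: $(params.remoteRegistry)
        - name: PARAM_REMOTE_ORG
          value: $(params.remoteOrg)
      script: |
        #!/usr/bin/env bash
        set -e -o pipefail
        # check if local image stream tag already exists
        MATCHFILE="$(workspaces.source.path)/MATCH"
        if [ ! -f "$MATCHFILE" ]; then
          IMAGENAME=$( cat "$(workspaces.source.path)/IMAGENAME.txt" )
          GITSHA=$( cat "$(workspaces.source.path)/SHA.txt" )
          ISTAG=$( cat "$(workspaces.source.path)/ISTAG.txt" )
          echo "Image Name: $IMAGENAME"
          echo "Git SHA: $GITSHA"
          echo "Image Stream SHA: $ISTAG"
          LOCAL_REF="$PARAM_IMAGE_REGISTRY/$PARAM_NAMESPACE/$IMAGENAME:$GITSHA"
          REMOTE_REPO="$PARAM_REMOTE_REGISTRY/$PARAM_REMOTE_ORG/$IMAGENAME"
          # pull down the local image we built and tagged
          buildah pull --tls-verify="$PARAM_TLS_VERIFY" \
            "docker://$LOCAL_REF"
          # push to remote registry and organization with GITSHA tag
          echo ""
          echo "Push $LOCAL_REF to $REMOTE_REPO:$GITSHA"
          echo ""
          buildah push --tls-verify="$PARAM_TLS_VERIFY" \
            "$LOCAL_REF" \
            "$REMOTE_REPO:$GITSHA"
          # push to remote registry and organization with latest tag
          echo ""
          echo "Push $LOCAL_REF to $REMOTE_REPO:latest"
          echo ""
          buildah push --tls-verify="$PARAM_TLS_VERIFY" \
            "$LOCAL_REF" \
            "$REMOTE_REPO:latest"
        else
          echo "Local image registry contains the image stream tag...nothing to do"
        fi
      securityContext:
        privileged: true
      volumeMounts:
        - name: varlibcontainers
          mountPath: /var/lib/containers
        - name: docker-secret
          mountPath: /workspace/.docker
  volumes:
    # container storage shared by the buildah steps
    - name: varlibcontainers
      emptyDir: {}
    # registry credentials, exposed to the remote-push step as config.json
    - name: docker-secret
      secret:
        secretName: regcreds
        items:
          - key: .dockerconfigjson
            path: config.json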
---
# Tekton Task: prints the contents of every *.txt file found at the top level
# of the shared workspace, so a pipeline run's intermediate files show up in
# the task log.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: get-shared-workspace-info
spec:
  workspaces:
    - name: source
      description: >-
        View files in the shared workspace used for the pipeline and
        underlying tasks
  steps:
    # NOTE(review): the image uses the floating `latest` tag; pin it by digest
    # (image@sha256:<digest>) for reproducible runs.
    # Assumes this image's /bin/sh accepts `-o pipefail` — TODO confirm.
    - name: cat-txt-files-workspace
      workingDir: $(workspaces.source.path)
      image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:latest
      script: |
        #!/bin/sh
        set -e -o pipefail
        ls $(workspaces.source.path)/*.txt | xargs -I{} cat {}
---
# Tekton Pipeline: clones a git repository with the git-clone ClusterTask,
# runs the extract-check-build-verify-push Task on the clone, then prints the
# workspace's text files with get-shared-workspace-info. All three tasks share
# one workspace.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: app-sre-build-push
spec:
  description: |
    Use clustertask git-clone, build image, push image
  params:
    - name: repo-url
      type: string
      description: The git repository URL to clone from.
    - name: branch-name
      type: string
      description: The git branch to clone.
      default: "master"
    - name: context-dir
      type: string
      description: The relative path to the Dockerfile
      default: "."
    - name: docker-file
      type: string
      description: The name of the Dockerfile
      default: "Dockerfile"
    # NOTE(review): this single switch is forwarded both to git-clone
    # (sslVerify) and to the build/push task (sslVerify), and it defaults to
    # "false". With the default, the source is cloned and images are pushed
    # without TLS certificate verification. Consider defaulting to "true" and
    # relaxing it only for the registry that needs it.
    - name: tls-verify
      type: string
      description: tls verify
      default: "false"
    - name: image-registry
      type: string
      description: Image registry to push images to
      default: "image-registry.openshift-image-registry.svc:5000"
    - name: image-name
      type: string
      description: Image name
      default: ""
    # NOTE(review): the three params below default to "" and are always passed
    # on to the task, so the task presumably receives "" rather than its own
    # defaults when a run omits them — verify.
    - name: name-space
      type: string
      description: Cluster namespace to use for pipelines
      default: ""
    - name: remote-registry
      type: string
      description: Remote registry to push image to
      default: ""
    - name: remote-org
      type: string
      description: Remote registry organization or user registry namespace
      default: ""
  workspaces:
    - name: shared-data
      description: |
        This workspace will receive the cloned git repo and be passed
        to the next Task for verifying, building, and pushing files.
  tasks:
    - name: clone-repo
      taskRef:
        kind: ClusterTask
        name: git-clone
      workspaces:
        - name: output
          workspace: shared-data
      params:
        - name: url
          value: $(params.repo-url)
        # a branch name, not a fixed commit: the built source can differ
        # between runs of the same parameters
        - name: revision
          value: $(params.branch-name)
        - name: sslVerify
          value: $(params.tls-verify)
        - name: deleteExisting
          value: "true"
    - name: check-build-push
      # Wait until the clone-repo is complete
      runAfter:
        - clone-repo
      taskRef:
        name: extract-check-build-verify-push
      workspaces:
        - name: source
          workspace: shared-data
      params:
        - name: contextDir
          value: $(params.context-dir)
        - name: dockerFile
          value: $(params.docker-file)
        - name: sslVerify
          value: $(params.tls-verify)
        - name: imageRegistry
          value: $(params.image-registry)
        - name: imageName
          value: $(params.image-name)
        - name: nameSpace
          value: $(params.name-space)
        - name: remoteRegistry
          value: $(params.remote-registry)
        - name: remoteOrg
          value: $(params.remote-org)
    - name: workspace-info
      # Wait until check-build-push task is complete
      runAfter:
        - check-build-push
      taskRef:
        name: get-shared-workspace-info
      workspaces:
        - name: source
          workspace: shared-data
---
# Example PipelineRun for the app-sre-build-push Pipeline. Each run gets a
# generated name with the clone-build-push- prefix and uses an existing
# PersistentVolumeClaim as the shared workspace.
#
# NOTE(review): tls-verify and branch-name are not set here, so the Pipeline
# defaults ("false" and "master") apply: the repository is cloned without TLS
# certificate verification and from a moving branch. Set tls-verify to "true"
# where the registries involved allow it, and pass a fixed revision when the
# build must be reproducible.
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: clone-build-push-
spec:
  pipelineRef:
    name: app-sre-build-push
  workspaces:
    - name: shared-data
      persistentVolumeClaim:
        claimName: pipelines-task-pvc
  params:
    - name: repo-url
      value: 'https://github.com/app-sre/qontract-reconcile.git'
    - name: context-dir
      value: 'dockerfiles'
    - name: image-registry
      value: 'image-registry.openshift-image-registry.svc:5000'
    - name: image-name
      value: 'qontract-reconcile'
    - name: name-space
      value: 'app-sre-cicd'
    - name: remote-registry
      value: 'quay.io'
    - name: remote-org
      value: 'arilivigni'