-
Notifications
You must be signed in to change notification settings - Fork 1
/
buildpacks-extension-check.yaml
98 lines (84 loc) · 3.88 KB
/
buildpacks-extension-check.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: buildpacks-extension-check
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/pipelines.minVersion: "0.40.0"
tekton.dev/categories: Image Build
tekton.dev/tags: image-build
tekton.dev/displayName: "Buildpacks extensions check"
tekton.dev/platforms: "linux/amd64"
spec:
description: >-
This Task will inspect a Buildpacks builder image using the skopeo tool
to find if the image includes the labels: io.buildpacks.extension.layers and io.buildpacks.buildpack.order-extensions.
If this is the case, then, you can use the "results.extensionLabels" within your PipelineRun or TaskRun to
trigger the build using either the buildpacks extension Task or the buildpacks task.
Additionally, the CNB USER ID and CNB GROUP ID of the image will be exported as results.
params:
- name: verbose
description: Log the commands that are executed during `git-clone`'s operation.
type: string
default: "false"
- name: builderImage
description: Builder image to be scanned
type: string
results:
- name: uid
description: UID of the user specified in the image
- name: gid
description: GID of the user specified in the image
- name: extensionLabels
description: Extensions labels defined in the image
workspaces:
- name: creds
description: Directory to mount registry credentials from secrets
optional: true
steps:
- name: check-image-builder-extension
image: quay.io/ch007m/extended-skopeo
env:
- name: PARAM_VERBOSE
value: $(params.verbose)
- name: PARAM_BUILDER_IMAGE
value: $(params.builderImage)
script: |
#!/usr/bin/env bash
set -eu
if [ "${PARAM_VERBOSE}" = "true" ] ; then
set -x
fi
# Check if registry configuration file(s) have been mounted from secret(s)"
if [[ "$(workspaces.creds.bound)" == "true" ]]; then
echo "Registry configuration file(s) have been mounted from secret(s) ..."
ls -la $(workspaces.creds.path)/
fi
EXT_LABEL_1="io.buildpacks.extension.layers"
EXT_LABEL_2="io.buildpacks.buildpack.order-extensions"
IMG_MANIFEST=$(skopeo inspect --authfile $(workspaces.creds.path)/dockercfg/.dockerconfigjson "docker://${PARAM_BUILDER_IMAGE}")
#
# The following test should be reviewed as :
#
# 1) we get from non ubi images a {} value as you can see hereafter
# "io.buildpacks.extension.layers": "{}",
#
# 2) Do we have to check the content of this label too ?
# "io.buildpacks.buildpack.order-extensions": "null",
#
IMG_LABELS=$(echo $IMG_MANIFEST | jq -e '.Labels')
if [[ $(echo "$IMG_LABELS" | jq -r '.["'${EXT_LABEL_1}'"]') != "{}" ]] > /dev/null; then
echo "## The builder image ${PARAM_BUILDER_IMAGE} includes some extension as the extension label \"${EXT_LABEL_1}\" is NOT empty:"
echo -n "$IMG_LABELS" | jq -r '.["'${EXT_LABEL_1}'"]' | tee "$(results.extensionLabels.path)"
echo ""
else
echo "## The builder image ${PARAM_BUILDER_IMAGE} dot not include extensions as the extension label \"${EXT_LABEL_1}\" is empty !"
echo -n "empty" | tee "$(results.extensionLabels.path)"
fi
CNB_USER_ID=$(echo $IMG_MANIFEST | jq -r '.Env' | jq -r '.[] | select(test("^CNB_USER_ID="))' | cut -d '=' -f 2)
CNB_GROUP_ID=$(echo $IMG_MANIFEST | jq -r '.Env' | jq -r '.[] | select(test("^CNB_GROUP_ID="))' | cut -d '=' -f 2)
echo "## The CNB_USER_ID & CNB_GROUP_ID defined within the builder image: ${PARAM_BUILDER_IMAGE} are:"
echo -n "$CNB_USER_ID" | tee "$(results.uid.path)"
echo ""
echo -n "$CNB_GROUP_ID" | tee "$(results.gid.path)"