@@ -72,14 +72,11 @@ spec:
7272 hours, days, and weeks, respectively.
7373 type : string
7474 default : " "
75- - name : ORAS_OPTIONS
76- type : string
77- description : Optional environment variable string for build-trusted-artifacts
78- default : " "
79- - name : CACHE_URL
80- type : string
81- description : For JBS, URL of the cache.
82- default : " "
75+ - name : LABELS
76+ description : Additional key=value labels that should be applied to the
77+ image
78+ type : array
79+ default : []
8380 - name : PREFETCH_INPUT
8481 description : In case it is not empty, the prefetched content should
8582 be made available to the build.
@@ -203,6 +200,8 @@ spec:
203200 value : $(params.IMAGE_EXPIRES_AFTER)
204201 - name : SKIP_UNUSED_STAGES
205202 value : $(params.SKIP_UNUSED_STAGES)
203+ - name : SOURCE_CODE_DIR
204+ value : source
206205 - name : SQUASH
207206 value : $(params.SQUASH)
208207 - name : STORAGE_DRIVER
@@ -229,13 +228,13 @@ spec:
229228 - use
230229 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
231230 - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
232- env :
233- - name : ORAS_OPTIONS
234- value : $(params.ORAS_OPTIONS)
235231 - name : build
236232 image : $(params.JVM_BUILD_SERVICE_DOMAIN_PROXY_IMAGE)
237233 args :
234+ - --build-args
238235 - $(params.BUILD_ARGS[*])
236+ - --labels
237+ - $(params.LABELS[*])
239238 workingDir : /var/workdir
240239 volumeMounts :
241240 - mountPath : /var/lib/containers
@@ -252,8 +251,6 @@ spec:
252251 env :
253252 - name : COMMIT_SHA
254253 value : $(params.COMMIT_SHA)
255- - name : CACHE_URL
256- value : $(params.CACHE_URL)
257254 script : |
258255 #!/bin/bash
259256 set -e
@@ -264,20 +261,19 @@ spec:
264261 update-ca-trust
265262 fi
266263
267- SOURCE_CODE_DIR=source
268264 if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
269265 dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
270266 elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
271267 dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
272268 elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
273269 echo "Fetch Dockerfile from $DOCKERFILE"
274270 dockerfile_path=$(mktemp --suffix=-Dockerfile)
275- http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE")
271+ http_code=$(curl -s -S - L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE")
276272 if [ $http_code != 200 ]; then
277273 echo "No Dockerfile is fetched. Server responds $http_code"
278274 exit 1
279275 fi
280- http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore")
276+ http_code=$(curl -s -S - L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore")
281277 if [ $http_code = 200 ]; then
282278 echo "Fetched .dockerignore from $DOCKERFILE.dockerignore"
283279 mv "$dockerfile_path.dockerignore.tmp" $SOURCE_CODE_DIR/$CONTEXT/.dockerignore
@@ -286,8 +282,12 @@ spec:
286282 echo "Cannot find Dockerfile $DOCKERFILE"
287283 exit 1
288284 fi
289- if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
290- sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"<settings><mirrors><mirror><id>mirror.default</id><url>http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
285+
286+ dockerfile_copy=$(mktemp --tmpdir "$(basename "$dockerfile_path").XXXXXX")
287+ cp "$dockerfile_path" "$dockerfile_copy"
288+
289+ if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_copy"; then
290+ sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"<settings><mirrors><mirror><id>mirror.default</id><url>http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_copy"
291291 touch /var/lib/containers/java
292292 fi
293293
@@ -299,9 +299,58 @@ spec:
299299 # Setting new namespace to run buildah - 2^32-2
300300 echo 'root:1:4294967294' | tee -a /etc/subuid >>/etc/subgid
301301
302+ build_args=()
303+ if [ -n "${BUILD_ARGS_FILE}" ]; then
304+ # Parse BUILD_ARGS_FILE ourselves because dockerfile-json doesn't support it
305+ echo "Parsing ARGs from $BUILD_ARGS_FILE"
306+ mapfile -t build_args < <(
307+ # https://www.mankier.com/1/buildah-build#--build-arg-file
308+ # delete lines that start with #
309+ # delete blank lines
310+ sed -e '/^#/d' -e '/^\s*$/d' "${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}"
311+ )
312+ fi
313+
314+ LABELS=()
315+ # Split `args` into two sets of arguments.
316+ while [[ $# -gt 0 ]]; do
317+ case $1 in
318+ --build-args)
319+ shift
320+ # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being
321+ # passed to buildah. In that case, the *last* occurrence takes precedence. This is why
322+ # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE - they take precedence.
323+ while [[ $# -gt 0 && $1 != --* ]]; do
324+ build_args+=("$1")
325+ shift
326+ done
327+ ;;
328+ --labels)
329+ shift
330+ while [[ $# -gt 0 && $1 != --* ]]; do
331+ LABELS+=("--label" "$1")
332+ shift
333+ done
334+ ;;
335+ *)
336+ echo "unexpected argument: $1" >&2
337+ exit 2
338+ ;;
339+ esac
340+ done
341+
342+ BUILD_ARG_FLAGS=()
343+ for build_arg in "${build_args[@]}"; do
344+ BUILD_ARG_FLAGS+=("--build-arg=$build_arg")
345+ done
346+
347+ BASE_IMAGES=$(
348+ dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
349+ jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
350+ )
351+
302352 BUILDAH_ARGS=()
303353
304- BASE_IMAGES=$(dockerfile-json "$dockerfile_path" | jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName')
305354 if [ "${HERMETIC}" == "true" ]; then
306355 BUILDAH_ARGS+=("--pull=never")
307356 UNSHARE_ARGS="--net"
@@ -315,13 +364,7 @@ spec:
315364 BUILDAH_ARGS+=("--target=${TARGET_STAGE}")
316365 fi
317366
318- if [ -n "${BUILD_ARGS_FILE}" ]; then
319- BUILDAH_ARGS+=("--build-arg-file=$(pwd)/$SOURCE_CODE_DIR/${BUILD_ARGS_FILE}")
320- fi
321-
322- for build_arg in "$@"; do
323- BUILDAH_ARGS+=("--build-arg=$build_arg")
324- done
367+ BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}")
325368
326369 if [ -n "${ADD_CAPABILITIES}" ]; then
327370 BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}")
@@ -344,7 +387,7 @@ spec:
344387 sed -E -i \
345388 -e 'H;1h;$!d;x' \
346389 -e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \
347- "$dockerfile_path "
390+ "$dockerfile_copy "
348391 echo "Prefetched content will be made available"
349392
350393 prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo"
@@ -371,13 +414,16 @@ spec:
371414 /app/domain-proxy-server-runner &
372415 server_pid=$!
373416
374- LABELS =(
417+ DEFAULT_LABELS =(
375418 "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')"
376419 "--label" "architecture=$(uname -m)"
377420 "--label" "vcs-type=git"
378421 )
379- [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA")
380- [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER")
422+ [ -n "$COMMIT_SHA" ] && DEFAULT_LABELS+=("--label" "vcs-ref=$COMMIT_SHA")
423+ [ -n "$IMAGE_EXPIRES_AFTER" ] && DEFAULT_LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER")
424+
425+ # Concatenate defaults and explicit labels. If a label appears twice, the last one wins.
426+ LABELS=("${DEFAULT_LABELS[@]}" "${LABELS[@]}")
381427
382428 ACTIVATION_KEY_PATH="/activation-key"
383429 ENTITLEMENT_PATH="/entitlement"
@@ -408,10 +454,8 @@ spec:
408454 done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
409455 fi
410456
411- # TODO: Rename to JBS_CACHE_URL?
412- if [ -n "$CACHE_URL" ]; then
413- BUILDAH_ARGS+=("--build-arg=CACHE_URL=$CACHE_URL")
414- fi
457+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
458+ declare IMAGE
415459
416460 # Without expansion
417461 cat > /app/build-script.sh << 'EOF'
@@ -423,7 +467,7 @@ spec:
423467
424468 # With expansion
425469 cat >> /app/build-script.sh << EOF
426- buildah build $VOLUME_MOUNTS ${BUILDAH_ARGS[@]} ${LABELS[@]} --tls-verify=$TLSVERIFY --no-cache --ulimit nofile=4096:4096 -f "$dockerfile_path " -t $IMAGE .
470+ buildah build $VOLUME_MOUNTS ${BUILDAH_ARGS[@]} ${LABELS[@]} --tls-verify=$TLSVERIFY --no-cache --ulimit nofile=4096:4096 -f "$dockerfile_copy " -t $IMAGE .
427471 EOF
428472
429473 # Without expansion
@@ -444,7 +488,7 @@ spec:
444488 wait $server_pid
445489 set -e
446490
447- container=$(buildah from --pull-never $IMAGE)
491+ container=$(buildah from --pull-never " $IMAGE" )
448492 buildah mount $container | tee /shared/container_path
449493 # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
450494 find $(cat /shared/container_path) -xtype l -delete
@@ -464,11 +508,11 @@ spec:
464508 echo "$BASE_IMAGES" >/shared/base_images_from_dockerfile
465509 computeResources :
466510 limits :
511+ cpu : " 4"
512+ memory : 8Gi
513+ requests :
467514 cpu : " 1"
468515 memory : 2Gi
469- requests :
470- cpu : " 50m"
471- memory : 512Mi
472516 securityContext :
473517 capabilities :
474518 add :
@@ -483,16 +527,16 @@ spec:
483527 name : shared
484528 script : |
485529 echo "Running syft on the source directory"
486- syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json
530+ syft dir:" /var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json=" /var/workdir/sbom-source.json"
487531 echo "Running syft on the image filesystem"
488- syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json
532+ syft dir:" $(cat /shared/container_path)" --output cyclonedx-json=" /var/workdir/sbom-image.json"
489533 computeResources :
490534 limits :
491- cpu : " 1 "
492- memory : 2Gi
535+ cpu : " 2 "
536+ memory : 4Gi
493537 requests :
494- cpu : 50m
495- memory : 512Mi
538+ cpu : 500m
539+ memory : 1Gi
496540 - name : analyse-dependencies-java-sbom
497541 image : quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77
498542 volumeMounts :
@@ -509,11 +553,11 @@ spec:
509553 fi
510554 computeResources :
511555 limits :
556+ cpu : 200m
557+ memory : 512Mi
558+ requests :
512559 cpu : 100m
513560 memory : 256Mi
514- requests :
515- cpu : 10m
516- memory : 128Mi
517561 securityContext :
518562 runAsUser : 0
519563 - name : prepare-sboms
@@ -539,15 +583,15 @@ spec:
539583 --base-images-digests=/shared/base_images_digests
540584 computeResources :
541585 limits :
586+ cpu : 200m
587+ memory : 512Mi
588+ requests :
542589 cpu : 100m
543590 memory : 256Mi
544- requests :
545- cpu : 10m
546- memory : 128Mi
547591 securityContext :
548592 runAsUser : 0
549593 - name : inject-sbom-and-push
550- image : quay.io/konflux-ci/buildah-task:latest@sha256:218d526bbaf0ceee4d6b4ee78af5e22de786cf2ed7c13f8a915263a43ac50f7a
594+ image : quay.io/konflux-ci/buildah-task:latest@sha256:5cbd487022fb7ac476cbfdea25513b810f7e343ec48f89dc6a4e8c3c39fa37a2
551595 workingDir : /var/workdir
552596 volumeMounts :
553597 - mountPath : /var/lib/containers
@@ -610,11 +654,11 @@ spec:
610654 echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
611655 computeResources :
612656 limits :
613- cpu : " 2 "
614- memory : 2Gi
657+ cpu : " 4 "
658+ memory : 4Gi
615659 requests :
616- cpu : " 100m "
617- memory : 512Mi
660+ cpu : " 1 "
661+ memory : 1Gi
618662 securityContext :
619663 capabilities :
620664 add :
@@ -638,8 +682,8 @@ spec:
638682 cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
639683 computeResources :
640684 limits :
685+ cpu : 200m
686+ memory : 512Mi
687+ requests :
641688 cpu : 100m
642689 memory : 256Mi
643- requests :
644- cpu : 10m
645- memory : 128Mi
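Review bot: A missing or unreadable `BUILD_ARGS_FILE` no longer fails the build: the `sed` that feeds `mapfile` runs inside a process substitution, whose exit status the script's `set -e` does not see, so `build_args` silently stays empty where the removed `--build-arg-file=` would have made buildah error out on the absent file. Guard the path before the `mapfile` with `[ -r "${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}" ] || { echo "cannot read build args file ${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}" >&2; exit 1; }`. The new `BASE_IMAGES=$(dockerfile-json ... | jq ...)` assignment a few lines below has the same masking problem if dockerfile-json fails while jq succeeds, unless `set -o pipefail` is in effect earlier in the script; that pipeline shape predates this change, so the check may be deliberate. The two `curl -s -S - L` lines in the Dockerfile-fetch hunk read as a rendering artefact of `-L`; if the space is literal, the follow-redirects flag is lost and the fetch of a redirected Dockerfile URL would fail the `!= 200` check. The build step script starts and ends outside the shown hunks.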