airship/charts
Code Issues Proposed changes
charts/tools/gate/jarvis/development-pipeline/templates/task-image.yaml
FLETCHER beefa8dd30 feat(entrypoint) Create entrypoints 
This patchset moves all of the Tekton task script sections to use
a defined entrypoint instead of an ansible-playbook command. This is
a step to keeping all business logic out of the tekton tasks, i.e. the
tekton tasks should work with any standard container given, not just one
using Ansible.

Change-Id: I5e106a8a75b79c0c2948cda638fbe532fd12fae3
2021-03-02 09:38:19 -06:00

138 lines
4.1 KiB
YAML
Raw Blame History

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: image-tasks
namespace: {{ $.Release.Namespace }}
spec:
description: >-
This task builds images if source is provided
workspaces:
- name: k8s_cluster_data
- name: development_pipeline_data
steps:
- name: clone
image: {{ $.Values.tasks.image.buildImage }}
volumeMounts:
- mountPath: /certs/client
name: dind-certs
- mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
name: harbor-ca
subPath: harbor-ca
script: |
/jarvis/git_clone_image_repo.sh
- name: set-image-output
image: {{ $.Values.tasks.image.buildImage }}
script: |
#!/usr/bin/env sh
cat "$(workspaces.development_pipeline_data.path)/image.json"
- name: docker-build
image: {{ $.Values.tasks.image.buildImage }}
volumeMounts:
- mountPath: /certs/client
name: dind-certs
env:
# Connect to the sidecar over TCP, with TLS.
- name: DOCKER_HOST
value: tcp://localhost:2376
# Verify TLS.
- name: DOCKER_TLS_VERIFY
value: '1'
# Use the certs generated by the sidecar daemon.
- name: DOCKER_CERT_PATH
value: /certs/client
script: |
update-ca-certificates
/jarvis/build_docker_image.sh
- name: set-image-build-output-after-build
image: {{ $.Values.tasks.image.buildImage }}
script: |
#!/usr/bin/env sh
cat "$(workspaces.development_pipeline_data.path)/image.json"
- name: publish-and-scan-image
image: {{ $.Values.tasks.image.buildImage }}
volumeMounts:
- mountPath: /certs/client
name: dind-certs
- mountPath: /tekton/home/.docker/config.json
name: image-push-creds
subPath: .dockerconfigjson
env:
# Connect to the sidecar over TCP, with TLS.
- name: DOCKER_HOST
value: tcp://localhost:2376
# Verify TLS.
- name: DOCKER_TLS_VERIFY
value: '1'
# Use the certs generated by the sidecar daemon.
- name: DOCKER_CERT_PATH
value: /certs/client
script: |
/jarvis/push_docker_image.sh
- name: set-image-output-after-publish-scan
image: {{ $.Values.tasks.image.buildImage }}
script: |
#!/usr/bin/env sh
cat "$(workspaces.development_pipeline_data.path)/image.json"
- name: get-scan-results
image: {{ $.Values.tasks.image.buildImage }}
volumeMounts:
- mountPath: /certs/client
name: dind-certs
script: |
/jarvis/get_image_scan_results.sh
- name: set-image-output-set-scan-results
image: {{ $.Values.tasks.image.buildImage }}
script: |
#!/usr/bin/env sh
cat "$(workspaces.development_pipeline_data.path)/image.json"
sidecars:
- image: {{ $.Values.tasks.image.sidecarServer }}
name: server
args:
- --storage-driver=overlay2
- --userland-proxy=false
- --debug
- --insecure-registry={{ $.Values.tasks.image.insecureRegistry }}
##TODO: Get rid of privileged true
securityContext:
privileged: true
env:
# Write generated certs to the path shared with the client.
- name: DOCKER_TLS_CERTDIR
value: /certs
volumeMounts:
- mountPath: /certs/client
name: dind-certs
- mountPath: /var/lib/docker
name: var-lib-docker
- mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
name: harbor-ca
subPath: harbor-ca
# Wait for the dind daemon to generate the certs it will share with the
# client.
readinessProbe:
periodSeconds: 1
exec:
command: ['ls', '/certs/client/ca.pem']
volumes:
- name: dind-certs
emptyDir: {}
- name: var-lib-docker
emptyDir: {}
- name: image-push-creds
secret:
secretName: harbor-docker-auth
- name: helm-publish-creds
secret:
secretName: harbor-basic-auth
- name: harbor-ca
secret:
secretName: harbor-ca
View Git Blame Copy Permalink