Push, sign, and build images
@@ -1,6 +1,9 @@
|
|||||||
stages:
|
stages:
|
||||||
- build
|
- build
|
||||||
|
|
||||||
|
variables:
|
||||||
|
COSIGN_PASSWORD: ""
|
||||||
|
|
||||||
default:
|
default:
|
||||||
image: registry.gitlab.com/wunker-bunker/ci-builder
|
image: registry.gitlab.com/wunker-bunker/ci-builder
|
||||||
before_script:
|
before_script:
|
||||||
@@ -9,12 +12,13 @@ default:
|
|||||||
IMAGE_DESCRIPTION=$(yq '.description' ./$RECIPE)
|
IMAGE_DESCRIPTION=$(yq '.description' ./$RECIPE)
|
||||||
FEDORA_MAJOR_VERSION=$(yq '.fedora-version' ./$RECIPE)
|
FEDORA_MAJOR_VERSION=$(yq '.fedora-version' ./$RECIPE)
|
||||||
BASE_IMAGE_URL=$(yq '.base-image' ./$RECIPE)
|
BASE_IMAGE_URL=$(yq '.base-image' ./$RECIPE)
|
||||||
|
FULL_IMAGE_NAME=$CI_REGISTRY/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$IMAGE_NAME
|
||||||
# Generate a timestamp for creating an image version history
|
# Generate a timestamp for creating an image version history
|
||||||
TIMESTAMP="$(date +%Y%m%d)"
|
TIMESTAMP="$(date +%Y%m%d)"
|
||||||
COMMIT_TAGS=()
|
COMMIT_TAGS=()
|
||||||
BUILD_TAGS=()
|
BUILD_TAGS=()
|
||||||
# Have tags for tracking builds during pull request
|
# Have tags for tracking builds during pull request
|
||||||
COMMIT_TAGS+=("pr-${CI_MERGE_REQUEST_IID}-${FEDORA_MAJOR_VERSION}")
|
COMMIT_TAGS+=("mr-${CI_MERGE_REQUEST_IID}-${FEDORA_MAJOR_VERSION}")
|
||||||
COMMIT_TAGS+=("${CI_COMMIT_SHORT_SHA}-${FEDORA_MAJOR_VERSION}")
|
COMMIT_TAGS+=("${CI_COMMIT_SHORT_SHA}-${FEDORA_MAJOR_VERSION}")
|
||||||
|
|
||||||
BUILD_TAGS=("${FEDORA_MAJOR_VERSION}" "${FEDORA_MAJOR_VERSION}-${TIMESTAMP}")
|
BUILD_TAGS=("${FEDORA_MAJOR_VERSION}" "${FEDORA_MAJOR_VERSION}-${TIMESTAMP}")
|
||||||
@@ -46,5 +50,11 @@ build:
|
|||||||
- recipe-desktop.yml
|
- recipe-desktop.yml
|
||||||
- recipe-framework.yml
|
- recipe-framework.yml
|
||||||
script:
|
script:
|
||||||
- buildah build --build-arg=RECIPE=$RECIPE --build-arg=FEDORA_MAJOR_VERSION=$FEDORA_MAJOR_VERSION --build-arg BASE_IMAGE_URL=$BASE_IMAGE_URL -t $CI_REGISTRY/$CI_PROJECT_NAMESPACE/$IMAGE_NAME:${TAGS} .
|
- buildah build --build-arg=RECIPE=$RECIPE --build-arg=FEDORA_MAJOR_VERSION=$FEDORA_MAJOR_VERSION --build-arg BASE_IMAGE_URL=$BASE_IMAGE_URL -t $FULL_IMAGE_NAME:${TAGS} .
|
||||||
- cosign sign -y --key $SIGNING_SECRET $CI_REGISTRY/$CI_PROJECT_NAMESPACE/$IMAGE_NAME@${TAGS}
|
- |
|
||||||
|
for TAG in "${TAGS[@]}"; do
|
||||||
|
buildah tag $FULL_IMAGE_NAME:${TAGS} $FULL_IMAGE_NAME:${TAG}
|
||||||
|
done
|
||||||
|
- buildah push --all $FULL_IMAGE_NAME
|
||||||
|
- DIGEST=$(buildah images --format '{{.Digest}}' $FULL_IMAGE_NAME:$TAGS | head -n 1)
|
||||||
|
- cosign sign -y --key $SIGNING_SECRET $FULL_IMAGE_NAME@$DIGEST
|
||||||
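Review bot: The final `cosign sign` line signs a digest read from local storage via `buildah images --format '{{.Digest}}'`, which is not guaranteed to match the manifest digest the registry stored after `buildah push` (a push can recompress layers or convert the manifest format), so the signature can end up on a digest nobody pulls. Take the digest from the push itself, for example `buildah push --digestfile digest.txt "$FULL_IMAGE_NAME:$TAG"` inside the tag loop followed by `cosign sign -y --key "$SIGNING_SECRET" "$FULL_IMAGE_NAME@$(cat digest.txt)"`; pushing per tag also avoids relying on `buildah push --all`, which as far as I know expands manifest lists rather than pushing every local tag. Separately, `COSIGN_PASSWORD: ""` in the first hunk means the private key carries no passphrase, so its confidentiality rests entirely on how `SIGNING_SECRET` is stored. The `mr-${CI_MERGE_REQUEST_IID}` tag suggests this job also runs in merge-request pipelines; the job's `rules` are outside the visible hunks, but the variable should be protected and the signing steps restricted to protected branches.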
@@ -1,4 +1,4 @@
|
|||||||
-----BEGIN PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4K2T9VlxksEr9vVuFbR5R6RKVSrl
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAyTphXdVzd8Yt5ZK+Hry/xPasjwJ
|
||||||
fOqdOsIjcea0vWt5McZpGp9AraxS7gduJb8x6z5cDxc0GULB08C11q6X+A==
|
EKXoUFZ4ZFvXFAmv9g4QACwx0fpzn8B6qG3b4yj0R0mmaD3bw9sIt8wUzA==
|
||||||
-----END PUBLIC KEY-----
|
-----END PUBLIC KEY-----
|
||||||
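Review bot: The key rotation in this file is not mentioned in the commit title or description: both base64 lines of what appears to be the signature-verification public key change. Images signed with the previous key will no longer verify against this file, so consumers who pinned the old key in their verification policy need to be told. Suggest stating the reason for the rotation in the commit message and noting whether previously published tags will be re-signed with the new key.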
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
set -oue pipefail
|
set -oue pipefail
|
||||||
|
|
||||||
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
|
cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo
|
||||||
[kubernetes]
|
[kubernetes]
|
||||||
name=Kubernetes
|
name=Kubernetes
|
||||||
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
|
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
|
||||||
|
|||||||