mirror of
https://github.com/kasmtech/workspaces-core-images.git
synced 2024-11-21 15:03:14 +01:00
Resolve KASM-6454 "Feature/ workspace core images pipelines not longer push to private registry reducing visibility on vulnerabilities/workspaces core images"
This commit is contained in:
Jasper Clark
Richard Koliser
parent
e74c0c79df
commit
5ff2ecd4e3
@ -19,7 +19,7 @@ variables:
|
||||
TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.a1d5b7.tar.gz"
|
||||
SCAN_CONTAINERS: "true"
|
||||
before_script:
|
||||
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
|
||||
- export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
|
||||
|
||||
#######################
|
||||
# Build from template #
|
||||
|
||||
@ -18,7 +18,7 @@ variables:
|
||||
DOCKER_TLS_CERTDIR: ""
|
||||
before_script:
|
||||
- docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
|
||||
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
|
||||
- export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
|
||||
|
||||
###############################################
|
||||
# Build Containers and push to cache endpoint #
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
# Globals
|
||||
FAILED="false"
|
||||
PUBLIC_BUILD="false"
|
||||
|
||||
# Ingest cli variables
|
||||
## Parse input ##
|
||||
@ -12,19 +13,15 @@ REVERT_PIPELINE_ID=$4
|
||||
IS_ROLLING=$5
|
||||
PULL_BRANCH=${SANITIZED_BRANCH}
|
||||
|
||||
# Determine if this is a private or public build
|
||||
# Determine if this is a public build
|
||||
if [[ "${CI_COMMIT_REF_NAME}" == release/* ]] || [[ "${CI_COMMIT_REF_NAME}" == "develop" ]]; then
|
||||
if [[ "${NAME1}" == "${NAME2}" ]]; then
|
||||
ENDPOINT="core-${NAME1}"
|
||||
else
|
||||
ENDPOINT="core-${NAME1}-${NAME2}"
|
||||
fi
|
||||
PUBLIC_BUILD="true"
|
||||
fi
|
||||
|
||||
if [[ "${NAME1}" == "${NAME2}" ]]; then
|
||||
ENDPOINT="core-${NAME1}"
|
||||
else
|
||||
if [[ "${NAME1}" == "${NAME2}" ]]; then
|
||||
ENDPOINT="core-${NAME1}-private"
|
||||
else
|
||||
ENDPOINT="core-${NAME1}-${NAME2}-private"
|
||||
fi
|
||||
ENDPOINT="core-${NAME1}-${NAME2}"
|
||||
fi
|
||||
|
||||
# Determine if this is a rolling build
|
||||
@ -81,28 +78,50 @@ fi
|
||||
|
||||
# Manifest for multi pull and push for single arch
|
||||
if [[ "${TYPE}" == "multi" ]]; then
|
||||
docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
|
||||
|
||||
# Pull images from cache repo
|
||||
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
|
||||
docker pull ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
|
||||
|
||||
# Tag images to live repo
|
||||
# Conditionally Process Public Build
|
||||
if [[ "${PUBLIC_BUILD}" == "true" ]]; then
|
||||
# Tag images to live repo
|
||||
docker tag \
|
||||
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||
${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
|
||||
docker tag \
|
||||
${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||
${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
||||
|
||||
# Push arches to live repo
|
||||
docker push ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
|
||||
docker push ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
||||
|
||||
# Manifest to meta tag on live repo
|
||||
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} || :
|
||||
docker manifest create ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
||||
docker manifest annotate ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
|
||||
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
||||
fi
|
||||
|
||||
# Tag images to private repo
|
||||
docker tag \
|
||||
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||
${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
|
||||
${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
|
||||
docker tag \
|
||||
${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||
${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
||||
${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
|
||||
|
||||
# Push arches to live repo
|
||||
docker push ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
|
||||
docker push ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
||||
# Push arches to private repo
|
||||
docker push ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
|
||||
docker push ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
|
||||
|
||||
# Manifest to meta tag
|
||||
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} || :
|
||||
docker manifest create ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
||||
docker manifest annotate ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
|
||||
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
||||
# Manifest to meta tag on private repo
|
||||
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} || :
|
||||
docker manifest create ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
|
||||
docker manifest annotate ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
|
||||
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
|
||||
|
||||
# Single arch image just pull and push
|
||||
else
|
||||
@ -110,12 +129,23 @@ else
|
||||
# Pull image
|
||||
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
|
||||
|
||||
# Tage image
|
||||
# Conditionally Process Public Build
|
||||
if [[ "${PUBLIC_BUILD}" == "true" ]]; then
|
||||
# Tage image to live repo
|
||||
docker tag \
|
||||
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||
${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
||||
|
||||
# Push image to live repo
|
||||
docker push ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
||||
fi
|
||||
|
||||
# Tage image to private repo
|
||||
docker tag \
|
||||
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||
${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
||||
${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
|
||||
|
||||
# Push image
|
||||
docker push ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
||||
# Push image to private repo
|
||||
docker push ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
|
||||
|
||||
fi
|
||||
|
||||
Loading…
Reference in New Issue
Block a user