Resolve KASM-6454 "Feature/ workspace core images pipelines not longer push to private registry reducing visibility on vulnerabilities/workspaces core images"

This commit is contained in:
Jasper Clark 2024-11-01 16:21:35 +00:00 committed by Richard Koliser
parent e74c0c79df
commit 5ff2ecd4e3
3 changed files with 58 additions and 28 deletions


@ -19,7 +19,7 @@ variables:
TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.a1d5b7.tar.gz" TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.a1d5b7.tar.gz"
SCAN_CONTAINERS: "true" SCAN_CONTAINERS: "true"
before_script: before_script:
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')" - export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
####################### #######################
# Build from template # # Build from template #


@ -18,7 +18,7 @@ variables:
DOCKER_TLS_CERTDIR: "" DOCKER_TLS_CERTDIR: ""
before_script: before_script:
- docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD - docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')" - export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
############################################### ###############################################
# Build Containers and push to cache endpoint # # Build Containers and push to cache endpoint #


@ -2,6 +2,7 @@
# Globals # Globals
FAILED="false" FAILED="false"
PUBLIC_BUILD="false"
# Ingest cli variables # Ingest cli variables
## Parse input ## ## Parse input ##
@ -12,19 +13,15 @@ REVERT_PIPELINE_ID=$4
IS_ROLLING=$5 IS_ROLLING=$5
PULL_BRANCH=${SANITIZED_BRANCH} PULL_BRANCH=${SANITIZED_BRANCH}
# Determine if this is a private or public build # Determine if this is a public build
if [[ "${CI_COMMIT_REF_NAME}" == release/* ]] || [[ "${CI_COMMIT_REF_NAME}" == "develop" ]]; then if [[ "${CI_COMMIT_REF_NAME}" == release/* ]] || [[ "${CI_COMMIT_REF_NAME}" == "develop" ]]; then
if [[ "${NAME1}" == "${NAME2}" ]]; then PUBLIC_BUILD="true"
ENDPOINT="core-${NAME1}" fi
else
ENDPOINT="core-${NAME1}-${NAME2}" if [[ "${NAME1}" == "${NAME2}" ]]; then
fi ENDPOINT="core-${NAME1}"
else else
if [[ "${NAME1}" == "${NAME2}" ]]; then ENDPOINT="core-${NAME1}-${NAME2}"
ENDPOINT="core-${NAME1}-private"
else
ENDPOINT="core-${NAME1}-${NAME2}-private"
fi
fi fi
# Determine if this is a rolling build # Determine if this is a rolling build
@ -81,28 +78,50 @@ fi
# Manifest for multi pull and push for single arch # Manifest for multi pull and push for single arch
if [[ "${TYPE}" == "multi" ]]; then if [[ "${TYPE}" == "multi" ]]; then
docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
# Pull images from cache repo # Pull images from cache repo
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
docker pull ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} docker pull ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
# Tag images to live repo # Conditionally Process Public Build
if [[ "${PUBLIC_BUILD}" == "true" ]]; then
# Tag images to live repo
docker tag \
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
docker tag \
${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
# Push arches to live repo
docker push ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
docker push ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
# Manifest to meta tag on live repo
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} || :
docker manifest create ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
docker manifest annotate ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
fi
# Tag images to private repo
docker tag \ docker tag \
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \ ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
docker tag \ docker tag \
${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \ ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
# Push arches to live repo # Push arches to private repo
docker push ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} docker push ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
docker push ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} docker push ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
# Manifest to meta tag # Manifest to meta tag on private repo
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} || : docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} || :
docker manifest create ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} docker manifest create ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
docker manifest annotate ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8 docker manifest annotate ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
# Single arch image just pull and push # Single arch image just pull and push
else else
@ -110,12 +129,23 @@ else
# Pull image # Pull image
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
# Tage image # Conditionally Process Public Build
if [[ "${PUBLIC_BUILD}" == "true" ]]; then
# Tage image to live repo
docker tag \
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
# Push image to live repo
docker push ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
fi
# Tage image to private repo
docker tag \ docker tag \
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \ ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
# Push image # Push image to private repo
docker push ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} docker push ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
fi fi
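Review bot: The public block added at L65-L78 and the private block at L81-L94 are the same fourteen lines with only the repository name changed, and the single-arch branch at L103-L114 repeats the pattern a third time, so a helper taking the target repository would remove the duplication and give one place to stop when a step fails. That matters because `docker manifest create` resolves the arch tags from the registry: if a `docker push` fails but a tag of the same name survives from an earlier run, the manifest and hence the public `${ENDPOINT}:${SANITIZED_BRANCH}` image would be assembled from stale layers; whether the script currently stops on such a failure depends on `set -e` or on how the `FAILED` global is consumed, neither of which is visible in the hunks. The sketch below returns on the first failed step and records it in `FAILED`, assuming that flag is checked later in the file (its consumer is outside the hunk). The `docker login` at L58 appears on one side only; if it was dropped, a one-line comment that the login now comes from the CI before_script would make the dependency explicit.
```shell
# Publish the two cached arch images as <repo>:<arch>-<branch> and a combined <repo>:<branch> manifest.
# Returns non-zero on the first failed step so the caller never builds a manifest from a stale tag.
publish_multi_arch() {
  local repo="$1"
  local cache="${ORG_NAME}/image-cache-private"
  local suffix="core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}"
  local arch
  for arch in x86_64 aarch64; do
    docker tag "${cache}:${arch}-${suffix}" "${repo}:${arch}-${SANITIZED_BRANCH}" || return 1
    docker push "${repo}:${arch}-${SANITIZED_BRANCH}" || return 1
  done
  # a missing manifest is expected on first publish; every other step must succeed
  docker manifest push --purge "${repo}:${SANITIZED_BRANCH}" || :
  docker manifest create "${repo}:${SANITIZED_BRANCH}" \
    "${repo}:x86_64-${SANITIZED_BRANCH}" "${repo}:aarch64-${SANITIZED_BRANCH}" || return 1
  docker manifest annotate "${repo}:${SANITIZED_BRANCH}" "${repo}:aarch64-${SANITIZED_BRANCH}" \
    --os linux --arch arm64 --variant v8 || return 1
  docker manifest push --purge "${repo}:${SANITIZED_BRANCH}"
}

# … unchanged: pull both arch images from the cache repo …
if [[ "${PUBLIC_BUILD}" == "true" ]]; then
  publish_multi_arch "${ORG_NAME}/${ENDPOINT}" || FAILED="true"
fi
publish_multi_arch "${ORG_NAME}/${ENDPOINT}-private" || FAILED="true"
```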