mirror of
https://github.com/kasmtech/workspaces-core-images.git
synced 2024-11-21 15:03:14 +01:00
Resolve KASM-6454 "Feature/ workspace core images pipelines not longer push to private registry reducing visibility on vulnerabilities/workspaces core images"
This commit is contained in:
parent
e74c0c79df
commit
5ff2ecd4e3
@ -19,7 +19,7 @@ variables:
|
|||||||
TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.a1d5b7.tar.gz"
|
TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.a1d5b7.tar.gz"
|
||||||
SCAN_CONTAINERS: "true"
|
SCAN_CONTAINERS: "true"
|
||||||
before_script:
|
before_script:
|
||||||
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
|
- export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
|
||||||
|
|
||||||
#######################
|
#######################
|
||||||
# Build from template #
|
# Build from template #
|
||||||
|
@ -18,7 +18,7 @@ variables:
|
|||||||
DOCKER_TLS_CERTDIR: ""
|
DOCKER_TLS_CERTDIR: ""
|
||||||
before_script:
|
before_script:
|
||||||
- docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
|
- docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
|
||||||
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
|
- export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
|
||||||
|
|
||||||
###############################################
|
###############################################
|
||||||
# Build Containers and push to cache endpoint #
|
# Build Containers and push to cache endpoint #
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
# Globals
|
# Globals
|
||||||
FAILED="false"
|
FAILED="false"
|
||||||
|
PUBLIC_BUILD="false"
|
||||||
|
|
||||||
# Ingest cli variables
|
# Ingest cli variables
|
||||||
## Parse input ##
|
## Parse input ##
|
||||||
@ -12,19 +13,15 @@ REVERT_PIPELINE_ID=$4
|
|||||||
IS_ROLLING=$5
|
IS_ROLLING=$5
|
||||||
PULL_BRANCH=${SANITIZED_BRANCH}
|
PULL_BRANCH=${SANITIZED_BRANCH}
|
||||||
|
|
||||||
# Determine if this is a private or public build
|
# Determine if this is a public build
|
||||||
if [[ "${CI_COMMIT_REF_NAME}" == release/* ]] || [[ "${CI_COMMIT_REF_NAME}" == "develop" ]]; then
|
if [[ "${CI_COMMIT_REF_NAME}" == release/* ]] || [[ "${CI_COMMIT_REF_NAME}" == "develop" ]]; then
|
||||||
if [[ "${NAME1}" == "${NAME2}" ]]; then
|
PUBLIC_BUILD="true"
|
||||||
ENDPOINT="core-${NAME1}"
|
fi
|
||||||
else
|
|
||||||
ENDPOINT="core-${NAME1}-${NAME2}"
|
if [[ "${NAME1}" == "${NAME2}" ]]; then
|
||||||
fi
|
ENDPOINT="core-${NAME1}"
|
||||||
else
|
else
|
||||||
if [[ "${NAME1}" == "${NAME2}" ]]; then
|
ENDPOINT="core-${NAME1}-${NAME2}"
|
||||||
ENDPOINT="core-${NAME1}-private"
|
|
||||||
else
|
|
||||||
ENDPOINT="core-${NAME1}-${NAME2}-private"
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Determine if this is a rolling build
|
# Determine if this is a rolling build
|
||||||
@ -81,28 +78,50 @@ fi
|
|||||||
|
|
||||||
# Manifest for multi pull and push for single arch
|
# Manifest for multi pull and push for single arch
|
||||||
if [[ "${TYPE}" == "multi" ]]; then
|
if [[ "${TYPE}" == "multi" ]]; then
|
||||||
|
docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
|
||||||
|
|
||||||
# Pull images from cache repo
|
# Pull images from cache repo
|
||||||
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
|
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
|
||||||
docker pull ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
|
docker pull ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
|
||||||
|
|
||||||
# Tag images to live repo
|
# Conditionally Process Public Build
|
||||||
|
if [[ "${PUBLIC_BUILD}" == "true" ]]; then
|
||||||
|
# Tag images to live repo
|
||||||
|
docker tag \
|
||||||
|
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||||
|
${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
|
||||||
|
docker tag \
|
||||||
|
${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||||
|
${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
||||||
|
|
||||||
|
# Push arches to live repo
|
||||||
|
docker push ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
|
||||||
|
docker push ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
||||||
|
|
||||||
|
# Manifest to meta tag on live repo
|
||||||
|
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} || :
|
||||||
|
docker manifest create ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
||||||
|
docker manifest annotate ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
|
||||||
|
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Tag images to private repo
|
||||||
docker tag \
|
docker tag \
|
||||||
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||||
${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
|
${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
|
||||||
docker tag \
|
docker tag \
|
||||||
${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||||
${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
|
||||||
|
|
||||||
# Push arches to live repo
|
# Push arches to private repo
|
||||||
docker push ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
|
docker push ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
|
||||||
docker push ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
docker push ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
|
||||||
|
|
||||||
# Manifest to meta tag
|
# Manifest to meta tag on private repo
|
||||||
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} || :
|
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} || :
|
||||||
docker manifest create ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
|
docker manifest create ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
|
||||||
docker manifest annotate ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
|
docker manifest annotate ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
|
||||||
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
|
||||||
|
|
||||||
# Single arch image just pull and push
|
# Single arch image just pull and push
|
||||||
else
|
else
|
||||||
@ -110,12 +129,23 @@ else
|
|||||||
# Pull image
|
# Pull image
|
||||||
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
|
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
|
||||||
|
|
||||||
# Tage image
|
# Conditionally Process Public Build
|
||||||
|
if [[ "${PUBLIC_BUILD}" == "true" ]]; then
|
||||||
|
# Tage image to live repo
|
||||||
|
docker tag \
|
||||||
|
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||||
|
${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
||||||
|
|
||||||
|
# Push image to live repo
|
||||||
|
docker push ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Tage image to private repo
|
||||||
docker tag \
|
docker tag \
|
||||||
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
|
||||||
${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
|
||||||
|
|
||||||
# Push image
|
# Push image to private repo
|
||||||
docker push ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
|
docker push ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user