Merge branch 'feature/KASM-6454_workspace_core_images_pipelines_not_longer_push_to_private_registry_reducing_visibility_on_vulnerabilities/workspaces-core-images' into 'develop'

Resolve KASM-6454 "Feature/ workspace core images pipelines not longer push to private registry reducing visibility on vulnerabilities/workspaces core images"

Closes KASM-6454

See merge request kasm-technologies/internal/workspaces-core-images!232
Richard Koliser 2024-11-01 16:21:35 +00:00
commit 845bd9a3bf
3 changed files with 58 additions and 28 deletions


@ -19,7 +19,7 @@ variables:
TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.a1d5b7.tar.gz"
SCAN_CONTAINERS: "true"
before_script:
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
- export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
#######################
# Build from template #
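Review bot: The new `${CI_COMMIT_REF_NAME:0:64}` slice on the `SANITIZED_BRANCH` line caps the length, but the only character rewrite is still `/`→`_`, so a branch name containing anything outside Docker's tag alphabet (`+`, `@`, `#`, …) still flows unchanged into the `docker tag`/`docker push` calls that interpolate `${SANITIZED_BRANCH}`, and the bare `$CI_COMMIT_REF_NAME` inside `echo` is unquoted. Since this value becomes part of an image reference, a whitelist is safer than a blacklist: `export SANITIZED_BRANCH="$(echo "${CI_COMMIT_REF_NAME:0:64}" | sed -r 's#^release/##; s#[^A-Za-z0-9_.-]#_#g')"`. Note also that two branches sharing their first 64 characters now yield the same `${SANITIZED_BRANCH}` and therefore the same published tag, so one branch's image can silently overwrite the other's; the line deserves a comment recording the rationale, e.g. `# cap at 64 chars (presumably to keep the composed image tag within Docker's 128-char limit — confirm); long branch names may collide after truncation`.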


@ -18,7 +18,7 @@ variables:
DOCKER_TLS_CERTDIR: ""
before_script:
- docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
- export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
###############################################
# Build Containers and push to cache endpoint #
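Review bot: The truncated `SANITIZED_BRANCH` line is now duplicated byte-for-byte between this file and the other pipeline file in this commit, so the 64-character cap and any future sanitization rule must be kept in sync by hand; defining it once (a shared `before_script` anchor or an included template) would keep both pipelines deriving identical tags. The slice is also applied before `release/` is stripped, so release branches keep at most 56 significant characters versus 64 for everything else — if that is unintended, strip first: `echo "${CI_COMMIT_REF_NAME#release/}" | sed 's/\//_/g' | cut -c1-64`. While here, the unchanged `docker login … --password $DOCKER_HUB_PASSWORD` line directly above puts the registry secret on the command line, where it is visible in the runner's process list; `echo "$DOCKER_HUB_PASSWORD" | docker login --username "$DOCKER_HUB_USERNAME" --password-stdin` avoids that.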


@ -2,6 +2,7 @@
# Globals
FAILED="false"
PUBLIC_BUILD="false"
# Ingest cli variables
## Parse input ##
@ -12,20 +13,16 @@ REVERT_PIPELINE_ID=$4
IS_ROLLING=$5
PULL_BRANCH=${SANITIZED_BRANCH}
# Determine if this is a private or public build
# Determine if this is a public build
if [[ "${CI_COMMIT_REF_NAME}" == release/* ]] || [[ "${CI_COMMIT_REF_NAME}" == "develop" ]]; then
PUBLIC_BUILD="true"
fi
if [[ "${NAME1}" == "${NAME2}" ]]; then
ENDPOINT="core-${NAME1}"
else
ENDPOINT="core-${NAME1}-${NAME2}"
fi
else
if [[ "${NAME1}" == "${NAME2}" ]]; then
ENDPOINT="core-${NAME1}-private"
else
ENDPOINT="core-${NAME1}-${NAME2}-private"
fi
fi
# Determine if this is a rolling build
if [[ "${SCHEDULED}" != "NO" ]]; then
@ -81,11 +78,14 @@ fi
# Manifest for multi pull and push for single arch
if [[ "${TYPE}" == "multi" ]]; then
docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
# Pull images from cache repo
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
docker pull ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
# Conditionally Process Public Build
if [[ "${PUBLIC_BUILD}" == "true" ]]; then
# Tag images to live repo
docker tag \
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
@ -98,11 +98,30 @@ if [[ "${TYPE}" == "multi" ]]; then
docker push ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
docker push ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
# Manifest to meta tag
# Manifest to meta tag on live repo
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} || :
docker manifest create ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
docker manifest annotate ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
fi
# Tag images to private repo
docker tag \
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
docker tag \
${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
# Push arches to private repo
docker push ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
docker push ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
# Manifest to meta tag on private repo
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} || :
docker manifest create ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
docker manifest annotate ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
# Single arch image just pull and push
else
@ -110,12 +129,23 @@ else
# Pull image
docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
# Tage image
# Conditionally Process Public Build
if [[ "${PUBLIC_BUILD}" == "true" ]]; then
# Tage image to live repo
docker tag \
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
# Push image
# Push image to live repo
docker push ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
fi
# Tage image to private repo
docker tag \
${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
# Push image to private repo
docker push ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
fi