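---
# Helm-templated Tekton Task: clones the source, builds the image through a
# docker-in-docker (dind) sidecar, pushes it, then collects the scan results.
# Each stage is an ansible-playbook run fed by default.json / image.json from
# the development_pipeline_data workspace; the "set-*-output" steps only cat
# image.json so its state after each stage is visible in the step logs.
# Templated scalars are quoted so an empty or boolean-looking Helm value
# cannot render as a bare YAML null/boolean.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-images
  namespace: "{{ $.Release.Namespace }}"
spec:
  description: >-
    This task builds images if source is provided
  workspaces:
    - name: k8s_cluster_data
    - name: development_pipeline_data
  steps:
    - name: clone
      image: "{{ $.Values.tasks.image.buildImage }}"
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
        # Harbor CA goes into the system trust store before the clone stage
        # talks to the registry.
        - mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
          name: harbor-ca
          subPath: harbor-ca
      script: |
        #!/usr/bin/env sh
        # Fail the step if the CA cannot be installed rather than continuing
        # into the playbook as if the CA had been trusted.
        set -e
        update-ca-certificates
        ansible-playbook -vvv {{ $.Values.tasks.git.gitPlaybook }} -i hosts -e '{"stage":"clone"}' -e @"$(workspaces.development_pipeline_data.path)/default.json" -e @"$(workspaces.development_pipeline_data.path)/image.json"
    # Show image.json after the clone stage.
    - name: set-image-output
      image: "{{ $.Values.tasks.image.buildImage }}"
      script: |
        #!/usr/bin/env sh
        set -e
        cat "$(workspaces.development_pipeline_data.path)/image.json"
    - name: docker-build
      image: "{{ $.Values.tasks.image.buildImage }}"
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
      env:
        # Connect to the sidecar over TCP, with TLS.
        - name: DOCKER_HOST
          value: tcp://localhost:2376
        # Verify TLS.
        - name: DOCKER_TLS_VERIFY
          value: '1'
        # Use the certs generated by the sidecar daemon.
        - name: DOCKER_CERT_PATH
          value: /certs/client
      script: |
        #!/usr/bin/env sh
        set -e
        ansible-playbook -vvv {{ $.Values.tasks.image.imagePlaybook }} -i hosts -e '{"stage":"build"}' -e @"$(workspaces.development_pipeline_data.path)/default.json" -e @"$(workspaces.development_pipeline_data.path)/image.json"
    # Show image.json after the build stage.
    - name: set-image-build-output-after-build
      image: "{{ $.Values.tasks.image.buildImage }}"
      script: |
        #!/usr/bin/env sh
        set -e
        cat "$(workspaces.development_pipeline_data.path)/image.json"
    - name: publish-and-scan-image
      image: "{{ $.Values.tasks.image.buildImage }}"
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
        # Registry push credentials, exposed only to this step as the docker
        # client config.
        - mountPath: /tekton/home/.docker/config.json
          name: image-push-creds
          subPath: .dockerconfigjson
      env:
        # Connect to the sidecar over TCP, with TLS.
        - name: DOCKER_HOST
          value: tcp://localhost:2376
        # Verify TLS.
        - name: DOCKER_TLS_VERIFY
          value: '1'
        # Use the certs generated by the sidecar daemon.
        - name: DOCKER_CERT_PATH
          value: /certs/client
      script: |
        #!/usr/bin/env sh
        set -e
        # NOTE(review): -vvv runs with the push credentials mounted; confirm
        # the playbook's verbose output does not echo the docker config.
        ansible-playbook -vvv {{ $.Values.tasks.image.imagePlaybook }} -i hosts -e '{"stage":"push"}' -e @"$(workspaces.development_pipeline_data.path)/default.json" -e @"$(workspaces.development_pipeline_data.path)/image.json"
    # Show image.json after the push stage.
    - name: set-image-output-after-publish-scan
      image: "{{ $.Values.tasks.image.buildImage }}"
      script: |
        #!/usr/bin/env sh
        set -e
        cat "$(workspaces.development_pipeline_data.path)/image.json"
    - name: get-scan-results
      image: "{{ $.Values.tasks.image.buildImage }}"
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
      script: |
        #!/usr/bin/env sh
        set -e
        ansible-playbook -vvv {{ $.Values.tasks.image.imagePlaybook }} -i hosts -e '{"stage":"scan_results"}' -e @"$(workspaces.development_pipeline_data.path)/default.json" -e @"$(workspaces.development_pipeline_data.path)/image.json"
    # Show image.json after the scan-results stage.
    - name: set-image-output-set-scan-results
      image: "{{ $.Values.tasks.image.buildImage }}"
      script: |
        #!/usr/bin/env sh
        set -e
        cat "$(workspaces.development_pipeline_data.path)/image.json"
  sidecars:
    # dind daemon that the docker-build / publish / scan steps reach over TLS
    # on localhost:2376.
    - image: "{{ $.Values.tasks.image.sidecarServer }}"
      name: server
      args:
        - --storage-driver=overlay2
        - --userland-proxy=false
        # Daemon debug logging; expect a noisy sidecar log.
        - --debug
        # Docker skips TLS verification / allows plain HTTP for this one
        # registry; everything else still needs a trusted certificate.
        - "--insecure-registry={{ $.Values.tasks.image.insecureRegistry }}"
      securityContext:
        # Needed for the Docker daemon inside the pod. No step sets its own
        # securityContext; they only hold the client certs.
        privileged: true
      env:
        # Write generated certs to the path shared with the client.
        - name: DOCKER_TLS_CERTDIR
          value: /certs
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
        - mountPath: /var/lib/docker
          name: var-lib-docker
      # Wait for the dind daemon to generate the certs it will share with the
      # client.
      readinessProbe:
        periodSeconds: 1
        exec:
          command: ['ls', '/certs/client/ca.pem']
  volumes:
    - name: dind-certs
      emptyDir: {}
    - name: var-lib-docker
      emptyDir: {}
    # Docker config.json for the registry push (mounted by
    # publish-and-scan-image only).
    - name: image-push-creds
      secret:
        secretName: harbor-docker-auth
    # NOTE(review): no step in this Task mounts helm-publish-creds; kept so the
    # rendered spec is unchanged — confirm whether it is still needed, since
    # the pod still references the harbor-basic-auth Secret.
    - name: helm-publish-creds
      secret:
        secretName: harbor-basic-auth
    - name: harbor-ca
      secret:
        secretName: harbor-ca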