/build-trusted-artifacts

Primary LanguageGoApache License 2.0Apache-2.0

Trusted artifacts

A trusted artifact is a way to pass files between two Tekton Tasks without those files being clandestinely modified. This is done by tracking the digest of archived files. A Tekton Task creating a trusted artifact for later use needs to add a result named "ARTIFACTS" and step, for example:

spec:
  results:
    - name: ARTIFACTS
      type: array
      description: Produced trusted artifact
  steps:
    - name: create-trusted-artifact
      image: (image built from this repository)
      args:
        - create
        - <name1>=<directory1/file1>
        - <name2>=<directory2/file2>

Example:

spec:
  results:
    - name: ARTIFACTS
      type: array
      description: Produced trusted artifact
  steps:
    - name: git-clone
    - name: create-trusted-artifact
      image: (image built from this repository)
      args:
        - create
        - source=${workspaces.source.path}

For name of an artifact, it is convinient to use the TaskRun name: $(context.taskRun.name), especially if the task produces a single artifact.

More than one trusted artifact can be created from that single step by appending to the args list.

The create operation (as used above), will generate a result named ARTIFACTS, an array containing an entry for each of the artifacts created in specified order. The value of the result entry is used to restore the artifact with the use operation. For example, by adding a step:

spec:
  steps:
    - name: use-trusted-artifact
      image: (image built from this repository)
      args:
        - use
        - <result entry1>=<destination1>
        - <result entry2>=<destination2>

Since the resulting entry cannot be, in vast majority of cases, predetermined, referencing the result from the step performing the create operation is most common way of using the use operation.

Example:

- name: use-trusted-artifact
    image: (image built from this repository)
    args:
        - use
        - $(tasks.clone.results.ARTIFACTS[0])=$(workspaces.source.path)/src

In that example the first entry of the resulting ARTIFACTS array of the clone task is restored to the source workspace to the subdirectory src.

Running the demo

First make sure that the access information to a image repository is already present in the $HOME/.docker/config.json file. That is docker login was used to populate it. Set the environment variable REPOSITORY to the image repository used, e.g.:

export REPOSITORY=quay.io/username

The hack/demo.sh will push to $REPOSITORY/build-trusted-artifacts and $REPOSITORY/golden.

The demo script patches the git-clone and buildah Task definitions form https://github.com/konflux-ci/build-definitions/ and expects that repository to be cloned in ../build-definitions directory.

With that setup, the hack/demo.sh, will spin up a kind cluster, setup PersistantVolume and PersistantVolumenClaim backed by the storage local directory; install Tekton Pipelines and run a Pipeline with git-clone and buildah-tasks.

Have a look in the hack/kustomization.yaml to see how the Tasks ware modified so that they use trusted artifacts.

Running from a container

podman build . -t quay.io/my-org/build-trusted-artifacts

# creating the artifact
podman run -v $(pwd):/export/run -v ~/.docker/config.json:/home/notroot/.docker/config.json:ro -it quay.io/jstuart/build-trusted-artifacts create --store quay.io/jstuart/trusted-artifacts /export/run/result=/tmp

# unpacking the artifact
podman run -v ~/.docker/config.json:/home/notroot/.docker/config.json:ro -it quay.io/jstuart/build-trusted-artifacts use "$(cat result)=/var/tmp"

Options

  • Set AUTHFILE to point to an alternative location for $HOME/.docker/config.json.
  • Set DEBUG so that debug logging will be output.
  • ORAS_OPTIONS may be set to a list of space separated extra flags to pass to oras (e.g. --insecure).