A trusted artifact a way to pass files between two Tekton Tasks without those files being clandestinely modified. This is done by tracking the digest of archived files. A Tekton Task creating a trusted artifact for later use needs to add a result named "ARTIFACTS" and step, for example:
spec:
results:
- name: ARTIFACTS
type: array
description: Produced trusted artifact
steps:
- name: create-trusted-artifact
image: (image built from this repository)
args:
- create
- <name1>=<directory1/file1>
- <name2>=<directory2/file2>Example:
spec:
results:
- name: ARTIFACTS
type: array
description: Produced trusted artifact
steps:
- name: git-clone
- name: create-trusted-artifact
image: (image built from this repository)
args:
- create
- source=${workspaces.source.path}For name of an artifact, it is convinient to use the TaskRun name:
$(context.taskRun.name), especially if the task produces a single artifact.
More than one trusted artifact can be created from that single step by appending
to the args list.
The create operation (as used above), will generate a result named
ARTIFACTS, an array containing an entry for each of the artifacts created in
specified order. The value of the result entry is used to restore the artifact
with the use operation. For example, by adding a step:
spec:
steps:
- name: use-trusted-artifact
image: (image built from this repository)
args:
- use
- <result entry1>=<destination1>
- <result entry2>=<destination2>Since the resulting entry cannot be, in vast majority of cases, predetermined,
referencing the result from the step performing the create operation is most
common way of using the use operation.
Example:
- name: use-trusted-artifact
image: (image built from this repository)
args:
- use
- $(tasks.clone.results.ARTIFACTS[0])=$(workspaces.source.path)/srcIn that example the first entry of the resulting ARTIFACTS array of the clone
task is restored to the source workspace to the subdirectory src.
First make sure that the access information to a image repository is already
present in the $HOME/.docker/config.json file. That is docker login was used
to populate it. Set the environment variable REPOSITORY to the image
repository used, e.g.:
export REPOSITORY=quay.io/usernameThe hack/demo.sh will push to $REPOSITORY/build-trusted-artifacts and
$REPOSITORY/golden.
The demo script patches the git-clone and buildah Task definitions form
https://github.com/konflux-ci/build-definitions/ and expects that
repository to be cloned in ../build-definitions directory.
With that setup, the hack/demo.sh, will spin up a kind cluster, setup
PersistantVolume and PersistantVolumenClaim backed by the storage local
directory; install Tekton Pipelines and run a Pipeline with git-clone and
buildah-tasks.
Have a look in the hack/kustomization.yaml to see how the Tasks ware modified
so that they use trusted artifacts.
podman build . -t quay.io/my-org/build-trusted-artifacts
# creating the artifact
podman run -v $(pwd):/export/run -v ~/.docker/config.json:/home/notroot/.docker/config.json:ro -it quay.io/jstuart/build-trusted-artifacts create --store quay.io/jstuart/trusted-artifacts /export/run/result=/tmp
# unpacking the artifact
podman run -v ~/.docker/config.json:/home/notroot/.docker/config.json:ro -it quay.io/jstuart/build-trusted-artifacts use "$(cat result)=/var/tmp"