- `icr-containerize`: This task builds and (optionally) pushes an image to the IBM Cloud Container Registry. It relies on BuildKit to perform the image build.
- `icr-execute-in-dind`: This task runs `docker` commands (build, inspect...) against a Docker engine running as a sidecar container, and pushes the resulting image to the IBM Cloud Container Registry.
- `icr-execute-in-dind-cluster`: This task runs `docker` commands (build, inspect...) against a Docker engine running in a Kubernetes cluster (a Docker DinD instance is deployed if none is available on the build cluster), and pushes the resulting image to the IBM Cloud Container Registry.
- `icr-check-va-scan`: This task verifies that a Vulnerability Advisor scan has been made for the image and processes the outcome of the scan.
- `icr-cr-build` (deprecated): This task relies on the IBM Cloud Container Registry `build` command, which is deprecated.
WARNING: These tasks need to run on a Kubernetes cluster with version 1.16 or later. If you are using your own Delivery Pipeline Private Worker to run your Tekton pipeline(s), ensure your cluster is at least at this version.
- Add a GitHub integration to your toolchain with the repository containing the tasks (https://github.com/open-toolchain/tekton-catalog)
- Add this GitHub integration to the Definitions tab of your Continuous Delivery Tekton pipeline, with the Path set to `container-registry`
- The `sample` sub-directory contains a `buildkit-no-resources` EventListener definition that you can include in your Tekton pipeline configuration to run an example usage of `icr-containerize` and `icr-check-va-scan`. See the documentation here
- The `sample-cr-build` sub-directory contains a `cr-build-no-resources` EventListener definition that you can include in your Tekton pipeline configuration to run an example usage of `icr-cr-build` and `icr-check-va-scan`. See the documentation here
- The `sample-docker-dind-sidecar` sub-directory contains a `dind-no-resources` EventListener definition that you can include in your Tekton pipeline configuration to run an example usage of `icr-execute-in-dind` and `icr-check-va-scan`. See the documentation here
- The `sample-docker-dind-cluster` sub-directory contains a `dind-cluster-no-resources` EventListener definition that you can include in your Tekton pipeline configuration to run an example usage of `icr-execute-in-dind-cluster` and `icr-check-va-scan`. See the documentation here
## icr-containerize

Build Image helper task using BuildKit.

The task may rely on the following Kubernetes resources to be defined:

- Secret `secure-properties`: Secret containing:
  - apikey: An IBM Cloud API key used to access the IBM Cloud Container Registry service (secret name and secret key can be configured using the Task's params).

  Note: the `secure-properties` secret is injected in the Tekton Pipeline environment by Continuous Delivery Tekton Pipeline support. See Tekton Pipelines environment and resources

### Parameters

- image-url: (optional) the URL of the image to build. Required if no image pipeline resource is provided or no registry region, namespace and image name parameters are provided to this task.
- registry-region: (optional) container registry region id. Required if no image-url or image pipeline resource is provided.
- registry-namespace: (optional) container registry namespace. Required if no image-url or image pipeline resource is provided.
- image-name: (optional) image name. Required if no image-url or image pipeline resource is provided.
- path-to-context: (optional) the path to the context that is used for the build (default to `.`, meaning the current directory)
- path-to-dockerfile: (optional) the path to the Dockerfile that is used for the build (default to `.`, meaning the current directory)
- push-to-registry: (optional) indicates whether the built image has to be pushed to the registry (default to `true`)
- buildkit-image: (optional) the name of the BuildKit image used (default to `moby/buildkit:v0.10.6`)
- additional-tags: (optional) comma-separated list of tags for the built image
- additional-tags-script: (optional) shell script commands that will be invoked to provide additional tags for the built image
- properties-file: (optional) name of the properties file that will be created (if needed) or updated (if existing) as an additional outcome of this task in the PVC. This file will contain the image registry-related information (`REGISTRY_URL`, `REGISTRY_NAMESPACE`, `REGISTRY_REGION`, `IMAGE_NAME`, `IMAGE_TAGS` and `IMAGE_MANIFEST_SHA`)
- resource-group: (optional) target resource group (name or id) for the ibmcloud login operation
- continuous-delivery-context-secret: (optional) name of the secret containing the continuous delivery pipeline context secrets. Default to `secure-properties`
- container-registry-apikey-secret-key: field in the secret that contains the API key used to connect to IBM Cloud Container Registry. Default to `apikey`
- check-step-image: (optional) image to use for the check (pre-build) step. Default to `icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.11`
- process-log-step-image: (optional) image to use for the process log (post-build) steps. Default to `icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.11`

### Results

- image-repository: the repository for the built image
- image-tags: the tags for the built image
- image-digest: the image digest (SHA-256 hash) for the built image

### Workspaces

- source: a workspace containing the source (Dockerfile, Docker context) to create the image
## icr-cr-build (deprecated)

Build Image helper task using the `ibmcloud cr build` command.

The task may rely on the following Kubernetes resources to be defined:

- Secret `secure-properties`: Secret containing:
  - apikey: An IBM Cloud API key used to access the IBM Cloud Container Registry service (secret name and secret key can be configured using the Task's params).

  Note: the `secure-properties` secret is injected in the Tekton Pipeline environment by Continuous Delivery Tekton Pipeline support. See Tekton Pipelines environment and resources

### Parameters

- image-url: (optional) the URL of the image to build. Required if no image pipeline resource is provided or no registry region, namespace and image name parameters are provided to this task.
- registry-region: (optional) container registry region id. Required if no image-url or image pipeline resource is provided.
- registry-namespace: (optional) container registry namespace. Required if no image-url or image pipeline resource is provided.
- image-name: (optional) image name. Required if no image-url or image pipeline resource is provided.
- path-to-context: (optional) the path to the context that is used for the build (default to `.`, meaning the current directory)
- path-to-dockerfile: (optional) the path to the Dockerfile that is used for the build (default to `.`, meaning the current directory)
- additional-tags: (optional) comma-separated list of tags for the built image
- additional-tags-script: (optional) shell script commands that will be invoked to provide additional tags for the built image
- properties-file: (optional) name of the properties file that will be created (if needed) or updated (if existing) as an additional outcome of this task in the workspace. This file will contain the image registry-related information (`REGISTRY_URL`, `REGISTRY_NAMESPACE`, `REGISTRY_REGION`, `IMAGE_NAME`, `IMAGE_TAGS` and `IMAGE_MANIFEST_SHA`)
- resource-group: (optional) target resource group (name or id) for the ibmcloud login operation
- continuous-delivery-context-secret: (optional) name of the secret containing the continuous delivery pipeline context secrets. Default to `secure-properties`
- container-registry-apikey-secret-key: (optional) field in the secret that contains the API key used to connect to IBM Cloud Container Registry. Default to `apikey`
- check-and-build-step-image: (optional) image to use for the scan step. Default to `icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.11`

### Results

- image-repository: the repository for the built image
- image-tags: the tags for the built image
- image-digest: the image digest (SHA-256 hash) for the built image

### Workspaces

- source: a workspace containing the source (Dockerfile, Docker context) to create the image
## icr-execute-in-dind

This task runs `docker` commands (build, inspect...) that communicate with a sidecar Docker-in-Docker (DinD) engine, and pushes the resulting image to the IBM Cloud Container Registry.

Note: the Docker engine used to execute the commands is transient. It is created by the task as a sidecar container and is available only during the task's lifespan.

The task may rely on the following Kubernetes resources to be defined:

- Secret `secure-properties`: Secret containing:
  - apikey: An IBM Cloud API key used to access the IBM Cloud Container Registry service (secret name and secret key can be configured using the Task's params).

  Note: the `secure-properties` secret is injected in the Tekton Pipeline environment by Continuous Delivery Tekton Pipeline support. See Tekton Pipelines environment and resources

### Parameters

- image-url: (optional) the URL of the image to build. Required if no image pipeline resource is provided to this task
- image-tag: (optional) the tag for the built image (default to `latest`)
- path-to-context: (optional) the path to the context that is used for the build (default to `.`, meaning the current directory)
- path-to-dockerfile: (optional) the path to the Dockerfile that is used for the build (default to `.`)
- dockerfile: (optional) the name of the Dockerfile that is used for the build (default to `Dockerfile`)
- docker-client-image: (optional) the Docker image to use to run the Docker client (default to `docker`)
- properties-file: (optional) name of the properties file that will be created (if needed) or updated (if existing) as an additional outcome of this task in the workspace. This file will contain the image registry-related information (`REGISTRY_URL`, `REGISTRY_NAMESPACE`, `IMAGE_NAME`, `IMAGE_TAGS` and `IMAGE_MANIFEST_SHA`)
- docker-commands: (optional) the docker command(s) to run. Default commands:

  ```
  docker build --tag "$IMAGE_URL:$IMAGE_TAG" --file $PATH_TO_DOCKERFILE/$DOCKERFILE $PATH_TO_CONTEXT
  docker inspect ${IMAGE_URL}:${IMAGE_TAG}
  docker push ${IMAGE_URL}:${IMAGE_TAG}
  ```

- continuous-delivery-context-secret: (optional) name of the secret containing the continuous delivery pipeline context secrets. Default to `secure-properties`
- container-registry-apikey-secret-key: (optional) field in the secret that contains the API key used to connect to IBM Cloud Container Registry. Default to `apikey`
- check-step-image: (optional) image to use for the check (pre-build) step. Default to `icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.11`
- dind-image: (optional) image to use for the Docker-in-Docker sidecar. Default to `icr.io/continuous-delivery/pipeline/docker:20.10.22-dind`

### Results

- image-repository: the repository for the built image
- image-tags: the tags for the built image
- image-digest: the image digest (SHA-256 hash) for the built image

### Workspaces

- source: a workspace containing the source (Dockerfile, Docker context) to create the image
## icr-execute-in-dind-cluster

This task runs `docker` commands (build, inspect...) that communicate with a Docker-in-Docker (DinD) instance hosted in a Kubernetes cluster (deploying the Docker DinD instance first if needed), and pushes the resulting image to the IBM Cloud Container Registry.

The task may rely on the following Kubernetes resources to be defined:

- Secret `secure-properties`: Secret containing:
  - apikey: An IBM Cloud API key used to access the IBM Cloud Container Registry service (secret name and secret key can be configured using the Task's params).

  Note: the `secure-properties` secret is injected in the Tekton Pipeline environment by Continuous Delivery Tekton Pipeline support. See Tekton Pipelines environment and resources

### Parameters

- resource-group: (optional) target resource group (name or id) for the ibmcloud login operation
- cluster-region: (optional) the IBM Cloud region hosting the cluster (if the value is empty, it defaults to the toolchain region)
- cluster-namespace: (optional) the Kubernetes cluster namespace where the Docker engine is hosted/deployed (default to `build`)
- cluster-name: (optional) name of the Docker build cluster. Required if no cluster pipeline resource is provided to this task
- image-url: (optional) the URL of the image to build. Required if no image pipeline resource is provided to this task
- image-tag: (optional) the tag for the built image (default to `latest`)
- path-to-context: (optional) the path to the context that is used for the build (default to `.`, meaning the current directory)
- path-to-dockerfile: (optional) the path to the Dockerfile that is used for the build (default to `.`)
- dockerfile: (optional) the name of the Dockerfile that is used for the build (default to `Dockerfile`)
- docker-client-image: (optional) the Docker image to use to run the Docker client (default to `docker`)
- properties-file: (optional) name of the properties file that will be created (if needed) or updated (if existing) as an additional outcome of this task in the workspace. This file will contain the image registry-related information (`REGISTRY_URL`, `REGISTRY_NAMESPACE`, `IMAGE_NAME`, `IMAGE_TAGS` and `IMAGE_MANIFEST_SHA`)
- docker-commands: (optional) the docker command(s) to run. Default commands:

  ```
  docker build --tag "$IMAGE_URL:$IMAGE_TAG" --file $PATH_TO_DOCKERFILE/$DOCKERFILE $PATH_TO_CONTEXT
  docker inspect ${IMAGE_URL}:${IMAGE_TAG}
  docker push ${IMAGE_URL}:${IMAGE_TAG}
  ```

- continuous-delivery-context-secret: (optional) name of the secret containing the continuous delivery pipeline context secrets. Default to `secure-properties`
- container-registry-apikey-secret-key: (optional) field in the secret that contains the API key used to connect to IBM Cloud Container Registry. Default to `apikey`
- check-step-image: (optional) image to use for the check (pre-build) step. Default to `icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.11`
- cluster-setup-step-image: (optional) image to use for the cluster setup step. Default to `icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.11`
- dind-image: (optional) image to use for the Docker-in-Docker sidecar. Default to `icr.io/continuous-delivery/pipeline/docker:20.10.22-dind`

### Results

- image-repository: the repository for the built image
- image-tags: the tags for the built image
- image-digest: the image digest (SHA-256 hash) for the built image

### Workspaces

- source: a workspace containing the source (Dockerfile, Docker context) to create the image
## icr-check-va-scan

Vulnerability Advisor helper task.

The task may rely on the following Kubernetes resources to be defined:

- Secret `secure-properties`: Secret containing:
  - apikey: An IBM Cloud API key used to access the IBM Cloud Container Registry service (secret name and secret key can be configured using the Task's params).

  Note: the `secure-properties` secret is injected in the Tekton Pipeline environment by Continuous Delivery Tekton Pipeline support. See Tekton Pipelines environment and resources

### Parameters

- image-url: (optional) URL of the image to VA scan. Required if no image pipeline resource is provided to this task
- image-digest: (optional) SHA id of the image to VA scan. Required if no image pipeline resource is provided and no `image-properties-file` value is provided
- image-properties-file: file containing properties of the image to be scanned (default to `build.properties`)
- max-iteration: maximum number of iterations of the loop that checks for the VA report (default to 30 iterations)
- sleep-time: sleep time (in seconds) between invocations of `ibmcloud cr va` in the loop (default to 10 seconds between scan result inquiries)
- scan-report-file: (optional) filename for the scan report (JSON format) of the given image. It will be copied into the workspace
- fail-on-scanned-issues: flag (`true` | `false`) indicating whether the task should fail or continue if issues are found in the image scan result (default to `true`)
- resource-group: (optional) target resource group (name or id) for the ibmcloud login operation
- continuous-delivery-context-secret: (optional) name of the secret containing the continuous delivery pipeline context secrets. Default to `secure-properties`
- container-registry-apikey-secret-key: (optional) field in the secret that contains the API key used to connect to IBM Cloud Container Registry. Default to `apikey`
- scan-step-image: (optional) image to use for the scan step. Default to `icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.11`

### Results

- scan-report-file: the filename of the scan report for the image stored in the workspace
- scan-status: the status from Vulnerability Advisor. Possible values: OK, WARN, FAIL, UNSUPPORTED, INCOMPLETE, UNSCANNED

### Workspaces

- artifacts: workspace that may contain image information and will hold the VA report from the VA scan after this task execution
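As an added example (not one of the catalog's own sample definitions), the following Pipeline wires `icr-containerize` to `icr-check-va-scan`: the build task's `image-repository` and `image-digest` results feed the scan, both tasks share one workspace, and `fail-on-scanned-issues` makes the run stop on findings so an image with known vulnerabilities is never treated as a successful build. The pipeline name, the `pipeline-ws` workspace and the mapping of `image-repository` onto the scan task's `image-url` are assumptions.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: build-and-va-scan          # assumed name, not from the catalog
spec:
  params:
    - name: registry-region
    - name: registry-namespace
    - name: image-name
  workspaces:
    - name: pipeline-ws            # assumed: one PVC-backed workspace shared by both tasks
  tasks:
    - name: containerize
      taskRef:
        name: icr-containerize
      params:
        - name: registry-region
          value: $(params.registry-region)
        - name: registry-namespace
          value: $(params.registry-namespace)
        - name: image-name
          value: $(params.image-name)
        - name: push-to-registry
          value: "true"
        - name: properties-file    # written to the workspace with REGISTRY_URL, IMAGE_NAME, ...
          value: build.properties
      workspaces:
        - name: source
          workspace: pipeline-ws
    - name: va-scan
      runAfter: [containerize]     # scan only the image this run just pushed
      taskRef:
        name: icr-check-va-scan
      params:
        - name: image-url          # assumed: the image-repository result is the image URL
          value: $(tasks.containerize.results.image-repository)
        - name: image-digest       # pin the scan to the exact pushed digest, not a tag
          value: $(tasks.containerize.results.image-digest)
        - name: fail-on-scanned-issues
          value: "true"
        - name: max-iteration      # poll ibmcloud cr va up to 30 times ...
          value: "30"
        - name: sleep-time         # ... 10 seconds apart (about 5 minutes total)
          value: "10"
      workspaces:
        - name: artifacts
          workspace: pipeline-ws
```

With `fail-on-scanned-issues` set to `true`, a `scan-status` of FAIL (or a report that never leaves INCOMPLETE within the polling budget) fails the PipelineRun, which is the behaviour to rely on before any downstream deploy task consumes `image-digest`.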