Verified Commit 607f1499 authored by DJ Mountney's avatar DJ Mountney

Apply changes from the kubectl review to this change

Updates scripts for grabbing blob artifacts
parent e5e60fd2
...@@ -11,7 +11,7 @@ ARG NEXUS_SERVER ...@@ -11,7 +11,7 @@ ARG NEXUS_SERVER
ARG GITLAB_VERSION ARG GITLAB_VERSION
ARG VENDOR=gitlab ARG VENDOR=gitlab
ARG PACKAGE_NAME=ubi8-build-dependencies-${GITLAB_VERSION}.tar ARG PACKAGE_NAME=ubi8-build-dependencies-${GITLAB_VERSION}.tar
ARG PACKAGE_URL=${NEXUS_SERVER}/dsop/${VENDOR}/gitlab-task-runner/${PACKAGE_NAME} ARG PACKAGE_URL=https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/gitlab-task-runner/${PACKAGE_NAME}
ADD build-scripts/ /build-scripts/ ADD build-scripts/ /build-scripts/
...@@ -36,7 +36,9 @@ COPY --from=builder /prepare/dependencies / ...@@ -36,7 +36,9 @@ COPY --from=builder /prepare/dependencies /
COPY scripts/bin/* /usr/local/bin/ COPY scripts/bin/* /usr/local/bin/
COPY scripts/lib/* /usr/lib/ruby/vendor_ruby COPY scripts/lib/* /usr/lib/ruby/vendor_ruby
RUN dnf --disableplugin=subscription-manager install -yb --nodocs ca-certificates openssl RUN dnf clean all \
&& rm -r /var/cache/dnf \
&& dnf --disableplugin=subscription-manager --nogpgcheck install -yb --nodocs ca-certificates openssl
USER ${GITLAB_USER}:${GITLAB_USER} USER ${GITLAB_USER}:${GITLAB_USER}
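Review bot: The rewritten `RUN` step passes `--nogpgcheck` to `dnf install`, so the `ca-certificates` and `openssl` RPMs are installed without signature verification, and these two packages supply the trust anchors and TLS library for everything that runs later in the image. If the flag was added because the repository key is missing in the build environment, importing that key and keeping the check is the safer fix, leaving the last line as `&& dnf --disableplugin=subscription-manager install -yb --nodocs ca-certificates openssl`. If it has to stay, a comment stating the reason and the trusted package source would help, e.g. `# --nogpgcheck: <reason>; packages come from <internal mirror>`. Separately, `rm -r /var/cache/dnf` fails the build when the directory is absent; `rm -rf /var/cache/dnf` avoids that.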
......
MIT License
Copyright (c) 2017
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
# gitlab-task-runner-container
Task Runner is an entry point for interaction with other containers in the cluster. It contains scripts for running Rake tasks, backup, restore, and tools to intract with object storage.
## GitLab 12.5.0 release
The hardened containers for GitLab 12.5 require the gitlab 12.5 blob to be available for download.
There are some included scripts to make this easier for user building images offline on their machine.
## Building
1. Switch to the 12.5 directory
2. Run `./build-scripts/build.sh`
* Runs docker build, and takes care of setting the appropriate build args for users running locally
* Uses the `NEXUS_SERVER` variable from your environment, or full `PACKAGE_URL`.
`build-script/build.sh` is provided as an example and helpful for building locally. You can also instead call docker build and pass build-args directly.
## Build Phases
Some of the GitLab containers are build ontop of previous containers, building the containers in ordered phases is necessary to build all containers.
- Phase One
* kubectl
* gitlab-ruby
- Phase Two
* git-base
* gitlab-exporter
* gitlab-mailroom
* gitlab-shell
* gitlab-rails
* gitlab-workhorse
- Phase 3
* gitaly
- Phase 4
* gitlab-sidekiq
* gitlab-task-runner
* gitlab-unicorn
...@@ -6,11 +6,9 @@ PACKAGE_URL=$1 ...@@ -6,11 +6,9 @@ PACKAGE_URL=$1
WORKSPACE="${WORKSPACE:-/prepare}" WORKSPACE="${WORKSPACE:-/prepare}"
PACKAGE_NAME="${PACKAGE_NAME:-ubi8-build-dependencies.tar}" PACKAGE_NAME="${PACKAGE_NAME:-ubi8-build-dependencies.tar}"
mkdir -p ${WORKSPACE}
# Download UBI dependencies package and it sha256 # Download UBI dependencies package and it sha256
curl -Lf "${PACKAGE_URL}.sha256" -o "${WORKSPACE}/${PACKAGE_NAME}.sha256" curl -fLk --create-dirs "${PACKAGE_URL}.sha256" -o "${WORKSPACE}/${PACKAGE_NAME}.sha256"
curl -Lf "${PACKAGE_URL}" -o "${WORKSPACE}/${PACKAGE_NAME}" curl -fLk --create-dirs "${PACKAGE_URL}" -o "${WORKSPACE}/${PACKAGE_NAME}"
# Verify the package integrity # Verify the package integrity
echo "$(cat ${PACKAGE_NAME}.sha256) ${PACKAGE_NAME}" | sha256sum --check --status \ echo "$(cat ${PACKAGE_NAME}.sha256) ${PACKAGE_NAME}" | sha256sum --check --status \
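Review bot: Both `curl` calls now carry `-k`, which turns off TLS certificate verification for the tarball and for its `.sha256`; since the two files come from the same `PACKAGE_URL` host, the checksum comparison that follows then detects only corruption, not substitution, of the package. Dropping `-k` and trusting the Nexus CA explicitly keeps the check meaningful, e.g. `curl -fL --cacert "${CA_BUNDLE}" --create-dirs "${PACKAGE_URL}" -o "${WORKSPACE}/${PACKAGE_NAME}"` (`CA_BUNDLE` is a placeholder name, not a variable in this script). The verification line reads `${PACKAGE_NAME}.sha256` relative to the current directory while the downloads are written under `${WORKSPACE}`; whether a `cd` precedes it is not visible here, and the statement continues past the end of the hunk.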
......
...@@ -5,21 +5,26 @@ set -e ...@@ -5,21 +5,26 @@ set -e
GITLAB_VERSION=v12.5.2-ubi8 GITLAB_VERSION=v12.5.2-ubi8
VENDOR=gitlab VENDOR=gitlab
# These three variables are required to push whatever outside binaries your container needs at build time to our Nexus repo # These three variables are required to push whatever outside binaries your container needs at build time to our Nexus repo
NEXUS_SERVER=${NEXUS_SERVER} NEXUS_SERVER=${NEXUS_SERVER}
NEXUS_USERNAME=${NEXUS_USERNAME} NEXUS_USERNAME=${NEXUS_USERNAME}
NEXUS_PASSWORD=${NEXUS_PASSWORD} NEXUS_PASSWORD=${NEXUS_PASSWORD}
## Download variables
DOWNLOAD_DIR=tmp/${VENDOR}
UPLOAD_URL=https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/kubectl
### Download files/dependencies ### ### Download files/dependencies ###
# temporarily place your binaries locally in /tmp/${VENDOR}/ # temporarily place your binaries locally in the download directory
curl --create-dirs https://gitlab-ubi.s3.us-east-2.amazonaws.com/ubi8-build-dependencies-${GITLAB_VERSION}.tar -o /tmp/${VENDOR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar curl --create-dirs https://gitlab-ubi.s3.us-east-2.amazonaws.com/ubi8-build-dependencies-${GITLAB_VERSION}.tar -o ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar
### GPG Signature Check ### ### GPG Signature Check ###
# GPG signature verification is a requirement in the case that the downloaded files have a GPG signature # GPG signature verification is a requirement in the case that the downloaded files have a GPG signature
# For more information on GPG keys visit https://access.redhat.com/solutions/1541303 or https://gnupg.org/gph/en/manual.html # For more information on GPG keys visit https://access.redhat.com/solutions/1541303 or https://gnupg.org/gph/en/manual.html
curl --create-dirs https://gitlab-ubi.s3.us-east-2.amazonaws.com/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc -o /tmp/${VENDOR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc curl --create-dirs https://gitlab-ubi.s3.us-east-2.amazonaws.com/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc -o ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc
for server in $(shuf -e ha.pool.sks-keyservers.net \ for server in $(shuf -e ha.pool.sks-keyservers.net \
hkp://p80.pool.sks-keyservers.net:80 \ hkp://p80.pool.sks-keyservers.net:80 \
...@@ -30,13 +35,13 @@ do ...@@ -30,13 +35,13 @@ do
gpg --batch --keyserver "$server" --recv-keys 8040EEFCCED8C668EF27F7C61DC5606C0C7E9A9B && break || : ; \ gpg --batch --keyserver "$server" --recv-keys 8040EEFCCED8C668EF27F7C61DC5606C0C7E9A9B && break || : ; \
done done
gpg --verify /tmp/${VENDOR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc /tmp/${VENDOR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar gpg --verify ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar
### SHA256 Verification ### ### SHA256 Verification ###
# Verifying the files with the SHA256 is a requirement for all files # Verifying the files with the SHA256 is a requirement for all files
# Make sure to not download the SHA256 from the internet, but create it, check it and upload it to the Nexus repo # Make sure to not download the SHA256 from the internet, but create it, check it and upload it to the Nexus repo
cd /tmp/${VENDOR} cd ${DOWNLOAD_DIR}
sha256sum ubi8-build-dependencies-${GITLAB_VERSION}.tar | awk '{print $1}' > ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256 \ sha256sum ubi8-build-dependencies-${GITLAB_VERSION}.tar | awk '{print $1}' > ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256 \
&& echo "$(cat ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256) ubi8-build-dependencies-${GITLAB_VERSION}.tar" | sha256sum --check --status \ && echo "$(cat ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256) ubi8-build-dependencies-${GITLAB_VERSION}.tar" | sha256sum --check --status \
&& if [ $? == '0' ]; then printf "\nSHA256 check for ubi8-build-dependencies-${GITLAB_VERSION}.tar succeeded\n\n"; \ && if [ $? == '0' ]; then printf "\nSHA256 check for ubi8-build-dependencies-${GITLAB_VERSION}.tar succeeded\n\n"; \
...@@ -48,5 +53,5 @@ cd - ...@@ -48,5 +53,5 @@ cd -
# format as in Gitlab. You will also need to push the GPG signature file and SHA256 file # format as in Gitlab. You will also need to push the GPG signature file and SHA256 file
for package in ubi8-build-dependencies-${GITLAB_VERSION}.tar ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256 ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc for package in ubi8-build-dependencies-${GITLAB_VERSION}.tar ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256 ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc
do do
curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T /tmp/${VENDOR}/${package} ${NEXUS_SERVER}/dsop/${VENDOR}/gitlab-task-runner/${package} curl -kfS -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T ${DOWNLOAD_DIR}/${package} https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/gitlab-task-runner/${package}
done done
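Review bot: The upload `curl` in the final loop keeps `-k` while sending `-u ${NEXUS_USERNAME}:${NEXUS_PASSWORD}`, so the Nexus credentials are offered to whichever host answers without its certificate being checked; now that the URL is explicitly `https://`, the flag can give way to a CA bundle, e.g. `curl -fS --cacert "${CA_BUNDLE}" -u "${NEXUS_USERNAME}:${NEXUS_PASSWORD}" -T "${DOWNLOAD_DIR}/${package}" "https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/gitlab-task-runner/${package}"` (`CA_BUNDLE` is a placeholder). The password is also exposed on the command line to other local users, which `--netrc-file` would avoid. The new `UPLOAD_URL` ends in `/kubectl` and is not referenced in the lines shown, which looks like a leftover from the kubectl script; either point it at `gitlab-task-runner` and use it in the loop, or drop it. `DOWNLOAD_DIR=tmp/${VENDOR}` is now relative to the caller's working directory, which deserves a comment if that is intended.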