add readOnlyFsConfig and volumes to buildstrategies

Signed-off-by: Hasan Awad <[email protected]>

Author: hasanawad94

samples/v1beta1/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml

@@ -11,6 +11,17 @@ spec:
       workingDir: $(params.shp-source-root)
       securityContext:
         privileged: true
+        readOnlyRootFilesystem: true
+      volumeMounts:
+        - name: shp-buildah-container-storage
+          mountPath: /var/lib/containers # Read/Write location of container storage
+        - name: shp-tmp
+          mountPath: /shp-tmp
+        - name: shp-run
+          mountPath: /var/run
+      env:
+        - name: TMPDIR
+          value: /shp-tmp
       command:
         - /bin/bash
       args:
@@ -125,21 +136,21 @@ spec:
 
           echo "[INFO] Creating registries config file..."
           if [ "${registriesSearch}" != "" ]; then
-            cat <<EOF >>/tmp/registries.conf
+            cat <<EOF >>/shp-tmp/registries.conf
           [registries.search]
           registries = [${registriesSearch::-2}]
 
           EOF
           fi
           if [ "${registriesInsecure}" != "" ]; then
-            cat <<EOF >>/tmp/registries.conf
+            cat <<EOF >>/shp-tmp/registries.conf
           [registries.insecure]
           registries = [${registriesInsecure::-2}]
 
           EOF
           fi
           if [ "${registriesBlock}" != "" ]; then
-            cat <<EOF >>/tmp/registries.conf
+            cat <<EOF >>/shp-tmp/registries.conf
           [registries.block]
           registries = [${registriesBlock::-2}]
 
@@ -150,7 +161,7 @@ spec:
           echo "[INFO] Building image ${image}"
           buildah --storage-driver=$(params.storage-driver) \
             bud "${budArgs[@]}" \
-            --registries-conf=/tmp/registries.conf \
+            --registries-conf=/shp-tmp/registries.conf \
             --tag="${image}" \
             --file="${dockerfile}" \
             .
@@ -219,6 +230,13 @@ spec:
       description: "Sets the target stage to be built."
       type: string
       default: ""
+  volumes:
+    - name: shp-buildah-container-storage
+      emptyDir: {}
+    - name: shp-tmp
+      emptyDir: {}
+    - name: shp-run
+      emptyDir: {}
   securityContext:
     runAsUser: 0
     runAsGroup: 0

samples/v1beta1/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml

@@ -10,9 +10,20 @@ spec:
       imagePullPolicy: Always
       workingDir: $(params.shp-source-root)
       securityContext:
+        readOnlyRootFilesystem: true
         capabilities:
           add:
           - "SETFCAP"
+      volumeMounts:
+        - name: shp-buildah-container-storage
+          mountPath: /var/lib/containers # Read/Write location of container storage
+        - name: shp-tmp
+          mountPath: /shp-tmp
+        - name: shp-run
+          mountPath: /var/run
+      env:
+        - name: TMPDIR
+          value: /shp-tmp
       command:
         - /bin/bash
       args:
@@ -125,21 +136,21 @@ spec:
 
           echo "[INFO] Creating registries config file..."
           if [ "${registriesSearch}" != "" ]; then
-            cat <<EOF >>/tmp/registries.conf
+            cat <<EOF >>/shp-tmp/registries.conf
           [registries.search]
           registries = [${registriesSearch::-2}]
 
           EOF
           fi
           if [ "${registriesInsecure}" != "" ]; then
-            cat <<EOF >>/tmp/registries.conf
+            cat <<EOF >>/shp-tmp/registries.conf
           [registries.insecure]
           registries = [${registriesInsecure::-2}]
 
           EOF
           fi
           if [ "${registriesBlock}" != "" ]; then
-            cat <<EOF >>/tmp/registries.conf
+            cat <<EOF >>/shp-tmp/registries.conf
           [registries.block]
           registries = [${registriesBlock::-2}]
 
@@ -150,7 +161,7 @@ spec:
           echo "[INFO] Building image ${image}"
           buildah --storage-driver=$(params.storage-driver) \
             bud "${budArgs[@]}" \
-            --registries-conf=/tmp/registries.conf \
+            --registries-conf=/shp-tmp/registries.conf \
             --tag="${image}" \
             --file="${dockerfile}" \
             .
@@ -222,3 +233,10 @@ spec:
   securityContext:
     runAsUser: 0
     runAsGroup: 0
+  volumes:
+    - name: shp-buildah-container-storage
+      emptyDir: {}
+    - name: shp-tmp
+      emptyDir: {}
+    - name: shp-run
+      emptyDir: {}

samples/v1beta1/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml

@@ -37,15 +37,21 @@ spec:
       image: moby/buildkit:v0.25.1-rootless
       imagePullPolicy: Always
       securityContext:
-        allowPrivilegeEscalation: true
         capabilities:
           add:
             - SETGID
             - SETUID
         seccompProfile:
           type: Unconfined
+        readOnlyRootFilesystem: true
+        runAsUser: 1000
+        runAsGroup: 1000
       workingDir: $(params.shp-source-root)
       env:
+        # This is required to align the temporary directory created by buildkit
+        # with the volume mount for that directory.
+        - name: XDG_RUNTIME_DIR
+          value: /home/user/.local/tmp
         - name: DOCKER_CONFIG
           value: /tekton/home/.docker
         - name: HOME
@@ -67,6 +73,13 @@ spec:
           value: $(params.cache)
         - name: PARAM_TARGET
           value: $(params.target)
+      volumeMounts:
+        - name: buildkitd-1
+          mountPath: /home/user/.local/share/buildkit
+        - name: buildkitd-2
+          mountPath: /home/user/.local/tmp
+        - name: shp-tmp
+          mountPath: /tmp
       command:
         - /bin/ash
       args:
@@ -180,3 +193,10 @@ spec:
   securityContext:
     runAsUser: 1000
     runAsGroup: 1000
+  volumes:
+    - name: shp-tmp
+      emptyDir: {}
+    - name: buildkitd-1
+      emptyDir: {}
+    - name: buildkitd-2
+      emptyDir: {}

samples/v1beta1/buildstrategy/ko/buildstrategy_ko_cr.yaml

@@ -25,15 +25,24 @@ spec:
       description: "Volume to contain the GOCACHE. Can be set to a persistent volume to optimize compilation performance for rebuilds."
       overridable: true
       emptyDir: {}
+    - name: ko-tmp
+      description: "Volume to contain temporary files for ko binary and other build artifacts."
+      overridable: true
+      emptyDir: {}
   steps:
     - name: build
       image: golang:$(params.go-version)
       imagePullPolicy: Always
       workingDir: $(params.shp-source-root)
+      securityContext:
+        readOnlyRootFilesystem: true
       volumeMounts:
         - mountPath: /gocache
           name: gocache
           readOnly: false
+        - mountPath: /ko-tmp
+          name: ko-tmp
+          readOnly: false
       env:
         - name: DOCKER_CONFIG
           value: /tekton/home/.docker
@@ -43,6 +52,10 @@ spec:
           value: $(params.go-flags)
         - name: GOCACHE
           value: /gocache
+        - name: GOTMPDIR
+          value: /ko-tmp
+        - name: TMPDIR
+          value: /ko-tmp
         - name: PARAM_OUTPUT_IMAGE
           value: $(params.shp-output-image)
         - name: PARAM_OUTPUT_DIRECTORY
@@ -80,7 +93,7 @@ spec:
           fi
 
           # Download ko to the temp directory
-          curl -f -s -L "https://github.com/ko-build/ko/releases/download/${KO_VERSION_WITH_V}/ko_${KO_VERSION_WITHOUT_V}_$(uname)_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | tar xzf - -C /tmp ko
+          curl -f -s -L "https://github.com/ko-build/ko/releases/download/${KO_VERSION_WITH_V}/ko_${KO_VERSION_WITHOUT_V}_$(uname)_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | tar xzf - -C /ko-tmp ko
 
           # Determine the platform
           PLATFORM="${PARAM_TARGET_PLATFORM}"
@@ -90,7 +103,7 @@ spec:
 
           # Print version information
           go version
-          echo "ko version $(/tmp/ko version)"
+          echo "ko version $(/ko-tmp/ko version)"
 
           # Allow directory to be owned by other user which is normal for a volume-mounted directory.
           # This allows Go to run git commands to access repository metadata.
@@ -102,7 +115,7 @@ spec:
           export GOROOT="$(go env GOROOT)"
 
           pushd "${PARAM_SOURCE_CONTEXT}" > /dev/null
-            /tmp/ko build "${PARAM_PACKAGE_DIRECTORY}" --oci-layout-path="${PARAM_OUTPUT_DIRECTORY}" --platform="${PLATFORM}" --push=false
+            /ko-tmp/ko build "${PARAM_PACKAGE_DIRECTORY}" --oci-layout-path="${PARAM_OUTPUT_DIRECTORY}" --platform="${PLATFORM}" --push=false
           popd > /dev/null
       resources:
         limits:

samples/v1beta1/buildstrategy/multiarch-native-buildah/buildstrategy_multiarch_native_buildah_cr.yaml

@@ -10,13 +10,25 @@ spec:
       overridable: true
     - name: additional-bins
       emptyDir: {}
+    - name: tmp
+      emptyDir: {}
+    - name: run
+      emptyDir: {}
+    - name: buildah-storage
+      emptyDir: {}
   steps:
     - name: prepare-build
       image: quay.io/centos/centos:stream9
       workingDir: $(params.shp-source-root)
+      securityContext:
+        readOnlyRootFilesystem: true
       volumeMounts:
         - mountPath: /usr/local/bin
           name: additional-bins
+        - mountPath: /tmp
+          name: tmp
+        - mountPath: /run
+          name: run
       resources:
         requests:
           cpu: 100m
@@ -198,8 +210,22 @@ spec:
                     volumeMounts:
                       - mountPath: /var/workdir
                         name: workdir
+                      # Temporary directories - all use buildah-temp volume
+                      - mountPath: /tmp
+                        name: buildah-temp
+                      - mountPath: /var/tmp
+                        name: buildah-temp
+                      - mountPath: /var/cache
+                        name: buildah-temp
+                      # Runtime directory
+                      - mountPath: /run
+                        name: buildah-run
+                      # Buildah storage
+                      - mountPath: /var/lib/containers
+                        name: buildah-storage
                     securityContext:
                       privileged: true
+                      readOnlyRootFilesystem: true
                     command:
                       - bash
                     resources:
@@ -243,6 +269,12 @@ spec:
                 volumes:
                 - name: workdir
                   emptyDir: {}
+                - name: buildah-temp
+                  emptyDir: {}
+                - name: buildah-run
+                  emptyDir: {}
+                - name: buildah-storage
+                  emptyDir: {}
           EOF
           done
 
@@ -331,11 +363,17 @@ spec:
     - name: wait-manifests-complete
       image: quay.io/centos/centos:stream9
       workingDir: /tmp
+      securityContext:
+        readOnlyRootFilesystem: true
       volumeMounts:
         - mountPath: /var/oci-archive-storage
           name: oci-archive-storage
         - mountPath: /usr/local/bin
           name: additional-bins
+        - mountPath: /tmp
+          name: tmp
+        - mountPath: /run
+          name: run
       resources:
         requests:
           cpu: 50m
@@ -415,6 +453,7 @@ spec:
       image: quay.io/containers/buildah:v1.41.5
       securityContext:
         privileged: true
+        readOnlyRootFilesystem: true
       workingDir: /var/oci-archive-storage
       resources:
         requests:
@@ -423,8 +462,22 @@ spec:
         limits:
           memory: 256Mi
       volumeMounts:
+        # Image archive storage
         - mountPath: /var/oci-archive-storage
           name: oci-archive-storage
+        # Temporary directories - all use tmp volume  
+        - mountPath: /tmp
+          name: tmp
+        - mountPath: /var/tmp
+          name: tmp
+        - mountPath: /var/cache
+          name: tmp
+        # Runtime directory
+        - mountPath: /run
+          name: run
+        # Buildah storage
+        - mountPath: /var/lib/containers
+          name: buildah-storage
       command:
         - bash
       args: