diff --git a/packages/kontinuous/tests/__snapshots__/job-builds.dev.yaml b/packages/kontinuous/tests/__snapshots__/job-builds.dev.yaml index 48543ea1ca..e60e6990ca 100644 --- a/packages/kontinuous/tests/__snapshots__/job-builds.dev.yaml +++ b/packages/kontinuous/tests/__snapshots__/job-builds.dev.yaml @@ -110,7 +110,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -159,7 +159,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -177,19 +177,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-job-builds/app - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -205,25 +254,60 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-job-builds/app - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"NEXT_PUBLIC_HASURA_URL=https://hasura-test-job-builds-feature-branch-1.dev.fabrique.social.gouv.fr/v1/graphql\\" \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"NEXT_PUBLIC_HASURA_URL=https://hasura-test-job-builds-feature-branch-1.dev.fabrique.social.gouv.fr/v1/graphql\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -234,6 +318,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -311,7 +396,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -360,7 +445,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
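Review bot: In `runBuildkit` (hunk @@ -205,25 +254,60) the `tee "$tempfile" < "$pipe" &` reader is never waited for, so the later `grep -q ... $tempfile` can run before the last build output has been written and miss the "failed to list workers: Unavailable" line, turning a recoverable outage into `exit $status`. I would keep the reader's pid and wait for it before returning: `tee "$tempfile" < "$pipe" & tee_pid=$!` and, after the build command, `rc=$?; wait "$tee_pid"; rm -f "$pipe"; return "$rc"`. The grep should also quote its argument, `"$tempfile"`. Both names come from `mktemp -u`, which only reserves a name; creating the fifo and log inside a `mktemp -d` directory would avoid relying on that name staying unused. This file looks like a rendered test snapshot, so the change presumably belongs in the template that produces it; the same block recurs in the other `runBuildkit` hunks of job-builds, job-no-affinity, jobs-build-options, jobs-build-stage and jobs-build.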
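Review bot: `allowPrivilegeEscalation: true` is added in the `securityContext` hunk (@@ -234,6 +318,7) next to an already `Unconfined` seccomp profile, and nothing visible in the manifest records why. Presumably it is there so the rootless BuildKit started by the new `buildctl-daemonless.sh` fallback can use its setuid uid/gid-mapping helpers, but it now applies to every build pod, including runs that only talk to the remote buildkit service. I would state the reason where the value is set, for example `# needed by rootless buildkit in the daemonless fallback; keep scoped to build jobs`, and confirm that the target namespaces' pod security policy is meant to admit a container with both settings. The same line is added to the `securityContext` of every other job snapshot in this diff.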
@@ -378,19 +463,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-job-builds/hasura - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -406,24 +540,59 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-job-builds/hasura - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace//packages/hasura \\\\ - --local dockerfile=/workspace/packages/hasura \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace//packages/hasura \\\\ + --local dockerfile=/workspace/packages/hasura \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -434,6 +603,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: diff --git a/packages/kontinuous/tests/__snapshots__/job-no-affinity.dev.yaml b/packages/kontinuous/tests/__snapshots__/job-no-affinity.dev.yaml index 88a00ee41c..23b6809621 100644 --- a/packages/kontinuous/tests/__snapshots__/job-no-affinity.dev.yaml +++ b/packages/kontinuous/tests/__snapshots__/job-no-affinity.dev.yaml @@ -110,7 +110,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -159,7 +159,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -177,19 +177,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-job-no-affinity/app - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -205,24 +254,59 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-job-no-affinity/app - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -233,6 +317,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: diff --git a/packages/kontinuous/tests/__snapshots__/jobs-build-options.dev.yaml b/packages/kontinuous/tests/__snapshots__/jobs-build-options.dev.yaml index 66c67f6c19..18461b0383 100644 --- a/packages/kontinuous/tests/__snapshots__/jobs-build-options.dev.yaml +++ b/packages/kontinuous/tests/__snapshots__/jobs-build-options.dev.yaml @@ -111,7 +111,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -160,7 +160,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -178,19 +178,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-jobs-build-options/app - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -206,26 +255,61 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-jobs-build-options/app - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"arg1=value1\\" \\\\ - --opt build-arg:\\"arg2=value2\\" \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"arg1=value1\\" \\\\ + --opt build-arg:\\"arg2=value2\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -236,6 +320,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: diff --git a/packages/kontinuous/tests/__snapshots__/jobs-build-stage.dev.yaml b/packages/kontinuous/tests/__snapshots__/jobs-build-stage.dev.yaml index 9c4e900d3c..1a342eba7c 100644 --- a/packages/kontinuous/tests/__snapshots__/jobs-build-stage.dev.yaml +++ b/packages/kontinuous/tests/__snapshots__/jobs-build-stage.dev.yaml @@ -437,7 +437,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -486,7 +486,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -504,19 +504,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-jobs-build-stage/app - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -532,24 +581,59 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-jobs-build-stage/app - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -560,6 +644,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -638,7 +723,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -687,7 +772,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -705,19 +790,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-jobs-build-stage/hasura - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -733,24 +867,59 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-jobs-build-stage/hasura - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace//hasura \\\\ - --local dockerfile=/workspace/hasura \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace//hasura \\\\ + --local dockerfile=/workspace/hasura \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -761,6 +930,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: diff --git a/packages/kontinuous/tests/__snapshots__/jobs-build.dev.yaml b/packages/kontinuous/tests/__snapshots__/jobs-build.dev.yaml index 1abbfe7b0d..57d726c8ab 100644 --- a/packages/kontinuous/tests/__snapshots__/jobs-build.dev.yaml +++ b/packages/kontinuous/tests/__snapshots__/jobs-build.dev.yaml @@ -436,7 +436,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -485,7 +485,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -503,19 +503,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-jobs-build/app - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -531,24 +580,59 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-jobs-build/app - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -559,6 +643,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -636,7 +721,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -685,7 +770,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
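Review bot: `runBuildkit` in the `@@ -531,24 +580,59 @@` hunk starts `tee "$tempfile" < "$pipe" &` in the background and never waits for it. The `grep -q … $tempfile` after a failed build can therefore run before the log is fully written and miss the "failed to list workers: Unavailable" line, which turns a recoverable outage into `exit $status`. Recording `tee_pid=$!` after the `tee` line and ending the function with `rc=$?; wait "$tee_pid"; return $rc` closes that gap. Both paths come from `mktemp -u`, which only prints an unused name; creating a private directory with `mktemp -d` and placing the FIFO and log inside it avoids the name race, and `"$tempfile"` should be quoted in the `grep`. The same function is repeated in the following build-job hunks of this file, repo.domifa.dev.yaml and repo.domifa.preprod.yaml, so the change belongs in the template these snapshots are rendered from.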
@@ -703,19 +788,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-jobs-build/hasura - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -731,24 +865,59 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-jobs-build/hasura - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace//hasura \\\\ - --local dockerfile=/workspace/hasura \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace//hasura \\\\ + --local dockerfile=/workspace/hasura \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -759,6 +928,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: diff --git a/packages/kontinuous/tests/__snapshots__/repo.domifa.dev.yaml b/packages/kontinuous/tests/__snapshots__/repo.domifa.dev.yaml index 3b8ff8bac1..efcbaf3a89 100644 --- a/packages/kontinuous/tests/__snapshots__/repo.domifa.dev.yaml +++ b/packages/kontinuous/tests/__snapshots__/repo.domifa.dev.yaml @@ -147,7 +147,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -196,7 +196,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -214,19 +214,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/backend - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -242,29 +291,64 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/backend - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/backend/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=dev\\" \\\\ - --opt build-arg:\\"DOMIFA_FRONTEND_URL=https://test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/backend/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true 
\\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=dev\\" \\\\ + --opt build-arg:\\"DOMIFA_FRONTEND_URL=https://test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -275,6 +359,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -352,7 +437,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -401,7 +486,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -419,19 +504,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/frontend - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -447,30 +581,65 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/frontend - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/frontend/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=dev\\" \\\\ - --opt build-arg:\\"DOMIFA_FRONTEND_META_ROBOTS=noindex,nofollow\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_SENTRY_DSN_FRONTEND=https://***@sentry.fabrique.social.gouv.fr/31\\" \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/frontend/Dockerfile \\\\ + --output 
type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=dev\\" \\\\ + --opt build-arg:\\"DOMIFA_FRONTEND_META_ROBOTS=noindex,nofollow\\" \\\\ + --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_SENTRY_DSN_FRONTEND=https://***@sentry.fabrique.social.gouv.fr/31\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -481,6 +650,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -558,7 +728,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: 
@@ -607,7 +777,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: @@ -625,19 +795,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/portail-admins - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -653,26 +872,61 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/portail-admins - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/portail-admins/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=dev\\" \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/portail-admins/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=dev\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -683,6 +937,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -760,7 +1015,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -809,7 +1064,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -827,19 +1082,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/portail-usagers - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -855,27 +1159,62 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/portail-usagers - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/portail-usagers/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=dev\\" \\\\ - --opt build-arg:\\"DOMIFA_SENTRY_DSN_PORTAIL=https://***@sentry.fabrique.social.gouv.fr/58\\" \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/portail-usagers/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo-domifa-feature-branch-1-o91f7v1i.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=dev\\" \\\\ + --opt 
build-arg:\\"DOMIFA_SENTRY_DSN_PORTAIL=https://***@sentry.fabrique.social.gouv.fr/58\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -886,6 +1225,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: diff --git a/packages/kontinuous/tests/__snapshots__/repo.domifa.preprod.yaml b/packages/kontinuous/tests/__snapshots__/repo.domifa.preprod.yaml index 0a6f485f51..f7b4058b52 100644 --- a/packages/kontinuous/tests/__snapshots__/repo.domifa.preprod.yaml +++ b/packages/kontinuous/tests/__snapshots__/repo.domifa.preprod.yaml @@ -145,7 +145,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -194,7 +194,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -212,19 +212,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/backend - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -240,25 +289,60 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/backend - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/backend/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=preprod\\" \\\\ - echo \\"$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/backend/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=preprod\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -269,6 +353,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -346,7 +431,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -395,7 +480,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
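Review bot: In `runBuildkit` (hunk `@@ -240,25 +289,60 @@`) the background `tee` is never waited on, so `grep ... $tempfile` can run before the last of the buildctl output has been written to the log. That tail is presumably where the "failed to list workers" error appears, in which case the fallback is skipped and the job exits with the original status. Replacing `return $?` with `rc=$?; wait; return $rc` closes the race. `mktemp -u` only prints a name without creating the file, so `tempfile=$(mktemp)` is safer for the log (the FIFO does need an unused path), `$tempfile` should be quoted in the `grep`, and neither the log nor the FIFO is removed afterwards. The same function is rendered in the later build-job hunks (`@@ -441,30 +575,65 @@`, `@@ -647,26 +866,61 @@`, `@@ -849,27 +1153,62 @@` and the prod snapshot), so the fix belongs in the template that generates these snapshots.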
@@ -413,19 +498,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/frontend - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -441,30 +575,65 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/frontend - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/frontend/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=preprod\\" \\\\ - --opt build-arg:\\"DOMIFA_FRONTEND_META_ROBOTS=noindex,nofollow\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_SENTRY_DSN_FRONTEND=https://***@sentry.fabrique.social.gouv.fr/31\\" \\\\ - echo \\"$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/frontend/Dockerfile \\\\ + --output 
type=image,\\\\\\"name=$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=preprod\\" \\\\ + --opt build-arg:\\"DOMIFA_FRONTEND_META_ROBOTS=noindex,nofollow\\" \\\\ + --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_SENTRY_DSN_FRONTEND=https://***@sentry.fabrique.social.gouv.fr/31\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -475,6 +644,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -552,7 +722,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: 
@@ -601,7 +771,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: @@ -619,19 +789,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/portail-admins - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -647,26 +866,61 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/portail-admins - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/portail-admins/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=preprod\\" \\\\ - echo \\"$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/portail-admins/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=preprod\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -677,6 +931,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -754,7 +1009,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -803,7 +1058,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -821,19 +1076,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/portail-usagers - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -849,27 +1153,62 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/portail-usagers - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/portail-usagers/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=preprod\\" \\\\ - --opt build-arg:\\"DOMIFA_SENTRY_DSN_PORTAIL=https://***@sentry.fabrique.social.gouv.fr/58\\" \\\\ - echo \\"$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/portail-usagers/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://api-test-repo.domifa-preprod.dev.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=preprod\\" \\\\ + --opt 
build-arg:\\"DOMIFA_SENTRY_DSN_PORTAIL=https://***@sentry.fabrique.social.gouv.fr/58\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:preprod-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -880,6 +1219,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: diff --git a/packages/kontinuous/tests/__snapshots__/repo.domifa.prod.yaml b/packages/kontinuous/tests/__snapshots__/repo.domifa.prod.yaml index 6cdcd268bf..69bb2c16e7 100644 --- a/packages/kontinuous/tests/__snapshots__/repo.domifa.prod.yaml +++ b/packages/kontinuous/tests/__snapshots__/repo.domifa.prod.yaml @@ -200,7 +200,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -249,7 +249,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -267,19 +267,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/backend - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -295,28 +344,63 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/backend - export LATEST_TAG=\\"\\" if [ \\"true\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/backend/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:prod,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://domifa-api.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=prod\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo.domifa.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo.domifa.fabrique.social.gouv.fr/\\" \\\\ - echo \\"$IMAGE_PATH:prod\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/backend/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:prod,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://domifa-api.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=prod\\" \\\\ + --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo.domifa.fabrique.social.gouv.fr/\\" \\\\ + --opt 
build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo.domifa.fabrique.social.gouv.fr/\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:prod\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -327,6 +411,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -404,7 +489,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -453,7 +538,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -471,19 +556,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/frontend - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -499,30 +633,65 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/frontend - export LATEST_TAG=\\"\\" if [ \\"true\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/frontend/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:prod,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://domifa-api.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=prod\\" \\\\ - --opt build-arg:\\"DOMIFA_FRONTEND_META_ROBOTS=noindex,nofollow\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo.domifa.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo.domifa.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_SENTRY_DSN_FRONTEND=https://***@sentry.fabrique.social.gouv.fr/31\\" \\\\ - echo \\"$IMAGE_PATH:prod\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/frontend/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:prod,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://domifa-api.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=prod\\" 
\\\\ + --opt build-arg:\\"DOMIFA_FRONTEND_META_ROBOTS=noindex,nofollow\\" \\\\ + --opt build-arg:\\"DOMIFA_PORTAIL_ADMINS_URL=https://admin-test-repo.domifa.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_PORTAIL_USAGERS_URL=https://mon-test-repo.domifa.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_SENTRY_DSN_FRONTEND=https://***@sentry.fabrique.social.gouv.fr/31\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:prod\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -533,6 +702,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -610,7 +780,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -659,7 +829,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -677,19 +847,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/portail-admins - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -705,27 +924,62 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/portail-admins - export LATEST_TAG=\\"\\" if [ \\"true\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/portail-admins/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:prod,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://domifa-api.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=prod\\" \\\\ - --opt build-arg:\\"PRODUCTION=true\\" \\\\ - echo \\"$IMAGE_PATH:prod\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/portail-admins/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:prod,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://domifa-api.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=prod\\" \\\\ + --opt build-arg:\\"PRODUCTION=true\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:prod\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -736,6 +990,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: @@ -813,7 +1068,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -862,7 +1117,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
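Review bot: In `runBuildkit` (hunk `@@ -705,27 +924,62 @@`), the background `tee "$tempfile" < "$pipe" &` is never waited for, so the `grep -q` that decides the fallback may read `$tempfile` before the log is fully written and miss the "Unavailable" message. Replacing `return $?` with `rc=$?; wait; rm -f "$pipe"; return $rc` closes that window and removes the leftover FIFO. Both paths come from `mktemp -u`, which only prints a name and reserves nothing; `tempfile=$(mktemp)` creates the log file atomically, and the FIFO is safer created inside a `mktemp -d` directory. `$tempfile` is also unquoted in the `grep` call and should be `"$tempfile"`. The same function is repeated in the later build-job hunks, and because these files are rendered snapshots the change belongs in the template that produces the script.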
@@ -880,19 +1135,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/domifa/test-repo.domifa/portail-usagers - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -908,28 +1212,63 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/domifa/test-repo.domifa/portail-usagers - export LATEST_TAG=\\"\\" if [ \\"true\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./packages/portail-usagers/Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:prod,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"DOMIFA_BACKEND_URL=https://domifa-api.fabrique.social.gouv.fr/\\" \\\\ - --opt build-arg:\\"DOMIFA_ENV_ID=prod\\" \\\\ - --opt build-arg:\\"DOMIFA_SENTRY_DSN_PORTAIL=https://***@sentry.fabrique.social.gouv.fr/58\\" \\\\ - --opt build-arg:\\"PRODUCTION=true\\" \\\\ - echo \\"$IMAGE_PATH:prod\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./packages/portail-usagers/Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:prod,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"DOMIFA_BACKEND_URL=https://domifa-api.fabrique.social.gouv.fr/\\" \\\\ + --opt build-arg:\\"DOMIFA_ENV_ID=prod\\" \\\\ + --opt build-arg:\\"DOMIFA_SENTRY_DSN_PORTAIL=https://***@sentry.fabrique.social.gouv.fr/58\\" \\\\ + --opt build-arg:\\"PRODUCTION=true\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? 
+ + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:prod\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -940,6 +1279,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: diff --git a/packages/kontinuous/tests/__snapshots__/socialgouv-autodevops-override.dev.yaml b/packages/kontinuous/tests/__snapshots__/socialgouv-autodevops-override.dev.yaml index 2b916b686a..79af75d2a2 100644 --- a/packages/kontinuous/tests/__snapshots__/socialgouv-autodevops-override.dev.yaml +++ b/packages/kontinuous/tests/__snapshots__/socialgouv-autodevops-override.dev.yaml @@ -111,7 +111,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -160,7 +160,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -178,19 +178,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-socialgouv-autodevops-override/app - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -206,25 +255,60 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-socialgouv-autodevops-override/app - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - --opt build-arg:\\"COMMIT_SHA=ffac537e6cbbf934b08745a378932722df287a53\\" \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + --opt build-arg:\\"COMMIT_SHA=ffac537e6cbbf934b08745a378932722df287a53\\" \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -235,6 +319,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: diff --git a/packages/kontinuous/tests/__snapshots__/socialgouv-autodevops.dev.yaml b/packages/kontinuous/tests/__snapshots__/socialgouv-autodevops.dev.yaml index 802bdafacc..a8e10f2ad5 100644 --- a/packages/kontinuous/tests/__snapshots__/socialgouv-autodevops.dev.yaml +++ b/packages/kontinuous/tests/__snapshots__/socialgouv-autodevops.dev.yaml @@ -111,7 +111,7 @@ metadata: app.kubernetes.io/manifest-managed-by: kontinuous app.kubernetes.io/manifest-created-by: kontinuous spec: - backoffLimit: 1 + backoffLimit: 0 activeDeadlineSeconds: 3600 ttlSecondsAfterFinished: 1800 template: @@ -160,7 +160,7 @@ spec: memory: \\"0\\" containers: - name: job - image: moby/buildkit:v0.11.6-rootless + image: moby/buildkit:v0.13.0-rootless imagePullPolicy: IfNotPresent envFrom: - secretRef: 
@@ -178,19 +178,68 @@ spec: - > set -e - if [ \\"\\" != \\"\\" ]; then - export CI_REGISTRY=\\"\\" - fi - buildctl_options_cache=\\"\\" + export IMAGE_NAME=/test-socialgouv-autodevops/app - buildctl_options_mtls=\\"\\" + export IMAGE_PATH=\\"\${CI_REGISTRY}\${IMAGE_NAME}\\" + + + buildctl_options_cache=\\"\\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-main \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-master \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-dev \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:cache-develop \\\\ + --import-cache type=registry,ref=$IMAGE_PATH:feature-branch-1 \\\\ + \\" + + + + buildkit_addr=tcp://buildkit-service.buildkit-service.svc:1234 + + + # consistent hashing distribution + + + + ## setup consistent hashing variable + + export pod_count='1' + + export pod_hash_ref=\\"$IMAGE_NAME\\" + + + ## get the pod number + + pod_num=$(( 0x$(echo \\"$pod_hash_ref\\" | md5sum | cut -d ' ' -f 1 | head -c 15) )) + + [ $pod_num -lt 0 ] && pod_num=$((pod_num * -1)) + + pod_num=$(( $pod_num % $pod_count )) + + + ## rewrite addr + + prefix_addr=\\"\${buildkit_addr%%.*}\\" + + protocol=\\"\${prefix_addr%%://*}\\" + + # protocol=kube-pod + subdomain=\\"\${prefix_addr#*//}\\" - buildctl_cmd=\\"buildctl \\\\ - --addr tcp://buildkit-service.buildkit-service.svc:1234 \\\\ - \\" + buildkit_addr=$(echo \\"$buildkit_addr\\" | sed \\"s|$prefix_addr|$protocol://$subdomain-$pod_num.$subdomain|\\") + + + + # buildkit_addr=\\"tcp://test-buildkit-service.test-buildkit-service.svc:1235\\" # enable in debug to emulate service failure + + + + + buildctl_cmd=\\"buildctl --addr $buildkit_addr \\" + + buildctl_options_mtls=\\"\\" if [ -f /buildkit-certs/cert.pem ]; then buildctl_options_mtls=\\"\\\\ 
@@ -206,24 +255,59 @@ spec: echo \\"{\\\\\\"auths\\\\\\":{\\\\\\"$CI_REGISTRY\\\\\\":{\\\\\\"username\\\\\\":\\\\\\"$CI_REGISTRY_USER\\\\\\",\\\\\\"password\\\\\\":\\\\\\"$CI_REGISTRY_PASSWORD\\\\\\"}}}\\" > /home/user/.docker/config.json - export IMAGE_PATH=$CI_REGISTRY/test-socialgouv-autodevops/app - export LATEST_TAG=\\"\\" if [ \\"false\\" = \\"true\\" ]; then export LATEST_TAG=\\",$IMAGE_PATH:latest\\" fi - $buildctl_cmd \\\\ - $buildctl_options_mtls \\\\ - build \\\\ - --frontend dockerfile.v0 \\\\ - --local context=/workspace/ \\\\ - --local dockerfile=/workspace \\\\ - --opt filename=./Dockerfile \\\\ - --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ - $buildctl_options_cache \\\\ - echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE + + runBuildkit() { + tempfile=$(mktemp -u) + pipe=$(mktemp -u) + mkfifo \\"$pipe\\" + tee \\"$tempfile\\" < \\"$pipe\\" & + + $buildctl_cmd \\\\ + $buildctl_options_mtls \\\\ + build \\\\ + --frontend dockerfile.v0 \\\\ + --local context=/workspace/ \\\\ + --local dockerfile=/workspace \\\\ + --opt filename=./Dockerfile \\\\ + --output type=image,\\\\\\"name=$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53,$IMAGE_PATH:feature-branch-1$LATEST_TAG\\\\\\",push=true \\\\ + $buildctl_options_cache \\\\ + >\\"$pipe\\" 2>&1 + return $? + } + + + set +e + + runBuildkit + + status=$? + + set -e + + + if [ \\"$status\\" -ne 0 ]; then + echo \\"Command failed. 
Handling error...\\" + if grep -q -e \\"listing workers for Build: failed to list workers: Unavailable\\" $tempfile; then + echo \\"buildkit optimized service unavailable, fallback to local build\\" + buildctl_cmd=\\"buildctl-daemonless.sh\\" + buildctl_options_mtls=\\"\\" + runBuildkit + else + exit $status + fi + fi + + + echo \\"build succeeded.\\" + + + echo \\"$IMAGE_PATH:sha-ffac537e6cbbf934b08745a378932722df287a53\\" >$KONTINUOUS_OUTPUT/IMAGE resources: limits: cpu: \\"2\\" @@ -234,6 +318,7 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + allowPrivilegeEscalation: true seccompProfile: type: Unconfined volumeMounts: