oci.mk

oci-lint

Synopsis: make oci-lint

Hooks: oci-pre-lint, oci-post-lint

Variables:

Variable	Description
OCI_IMAGE_ROOT_DIR	<root dir of image directories>
OCI_BUILDER	[docker\|podman] - OCI executor for linter
OCI_LINTER	<hadolint image> - OCI Image of linter application
OCI_IMAGE_FILE_PATH	<build file usually Dockerfile>
OCI_IMAGES	<list of image directories under ./`$(OCI_IMAGE_ROOT_DIR)`/>

Perform lint checks on a list of OCI Image build manifest files found in the specified OCI_IMAGES directories.

oci-build

Synopsis: make oci-build

Hooks: oci-pre-build, oci-post-build

Variables:

Variable	Description
OCI_IMAGE_ROOT_DIR	<root dir of image directories>
OCI_IMAGE	<image directory under ./`$(OCI_IMAGE_ROOT_DIR)`/> is the name of the image to build
OCI_IMAGE_BUILD_CONTEXT	<path to image build context> relative to ./`$(OCI_IMAGE_ROOT_DIR)`/<image dir> for multiple images, gets replaced by `$(PWD)` for single images where Dockerfile is in the root folder. Don’t use . to provide root folder for multiple images, use `$(PWD)`.
OCI_IMAGE_FILE_PATH	<build file usually Dockerfile>
CAR_OCI_REGISTRY_HOST	<defaults to artefact.skao.int>
VERSION	<semver tag of image> - defaults to release key in .release file
RELEASE_CONTEXT_DIR	<directory holding .release file>
OCI_BUILDER	[docker\|podman] - OCI executor for building images
OCI_BUILD_ADDITIONAL_ARGS	<any additional arguments to pass to OCI_BUILDER>
OCI_SKIP_PUSH	<set non-empty to skip push after build>
OCI_BUILD_ADDITIONAL_TAGS	<set as list of additional oci tags for build jobs> - defaults to empty

Perform an OCI Image build, and optionally push to the project GitLab registry If a Dockerfile is found in the root of the project then the project is deemed to be a one-shot image build with a OCI_IMAGE_BUILD_CONTEXT of the entire project folder passed in. If there are multiple images under `$(OCI_IMAGE_ROOT_DIR)/` folder OCI_IMAGE_BUILD_CONTEXT is set as the ./$(OCI_IMAGE_ROOT_DIR)/<image dir>. A .dockerignore file should be placed in the root of the project to limit the files/directories passed into the build phase, as excess files can impact performance and have unintended consequences. The image tag defaults to $VERSION-dev.c``$CI_COMMIT_SHORT_SHA`` when pushing to $CI_REGISTRY otherwise it will be $VERSION. $VERSION is the current release key in the RELEASE_CONTEXT_DIR .release file. The RELEASE_CONTEXT_DIR defaults to the root folder of the project, but can be overriden if .release files are required per image to build. See ska-tango-images for an example. When running oci-build inside the CI pipeline templates, CAR_OCI_REGISTRY_HOST is set to ${CI_REGISTRY}/${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}, so that the image is automatically pushed to the GitLab CI registry for the related project.

oci-build-all

Synopsis: make oci-build-all

Hooks: oci-pre-build-all, oci-post-build-all

Variables:

Variable	Description
OCI_IMAGE_ROOT_DIR	<root dir of image directories>
OCI_IMAGES	<list of image directories under ./`$(OCI_IMAGE_ROOT_DIR)`/> names of the images to build
OCI_IMAGE_FILE_PATH	<build file usually Dockerfile>
CAR_OCI_REGISTRY_HOST	<defaults to artefact.skao.int>
OCI_BUILDER	[docker\|podman] - OCI executor for building images
OCI_BUILD_ADDITIONAL_ARGS	<any additional arguments to pass to OCI_BUILDER>
OCI_SKIP_PUSH	<set non-empty to skip push after build>

Perform an OCI Image build for a list of images by iteratively calling oci-build - see above.

oci-publish

Synopsis: make oci-publish

Hooks: oci-pre-publish, oci-post-publish

Variables:

Variable	Description
OCI_IMAGE_ROOT_DIR	<root dir of image directories>
OCI_IMAGES	<list of image directories under ./`$(OCI_IMAGE_ROOT_DIR)`/> names of the images to publish
CAR_OCI_REGISTRY_HOST	<defaults to artefact.skao.int>
OCI_BUILDER	[docker\|podman] - OCI executor for publishing images
VERSION	<semver tag of image> - defaults to release key in .release file
RELEASE_CONTEXT_DIR	<directory holding .release file>

Publish a list of images to the CAR_OCI_REGISTRY_HOST. This requires the source image to have been already built and pushed to the ${CI_REGISTRY}. OCI publish now requires the Docker Buildx CLI plugin and a Buildx-capable OCI CI image. The publish step promotes the already-published dev tag directly in the registry with docker buildx imagetools create -t <destination> <source>. This preserves single-arch images as-is and keeps multi-arch manifests intact when promoting from the GitLab dev tag to the GitLab release tag and then to the CAR release tag.

oci-vault-pki

Synopsis: make oci-vault-pki

Hooks: oci-pre-vault-pki, oci-post-vault-pki

Variables:

Variable	Description
VAULT_SERVER_URL	<URL of the Vault server>
VAULT_JWT_TOKEN	<JWT obtained from OCI identity service>
OCI_VAULT_PKI_URI	<URI to identify the certificate>

Communicates with the Vault server to manage PKI operations for OCI image signing. It sets up the environment to interact with Vault by exporting necessary variables. Then, it obtains a client token from Vault using the provided JWT for authentication. After obtaining the token, it requests a certificate from Vault for OCI image signing, saving the private key and certificate chain to specific files. Finally, it updates a configuration file with the paths to the generated private key and certificate files.

oci-publish-all

Synopsis: make oci-publish-all

Hooks: oci-pre-publish-all, oci-post-publish-all

Variables:

Variable	Description
OCI_IMAGE_ROOT_DIR	<root dir of image directories>
OCI_IMAGES_TO_PUBLISH	<image directories under ./`$(OCI_IMAGE_ROOT_DIR)`/> is the list of names of the images to publish
CAR_OCI_REGISTRY_HOST	<defaults to artefact.skao.int>
OCI_BUILDER	[docker\|podman] - OCI executor for publishing images
OCI_SKIP_PUSH	<set non-empty to skip push after build>

Publish images listed in OCI_IMAGES_TO_PUBLISH to the CAR_OCI_REGISTRY_HOST by iteratively calling oci-publish - see above.

oci-scan

Synopsis: make oci-scan

Hooks: oci-pre-scan, oci-post-scan

Variables:

Variable	Description
OCI_IMAGE_ROOT_DIR	<root dir of image directories>
OCI_IMAGE	<image name> is the image to be scanned by Trivy
CAR_OCI_REGISTRY_HOST	<defaults to artefact.skao.int> - registry where image held
VERSION	<semver tag of image> - defaults to release key in .release file
RELEASE_CONTEXT_DIR	<directory holding .release file>

Scan image OCI_IMAGE using Trivy. iteratively calling oci-publish - see above.

oci-scan-all

Synopsis: make oci-scan-all

Hooks: oci-pre-scan-all, oci-post-scan-all

Variables:

Variable	Description
OCI_IMAGE_ROOT_DIR	<root dir of image directories>
OCI_IMAGES_TO_PUBLISH	<image directories under ./`$(OCI_IMAGE_ROOT_DIR)`/> is the list of names of the images to be scanned by Trivy
CAR_OCI_REGISTRY_HOST	<defaults to artefact.skao.int> - registry where image held

Scan image OCI_IMAGE using Trivy. iteratively calling oci-publish - see above.

oci-boot-into-tools

Synopsis: make oci-boot-into-tools

Hooks: none

Variables:

Variable	Description
OCI_BUILDER	[docker\|podman] - OCI container executor
OCI_TOOLS_IMAGE	<OCI Tools Image> - tools image - default artefact.skao.int/ska-tango-images-pytango-builder

Launch the tools image with the current directory mounted at /app in container and install the current requirements.txt .