mirror of https://github.com/coder/coder.git
107 lines
2.7 KiB
Bash
Executable File
107 lines
2.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# This script builds the ironbank Docker image of Coder containing the given
|
|
# binary. Other dependencies will be automatically downloaded and cached.
|
|
#
|
|
# Usage: ./build_ironbank.sh --target image_tag path/to/coder
|
|
|
|
set -euo pipefail
|
|
# shellcheck source=scripts/lib.sh
|
|
source "$(dirname "${BASH_SOURCE[0]}")/../lib.sh"
|
|
|
|
image_tag=""
|
|
|
|
args="$(getopt -o "" -l target: -- "$@")"
|
|
eval set -- "$args"
|
|
while true; do
|
|
case "$1" in
|
|
--target)
|
|
image_tag="$2"
|
|
shift 2
|
|
;;
|
|
--)
|
|
shift
|
|
break
|
|
;;
|
|
*)
|
|
error "Unrecognized option: $1"
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [[ "$image_tag" == "" ]]; then
|
|
error "The --image-tag parameter is required"
|
|
fi
|
|
|
|
# Check dependencies
|
|
dependencies docker sha256sum yq
|
|
if [[ $(yq --version) != *" v4."* ]]; then
|
|
error "yq version 4 is required"
|
|
fi
|
|
|
|
if [[ "$#" != 1 ]]; then
|
|
error "Exactly one argument must be provided to this script, $# were supplied"
|
|
fi
|
|
if [[ ! -f "$1" ]]; then
|
|
error "File '$1' does not exist or is not a regular file"
|
|
fi
|
|
input_file="$(realpath "$1")"
|
|
|
|
# Make temporary dir for Docker build context.
|
|
tmpdir="$(mktemp -d)"
|
|
trap 'rm -rf "$tmpdir"' EXIT
|
|
pushd "$(dirname "${BASH_SOURCE[0]}")"
|
|
cp Dockerfile "$tmpdir/"
|
|
cp terraform-filesystem-mirror.tfrc "$tmpdir/"
|
|
popd
|
|
|
|
# Create a coder.tar.gz file.
|
|
execrelative ../archive.sh \
|
|
--format tar.gz \
|
|
--os linux \
|
|
--output "$tmpdir/coder.tar.gz" \
|
|
"$input_file"
|
|
|
|
# Download all resources in the hardening_manifest.yaml file except for
|
|
# coder.tar.gz (which we will make ourselves).
|
|
manifest_path="$(dirname "${BASH_SOURCE[0]}")/hardening_manifest.yaml"
|
|
resources="$(yq e '.resources[] | select(.filename != "coder.tar.gz") | [.filename, .url, .validation.value] | @tsv' "$manifest_path")"
|
|
while read -r line; do
|
|
filename="$(echo "$line" | cut -f1)"
|
|
url="$(echo "$line" | cut -f2)"
|
|
sha256_hash="$(echo "$line" | cut -f3)"
|
|
|
|
pushd "$(dirname "${BASH_SOURCE[0]}")"
|
|
target=".${filename}.${sha256_hash}"
|
|
if [[ ! -f "$target" ]]; then
|
|
log "Downloading $filename"
|
|
curl -sSL "$url" -o "$target"
|
|
fi
|
|
|
|
sum="$(sha256sum "$target" | cut -d' ' -f1)"
|
|
if [[ "$sum" != "$sha256_hash" ]]; then
|
|
rm "$target"
|
|
error "Downloaded $filename has hash $sum, but expected $sha256_hash"
|
|
fi
|
|
cp "$target" "$tmpdir/$filename"
|
|
popd
|
|
done <<<"$resources"
|
|
|
|
terraform_coder_provider_version="$(yq e '.args.TERRAFORM_CODER_PROVIDER_VERSION' "$manifest_path")"
|
|
if [[ "$terraform_coder_provider_version" == "" ]]; then
|
|
error "TERRAFORM_CODER_PROVIDER_VERSION not found in hardening_manifest.yaml"
|
|
fi
|
|
|
|
# Build the image.
|
|
pushd "$tmpdir"
|
|
docker build \
|
|
--build-arg BASE_REGISTRY=registry.access.redhat.com \
|
|
--build-arg BASE_IMAGE=ubi8/ubi-minimal \
|
|
--build-arg BASE_TAG=8.7 \
|
|
--build-arg TERRAFORM_CODER_PROVIDER_VERSION="$terraform_coder_provider_version" \
|
|
-t "$image_tag" \
|
|
. >&2
|
|
popd
|
|
|
|
echo "$image_tag"
|