From 8e4e323389e66d8365a3243f8e956136e916132e Mon Sep 17 00:00:00 2001
From: Tom Alexander <tom@fizz.buzz>
Date: Sun, 20 Oct 2024 15:27:02 -0400
Subject: [PATCH] Add a tekton task to build a docker image with buildkit
 without a daemon or root.

---
 .../0.1/buildkit-rootless-daemonless.yaml     | 144 ++++++++++++++++++
 1 file changed, 144 insertions(+)
 create mode 100644 task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml

diff --git a/task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml b/task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml
new file mode 100644
index 0000000..c8efdb7
--- /dev/null
+++ b/task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml
@@ -0,0 +1,144 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: buildkit
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/categories: Image Build
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: image-build
+    tekton.dev/displayName: "Build a docker image with buildkit."
+    tekton.dev/platforms: "linux/amd64"
+    container.apparmor.security.beta.kubernetes.io/step-build-and-push: unconfined
+spec:
+  description: >-
+    This task will build a docker image using buildkit and push the result to an image registry.
+  workspaces:
+    - name: source
+      mountPath: /source
+      readOnly: true
+    - name: dockerconfig
+      description: Includes credentials for the docker image registry.
+      optional: true
+      mountPath: /home/user/.docker
+  params:
+    - name: OUTPUT
+      type: string
+      description: Argument to output flag for `buildctl build`
+      # Examples:
+      #   type=image,name=harbor.mydomain.example/private/foo:3.45,push=true,compression=zstd,compression-level=22
+      #   type=image,"name=harbor.mydomain.example/private/foo:latest,harbor.mydomain.example/private/foo:3.45",push=true,compression=zstd,compression-level=22,oci-mediatypes=true
+    - name: CONTEXT
+      type: string
+      description: Path to the docker context.
+      default: "."
+    - name: DOCKERFILE
+      type: string
+      description: Path to the Dockerfile relative to the context.
+      default: "Dockerfile"
+    - name: BUILDER_IMAGE
+      type: string
+      description: Docker image containing BuildKit.
+      default: "moby/buildkit:v0.17.0-rc1-rootless"
+      # or v0.16.0-rootless
+    - name: EXTRA_ARGS
+      type: array
+      description: Arguments passed to the build command.
+      default: []
+    - name: BUILDKITD_TOML
+      type: string
+      description: Contents of buildkitd.toml.
+      default: ""
+  results:
+    - name: IMAGE_DIGEST
+      description: Digest of the docker image.
+    - name: IMAGE_URL
+      description: Full URL to the docker image.
+      type: array
+  volumes:
+    - name: buildkitd
+      emptyDir: {}
+    - name: buildkitd-toml
+      emptyDir: {}
+    - name: metadata-out
+      emptyDir: {}
+  steps:
+    - name: write-config
+      image: $(params.BUILDER_IMAGE)
+      workingDir: "$(workspaces.source.path)"
+      script: |
+        #!/usr/bin/env sh
+        set -euo pipefail
+        tee /home/user/.config/buildkit/buildkitd.toml <<EOF
+        $(params.BUILDKITD_TOML)
+        EOF
+      volumeMounts:
+        - name: buildkitd
+          mountPath: /home/user/.local/share/buildkit
+        - name: buildkitd-toml
+          mountPath: /home/user/.config/buildkit
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+    - name: build-and-push
+      image: $(params.BUILDER_IMAGE)
+      workingDir: "$(workspaces.source.path)"
+      command: ["buildctl-daemonless.sh"]
+      args:
+        - build
+        - --frontend
+        - dockerfile.v0
+        - --local
+        - context=$(workspaces.source.path)/$(params.CONTEXT)
+        - --local
+        - dockerfile=$(params.DOCKERFILE)
+        - --output
+        - $(params.OUTPUT)
+        - --metadata-file
+        - /home/user/.metadata/build.json
+        - $(params.EXTRA_ARGS)
+      volumeMounts:
+        - name: buildkitd
+          mountPath: /home/user/.local/share/buildkit
+        - name: buildkitd-toml
+          mountPath: /home/user/.config/buildkit
+          readOnly: true
+        - name: metadata-out
+          mountPath: /home/user/.metadata
+      securityContext:
+        seccompProfile:
+          type: Unconfined
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        # appArmorProfile:
+        #   type: Unconfined
+      env:
+        - name: BUILDKITD_FLAGS
+          value: "--oci-worker-no-process-sandbox"
+        - name: DOCKER_CONFIG
+          value: $(workspaces.dockerconfig.path)
+    - name: read-metadata
+      image: python:3.13-alpine3.20
+      workingDir: "$(workspaces.source.path)"
+      script: |
+        #!/usr/bin/env python
+        import json
+        with open("/home/user/.metadata/build.json", "r") as f:
+            meta_body = f.read()
+            print(meta_body)
+            meta = json.loads(meta_body)
+        with open("$(results.IMAGE_DIGEST.path)", "w") as f:
+            print(meta["containerimage.digest"], file=f, end="")
+        with open("$(results.IMAGE_URL.path)", "w") as f:
+            print(json.dumps(meta["image.name"].split(",")), file=f, end="")
+      volumeMounts:
+        - name: metadata-out
+          mountPath: /home/user/.metadata
+          readOnly: true
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000