A set of scripts to clone the oc-mirror repo and build a container with a statically linked binary of the current branch (PRs can also be handled).
The base container is fairly lightweight: it uses a ubi9-minimal image, with the compiled binary and the scripts and isc folders copied in.
# build
podman build -t quay.io/oc-mirror/integration-tests-artifacts:v0.0.1 -f containerfile-rhel9-artifacts
# push
podman push quay.io/oc-mirror/integration-tests-artifacts:v0.0.1

The following steps are for local dev testing and can be ignored.
To build the container for local-dev
Execute the following command line
# this will build from the main branch
# parameters are
# $1 branch
# $2 delete oc-mirror directory
# $3 pr (number)
local-dev/clone-build.sh main true
# to build from a pr
local-dev/clone-build.sh MY-PR-BRANCH true 1073

On successful build of the container
# clean up images
podman rmi -f $(podman images | awk '{print $1":"$3}' | grep none | cut -d':' -f2)
# list all images
podman images
# use the image tag for quay.io/oc-mirror/integration-tests:v0.0.1-dev
# or just use the full name, i.e. quay.io/oc-mirror/integrations-tests-artifacts:v0.0.1-dev
# execute the container
# note the mount points
# - credentials ~/.docker
# - images (for host disk)
mkdir working-dir
podman run -it --net=host -v /home/${USER}/.docker/:/root/.docker -v ./working-dir/:/artifacts/workingdir a3e3773b0627 bash
# do a mirror to disk
oc-mirror --config isc/isc-happy-path.yaml file://workingdir --v2 --remove-signatures
# do a disk to mirror
# this assumes you have an instance of a registry running on your host
oc-mirror --config isc/isc-happy-path.yaml --from file://workingdir docker://localhost:5000/test --v2 --dest-tls-verify=false

To execute a flow use the following command
# mount the scripts folder for easier debugging
podman run -it --net=host -v /home/${USER}/.docker/:/root/.docker -v ./images/:/artifacts/workingdir -v ./scripts/:/artifacts/scripts a3e3773b0627 bash
# this will do a mirror-to-disk and disk-to-mirror
# also assumes you have an external registry (localhost:5000) running
./scripts/flow-controller.sh all_happy_path

This step has been included and updated in the current artifacts image.
This is just for information's sake in case there are changes needed to the test-release-index or test-image on quay.io.
You will also need to follow the next steps if you want to run these tests locally, as oc-mirror verifies the GPG signature on OpenShift releases.
First, execute the following command to create a "fake" GPG robot account. Use default settings and when prompted use an email like robot@test.com:
# use something like robot@test.com for an email address
gpg2 -a --full-generate-key
As we have a fixed naming convention for our release image we can now sign it.
To do so, you can navigate to quay.io and create a robot account (Account Settings > Robot Accounts).
Once created, click on it and copy and execute the Podman Login command, appending --authfile ~/.docker/robot-quay.json.
Once the authfile is created, proceed to create the sigstore and keys directories and sign the image:
mkdir ./sigstore
mkdir ./keys
podman image sign docker://quay.io/oc-mirror/release/test-release-index:v0.0.1 --sign-by robot@test.com --directory ./sigstore --authfile /home/${USER}/.docker/robot-quay.json --log-level=trace
Generate the ASCII output so that oc-mirror can read in the pk key:
gpg -a --output ./keys/release-pk.asc --export-secret-key robot@test.com
Finally, copy the sigstore public key to keys:
cp sigstore/oc-mirror/release/test-release-index\@sha256\=f81792339c8b5934191d18a53b18bc1d584e01a9f37d59c0aa6905b00200aa1b/signature-1 keys/v0.0.1-f81792339c8b5934191d18a53b18bc1d584e01a9f37d59c0aa6905b00200aa1b