Improve docs, add AWS ECR into entrypoint.sh

lzap · lzap · commit f6c889d18c7e · 2026-03-06T15:56:01.000+01:00
diff --git a/README.md b/README.md
@@ -14,6 +14,7 @@ are used by image builder.
 
 * `quay.io/fedora/fedora-bootc` versions N and N-1 (`x86_64`, `aarch64`)
 * `quay.io/centos-bootc/centos-bootc` versions Stream 9 and 10 (`x86_64`, `aarch64`)
+* `registry.redhat.io/rhelXX/rhel-bootc` (9 and 10) (`x86_64`)
 
 ## Building Containerfiles
 
@@ -57,20 +58,29 @@ Images are available as multi-arch image manifests with the following URIs:
 * `quay.io/osbuild/centos-bootc:stream10-gce`
 * `quay.io/osbuild/centos-bootc:stream10-qcow2`
 
+Image Mode for RHEL 9/10 images are only built on CICD to ensure everything
+works, but not pushed anywhere. 
+
 Derived images are automatically rebuilt after every push. Daily rebuild is
 scheduled for every morning (CET).
 
 ## CICD
 
 Building, manifest creation, and pushing are handled by a GitHub Action. Because
-the configuration matrix is large, it is generated using the `gen-cicd.py`
-script from [`config.yaml`](config.yaml).
+the configuration matrix is large, it is generated using the `make matrix`
+command and it uses [`config.yaml`](config.yaml) as the input.
 
 No cross-arch build is currently done since only x86_64 and aarch64 are
 supported and these are all available on GitHub.
 
-GitHub Actions use `ghcr.io` as a cache registry to speed up builds do base
-images does not need to be pulled from `quay.io` everytime.
+GitHub Actions use `ghcr.io` as a cache registry to speed up pulls and builds
+because both `quay.io` and `registry.redhat.io` are hosted elsewhere. The cache
+registry is private.
+
+The generation script also creates `matrix-*.sh` shell scripts which are called
+from `entrypoint.sh` which is used on RHOS cron job for builds on our AWS EC2
+infra. This is used in `Container.foundry` which is containerized version of
+this repository with all the scripts and Containerfiles.
 
 ## Using derived images
 
@@ -84,9 +94,3 @@ image-builder-cli manifest --bootc-ref quay.io/osbuild/fedora-bootc:43-qcow2 --b
 ## LICENSE
 
 Apache License 2.0
-
-## TODO
-
-* Document RHEL builds
-* Add AWS credentials and client to login.sh
-* Looks like /root/resources directory is missing (so symlinks are incorrect)
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -29,11 +29,19 @@ else
   echo "Using registry.redhat.io credentials from the host system"
 fi
 
+IMAGE="rhel-bootc"
+if [ -n "${AWS_REGION:-}" ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] && [ -n "${ECR_URL:-}" ]; then
+  ECR_HOSTNAME=$(echo "$ECR_URL" | sed -e 's|^https://||' -e 's|^http://||')
+  echo "Logging in to $ECR_HOSTNAME"
+  aws ecr get-login-password --region "$AWS_REGION" | buildah login --username AWS --password-stdin "$ECR_HOSTNAME"
+  IMAGE="$ECR_HOSTNAME/$IMAGE"
+fi
+
 if [ -n "${1:-}" ]; then
   echo "Running custom script $1 with arguments: ${*:2}"
   ./"$1" "${@:2}"
 else
   echo "Running default build matrix"
-  ./matrix-rhel9.sh rhel-bootc:9
-  ./matrix-rhel10.sh rhel-bootc:10
+  ./matrix-rhel9.sh "$IMAGE:9"
+  ./matrix-rhel10.sh "$IMAGE:10"
 fi
diff --git a/login.sh b/login.sh
@@ -4,10 +4,6 @@ set -xeuo pipefail
 if [ -n "${REPO_USERNAME:-}" ] && [ -n "${REPO_PASSWORD:-}" ]; then
   echo "Logging in to $TO_REGISTRY"
   echo "$REPO_PASSWORD" | buildah login -u "$REPO_USERNAME" --password-stdin "$TO_REGISTRY"
-elif [ -n "${AWS_REGION:-}" ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] && [ -n "${ECR_URL:-}" ]; then
-  # Let's assume the ECR_URL from app-interface Vault is in fact not URL but hostname
-  echo "Logging in to $ECR_URL"
-  aws ecr get-login-password --region "$AWS_REGION" | buildah login --username AWS --password-stdin "$ECR_URL"
 fi
 
 USE_CACHE=
