Fix build_spec for ARM64 cross-build with buildx/QEMU, add IAM docs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 23:53:02 +09:00
parent 745913ca5b
commit 7a896c8c56
2 changed files with 62 additions and 3 deletions
--- a/build_spec.yaml
+++ b/build_spec.yaml
@@ -1,6 +1,6 @@
 version: 0.1
 component: build
-timeoutInSeconds: 1200
+timeoutInSeconds: 1800
 runAs: root
 shell: bash

@@ -13,6 +13,13 @@ env:
    - FRONTEND_IMAGE

 steps:
+  - type: Command
+    name: "Setup buildx for ARM64"
+    command: |
+      docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+      docker buildx create --name armbuilder --use
+      docker buildx inspect --bootstrap
+
  - type: Command
    name: "Set image tag"
    command: |
@@ -27,20 +34,22 @@ steps:
    name: "Build backend image"
    command: |
      cd backend-java
-      docker build --platform linux/arm64 \
+      docker buildx build --platform linux/arm64 \
        -t "${BACKEND_IMAGE}" \
        -t "${REGISTRY}/backend:latest" \
+        --load \
        .

  - type: Command
    name: "Build frontend image"
    command: |
      cd frontend
-      docker build --platform linux/arm64 \
+      docker buildx build --platform linux/arm64 \
        --build-arg NEXT_PUBLIC_GOOGLE_MAPS_API_KEY="${NEXT_PUBLIC_GOOGLE_MAPS_API_KEY}" \
        --build-arg NEXT_PUBLIC_GOOGLE_CLIENT_ID="${NEXT_PUBLIC_GOOGLE_CLIENT_ID}" \
        -t "${FRONTEND_IMAGE}" \
        -t "${REGISTRY}/frontend:latest" \
+        --load \
        .

 outputArtifacts:
--- a/docs/cicd-architecture.md
+++ b/docs/cicd-architecture.md
@@ -150,6 +150,56 @@ oci      → OCI Code Repository                  ← CI/CD 트리거용

 두 리모트에 모두 push하여 소스와 빌드를 동기화합니다.

+### OCI IAM 권한 설정 (빌드/배포용)
+
+OCI DevOps Build Pipeline이 코드 레포, OCIR, 시크릿 등에 접근하려면 **Dynamic Group**과 **IAM Policy**가 필요합니다.
+
+#### Dynamic Group
+
+| 이름 | 설명 |
+|------|------|
+| `tasteby-build-pipeline` | DevOps 빌드/배포 파이프라인 리소스 |
+
+**Matching Rule:**
+```
+ANY {
+  resource.type = 'devopsbuildpipeline',
+  resource.type = 'devopsrepository',
+  resource.type = 'devopsdeploypipeline',
+  resource.type = 'devopsconnection'
+}
+```
+
+#### IAM Policy
+
+| 이름 | 설명 |
+|------|------|
+| `tasteby-devops-policy` | DevOps 파이프라인 리소스 접근 권한 |
+
+**Policy Statements:**
+```
+Allow dynamic-group tasteby-build-pipeline to manage devops-family in tenancy
+Allow dynamic-group tasteby-build-pipeline to manage repos in tenancy
+Allow dynamic-group tasteby-build-pipeline to read secret-family in tenancy
+Allow dynamic-group tasteby-build-pipeline to manage generic-artifacts in tenancy
+Allow dynamic-group tasteby-build-pipeline to use ons-topics in tenancy
+```
+
+> **참고**: IAM 정책은 적용 후 전파에 최대 수 분이 걸릴 수 있습니다.
+> 빌드 실행 시 `RelatedResourceNotAuthorizedOrNotFound` 오류가 나면 정책 전파를 기다린 후 재시도하세요.
+
+#### OCI Code Repository 인증 (HTTPS)
+
+```
+Username: <tenancy-name>/oracleidentitycloudservice/<oci-username>
+Password: OCI Auth Token (User Settings에서 생성)
+```
+
+```bash
+# Git remote 추가 예시
+git remote add oci https://devops.scmservice.ap-seoul-1.oci.oraclecloud.com/namespaces/<namespace>/projects/tasteby/repositories/tasteby
+```
+
 ### build_spec.yaml 구조

 ```yaml