From 1946708153ac9e3bcf84bdd2a1e009f77a6a573c Mon Sep 17 00:00:00 2001 From: arewm Date: Tue, 23 Jul 2024 14:51:37 -0400 Subject: [PATCH] Add an architecture suffix to images pushed for multi-platform In order to reduce the likelihood of users accidentally forgetting to specify unique tags for each architecture, we can add a suffix to the pushed image if an arch-specific one doesn't exist. Signed-off-by: arewm --- hack/generate-buildah-remote.sh | 4 +-- task-generator/remote/main.go | 25 ++++++++++++++----- .../0.1/build-image-manifest.yaml | 2 +- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 12 +++------ .../0.2/buildah-remote-oci-ta.yaml | 23 +++++++++-------- task/buildah-remote/0.2/buildah-remote.yaml | 23 +++++++++-------- task/buildah/0.2/buildah.yaml | 12 +++------ 7 files changed, 54 insertions(+), 47 deletions(-) diff --git a/hack/generate-buildah-remote.sh b/hack/generate-buildah-remote.sh index da061ed821..27ea1fdcfb 100755 --- a/hack/generate-buildah-remote.sh +++ b/hack/generate-buildah-remote.sh @@ -8,7 +8,7 @@ go build -o /tmp/remote-generator ./remote/main.go for version in 0.1 0.2; do /tmp/remote-generator --buildah-task="${SCRIPTDIR}/../task/buildah/${version}/buildah.yaml" \ - --remote-task="${SCRIPTDIR}/../task/buildah-remote/${version}/buildah-remote.yaml" + --remote-task="${SCRIPTDIR}/../task/buildah-remote/${version}/buildah-remote.yaml" --task-version="$version" /tmp/remote-generator --buildah-task="${SCRIPTDIR}/../task/buildah-oci-ta/${version}/buildah-oci-ta.yaml" \ - --remote-task="${SCRIPTDIR}/../task/buildah-remote-oci-ta/${version}/buildah-remote-oci-ta.yaml" + --remote-task="${SCRIPTDIR}/../task/buildah-remote-oci-ta/${version}/buildah-remote-oci-ta.yaml" --task-version="$version" done diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go index d03c0e4359..4ab9c59f6e 100644 --- a/task-generator/remote/main.go +++ b/task-generator/remote/main.go 
@@ -33,9 +33,11 @@ import ( func main() { var buildahTask string var buildahRemoteTask string + var taskVersion string flag.StringVar(&buildahTask, "buildah-task", "", "The location of the buildah task") flag.StringVar(&buildahRemoteTask, "remote-task", "", "The location of the buildah-remote task to overwrite") + flag.StringVar(&taskVersion, "task-version", "", "The version of the task to overwrite") opts := zap.Options{ Development: true, @@ -43,8 +45,8 @@ func main() { opts.BindFlags(flag.CommandLine) klog.InitFlags(flag.CommandLine) flag.Parse() - if buildahTask == "" || buildahRemoteTask == "" { - println("Must specify both buildah-task and remote-task params") + if buildahTask == "" || buildahRemoteTask == "" || taskVersion == "" { + println("Must specify both buildah-task, remote-task, and task-version params") os.Exit(1) } @@ -53,7 +55,7 @@ func main() { decodingScheme := runtime.NewScheme() utilruntime.Must(tektonapi.AddToScheme(decodingScheme)) - convertToSsh(&task) + convertToSsh(&task, taskVersion) y := printers.YAMLPrinter{} b := bytes.Buffer{} _ = y.PrintObj(&task, &b) @@ -87,7 +89,7 @@ func streamFileYamlToTektonObj(path string, obj runtime.Object) runtime.Object { return decodeBytesToTektonObjbytes(bytes, obj) } -func convertToSsh(task *tektonapi.Task) { +func convertToSsh(task *tektonapi.Task, taskVersion string) { builderImage := "" syncVolumes := map[string]bool{} @@ -96,9 +98,15 @@ func convertToSsh(task *tektonapi.Task) { syncVolumes[i.Name] = true } } + adjustRemoteImage := "if [[ \"${IMAGE##*-}\" != \"${PLATFORM##*/}\" ]]; then" + adjustRemoteImage += "\n export IMAGE=\"${IMAGE}-${PLATFORM##*/}\"\nfi\n" + for stepPod := range task.Spec.Steps { step := &task.Spec.Steps[stepPod] - if step.Name != "build" { + if step.Name == "inject-sbom-and-push" && taskVersion == "0.2" { + step.Script = adjustRemoteImage + "\n" + step.Script + continue + } else if step.Name != "build" { continue } podmanArgs := "" 
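Review bot: The new `taskVersion == ""` test rejects only an empty value, while the later hunks in this file act solely on the exact literal `"0.2"`. A mistyped or newer version would therefore generate a remote task without the architecture suffix and without any warning. Consider rejecting values the generator does not know, or logging which behaviour was selected. The message also still says "both" although three flags are now required: `println("Must specify the buildah-task, remote-task, and task-version params")`. main's body continues outside this hunk.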
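Review bot: `step.Script = adjustRemoteImage + "\n" + step.Script` puts the bash snippet ahead of whatever the step's script starts with, so if the source script opens with a `#!` line, that line is no longer first and the interpreter selection changes. The regenerated YAML in this patch shows the snippet after `#!/bin/bash` and `set -e`, which does not obviously match a plain prepend, so it is worth confirming that the committed output is what this code produces. If the source script can start with a shebang, splice the snippet in after the first line when `strings.HasPrefix(step.Script, "#!")` rather than prepending. The `else` after `continue` can also be dropped, leaving `if step.Name != "build" { continue }`. convertToSsh starts before and continues after this hunk.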
@@ -130,7 +138,9 @@ PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" fi ` - + if taskVersion == "0.2" { + ret += adjustRemoteImage + } env := "$PODMAN_PORT_FORWARD \\\n" // disable podman subscription-manager integration @@ -229,4 +239,7 @@ fi }, }) task.Spec.StepTemplate.Env = append(task.Spec.StepTemplate.Env, v1.EnvVar{Name: "BUILDER_IMAGE", Value: builderImage}) + if taskVersion == "0.2" { + task.Spec.StepTemplate.Env = append(task.Spec.StepTemplate.Env, v1.EnvVar{Name: "PLATFORM", Value: "$(params.PLATFORM)"}) + } } diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml index e0d1a08cd7..273c82b98d 100644 --- a/task/build-image-manifest/0.1/build-image-manifest.yaml +++ b/task/build-image-manifest/0.1/build-image-manifest.yaml @@ -62,7 +62,7 @@ spec: requests: memory: 512Mi cpu: 250m - args: ["$(params.IMAGES[*])"] + args: ["$(params.IMAGES)"] script: | #!/bin/bash # Fixing group permission on /var/lib/containers diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 92f9c295e7..a28120f2a4 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -584,13 +584,7 @@ spec: - SETFCAP runAsUser: 0 - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 workingDir: /var/workdir + script: | + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx $(cat $(results.IMAGE_REF.path)) 
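Review bot: The snippet appended by `ret += adjustRemoteImage` rewrites IMAGE by plain string suffixing, so it is only correct when IMAGE ends in a tag. If an untagged reference is accepted, the `-<arch>` suffix lands on the repository name and the push goes to a different repository than the one requested; a digest reference would end up with a malformed digest. A PLATFORM that carries a variant (os/arch/variant) would also make `${PLATFORM##*/}` yield the variant rather than the architecture. A guard ahead of the comparison makes the assumption explicit, e.g. `[[ "${IMAGE##*/}" == *:* && "$IMAGE" != *@* ]] || { echo "IMAGE must be a tagged reference" >&2; exit 1; }`. The raw string being extended starts outside this hunk.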
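Review bot: The switch from `$(params.IMAGES[*])` to `$(params.IMAGES)` in `args` is not covered by the commit description, and the IMAGES param declaration is outside this hunk. From here it cannot be confirmed that the script still receives one positional argument per image. Since this list decides which images end up in the manifest, either keep `args: ["$(params.IMAGES[*])"]` or add a comment above `args` stating the declared type of IMAGES and how the script splits it.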
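Review bot: `$(cat $(results.IMAGE_REF.path))` is unquoted and unchecked, so an empty or missing IMAGE_REF result leaves `cosign attach sbom` without an image argument and the failure is reported as a cosign usage error rather than a missing result. Reading the reference first makes the step fail clearly: `image_ref="$(cat "$(results.IMAGE_REF.path)")"`, `[ -n "$image_ref" ] || { echo "IMAGE_REF result is empty" >&2; exit 1; }`, `cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$image_ref"`. The same line is added in task/buildah/0.2/buildah.yaml, and the two generated remote tasks would pick up the fix on regeneration. The step image also changes from the dedicated cosign image to appstudio-utils, which the commit description does not mention.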
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 6db39a03ca..c4170001dc 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -187,6 +187,8 @@ spec: value: $(params.YUM_REPOS_D_TARGET) - name: BUILDER_IMAGE value: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050 + - name: PLATFORM + value: $(params.PLATFORM) volumeMounts: - mountPath: /shared name: shared @@ -240,6 +242,9 @@ spec: PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" fi + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" @@ -607,6 +612,10 @@ spec: script: | #!/bin/bash set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) 
@@ -658,17 +667,11 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers workingDir: /var/workdir - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - computeResources: {} - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + - computeResources: {} + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 name: upload-sbom + script: | + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx $(cat $(results.IMAGE_REF.path)) workingDir: /var/workdir volumes: - name: activation-key diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index f23ebb69c9..f38e62b860 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -178,6 +178,8 @@ spec: value: $(params.SKIP_UNUSED_STAGES) - name: BUILDER_IMAGE value: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050 + - name: PLATFORM + value: $(params.PLATFORM) volumeMounts: - mountPath: /shared name: shared @@ -222,6 +224,9 @@ spec: PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" fi + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" 
@@ -589,6 +594,10 @@ spec: script: | #!/bin/bash set -e + if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then + export IMAGE="${IMAGE}-${PLATFORM##*/}" + fi + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -640,17 +649,11 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers workingDir: $(workspaces.source.path) - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - computeResources: {} - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + - computeResources: {} + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 name: upload-sbom + script: | + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx $(cat $(results.IMAGE_REF.path)) workingDir: $(workspaces.source.path) volumes: - emptyDir: {} diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 425ec93ae7..0e794910c3 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml 
@@ -538,15 +538,9 @@ spec: workingDir: $(workspaces.source.path) - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 + script: | + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx $(cat $(results.IMAGE_REF.path)) workingDir: $(workspaces.source.path) volumes: