fix(KFLUXBUGS-1152): add support for multi-arch #871
LGTM, thanks.
/retest-required
Similar: #873 ^ is possibly a more generic change?
I started something similar in 95c15a7. A difference is that it would print all of the sboms, one for each arch, if an image index was detected. I didn't get a chance to test it yet though. I got hung up when I realized that the existing image for the task contains only cosign, and doesn't contain skopeo. At that point I backed out and tried #873. If you see a way to easily get skopeo and cosign both in the image here, I think the dynamic approach here is better than #873. If we do go ahead with this, consider pulling in the looping idea from 95c15a7 instead of assuming that amd64 is the only arch the user cares about.
Note, the other architectures are actually important. For the bootc images, for instance, we expect the sbom content to differ between the different arches - and those differences will be important for some users to know. For example, try one of the centos-bootc images: quay.io/redhat-user-workloads/centos-bootc-tenant/centos-bootc/centos-bootc. Download the sbom twice, once with --platform linux/amd64 and once with --platform linux/arm64. Note the grub2-pc package in the diff between those SBOMs.
5a4f9b9 to 7077a82
updated PR to use different task image that includes
300c4fd to 188f004
task/show-sbom/0.1/show-sbom.yaml
Outdated
for arch in $ARCHES; do | ||
echo "" | ||
echo "Arch: $arch" | ||
echo "" | ||
download_sbom_with_retry " --platform=linux/$arch " | ||
done |
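Review bot: `for arch in $ARCHES` expands the list unquoted, so each entry goes through word splitting and glob expansion before it is pasted into the padded flag string " --platform=linux/$arch ", which only works if download_sbom_with_retry re-expands that string unquoted. If ARCHES is built from the image index, its entries are registry-supplied data: check each one against a strict pattern (for example lowercase letters and digits only) before use, and pass the platform to the function as its own quoted argument. The loop also shows no handling for a failed download of one arch; decide whether a failure should stop the loop or be reported and skipped.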
Since this is just a task to show the summary in the console, I don't know if users would get any value iterating through all of the arches and showing all SBOMs. I wouldn't expect this to be a primary means to see the information. Instead, this might decrease the utility as it just increases the size of the logs.
See @ralphbean's comment:
Yes, the SBOM content is important, but I don't know if it is important in this context. This Tekton task is just a "quick method" to show users what is in the builds. I posit that if users want to see detailed information then they will likely try to either access it locally where they can target specific architectures or they will upload the SBOMs to some tool like guac.sh.
I started this conversation with @ralphbean in #873 (review) but it wasn't resolved before that PR was closed.
so we remove the task from the pipeline? I am not familiar with the history of why this task was needed in the first place.
@ralphbean and I chatted again. We agree that it would make sense to use a solution like #873 where we default to amd64 by default. This would prevent e2e tests from breaking as you observed in this PR and it would allow users to show specific architecture's SBOMs on their own if they are interested in it.
That's what I was thinking too. Although we still have to detect if it is a multi-arch image because you cannot specify a platform for a single Arch image with cosign.
5da9e4b to 43eb761
@arewm @ralphbean please review
task/show-sbom/0.1/show-sbom.yaml
Outdated
echo "Inspecting image ${IMAGE_URL}" | ||
|
Does this need to be dropped so as not to break the e2e-tests and other sensitive parsers who are expecting only JSON here?
true! dropped.
task/show-sbom/0.1/show-sbom.yaml
Outdated
if [ -z "${PLATFORM}" ]; then | ||
PLATFORM="amd64" | ||
fi | ||
download_sbom_with_retry " --platform=linux/$PLATFORM " |
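Review bot: PLATFORM is a user-supplied task parameter, and on the last line it is interpolated into the space-padded flag string " --platform=linux/$PLATFORM ", which suggests the callee splices that string unquoted into the download command line; a value containing whitespace would then turn into extra arguments. Validate the value before use, rejecting anything outside the expected character set with a clear error, and pass the flag as its own quoted argument. The empty check can also be collapsed to PLATFORM="${PLATFORM:-amd64}".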
Let's not hardcode the "linux/" prefix here to make the task more generic. Let PLATFORM be exactly whatever the user specifies and modify the documentation to tell users to set it to "linux/amd64" if they want amd64.
Note, there are actually non-linux containers like mcr.microsoft.com/windows/servercore:ltsc2022.
updated to be more flexible.
task/show-sbom/0.1/README.md
Outdated
| name | description | default value | required | | ||
|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------| | ||
| IMAGE_URL | Fully qualified image name to show SBOM for. | | true | | ||
| PLATFORM | Specific architecture to display the SBOM for. An example arch would be "amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "amd64". | | false | |
See comment below - I think this should be updated to expect a string like "linux/amd64" so that we don't box ourselves in.
updated
See inline comments above. Consider changing both the PLATFORM string and the echo statement.
/retest
task/show-sbom/0.1/README.md
Outdated
| name | description | default value | required | | ||
|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------| | ||
| IMAGE_URL | Fully qualified image name to show SBOM for. | | true | | ||
| PLATFORM | Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64". | | false | |
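Review bot: the PLATFORM row calls the value a "Specific architecture" while the example is an os/arch pair ("linux/amd64"); call it a platform and state the expected os/arch form. The description also leaves out the case the commit message spells out, that the parameter is ignored for a single-arch image; add that sentence so users know a PLATFORM value has no effect there.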
Nit: The default value is not included in the table column
fixed.
Thanks!
LGTM.
A new parameter is added, we need to make a new version with MIGRATION.md for this task.
/retest
- add new parameter called PLATFORM. The user can supply this parameter value if they want to display the sbom for a particular arch in the case of a multi-arch image.
- In the case of a single arch image, the parameter is ignored.
- if PLATFORM is empty and the image is multi-arch, the task defaults to 'amd64'

Signed-off-by: Scott Hebert <[email protected]>
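The behaviour the thread settles on (detect a multi-arch image, ignore PLATFORM for a single-arch one, fall back to a default when it is empty, and take PLATFORM as a full os/arch string) is shown below as an added example; it is not code from this PR or from the task. The function names, the "linux/amd64" default taken from the README revision, the constructed sample manifests and the input validation step are all assumptions of this example.

```sh
# Added example, not the task's own script. Function names and the
# "linux/amd64" default are assumptions taken from the review discussion.
LC_ALL=C   # make [a-z] in the patterns below plain ASCII ranges

# Constructed, trimmed sample manifests (not pulled from any registry).
INDEX_JSON='{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"platform":{"architecture":"amd64","os":"linux"}},{"platform":{"architecture":"arm64","os":"linux"}}]}'
SINGLE_JSON='{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{},"layers":[]}'

# True when the raw manifest JSON is an OCI image index or a Docker manifest
# list, i.e. a multi-arch image. Text match on the media type; an index that
# omits its top-level mediaType would need a real JSON parser.
is_image_index() {
  printf '%s' "$1" | grep -Eq \
    '"mediaType"[[:space:]]*:[[:space:]]*"application/vnd\.(oci\.image\.index\.v1|docker\.distribution\.manifest\.list\.v2)\+json"'
}

# Accept only os/arch or os/arch/variant made of [a-z0-9._-], so the value
# cannot carry whitespace, quotes or a second flag into the command line.
valid_platform() {
  case "$1" in
    *[!a-z0-9/._-]*) return 1 ;;       # any other byte, newline included
    /*|*/|*//*|*/*/*/*) return 1 ;;    # empty segment or more than three
    */*) return 0 ;;
    *) return 1 ;;                     # no slash at all, e.g. "amd64"
  esac
}

# Print the flag for the SBOM download: nothing for a single-arch image
# (PLATFORM is ignored), the default for an empty PLATFORM, status 2 if invalid.
sbom_platform_flag() {
  manifest=$1
  platform=$2
  is_image_index "$manifest" || return 0
  [ -n "$platform" ] || platform="linux/amd64"
  if ! valid_platform "$platform"; then
    echo "invalid PLATFORM value" >&2
    return 2
  fi
  printf '%s\n' "--platform=$platform"
}

sbom_platform_flag "$INDEX_JSON" ""             # --platform=linux/amd64
sbom_platform_flag "$SINGLE_JSON" "linux/arm64" # prints nothing
```

The caller would pass the printed flag, when there is one, as a single quoted argument to the download command.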
Quality Gate passed
README mentions this: Adding a new parameter with a default value does not require the task version increase so we should be ok as-is
for each arch present