From 89d005b063964114e728e144cc015cd39467466a Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Tue, 27 Aug 2024 13:42:38 +0000 Subject: [PATCH 1/4] Red Hat Konflux update gatekeeper-fbc-v413 Signed-off-by: red-hat-konflux --- .tekton/gatekeeper-fbc-v413-pull-request.yaml | 28 +++++++++---------- .tekton/gatekeeper-fbc-v413-push.yaml | 26 ++++++++--------- 2 files changed, 25 insertions(+), 29 deletions(-) diff --git a/.tekton/gatekeeper-fbc-v413-pull-request.yaml b/.tekton/gatekeeper-fbc-v413-pull-request.yaml index 4858f1b7..b5f3e3e1 100644 --- a/.tekton/gatekeeper-fbc-v413-pull-request.yaml +++ b/.tekton/gatekeeper-fbc-v413-pull-request.yaml @@ -9,7 +9,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && ( "v4.13/***".pathChanged() || ".tekton/gatekeeper-fbc-v413-pull-request.yaml".pathChanged() - ) + || "catalog.Containerfile".pathChanged() ) creationTimestamp: null labels: appstudio.openshift.io/application: gatekeeper-fbc-v413 @@ -28,7 +28,7 @@ spec: - name: image-expires-after value: 5d - name: dockerfile - value: Containerfile.catalog + value: catalog.Containerfile - name: path-context value: v4.13 pipelineSpec: @@ -42,7 +42,7 @@ spec: - name: name value: show-sbom - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:7f8b5499a21de9aca718d0cf2e170949af6b30cacf882d64983471a2c673b1da + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b - name: kind value: task resolver: bundles @@ -144,7 +144,7 @@ spec: - name: name value: init - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:99c98d3e5195e9920482f2187590d6f9150c4b8a2001b1ce5dcd5077abda9481 + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:092c113b614f6551113f17605ae9cb7e822aa704d07f0e37ed209da23ce392cc - name: kind value: task resolver: bundles 
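Review bot: The `dockerfile` param in hunk `@@ -28,7 +28,7` now points at `catalog.Containerfile`, but this patch does not add or rename such a file; the diffstat lists only the two `.tekton` pipeline files. If the repository still carries only `Containerfile.catalog`, the build task will not find its input, and the new `"catalog.Containerfile".pathChanged()` clause in `@@ -9,7 +9,7` will never match. The same value is set in the push file (`@@ -24,7 +24,7`). Confirm which file name exists in the repository before merging, and keep `value: Containerfile.catalog` if that is the one.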
@@ -161,7 +161,7 @@ spec: - name: name value: git-clone - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:de0ca8872c791944c479231e21d68379b54877aaf42e5f766ef4a8728970f8b3 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0bb1be8363557e8e07ec34a3c5daaaaa23c9d533f0bb12f00dc604d00de50814 - name: kind value: task resolver: bundles @@ -196,7 +196,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.1@sha256:72e4ddd9b543e2766830e3a513da5c2fec26ea7a72a50e8c85be642912caa603 + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.1@sha256:86b4ef27ca34e0e02429b2e44e3567169223067e34aff2e1bedbf7faab598045 - name: kind value: task resolver: bundles @@ -210,8 +210,6 @@ spec: workspace: workspace - name: deprecated-base-image-check params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - name: IMAGE_URL value: $(tasks.build-container.results.IMAGE_URL) - name: IMAGE_DIGEST @@ -223,7 +221,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:ea275aeb7d204ef203a67e6a45a4902479afc1d906d2120f0d8c77d9541ea850 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:d98fa9daf5ee12dfbf00880b83d092d01ce9994d79836548d2f82748bb0c64a2 - name: kind value: task resolver: bundles @@ -245,7 +243,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:acc9cb8a714f33c0e48d6ca219b6bd0191f09cdd767af4ef3a35d0a5cac53b5d + value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:89b375e21613aa48a48bec8d61a166e07155e1282456c17dd794cd59933cdeaa - name: kind value: task resolver: bundles 
@@ -265,7 +263,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:516875845f2988848ebde5f3e9c717d6077af7bf9b3cb2b34a3c3f86b2609a14 + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:8a8c1342bfa0b263361cbbc28036750ebc3d7c2460230b14d641170b812dddcc - name: kind value: task resolver: bundles @@ -286,7 +284,7 @@ spec: - name: name value: push-dockerfile - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:e2c8fa67da036cef81e407e28c14b6a2034c6564009e084c368005a4640c554c + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:e4abc7c7671e4455465e48f96831cfafdb4de368cbcb9f27a8e5b9b0553ac35e - name: kind value: task resolver: bundles @@ -306,7 +304,7 @@ spec: - name: name value: inspect-image - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-inspect-image:0.1@sha256:081686425a7e37356da5806eb348bceee47964f2a588f760a14e454aba1fd56f + value: quay.io/konflux-ci/tekton-catalog/task-inspect-image:0.1@sha256:35243540a5ca012c299d45e9861debacd0c283303897b0c26806536b908067c1 - name: kind value: task resolver: bundles @@ -333,7 +331,7 @@ spec: - name: name value: fbc-validation - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-fbc-validation:0.1@sha256:37af0ac519e093860b1ba5f88f0beea87d768d402a71e41c214705f33ffd535e + value: quay.io/konflux-ci/tekton-catalog/task-fbc-validation:0.1@sha256:1f14e99269499446cfaee5bed9876f1238095292c8742c88bffa94422e62451e - name: kind value: task resolver: bundles @@ -353,7 +351,7 @@ spec: - name: name value: fbc-related-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-fbc-related-image-check:0.1@sha256:02e8efbb04783d19e0f1f48a4261770625b20e2fdfe0515336570aab9bdf7ecc + value: quay.io/konflux-ci/tekton-catalog/task-fbc-related-image-check:0.1@sha256:0fae84cc832d21c250334ab1d285db92e7e22e916ea342d044e46136c502d2f8 - name: kind value: task resolver: bundles 
diff --git a/.tekton/gatekeeper-fbc-v413-push.yaml b/.tekton/gatekeeper-fbc-v413-push.yaml index 85853b9d..e3358c8c 100644 --- a/.tekton/gatekeeper-fbc-v413-push.yaml +++ b/.tekton/gatekeeper-fbc-v413-push.yaml @@ -24,7 +24,7 @@ spec: - name: output-image value: quay.io/redhat-user-workloads/konflux-samples-tenant/gatekeeper-fbc-v413/gatekeeper-fbc-v413:{{revision}} - name: dockerfile - value: Containerfile.catalog + value: catalog.Containerfile - name: path-context value: v4.13 pipelineSpec: @@ -38,7 +38,7 @@ spec: - name: name value: show-sbom - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:7f8b5499a21de9aca718d0cf2e170949af6b30cacf882d64983471a2c673b1da + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b - name: kind value: task resolver: bundles @@ -140,7 +140,7 @@ spec: - name: name value: init - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:99c98d3e5195e9920482f2187590d6f9150c4b8a2001b1ce5dcd5077abda9481 + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:092c113b614f6551113f17605ae9cb7e822aa704d07f0e37ed209da23ce392cc - name: kind value: task resolver: bundles @@ -157,7 +157,7 @@ spec: - name: name value: git-clone - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:de0ca8872c791944c479231e21d68379b54877aaf42e5f766ef4a8728970f8b3 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0bb1be8363557e8e07ec34a3c5daaaaa23c9d533f0bb12f00dc604d00de50814 - name: kind value: task resolver: bundles 
@@ -192,7 +192,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.1@sha256:72e4ddd9b543e2766830e3a513da5c2fec26ea7a72a50e8c85be642912caa603 + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.1@sha256:86b4ef27ca34e0e02429b2e44e3567169223067e34aff2e1bedbf7faab598045 - name: kind value: task resolver: bundles @@ -206,8 +206,6 @@ spec: workspace: workspace - name: deprecated-base-image-check params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - name: IMAGE_URL value: $(tasks.build-container.results.IMAGE_URL) - name: IMAGE_DIGEST @@ -219,7 +217,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:ea275aeb7d204ef203a67e6a45a4902479afc1d906d2120f0d8c77d9541ea850 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:d98fa9daf5ee12dfbf00880b83d092d01ce9994d79836548d2f82748bb0c64a2 - name: kind value: task resolver: bundles @@ -241,7 +239,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:acc9cb8a714f33c0e48d6ca219b6bd0191f09cdd767af4ef3a35d0a5cac53b5d + value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:89b375e21613aa48a48bec8d61a166e07155e1282456c17dd794cd59933cdeaa - name: kind value: task resolver: bundles @@ -261,7 +259,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:516875845f2988848ebde5f3e9c717d6077af7bf9b3cb2b34a3c3f86b2609a14 + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:8a8c1342bfa0b263361cbbc28036750ebc3d7c2460230b14d641170b812dddcc - name: kind value: task resolver: bundles 
@@ -282,7 +280,7 @@ spec: - name: name value: push-dockerfile - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:e2c8fa67da036cef81e407e28c14b6a2034c6564009e084c368005a4640c554c + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:e4abc7c7671e4455465e48f96831cfafdb4de368cbcb9f27a8e5b9b0553ac35e - name: kind value: task resolver: bundles @@ -302,7 +300,7 @@ spec: - name: name value: inspect-image - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-inspect-image:0.1@sha256:081686425a7e37356da5806eb348bceee47964f2a588f760a14e454aba1fd56f + value: quay.io/konflux-ci/tekton-catalog/task-inspect-image:0.1@sha256:35243540a5ca012c299d45e9861debacd0c283303897b0c26806536b908067c1 - name: kind value: task resolver: bundles @@ -329,7 +327,7 @@ spec: - name: name value: fbc-validation - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-fbc-validation:0.1@sha256:37af0ac519e093860b1ba5f88f0beea87d768d402a71e41c214705f33ffd535e + value: quay.io/konflux-ci/tekton-catalog/task-fbc-validation:0.1@sha256:1f14e99269499446cfaee5bed9876f1238095292c8742c88bffa94422e62451e - name: kind value: task resolver: bundles @@ -349,7 +347,7 @@ spec: - name: name value: fbc-related-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-fbc-related-image-check:0.1@sha256:02e8efbb04783d19e0f1f48a4261770625b20e2fdfe0515336570aab9bdf7ecc + value: quay.io/konflux-ci/tekton-catalog/task-fbc-related-image-check:0.1@sha256:0fae84cc832d21c250334ab1d285db92e7e22e916ea342d044e46136c502d2f8 - name: kind value: task resolver: bundles From c8640f9048431d4df972fa4317e9394e2b8cbb9a Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Tue, 27 Aug 2024 13:53:55 +0000 Subject: [PATCH 2/4] Red Hat Konflux update gatekeeper-fbc-v413 
Signed-off-by: red-hat-konflux --- .tekton/gatekeeper-fbc-v413-pull-request.yaml | 103 +++++++++--------- .tekton/gatekeeper-fbc-v413-push.yaml | 103 +++++++++--------- 2 files changed, 108 insertions(+), 98 deletions(-) diff --git a/.tekton/gatekeeper-fbc-v413-pull-request.yaml b/.tekton/gatekeeper-fbc-v413-pull-request.yaml index b5f3e3e1..74aea2e3 100644 --- a/.tekton/gatekeeper-fbc-v413-pull-request.yaml +++ b/.tekton/gatekeeper-fbc-v413-pull-request.yaml @@ -36,7 +36,7 @@ spec: - name: show-sbom params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) taskRef: params: - name: name @@ -55,7 +55,7 @@ spec: - name: image-url value: $(params.output-image) - name: build-task-status - value: $(tasks.build-container.status) + value: $(tasks.build-image-index.status) taskRef: params: - name: name @@ -105,10 +105,6 @@ spec: description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: "false" - description: Java build - name: java - type: string - default: "" description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. @@ -117,13 +113,17 @@ spec: description: Build a source image. name: build-source-image type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string results: - description: "" name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - description: "" name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) 
@@ -196,7 +196,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.1@sha256:86b4ef27ca34e0e02429b2e44e3567169223067e34aff2e1bedbf7faab598045 + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:83db74702b5f0d714b3aae066faa5037d3f096f9fa108d18c0e78317fa35f1fd - name: kind value: task resolver: bundles @@ -208,14 +208,43 @@ spec: workspaces: - name: source workspace: workspace + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:409ff39379c50d3c257229b4c6d6600e35eb53637504c47fb36ade262c70716e + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" - name: deprecated-base-image-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name 
@@ -233,17 +262,17 @@ spec: - name: sbom-json-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: sbom-json-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:89b375e21613aa48a48bec8d61a166e07155e1282456c17dd794cd59933cdeaa + value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:2c5de51ec858fc8d47e41c65b20c83fdac249425d67ed6d1058f9f3e0b574500 - name: kind value: task resolver: bundles 
@@ -255,56 +284,32 @@ spec: - name: apply-tags params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:8a8c1342bfa0b263361cbbc28036750ebc3d7c2460230b14d641170b812dddcc - - name: kind - value: task - resolver: bundles - - name: push-dockerfile - params: - - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - runAfter: - - build-container - taskRef: - params: - - name: name - value: push-dockerfile - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:e4abc7c7671e4455465e48f96831cfafdb4de368cbcb9f27a8e5b9b0553ac35e + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:e6beb161ed59d7be26317da03e172137b31b26648d3e139558e9a457bc56caff - name: kind value: task resolver: bundles - workspaces: - - name: workspace - workspace: workspace - name: inspect-image params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: inspect-image - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-inspect-image:0.1@sha256:35243540a5ca012c299d45e9861debacd0c283303897b0c26806536b908067c1 + value: quay.io/konflux-ci/tekton-catalog/task-inspect-image:0.1@sha256:c8d7616fba1533637547eccd598314721a106ec0d108dcb5162e234d5d90c755 - name: kind value: task resolver: bundles 
@@ -319,9 +324,9 @@ spec: - name: fbc-validate params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: BASE_IMAGE value: $(tasks.inspect-image.results.BASE_IMAGE) runAfter: diff --git a/.tekton/gatekeeper-fbc-v413-push.yaml b/.tekton/gatekeeper-fbc-v413-push.yaml index e3358c8c..15182d3a 100644 --- a/.tekton/gatekeeper-fbc-v413-push.yaml +++ b/.tekton/gatekeeper-fbc-v413-push.yaml @@ -32,7 +32,7 @@ spec: - name: show-sbom params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) taskRef: params: - name: name @@ -51,7 +51,7 @@ spec: - name: image-url value: $(params.output-image) - name: build-task-status - value: $(tasks.build-container.status) + value: $(tasks.build-image-index.status) taskRef: params: - name: name @@ -101,10 +101,6 @@ spec: description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: "false" - description: Java build - name: java - type: string - default: "" description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. @@ -113,13 +109,17 @@ spec: description: Build a source image. name: build-source-image type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string results: - description: "" name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - description: "" name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) 
@@ -192,7 +192,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.1@sha256:86b4ef27ca34e0e02429b2e44e3567169223067e34aff2e1bedbf7faab598045 + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:83db74702b5f0d714b3aae066faa5037d3f096f9fa108d18c0e78317fa35f1fd - name: kind value: task resolver: bundles @@ -204,14 +204,43 @@ spec: workspaces: - name: source workspace: workspace + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:409ff39379c50d3c257229b4c6d6600e35eb53637504c47fb36ade262c70716e + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" - name: deprecated-base-image-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name 
@@ -229,17 +258,17 @@ spec: - name: sbom-json-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: sbom-json-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:89b375e21613aa48a48bec8d61a166e07155e1282456c17dd794cd59933cdeaa + value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:2c5de51ec858fc8d47e41c65b20c83fdac249425d67ed6d1058f9f3e0b574500 - name: kind value: task resolver: bundles 
@@ -251,56 +280,32 @@ spec: - name: apply-tags params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:8a8c1342bfa0b263361cbbc28036750ebc3d7c2460230b14d641170b812dddcc - - name: kind - value: task - resolver: bundles - - name: push-dockerfile - params: - - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - runAfter: - - build-container - taskRef: - params: - - name: name - value: push-dockerfile - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:e4abc7c7671e4455465e48f96831cfafdb4de368cbcb9f27a8e5b9b0553ac35e + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:e6beb161ed59d7be26317da03e172137b31b26648d3e139558e9a457bc56caff - name: kind value: task resolver: bundles - workspaces: - - name: workspace - workspace: workspace - name: inspect-image params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: inspect-image - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-inspect-image:0.1@sha256:35243540a5ca012c299d45e9861debacd0c283303897b0c26806536b908067c1 + value: quay.io/konflux-ci/tekton-catalog/task-inspect-image:0.1@sha256:c8d7616fba1533637547eccd598314721a106ec0d108dcb5162e234d5d90c755 - name: kind value: task resolver: bundles 
@@ -315,9 +320,9 @@ spec: - name: fbc-validate params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: BASE_IMAGE value: $(tasks.inspect-image.results.BASE_IMAGE) runAfter: From b85301ea9b936251fef47ffe100d60a873acda03 Mon Sep 17 00:00:00 2001 From: arewm Date: Tue, 27 Aug 2024 10:24:44 -0400 Subject: [PATCH 3/4] Change build pipeline to use multi-arch matrix builds This also includes using OCI trusted artifacts up to the build task. A workspace is still needed for some of the FBC tasks as these have not been rewritten to support OCI trusted artifacts. Signed-off-by: arewm --- .tekton/gatekeeper-fbc-v413-pull-request.yaml | 101 +++++++----------- .tekton/gatekeeper-fbc-v413-push.yaml | 95 ++++++---------- 2 files changed, 73 insertions(+), 123 deletions(-) diff --git a/.tekton/gatekeeper-fbc-v413-pull-request.yaml b/.tekton/gatekeeper-fbc-v413-pull-request.yaml index 74aea2e3..08606e06 100644 --- a/.tekton/gatekeeper-fbc-v413-pull-request.yaml +++ b/.tekton/gatekeeper-fbc-v413-pull-request.yaml @@ -9,7 +9,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && ( "v4.13/***".pathChanged() || ".tekton/gatekeeper-fbc-v413-pull-request.yaml".pathChanged() - || "catalog.Containerfile".pathChanged() ) + || "Containerfile.catalog".pathChanged() ) creationTimestamp: null labels: appstudio.openshift.io/application: gatekeeper-fbc-v413 @@ -28,9 +28,13 @@ spec: - name: image-expires-after value: 5d - name: dockerfile - value: catalog.Containerfile + value: Containerfile.catalog - name: path-context value: v4.13 + - name: build-platforms + value: + - linux/x86_64 + - linux/arm64 pipelineSpec: finally: - name: show-sbom 
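Review bot: After this commit the two pipelines name different build files: the `dockerfile` param in the pull-request file (hunk `@@ -28,9 +28,13`) goes back to `Containerfile.catalog`, while the context of the push file's `@@ -27,6 +27,10` hunk still shows `value: catalog.Containerfile`. Unless both files exist, one of the two runs will fail to find its Containerfile; if both exist, the pull-request checks validate a different build input than the one that is built on push. The `on-cel-expression` filter in `@@ -9,7 +9,7` is reverted the same way, so pull-request runs stop triggering on changes to `catalog.Containerfile`. Pick one name and use it in both pipeline files and in the CEL filter, e.g. `value: Containerfile.catalog` in `.tekton/gatekeeper-fbc-v413-push.yaml`.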
@@ -46,28 +50,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-image-index.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url @@ -97,7 +79,7 @@ spec: description: Skip checks against built image name: skip-checks type: string - - default: "false" + - default: "true" description: Execute the build with network isolation name: hermetic type: string @@ -113,10 +95,17 @@ spec: description: Build a source image. name: build-source-image type: string - - default: "false" + - default: "true" description: Add built image into an OCI image index name: build-image-index type: string + - default: + - linux/x86_64 + - linux/arm64 + description: List of platforms to build the container images on. The available + set of values is determined by the configuration of the multi-platform-controller. + name: build-platforms + type: array results: - description: "" name: IMAGE_URL 
@@ -154,14 +143,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0bb1be8363557e8e07ec34a3c5daaaaa23c9d533f0bb12f00dc604d00de50814 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0f4360ce144d46171ebd2e8f4d4575539a0600e02208ba5fc9beeb2c27ddfd4c - name: kind value: task resolver: bundles @@ -171,11 +164,14 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - - name: build-container + - matrix: + params: + - name: PLATFORM + value: + - $(params.build-platforms) + name: build-images params: - name: IMAGE value: $(params.output-image) @@ -184,19 +180,23 @@ spec: - name: CONTEXT value: $(params.path-context) - name: HERMETIC - value: "true" + value: $(params.hermetic) - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: IMAGE_APPEND_PLATFORM + value: "true" runAfter: - clone-repository taskRef: params: - name: name - value: buildah + value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:83db74702b5f0d714b3aae066faa5037d3f096f9fa108d18c0e78317fa35f1fd + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:ef246ea31c4ff9b98295830cb39892f39d1b5d1b21ca1ccb0ad9e7b9bd83608f - name: kind value: task resolver: bundles @@ -205,9 +205,6 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-image-index params: - name: IMAGE 
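Review bot: `HERMETIC` on the `build-images` task (hunk `@@ -184,19 +180,23`) is no longer the literal `"true"` but `$(params.hermetic)`, so network isolation of the build now depends on a value that any PipelineRun of this pipeline can set. The `hermetic` default is flipped to `"true"` in `@@ -97,7 +79,7`, which keeps the current behaviour only as long as nobody passes the param; whether `spec.params` sets it is not visible in these hunks. If the catalog build is meant to be always isolated, keep `value: "true"` on the task, or at least say so next to the param with a comment such as `# keep "true": overriding this lets the image build reach the network`. The push file gets the same change in `@@ -180,19 +176,23` and `@@ -93,7 +75,7`.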
@@ -220,15 +217,15 @@ spec: value: $(params.build-image-index) - name: IMAGES value: - - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - $(tasks.build-images.results.IMAGE_REF[*]) runAfter: - - build-container + - build-images taskRef: params: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:409ff39379c50d3c257229b4c6d6600e35eb53637504c47fb36ade262c70716e + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:dd87c1a2c598ebf2286d4cf7f1ff2c07d0ee3665c16041576012dd3f1a36b080 - name: kind value: task resolver: bundles @@ -259,28 +256,6 @@ spec: operator: in values: - "false" - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:2c5de51ec858fc8d47e41c65b20c83fdac249425d67ed6d1058f9f3e0b574500 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - name: apply-tags params: - name: IMAGE @@ -390,4 +365,4 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' -status: {} +status: {} \ No newline at end of file diff --git a/.tekton/gatekeeper-fbc-v413-push.yaml b/.tekton/gatekeeper-fbc-v413-push.yaml index 15182d3a..1346fd45 100644 --- a/.tekton/gatekeeper-fbc-v413-push.yaml +++ b/.tekton/gatekeeper-fbc-v413-push.yaml @@ -27,6 +27,10 @@ spec: value: catalog.Containerfile - name: path-context value: v4.13 + - name: build-platforms + value: + - linux/x86_64 + - linux/arm64 pipelineSpec: finally: - name: show-sbom 
@@ -42,28 +46,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-image-index.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url @@ -93,7 +75,7 @@ spec: description: Skip checks against built image name: skip-checks type: string - - default: "false" + - default: "true" description: Execute the build with network isolation name: hermetic type: string @@ -109,10 +91,17 @@ spec: description: Build a source image. name: build-source-image type: string - - default: "false" + - default: "true" description: Add built image into an OCI image index name: build-image-index type: string + - default: + - linux/x86_64 + - linux/arm64 + description: List of platforms to build the container images on. The available + set of values is determined by the configuration of the multi-platform-controller. + name: build-platforms + type: array results: - description: "" name: IMAGE_URL 
@@ -150,14 +139,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0bb1be8363557e8e07ec34a3c5daaaaa23c9d533f0bb12f00dc604d00de50814 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0f4360ce144d46171ebd2e8f4d4575539a0600e02208ba5fc9beeb2c27ddfd4c - name: kind value: task resolver: bundles @@ -167,11 +160,14 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - - name: build-container + - matrix: + params: + - name: PLATFORM + value: + - $(params.build-platforms) + name: build-images params: - name: IMAGE value: $(params.output-image) @@ -180,19 +176,23 @@ spec: - name: CONTEXT value: $(params.path-context) - name: HERMETIC - value: "true" + value: $(params.hermetic) - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: IMAGE_APPEND_PLATFORM + value: "true" runAfter: - clone-repository taskRef: params: - name: name - value: buildah + value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:83db74702b5f0d714b3aae066faa5037d3f096f9fa108d18c0e78317fa35f1fd + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:ef246ea31c4ff9b98295830cb39892f39d1b5d1b21ca1ccb0ad9e7b9bd83608f - name: kind value: task resolver: bundles @@ -201,9 +201,6 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-image-index params: - name: IMAGE 
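Review bot: The source artifact that `git-clone-oci-ta` pushes to `$(params.output-image).git` in the `-150,14 +139,18` hunk only expires when `image-expires-after` is non-empty. The param's default is outside this hunk; if it is empty on push runs, each run leaves a copy of the cloned repository in the image repository with no expiry, readable by anyone who can pull the image. A comment above `ociStorage` would document this, for example `# source artifact lives next to the image and shares its visibility; expires only when image-expires-after is set`. If the repository contents should not persist there, give the artifact its own expiry value instead of reusing the image's.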
@@ -216,15 +213,15 @@ spec: value: $(params.build-image-index) - name: IMAGES value: - - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - $(tasks.build-images.results.IMAGE_REF[*]) runAfter: - - build-container + - build-images taskRef: params: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:409ff39379c50d3c257229b4c6d6600e35eb53637504c47fb36ade262c70716e + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:dd87c1a2c598ebf2286d4cf7f1ff2c07d0ee3665c16041576012dd3f1a36b080 - name: kind value: task resolver: bundles @@ -255,28 +252,6 @@ spec: operator: in values: - "false" - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.1@sha256:2c5de51ec858fc8d47e41c65b20c83fdac249425d67ed6d1058f9f3e0b574500 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - name: apply-tags params: - name: IMAGE From 08f37975e99e8a366e60e8bb54491820566ea981 Mon Sep 17 00:00:00 2001 From: arewm Date: Tue, 27 Aug 2024 14:28:06 -0400 Subject: [PATCH 4/4] add doc snippet for converting fbc to multi-arch Signed-off-by: arewm --- docs/konflux-onboarding.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/konflux-onboarding.md b/docs/konflux-onboarding.md index fba17636..f3435935 100644 --- a/docs/konflux-onboarding.md +++ b/docs/konflux-onboarding.md 
@@ -116,4 +116,10 @@ This process of creating and maintaining FBC graphs can be integrated into your * https://github.com/ASzc/fbc-utils (These scripts use the `semver template`) -(If you would like to add references to new repositories/tools, please open a PR!) \ No newline at end of file +(If you would like to add references to new repositories/tools, please open a PR!) + +### Convert FBC pipeline to multi-arch + +If you plan to use your catalogs on multiple cluster architectures, you will need to build your FBC fragments on multiple architectures by modifying the Tekton PipelineRuns. + +A sample PR for these changes can be found in https://github.com/konflux-ci/olm-operator-konflux-sample/pull/65. \ No newline at end of file