unify on a common buildah image for all tasks

Signed-off-by: arewm <[email protected]>
konflux-ci · Aug 12, 2024 · 5e0b00f · 5e0b00f
1 parent 66fcd99
commit 5e0b00f
Show file tree

Hide file tree

Showing 11 changed files with 150 additions and 21 deletions.
diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go
@@ -268,7 +268,6 @@ if ! [[ $IS_LOCALHOST ]]; then
 		}
 		step.Script = ret
 		builderImage = step.Image
-		step.Image = "quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44"
 		step.VolumeMounts = append(step.VolumeMounts, v1.VolumeMount{
 			Name:      "ssh",
 			ReadOnly:  true,

diff --git a/task/build-image-index/0.1/build-image-index.yaml b/task/build-image-index/0.1/build-image-index.yaml
@@ -0,0 +1,130 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  labels:
+    app.kubernetes.io/version: "0.1"
+    build.appstudio.redhat.com/build_type: "docker"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: "image-build, konflux"
+  name: build-image-index
+spec:
+  description: |-
+    This takes existing Image Manifests and combines them in an Image Index.
+  params:
+  - name: IMAGE
+    description: The target image and tag where the image will be pushed to.
+    type: string
+  - name: TLSVERIFY
+    description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
+    type: string
+    default: "true"
+  - name: COMMIT_SHA
+    description: The commit the image is built from.
+    type: string
+    default: ""
+  - name: IMAGES
+    description: List of Image Manifests to be referenced by the Image Index
+    type: array
+  - name: IMAGE_EXPIRES_AFTER
+    description: Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
+    type: string
+    default: ""
+  - name: BUILD_IMAGE_INDEX
+    description: Create an OCI image index referencing all passed params.IMAGES. This allows us to always include this task for a consistent pipeline even if a user does not want to generate the image index. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*.
+    type: string
+    default: "false"
+  - name: STORAGE_DRIVER
+    description: Storage driver to configure for buildah
+    type: string
+    default: vfs
+  results:
+  - description: Digest of the image just built
+    name: IMAGE_DIGEST
+  - description: Image repository where the built image was pushed
+    name: IMAGE_URL
+  - description: List of all referenced image manifests
+    name: IMAGES
+  stepTemplate:
+    env:
+    - name: BUILDAH_FORMAT
+      value: oci
+    - name: COMMIT_SHA
+      value: $(params.COMMIT_SHA)
+    - name: IMAGE
+      value: $(params.IMAGE)
+    - name: TLSVERIFY
+      value: $(params.TLSVERIFY)
+    - name: BUILD_IMAGE_INDEX
+      value: $(params.BUILD_IMAGE_INDEX)
+    - name: STORAGE_DRIVER
+      value: $(params.STORAGE_DRIVER)
+  steps:
+  - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
+    # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
+    # the cluster will set imagePullPolicy to IfNotPresent
+    name: build
+    computeResources:
+      limits:
+        memory: 4Gi
+      requests:
+        memory: 512Mi
+        cpu: 250m
+    args: ["$(params.IMAGES[*])"]
+    script: |
+      #!/bin/bash
+      # Fixing group permission on /var/lib/containers
+      set -eu
+      set -o pipefail
+      chown root:root /var/lib/containers
+
+      sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf
+
+      image_manifests=""
+      buildah manifest create "$IMAGE"
+      for i in $@
+      do
+        TOADD="$i"
+        if [[ $(echo "$i" | tr -cd ":" | wc -c) == 2 ]]; then
+          #we need to remove the tag, and just reference the digest
+          #as tag + digest is not supported
+          TOADD_REPOSITORY="$(echo "$i" | cut -d: -f1)"
+          TOADD_DIGEST="sha256:$(echo "$i" | cut -d: -f3)"
+          TOADD="${TOADD_REPOSITORY}@${TOADD_DIGEST}"
+        fi
+        if [[ "$SKIP_INDEX_GENERATION" != "false" ]]; then
+          echo "Skipping image index generation. Returning results for $TOADD"
+          echo -n "${TOADD_REPOSITORY}" > "$(results.IMAGE_URL.path)"
+          echo -n "${TOADD_DIGEST}" > "$(results.IMAGE_DIGEST.path)"
+          echo -n "${TOADD}" > "$(results.IMAGES.path)"
+          exit 0
+        fi
+        echo "Adding $TOADD"
+        image_manifests="${image_manifests} ${TOADD},"
+        buildah manifest add $IMAGE "docker://$TOADD" --all
+      done
+
+      status=-1
+      max_run=5
+      sleep_sec=10
+      for run in $(seq 1 $max_run); do
+        status=0
+        [ "$run" -gt 1 ] && sleep $sleep_sec
+        echo "Pushing image to registry"
+        buildah manifest push \
+          --tls-verify=$TLSVERIFY \
+          --digestfile image-digest $IMAGE \
+          docker://$IMAGE && break || status=$?
+      done
+      if [ "$status" -ne 0 ]; then
+          echo "Failed to push image to registry after ${max_run} tries"
+          exit 1
+      fi
+
+      cat image-digest | tee $(results.IMAGE_DIGEST.path)
+      echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
+      echo -n "${image_manifests:1:-1}" > "$(results.IMAGES.path)"
+    securityContext:
+      capabilities:
+        add:
+          - SETFCAP
diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml
@@ -54,7 +54,7 @@ spec:
     - name: COMMIT_SHA
       value: $(params.COMMIT_SHA)
   steps:
-  - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+  - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
     # the cluster will set imagePullPolicy to IfNotPresent
     name: build

diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
@@ -220,7 +220,7 @@ spec:
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
     - name: build
-      image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+      image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
       args:
         - $(params.BUILD_ARGS[*])
       workingDir: /var/workdir
@@ -528,7 +528,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: inject-sbom-and-push
-      image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+      image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
       workingDir: /var/workdir
       volumeMounts:
         - mountPath: /var/lib/containers

diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -222,7 +222,7 @@ spec:
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
     - name: build
-      image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+      image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
       args:
         - $(params.BUILD_ARGS[*])
       workingDir: /var/workdir
@@ -535,7 +535,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: inject-sbom-and-push
-      image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+      image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
       workingDir: /var/workdir
       volumeMounts:
         - mountPath: /var/lib/containers

diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
@@ -184,7 +184,7 @@ spec:
     - name: YUM_REPOS_D_TARGET
       value: $(params.YUM_REPOS_D_TARGET)
     - name: BUILDER_IMAGE
-      value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+      value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     volumeMounts:
     - mountPath: /shared
       name: shared
@@ -209,7 +209,7 @@ spec:
     env:
     - name: COMMIT_SHA
       value: $(params.COMMIT_SHA)
-    image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44
+    image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     name: build
     script: |-
       #!/bin/bash
@@ -618,7 +618,7 @@ spec:
       runAsUser: 0
     workingDir: /var/workdir
   - computeResources: {}
-    image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+    image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     name: inject-sbom-and-push
     script: |
       base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')

diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -186,7 +186,7 @@ spec:
     - name: YUM_REPOS_D_TARGET
       value: $(params.YUM_REPOS_D_TARGET)
     - name: BUILDER_IMAGE
-      value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+      value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     - name: PLATFORM
       value: $(params.PLATFORM)
     volumeMounts:
@@ -213,7 +213,7 @@ spec:
     env:
     - name: COMMIT_SHA
       value: $(params.COMMIT_SHA)
-    image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44
+    image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     name: build
     script: |-
       #!/bin/bash
@@ -647,7 +647,7 @@ spec:
       runAsUser: 0
     workingDir: /var/workdir
   - computeResources: {}
-    image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+    image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     name: inject-sbom-and-push
     script: |
       #!/bin/bash

diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -181,7 +181,7 @@ spec:
     - name: SKIP_UNUSED_STAGES
       value: $(params.SKIP_UNUSED_STAGES)
     - name: BUILDER_IMAGE
-      value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+      value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     volumeMounts:
     - mountPath: /shared
       name: shared
@@ -197,7 +197,7 @@ spec:
     env:
     - name: COMMIT_SHA
       value: $(params.COMMIT_SHA)
-    image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44
+    image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     name: build
     script: |-
       #!/bin/bash

diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -177,7 +177,7 @@ spec:
     - name: SKIP_UNUSED_STAGES
       value: $(params.SKIP_UNUSED_STAGES)
     - name: BUILDER_IMAGE
-      value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+      value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     - name: PLATFORM
       value: $(params.PLATFORM)
     volumeMounts:
@@ -195,7 +195,7 @@ spec:
     env:
     - name: COMMIT_SHA
       value: $(params.COMMIT_SHA)
-    image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44
+    image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     name: build
     script: |-
       #!/bin/bash
@@ -629,7 +629,7 @@ spec:
       runAsUser: 0
     workingDir: $(workspaces.source.path)
   - computeResources: {}
-    image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+    image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     name: inject-sbom-and-push
     script: |
       #!/bin/bash

diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
@@ -169,7 +169,7 @@ spec:
       value: $(params.SKIP_UNUSED_STAGES)
 
   steps:
-  - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+  - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     name: build
     computeResources:
       limits:
@@ -491,7 +491,7 @@ spec:
       runAsUser: 0
 
   - name: inject-sbom-and-push
-    image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+    image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     computeResources: {}
     script: |
       if [ -n "${PARAM_BUILDER_IMAGE}" ]; then

diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
@@ -164,7 +164,7 @@ spec:
       value: $(params.SKIP_UNUSED_STAGES)
 
   steps:
-  - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+  - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     name: build
     computeResources:
       limits:
@@ -487,7 +487,7 @@ spec:
       runAsUser: 0
 
   - name: inject-sbom-and-push
-    image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
+    image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314
     computeResources: {}
     script: |
       #!/bin/bash