From 5e0b00fedc0a2bc25d26eab42daa233a0fbeb141 Mon Sep 17 00:00:00 2001 From: arewm Date: Tue, 6 Aug 2024 13:29:52 -0400 Subject: [PATCH] unify on a common buildah image for all tasks Signed-off-by: arewm --- task-generator/remote/main.go | 1 - .../0.1/build-image-index.yaml | 130 ++++++++++++++++++ .../0.1/build-image-manifest.yaml | 2 +- task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 4 +- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 4 +- .../0.1/buildah-remote-oci-ta.yaml | 6 +- .../0.2/buildah-remote-oci-ta.yaml | 6 +- task/buildah-remote/0.1/buildah-remote.yaml | 4 +- task/buildah-remote/0.2/buildah-remote.yaml | 6 +- task/buildah/0.1/buildah.yaml | 4 +- task/buildah/0.2/buildah.yaml | 4 +- 11 files changed, 150 insertions(+), 21 deletions(-) create mode 100644 task/build-image-index/0.1/build-image-index.yaml diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go index e1551bf08b..a08b17983d 100644 --- a/task-generator/remote/main.go +++ b/task-generator/remote/main.go @@ -268,7 +268,6 @@ if ! [[ $IS_LOCALHOST ]]; then } step.Script = ret builderImage = step.Image - step.Image = "quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44" step.VolumeMounts = append(step.VolumeMounts, v1.VolumeMount{ Name: "ssh", ReadOnly: true, diff --git a/task/build-image-index/0.1/build-image-index.yaml b/task/build-image-index/0.1/build-image-index.yaml new file mode 100644 index 0000000000..57a22957aa --- /dev/null +++ b/task/build-image-index/0.1/build-image-index.yaml @@ -0,0 +1,130 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + build.appstudio.redhat.com/build_type: "docker" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "image-build, konflux" + name: build-image-index +spec: + description: |- + This takes existing Image Manifests and combines them in an Image Index. + params: + - name: IMAGE + description: The target image and tag where the image will be pushed to. + type: string + - name: TLSVERIFY + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + type: string + default: "true" + - name: COMMIT_SHA + description: The commit the image is built from. + type: string + default: "" + - name: IMAGES + description: List of Image Manifests to be referenced by the Image Index + type: array + - name: IMAGE_EXPIRES_AFTER + description: Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + type: string + default: "" + - name: BUILD_IMAGE_INDEX + description: Create an OCI image index referencing all passed params.IMAGES. This allows us to always include this task for a consistent pipeline even if a user does not want to generate the image index. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. + type: string + default: "false" + - name: STORAGE_DRIVER + description: Storage driver to configure for buildah + type: string + default: vfs + results: + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed + name: IMAGE_URL + - description: List of all referenced image manifests + name: IMAGES + stepTemplate: + env: + - name: BUILDAH_FORMAT + value: oci + - name: COMMIT_SHA + value: $(params.COMMIT_SHA) + - name: IMAGE + value: $(params.IMAGE) + - name: TLSVERIFY + value: $(params.TLSVERIFY) + - name: BUILD_IMAGE_INDEX + value: $(params.BUILD_IMAGE_INDEX) + - name: STORAGE_DRIVER + value: $(params.STORAGE_DRIVER) + steps: + - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + name: build + computeResources: + limits: + memory: 4Gi + requests: + memory: 512Mi + cpu: 250m + args: ["$(params.IMAGES[*])"] + script: | + #!/bin/bash + # Fixing group permission on /var/lib/containers + set -eu + set -o pipefail + chown root:root /var/lib/containers + + sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf + + image_manifests="" + buildah manifest create "$IMAGE" + for i in $@ + do + TOADD="$i" + if [[ $(echo "$i" | tr -cd ":" | wc -c) == 2 ]]; then + #we need to remove the tag, and just reference the digest + #as tag + digest is not supported + TOADD_REPOSITORY="$(echo "$i" | cut -d: -f1)" + TOADD_DIGEST="sha256:$(echo "$i" | cut -d: -f3)" + TOADD="${TOADD_REPOSITORY}@${TOADD_DIGEST}" + fi + if [[ "$SKIP_INDEX_GENERATION" != "false" ]]; then + echo "Skipping image index generation. Returning results for $TOADD" + echo -n "${TOADD_REPOSITORY}" > "$(results.IMAGE_URL.path)" + echo -n "${TOADD_DIGEST}" > "$(results.IMAGE_DIGEST.path)" + echo -n "${TOADD}" > "$(results.IMAGES.path)" + exit 0 + fi + echo "Adding $TOADD" + image_manifests="${image_manifests} ${TOADD}," + buildah manifest add $IMAGE "docker://$TOADD" --all + done + + status=-1 + max_run=5 + sleep_sec=10 + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + echo "Pushing image to registry" + buildah manifest push \ + --tls-verify=$TLSVERIFY \ + --digestfile image-digest $IMAGE \ + docker://$IMAGE && break || status=$? + done + if [ "$status" -ne 0 ]; then + echo "Failed to push image to registry after ${max_run} tries" + exit 1 + fi + + cat image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "${image_manifests:1:-1}" > "$(results.IMAGES.path)" + securityContext: + capabilities: + add: + - SETFCAP diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml index 57ba3c3a90..26b0456588 100644 --- a/task/build-image-manifest/0.1/build-image-manifest.yaml +++ b/task/build-image-manifest/0.1/build-image-manifest.yaml @@ -54,7 +54,7 @@ spec: - name: COMMIT_SHA value: $(params.COMMIT_SHA) steps: - - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent name: build diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index d4e6ea3710..45f0f325fa 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -220,7 +220,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: build - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 args: - $(params.BUILD_ARGS[*]) workingDir: /var/workdir @@ -528,7 +528,7 @@ spec: securityContext: runAsUser: 0 - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 workingDir: /var/workdir volumeMounts: - mountPath: /var/lib/containers diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 953adc4df4..4b024dc380 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -222,7 +222,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: build - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 args: - $(params.BUILD_ARGS[*]) workingDir: /var/workdir @@ -535,7 +535,7 @@ spec: securityContext: runAsUser: 0 - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 workingDir: /var/workdir volumeMounts: - mountPath: /var/lib/containers diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index cade2c416b..bf2e7f1f6b 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -184,7 +184,7 @@ spec: - name: YUM_REPOS_D_TARGET value: $(params.YUM_REPOS_D_TARGET) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 volumeMounts: - mountPath: /shared name: shared @@ -209,7 +209,7 @@ spec: env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) - image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 name: build script: |- #!/bin/bash @@ -618,7 +618,7 @@ spec: runAsUser: 0 workingDir: /var/workdir - computeResources: {} - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 name: inject-sbom-and-push script: | base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 1b87a63dbb..ddee0b8d48 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -186,7 +186,7 @@ spec: - name: YUM_REPOS_D_TARGET value: $(params.YUM_REPOS_D_TARGET) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 - name: PLATFORM value: $(params.PLATFORM) volumeMounts: @@ -213,7 +213,7 @@ spec: env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) - image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 name: build script: |- #!/bin/bash @@ -647,7 +647,7 @@ spec: runAsUser: 0 workingDir: /var/workdir - computeResources: {} - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 name: inject-sbom-and-push script: | #!/bin/bash diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index 0117478309..4f9f99d08b 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -181,7 +181,7 @@ spec: - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 volumeMounts: - mountPath: /shared name: shared @@ -197,7 +197,7 @@ spec: env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) - image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 name: build script: |- #!/bin/bash diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index bf9a0b0647..15c86a866d 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -177,7 +177,7 @@ spec: - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 - name: PLATFORM value: $(params.PLATFORM) volumeMounts: @@ -195,7 +195,7 @@ spec: env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) - image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 name: build script: |- #!/bin/bash @@ -629,7 +629,7 @@ spec: runAsUser: 0 workingDir: $(workspaces.source.path) - computeResources: {} - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 name: inject-sbom-and-push script: | #!/bin/bash diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 87cac02954..5771a08f00 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -169,7 +169,7 @@ spec: value: $(params.SKIP_UNUSED_STAGES) steps: - - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 name: build computeResources: limits: @@ -491,7 +491,7 @@ spec: runAsUser: 0 - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 computeResources: {} script: | if [ -n "${PARAM_BUILDER_IMAGE}" ]; then diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 00ebcec480..5f6ff4b511 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -164,7 +164,7 @@ spec: value: $(params.SKIP_UNUSED_STAGES) steps: - - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 name: build computeResources: limits: @@ -487,7 +487,7 @@ spec: runAsUser: 0 - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 + image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 computeResources: {} script: | #!/bin/bash