Merge branch 'tm/acs-add-determine-image-tag-task' of github.com:stac…

…krox/redhat-appstudio-build-definitions into tm/acs-add-determine-image-tag-task
konflux-ci · Aug 12, 2024 · 936471b · 936471b
2 parents f1b8833 + 2e2c584
commit 936471b
Show file tree

Hide file tree

Showing 20 changed files with 314 additions and 127 deletions.
diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml
@@ -26,7 +26,7 @@ spec:
       type: string
   steps:
     - name: e2e-test
-      image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:f745749e498fe1542b91129db743abf959b07c8a
+      image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:efcb425bd32dcf61b82b1214c45e58f68f6f445d
       command: ["/konflux-e2e/konflux-e2e.test"]
       # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened
       # against build-definitions to update this tag
@@ -44,7 +44,7 @@ spec:
       - name: APP_SUFFIX
         value: "$(params.app_suffix)"
       - name: COMPONENT_REPO_URLS
-        value: "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic,https://github.com/redhat-appstudio-qe/retrodep,https://github.com/cachito-testing/pip-e2e-test,https://github.com/redhat-appstudio-qe/fbc-sample-repo"
+        value: "https://github.com/konflux-qe-bd/devfile-sample-python-basic,https://github.com/konflux-qe-bd/retrodep,https://github.com/konflux-qe-bd/pip-e2e-test,https://github.com/konflux-qe-bd/fbc-sample-repo"
       - name: QUAY_E2E_ORGANIZATION
         value: konflux-ci
       - name: E2E_APPLICATIONS_NAMESPACE
@@ -60,7 +60,7 @@ spec:
             name: quay-push-secret-konflux-ci
             key: .dockerconfigjson
       - name: MY_GITHUB_ORG
-        value: redhat-appstudio-appdata
+        value: konflux-qe-bd
       - name: EC_PIPELINES_REPO_URL
         value: $(params.ec_pipelines_repo_url)
       - name: EC_PIPELINES_REPO_REVISION

diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml
@@ -23,7 +23,7 @@ spec:
       $(all_tasks_dir all_tasks-ec)
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:662648a893b2403fe6604655a7c98dd561705865e29239198e18f689ee7ae242
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:a63668adc33c513b455dcd494d556e43fdab95ce8e06bfc74ac6f104af11116a
     script: |
       set -euo pipefail
 
@@ -37,7 +37,7 @@ spec:
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:662648a893b2403fe6604655a7c98dd561705865e29239198e18f689ee7ae242
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:a63668adc33c513b455dcd494d556e43fdab95ce8e06bfc74ac6f104af11116a
     script: |
       set -euo pipefail
 

diff --git a/hack/generate-buildah-remote.sh b/hack/generate-buildah-remote.sh
@@ -8,7 +8,7 @@ go build -o /tmp/remote-generator ./remote/main.go
 
 for version in 0.1 0.2; do
     /tmp/remote-generator --buildah-task="${SCRIPTDIR}/../task/buildah/${version}/buildah.yaml" \
-        --remote-task="${SCRIPTDIR}/../task/buildah-remote/${version}/buildah-remote.yaml"
+        --remote-task="${SCRIPTDIR}/../task/buildah-remote/${version}/buildah-remote.yaml" --task-version="$version"
     /tmp/remote-generator --buildah-task="${SCRIPTDIR}/../task/buildah-oci-ta/${version}/buildah-oci-ta.yaml" \
-        --remote-task="${SCRIPTDIR}/../task/buildah-remote-oci-ta/${version}/buildah-remote-oci-ta.yaml"
+        --remote-task="${SCRIPTDIR}/../task/buildah-remote-oci-ta/${version}/buildah-remote-oci-ta.yaml" --task-version="$version"
 done
diff --git a/pipelines/docker-build-oci-ta/patch.yaml b/pipelines/docker-build-oci-ta/patch.yaml
@@ -64,6 +64,8 @@
     value: $(params.image-expires-after)
 - op: remove
   path: /spec/tasks/2/workspaces/0
+- op: remove
+  path: /spec/tasks/2/when
 
 # build-container
 - op: replace

diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml
@@ -79,7 +79,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:7a8e4c27716c1c5653cf4338f58cb2838e2712984c6c29204a28a9bee730df07
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:294b14582fa0e44f42c7e0651915ca67425488527fa7d9ecb49c3974ede028fc
           - name: name
             value: verify-enterprise-contract
           - name: kind

diff --git a/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/README.md b/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/README.md
@@ -9,9 +9,10 @@ This StepAction provisions an ephemeral cluster using Hypershift with 3 worker n
 |version|The version of OpenShift to install. Container images will be pulled from: `quay.io/openshift-release-dev/ocp-release:${version}-multi`.||true|
 |instanceType|AWS EC2 instance type for worker nodes. Supported values: `m5.large`, `m5.xlarge`, `m5.2xlarge`, `m6g.large`, `m6g.xlarge`, `m6g.2xlarge`|m6g.large|false|
 |insecureSkipTLSVerify|Skip TLS verification when accessing the EaaS hub cluster. This should not be set to "true" in a production environment.|false|false|
+|timeout|How long to wait for cluster provisioning to complete.|30m|false|
 
 ## Results
 |name|description|
 |---|---|
-|clusterName|The name of the generated ClusterTemplateInstance resource|
+|clusterName|The name of the generated ClusterTemplateInstance resource.|
 
diff --git a/...te-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml b/...te-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml
@@ -28,6 +28,10 @@ spec:
       description: >-
         Skip TLS verification when accessing the EaaS hub cluster.
         This should not be set to "true" in a production environment.
+    - name: timeout
+      type: string
+      default: 30m
+      description: How long to wait for cluster provisioning to complete.
   results:
     - name: clusterName
       description: The name of the generated ClusterTemplateInstance resource.
@@ -45,6 +49,8 @@ spec:
           key: kubeconfig
     - name: INSECURE_SKIP_TLS_VERIFY
       value: "$(params.insecureSkipTLSVerify)"
+    - name: TIMEOUT
+      value: "$(params.timeout)"
   script: |
     #!/bin/bash
     set -eo pipefail
@@ -61,6 +67,8 @@ spec:
           value: $INSTANCE_TYPE
         - name: version
           value: $VERSION
+        - name: timeout
+          value: $TIMEOUT
     EOF
 
     trap 'rm -f "$KUBECONFIG"' EXIT
@@ -71,12 +79,12 @@ spec:
     echo "Created ClusterTemplateInstance $CTI_NAME"
     echo -n $CTI_NAME > $(step.results.clusterName.path)
 
-    echo "Waiting for ClusterTemplateInstance to be ready (20m timeout)"
-    if "${OC[@]}" wait cti $CTI_NAME --for=jsonpath='{.status.phase}'=Ready --timeout=20m; then
+    echo "Waiting for ClusterTemplateInstance to be ready ($TIMEOUT timeout)"
+    if "${OC[@]}" wait cti "$CTI_NAME" --for=jsonpath='{.status.phase}'=Ready --timeout="$TIMEOUT"; then
       echo "Successfully provisioned $CTI_NAME"
       exit 0
     else
-      "${OC[@]}" get cti $CTI_NAME -o yaml
+      "${OC[@]}" get cti "$CTI_NAME" -o yaml
       echo "Failed to provision $CTI_NAME"
       exit 1
     fi
diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go
@@ -18,6 +18,7 @@ import (
 	"flag"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	tektonapi "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
@@ -33,18 +34,20 @@ import (
 func main() {
 	var buildahTask string
 	var buildahRemoteTask string
+	var taskVersion string
 
 	flag.StringVar(&buildahTask, "buildah-task", "", "The location of the buildah task")
 	flag.StringVar(&buildahRemoteTask, "remote-task", "", "The location of the buildah-remote task to overwrite")
+	flag.StringVar(&taskVersion, "task-version", "", "The version of the task to overwrite")
 
 	opts := zap.Options{
 		Development: true,
 	}
 	opts.BindFlags(flag.CommandLine)
 	klog.InitFlags(flag.CommandLine)
 	flag.Parse()
-	if buildahTask == "" || buildahRemoteTask == "" {
-		println("Must specify both buildah-task and remote-task params")
+	if buildahTask == "" || buildahRemoteTask == "" || taskVersion == "" {
+		println("Must specify both buildah-task, remote-task, and task-version params")
 		os.Exit(1)
 	}
 
@@ -53,7 +56,7 @@ func main() {
 
 	decodingScheme := runtime.NewScheme()
 	utilruntime.Must(tektonapi.AddToScheme(decodingScheme))
-	convertToSsh(&task)
+	convertToSsh(&task, taskVersion)
 	y := printers.YAMLPrinter{}
 	b := bytes.Buffer{}
 	_ = y.PrintObj(&task, &b)
@@ -87,7 +90,7 @@ func streamFileYamlToTektonObj(path string, obj runtime.Object) runtime.Object {
 	return decodeBytesToTektonObjbytes(bytes, obj)
 }
 
-func convertToSsh(task *tektonapi.Task) {
+func convertToSsh(task *tektonapi.Task, taskVersion string) {
 
 	builderImage := ""
 	syncVolumes := map[string]bool{}
@@ -96,14 +99,44 @@ func convertToSsh(task *tektonapi.Task) {
 			syncVolumes[i.Name] = true
 		}
 	}
+	// The images produced in multi-platform builds need to have unique tags in order
+	// to prevent them from getting garbage collected before generating the image index.
+	// We can simplify this process, preventing the need for users to manually specify
+	// the image by auto-appending the architecture from the PLATFORM parameter. For
+	// example, this will append -arm64 if PLATFORM is linux/arm64 if not present. Since
+	// we cannot modify the parameter itself, this replacement needs to happen in any task
+	// step where the IMAGE parameter is used.
+	// If a user defines the IMAGE parameter with an -arm64 suffix, the arm64 suffix will
+	// not be appended again based on the PLATFORM.
+	adjustRemoteImage := `if [[ "${IMAGE##*-}" != "${PLATFORM##*/}" ]]; then
+  export IMAGE="${IMAGE}-${PLATFORM##*/}"
+fi
+`
+
 	for stepPod := range task.Spec.Steps {
+		ret := ""
 		step := &task.Spec.Steps[stepPod]
-		if step.Name != "build" {
+		if step.Script != "" && taskVersion != "0.1" && step.Name != "build" {
+			scriptHeaderRE := regexp.MustCompile(`^#!/bin/bash\nset -e\n`)
+			if scriptHeaderRE.FindString(step.Script) != "" {
+				ret = scriptHeaderRE.ReplaceAllString(step.Script, "")
+			} else {
+				ret = step.Script
+			}
+			if !strings.HasPrefix(ret, "#!") {
+				// If there is a shebang, it is explicitly non-bash, so don't adjust the image
+				ret = "#!/bin/bash\nset -e\n" + adjustRemoteImage + ret
+			}
+			step.Script = ret
+			continue
+		} else if step.Name != "build" {
 			continue
 		}
 		podmanArgs := ""
 
-		ret := `set -o verbose
+		ret = `#!/bin/bash
+set -e
+set -o verbose
 mkdir -p ~/.ssh
 if [ -e "/ssh/error" ]; then
   #no server could be provisioned
@@ -130,7 +163,9 @@ PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80"
 PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost"
 fi
 `
-
+		if taskVersion != "0.1" {
+			ret += adjustRemoteImage
+		}
 		env := "$PODMAN_PORT_FORWARD \\\n"
 
 		// disable podman subscription-manager integration
@@ -160,9 +195,19 @@ fi
 		script := "scripts/script-" + step.Name + ".sh"
 
 		ret += "\ncat >" + script + " <<'REMOTESSHEOF'\n"
-		if !strings.HasPrefix(step.Script, "#!") {
+
+		// The base task might now be using a bash shell, so we need to make sure
+		// that we only have one shebang declaration. If there is a shebang declaration,
+		// we should also consolidate the set declarations.
+		reShebang := regexp.MustCompile(`(#!.*\n)(set -.*\n)*`)
+		shebangMatch := reShebang.FindString(step.Script)
+		if shebangMatch != "" {
+			ret += shebangMatch
+			step.Script = strings.TrimPrefix(step.Script, shebangMatch)
+		} else {
 			ret += "#!/bin/bash\nset -o verbose\nset -e\n"
 		}
+
 		if step.WorkingDir != "" {
 			ret += "cd " + step.WorkingDir + "\n"
 		}
@@ -229,4 +274,7 @@ fi
 		},
 	})
 	task.Spec.StepTemplate.Env = append(task.Spec.StepTemplate.Env, v1.EnvVar{Name: "BUILDER_IMAGE", Value: builderImage})
+	if taskVersion != "0.1" {
+		task.Spec.StepTemplate.Env = append(task.Spec.StepTemplate.Env, v1.EnvVar{Name: "PLATFORM", Value: "$(params.PLATFORM)"})
+	}
 }
diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml
@@ -54,7 +54,7 @@ spec:
     - name: COMMIT_SHA
       value: $(params.COMMIT_SHA)
   steps:
-  - image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db
+  - image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
     # the cluster will set imagePullPolicy to IfNotPresent
     name: build

diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
@@ -171,8 +171,6 @@ spec:
       emptyDir: {}
   stepTemplate:
     env:
-      - name: ACTIVATION_KEY
-        value: $(params.ACTIVATION_KEY)
       - name: ADDITIONAL_SECRET
         value: $(params.ADDITIONAL_SECRET)
       - name: ADD_CAPABILITIES
@@ -222,7 +220,7 @@ spec:
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
     - name: build
-      image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db
+      image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
       args:
         - $(params.BUILD_ARGS[*])
       workingDir: /var/workdir
@@ -366,15 +364,13 @@ spec:
         ACTIVATION_KEY_PATH="/activation-key"
         ENTITLEMENT_PATH="/entitlement"
 
-        # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
-        # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container.
-
-        if [ -d "$ACTIVATION_KEY_PATH" ]; then
+        if [ -e /activation-key/org ]; then
           cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
           mkdir /shared/rhsm-tmp
           VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z"
           echo "Adding activation key to the build"
-        elif [ -d "$ENTITLEMENT_PATH" ]; then
+
+        elif find /entitlement -name "*.pem" >>null; then
           cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
           VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement"
           echo "Adding the entitlement to the build"
@@ -532,7 +528,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: inject-sbom-and-push
-      image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db
+      image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
       workingDir: /var/workdir
       volumeMounts:
         - mountPath: /var/lib/containers

diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -222,7 +222,7 @@ spec:
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
     - name: build
-      image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db
+      image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
       args:
         - $(params.BUILD_ARGS[*])
       workingDir: /var/workdir
@@ -242,6 +242,8 @@ spec:
         - name: COMMIT_SHA
           value: $(params.COMMIT_SHA)
       script: |
+        #!/bin/bash
+        set -e
         ca_bundle=/mnt/trusted-ca/ca-bundle.crt
         if [ -f "$ca_bundle" ]; then
           echo "INFO: Using mounted CA bundle: $ca_bundle"
@@ -367,14 +369,16 @@ spec:
         ENTITLEMENT_PATH="/entitlement"
 
         # do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
-        # when activation keys are used, an empty directory on shared emptydir volume to /etc/pki/entitlement to prevent certificates from being included in the produced container.
+        # when activation keys are used an empty directory on shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced container
+        # To use activation key file 'org' must exist, which means the key 'org' must exist in the key/value secret
 
-        if [ -d "$ACTIVATION_KEY_PATH" ]; then
+        if [ -e /activation-key/org ]; then
           cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
           mkdir /shared/rhsm-tmp
           VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z"
           echo "Adding activation key to the build"
-        elif [ -d "$ENTITLEMENT_PATH" ]; then
+
+        elif find /entitlement -name "*.pem" >>null; then
           cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
           VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement"
           echo "Adding the entitlement to the build"
@@ -531,7 +535,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: inject-sbom-and-push
-      image: quay.io/konflux-ci/buildah:latest@sha256:7d7658b12457107d171f3c1644850e22a22513668484c5e971e6a773542461db
+      image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846
       workingDir: /var/workdir
       volumeMounts:
         - mountPath: /var/lib/containers
@@ -598,18 +602,18 @@ spec:
             - SETFCAP
         runAsUser: 0
     - name: upload-sbom
-      image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
-      args:
-        - attach
-        - sbom
-        - --sbom
-        - sbom-cyclonedx.json
-        - --type
-        - cyclonedx
-        - $(params.IMAGE)
+      image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
       workingDir: /var/workdir
       volumeMounts:
-        - mountPath: /etc/ssl/certs/ca-bundle.crt
+        - mountPath: /mnt/trusted-ca
           name: trusted-ca
           readOnly: true
-          subPath: ca-bundle.crt
+      script: |
+        ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+        if [ -f "$ca_bundle" ]; then
+          echo "INFO: Using mounted CA bundle: $ca_bundle"
+          cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+          update-ca-trust
+        fi
+
+        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"