From c9a479cbb3f234fa918f097cc5b26cef29dedbe8 Mon Sep 17 00:00:00 2001 From: arewm Date: Thu, 1 Aug 2024 22:21:48 -0400 Subject: [PATCH] Add image index task to pipelines The build-image-index task is added to all pipelines but the generation of an image index is disabled by default. Signed-off-by: arewm --- pipelines/docker-build-oci-ta/patch.yaml | 47 ++++++------- pipelines/docker-build-rhtap/patch.yaml | 47 +++++++------ pipelines/docker-build/patch.yaml | 24 +++++++ pipelines/fbc-builder/patch.yaml | 49 ++++++++------ pipelines/template-build/template-build.yaml | 71 ++++++++++++-------- 5 files changed, 145 insertions(+), 93 deletions(-) diff --git a/pipelines/docker-build-oci-ta/patch.yaml b/pipelines/docker-build-oci-ta/patch.yaml index 677281306d..68bf341fac 100644 --- a/pipelines/docker-build-oci-ta/patch.yaml +++ b/pipelines/docker-build-oci-ta/patch.yaml @@ -12,19 +12,20 @@ path: /spec/workspaces/0 # Order of Tasks from the base docker-build Pipeline: # $ kustomize build pipelines/docker-build | yq .spec.tasks.[].name | nl -v 0 -# 0 init -# 1 clone-repository -# 2 prefetch-dependencies -# 3 build-container -# 4 build-source-image -# 5 deprecated-base-image-check -# 6 clair-scan -# 7 ecosystem-cert-preflight-checks -# 8 sast-snyk-check -# 9 clamav-scan -# 10 sbom-json-check -# 11 apply-tags -# 12 push-dockerfile +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile # clone-repository Task - op: replace 
@@ -84,46 +85,46 @@ # build-source-image - op: replace - path: /spec/tasks/4/taskRef/name + path: /spec/tasks/5/taskRef/name value: source-build-oci-ta - op: add - path: /spec/tasks/4/params/- + path: /spec/tasks/5/params/- value: name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - op: add - path: /spec/tasks/4/params/- + path: /spec/tasks/5/params/- value: name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - op: remove - path: /spec/tasks/4/workspaces/0 + path: /spec/tasks/5/workspaces/0 # sast-snyk-check - op: replace - path: /spec/tasks/8/taskRef/name + path: /spec/tasks/9/taskRef/name value: sast-snyk-check-oci-ta - op: add # In the docker-build Pipeline, the snyk Task does not receive any parameters, so we cannot # append to it. - path: /spec/tasks/8/params + path: /spec/tasks/9/params value: - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - op: remove - path: /spec/tasks/8/workspaces/0 + path: /spec/tasks/9/workspaces/0 # push-dockerfile - op: replace - path: /spec/tasks/12/taskRef/name + path: /spec/tasks/13/taskRef/name value: push-dockerfile-oci-ta - op: add - path: /spec/tasks/12/params/- + path: /spec/tasks/13/params/- value: name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - op: remove - path: /spec/tasks/12/workspaces/0 + path: /spec/tasks/13/workspaces/0 # Order of finally Tasks from the base docker-build Pipeline: # $ kustomize build pipelines/docker-build | yq .spec.finally.[].name | nl -v 0 diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml index 55d2981f38..77099ebf99 100644 --- a/pipelines/docker-build-rhtap/patch.yaml +++ b/pipelines/docker-build-rhtap/patch.yaml 
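Review bot: Every operation in this hunk still addresses its target by position (`/spec/tasks/5`, `/9`, `/13`), so the next task inserted into the template will silently re-point the `taskRef` replacements and workspace removals at the wrong task. That is the renumbering this commit had to do by hand. An RFC 6902 `test` operation in front of each group would turn a stale index into a build failure, for example `- op: test`, `path: /spec/tasks/5/name`, `value: build-source-image`, provided the kustomize version in use honours it. The same applies to the index-based `remove` lists in docker-build-rhtap/patch.yaml and fbc-builder/patch.yaml, where an off-by-one removes a different scan task than the trailing comment names.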
@@ -73,40 +73,43 @@ # Remove tasks # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0 # to compute offsets -# 0 init -# 1 clone-repository -# 2 prefetch-dependencies -# 3 build-container -# 4 build-source-image -# 5 deprecated-base-image-check -# 6 clair-scan -# 7 ecosystem-cert-preflight-checks -# 8 sast-snyk-check -# 9 clamav-scan -# 10 sbom-json-check -# 11 apply-tags -# 12 push-dockerfile +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile - op: replace path: /spec/tasks/3/runAfter/0 value: clone-repository - op: remove - path: /spec/tasks/12 # push-dockerfile + path: /spec/tasks/13 # push-dockerfile - op: remove - path: /spec/tasks/11 # apply-tags + path: /spec/tasks/12 # apply-tags - op: remove - path: /spec/tasks/10 # sbom-json-check + path: /spec/tasks/11 # sbom-json-check - op: remove - path: /spec/tasks/9 # clamav-scan + path: /spec/tasks/10 # clamav-scan - op: remove - path: /spec/tasks/8 # sast-snyk-check + path: /spec/tasks/9 # sast-snyk-check - op: remove - path: /spec/tasks/7 # ecosystem-cert-preflight-checks + path: /spec/tasks/8 # ecosystem-cert-preflight-checks - op: remove - path: /spec/tasks/6 # clair-scan + path: /spec/tasks/7 # clair-scan - op: remove - path: /spec/tasks/5 # deprecated-base-image-check + path: /spec/tasks/6 # deprecated-base-image-check - op: remove - path: /spec/tasks/4 # build-source-image + path: /spec/tasks/5 # build-source-image +- op: remove + path: /spec/tasks/4 # build-image-index - op: remove path: /spec/tasks/2 # prefetch-dependencies - op: remove diff --git a/pipelines/docker-build/patch.yaml b/pipelines/docker-build/patch.yaml index 560b76342f..9eaf44c9cc 100644 
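Review bot: Removing `/spec/tasks/4` (build-image-index) leaves this pipeline without the task the template now reads from. The template-build.yaml hunks in this patch re-point the `show-summary` task's `build-task-status` and the `IMAGE_URL`/`IMAGE_DIGEST` results at `tasks.build-image-index`. Unless operations outside this hunk rewrite those references, the rendered Pipeline refers to a task it does not contain and would presumably be rejected at validation. Either keep the task here, or add replace operations that restore the build-container references, e.g. `value: "$(tasks.build-container.results.IMAGE_URL)"` for the `IMAGE_URL` result, with a comment next to the `remove` saying so.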
--- a/pipelines/docker-build/patch.yaml +++ b/pipelines/docker-build/patch.yaml @@ -8,6 +8,23 @@ "pipelines.openshift.io/used-by": "build-cloud" "pipelines.openshift.io/runtime": "generic" "pipelines.openshift.io/strategy": "docker" +# yq ".spec.tasks.[].name" pipelines/template-build/template-build.yaml | nl -v 0 +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile + +# build-container - op: replace path: /spec/tasks/3/taskRef value: @@ -49,6 +66,13 @@ - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: "$(params.build-args-file)" + +# build-image-index +- op: add + path: /spec/tasks/4/params/- + value: + - name: IMAGE_EXPIRES_AFTER + value: "$(params.image-expires-after)" - op: add path: /spec/results/- value: diff --git a/pipelines/fbc-builder/patch.yaml b/pipelines/fbc-builder/patch.yaml index 9f139a8ce4..ad3a90042b 100644 --- a/pipelines/fbc-builder/patch.yaml +++ b/pipelines/fbc-builder/patch.yaml 
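Review bot: The added operation under `# build-image-index` appends with `path: /spec/tasks/4/params/-`, but its `value:` is a one-element list (`- name: IMAGE_EXPIRES_AFTER`), so what gets appended is a list nested inside `params` rather than a parameter. The append operations in docker-build-oci-ta/patch.yaml use a bare mapping for the same purpose. Drop the list dash so that `name: IMAGE_EXPIRES_AFTER` and `value: "$(params.image-expires-after)"` sit directly under `value:`. Indentation is not recoverable from this page, so this is judged from the dash alone.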
@@ -31,30 +31,37 @@ # Remove tasks # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0 # to compute offsets -# 0 init -# 1 clone-repository -# 2 prefetch-dependencies -# 3 build-container -# 4 build-source-image -# 5 deprecated-base-image-check -# 6 clair-scan -# 7 ecosystem-cert-preflight-checks -# 8 sast-snyk-check -# 9 clamav-scan -# 10 sbom-json-check +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile - op: replace path: /spec/tasks/3/runAfter/0 value: clone-repository - op: remove - path: /spec/tasks/9 # clamav-scan + path: /spec/tasks/13 # push-dockerfile - op: remove - path: /spec/tasks/8 # sast-snyk-check + path: /spec/tasks/11 # sbom-json-check - op: remove - path: /spec/tasks/7 # ecosystem-cert-preflight-checks + path: /spec/tasks/10 # clamav-scan - op: remove - path: /spec/tasks/6 # clair-scan + path: /spec/tasks/9 # sast-snyk-check - op: remove - path: /spec/tasks/4 # build-source-image + path: /spec/tasks/8 # ecosystem-cert-preflight-checks +- op: remove + path: /spec/tasks/7 # clair-scan +- op: remove + path: /spec/tasks/5 # build-source-image - op: remove path: /spec/tasks/2 # prefetch-dependencies - op: add @@ -66,15 +73,15 @@ operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: inspect-image version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) workspaces: - name: source workspace: workspace 
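Review bot: Besides renumbering, the new remove list drops two tasks the old list kept: `/spec/tasks/13` (push-dockerfile) and `/spec/tasks/11` (sbom-json-check). Shifting the old indices by one for the inserted task would give only 10, 9, 8, 7, 5 and 2. Removing the SBOM check from the FBC pipeline changes what gets verified, and neither the commit message nor a comment mentions it. If it is intended, state it in the commit description and next to the operation, e.g. `# sbom-json-check: not applicable to FBC images because <reason>`; if not, delete those two `remove` entries. This is read from the visible operations only, since the file continues outside the hunk.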
@@ -93,9 +100,9 @@ version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: BASE_IMAGE value: $(tasks.inspect-image.results.BASE_IMAGE) workspaces: diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index c852f64ef1..daa4a9da40 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -56,6 +56,10 @@ spec: description: Build a source image. type: string default: "false" + - name: build-image-index + description: Add built image into an OCI image index + type: string + default: "false" tasks: - name: init params: @@ -121,6 +125,19 @@ spec: workspaces: - name: source workspace: workspace + - name: build-image-index + when: + - input: $(tasks.init.results.build) + operator: in + values: ["true"] + runAfter: + - build-container + taskRef: + name: build-image-index + version: "0.1" + params: + name: BUILD_IMAGE_INDEX + value: $(params.build-image-index) - name: build-source-image when: - input: $(tasks.init.results.build) @@ -130,7 +147,7 @@ spec: operator: in values: ["true"] runAfter: - - build-container + - build-image-index taskRef: name: source-build version: "0.1" 
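Review bot: The new build-image-index task in template-build.yaml receives only `BUILD_IMAGE_INDEX`, yet from this commit on the scan tasks (clair-scan, clamav-scan, sast-snyk-check, sbom-json-check in the later hunks) and the pipeline's `IMAGE_URL`/`IMAGE_DIGEST` results take the image reference from it instead of from build-container. Nothing visible in the pipeline ties its output to the digest build-container produced, so what is scanned and reported depends wholly on the task implementation, which is not part of this patch. Pass build-container's URL and digest in as explicit params and document the contract, e.g. `# with BUILD_IMAGE_INDEX "false" this task must re-emit build-container's IMAGE_URL and IMAGE_DIGEST unchanged`. Also, as rendered here the entry under `params:` has no leading `- `; if the file matches, `params` is a mapping and should read `- name: BUILD_IMAGE_INDEX`.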
@@ -150,46 +167,46 @@ spec: version: "0.4" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index - name: clair-scan when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: clair-scan version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: ecosystem-cert-preflight-checks when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: ecosystem-cert-preflight-checks version: "0.1" params: - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: sast-snyk-check when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: sast-snyk-check version: "0.1" 
@@ -198,59 +215,59 @@ spec: workspace: workspace params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: clamav-scan when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: clamav-scan version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: sbom-json-check when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: sbom-json-check version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: apply-tags runAfter: - - build-container + - build-image-index taskRef: name: apply-tags version: "0.1" params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: push-dockerfile runAfter: - - build-container + - build-image-index taskRef: name: push-dockerfile version: "0.1" params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: DOCKERFILE value: $(params.dockerfile) - name: CONTEXT 
@@ -266,7 +283,7 @@ spec: version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: show-summary taskRef: name: summary @@ -279,15 +296,15 @@ spec: - name: image-url value: $(params.output-image) - name: build-task-status - value: $(tasks.build-container.status) + value: $(tasks.build-image-index.status) workspaces: - name: workspace workspace: workspace results: - name: IMAGE_URL - value: "$(tasks.build-container.results.IMAGE_URL)" + value: "$(tasks.build-image-index.results.IMAGE_URL)" - name: IMAGE_DIGEST - value: "$(tasks.build-container.results.IMAGE_DIGEST)" + value: "$(tasks.build-image-index.results.IMAGE_DIGEST)" - name: CHAINS-GIT_URL value: "$(tasks.clone-repository.results.url)" - name: CHAINS-GIT_COMMIT
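Review bot: `build-task-status` on show-summary now reads `$(tasks.build-image-index.status)`, and build-image-index runs after build-container, so when the build itself fails the index task never starts and Tekton reports its status as `None` rather than `Failed`. How the summary task treats `None` is not visible here, but it can no longer tell a failed build from one that was skipped. Consider keeping `value: $(tasks.build-container.status)` for this parameter, or passing the aggregate `$(tasks.status)`, and leave the switch to build-image-index for the `IMAGE_URL`/`IMAGE_DIGEST` results only.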