From c5ea8d8887318d7fcf85ce73bb157b10716fa5a3 Mon Sep 17 00:00:00 2001 From: Scott Hebert Date: Tue, 16 Apr 2024 11:25:26 -0400 Subject: [PATCH 01/22] Custom CA bundle for prefetch-dependencies Signed-off-by: Scott Hebert --- .../0.1/prefetch-dependencies.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index d69f6cdfa5..a290248a15 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml @@ -19,6 +19,14 @@ spec: notice. Use at your own risk. name: dev-package-managers default: "false" + - name: caTrustConfigMapName + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: caTrustConfigMapKey + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt steps: - image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting @@ -30,6 +38,10 @@ spec: value: $(params.input) - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) + volumeMounts: + - name: trusted-ca + mountPath: /mnt/trusted-ca + readOnly: true script: | if [ -z "${INPUT}" ] then @@ -43,6 +55,13 @@ spec: dev_pacman_flag="" fi + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + cachi2 fetch-deps \ $dev_pacman_flag \ --source=$(workspaces.source.path)/source \ 
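Review bot: `cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors` expands `$ca_bundle` unquoted, and because this step's script opens directly with the `if [ -z "${INPUT}" ]` test (no `set -e` in the earlier hunk), a failing `cp` or `update-ca-trust` is ignored and `cachi2 fetch-deps` then runs against the unchanged trust store, surfacing only as a later, less specific TLS error. Quote the variable and fail fast: `cp -vf "$ca_bundle" /etc/pki/ca-trust/source/anchors || exit 1` followed by `update-ca-trust || exit 1`. A comment above `ca_bundle=` should also record that the filename is fixed by the volume's `items[].path` and therefore does not track `caTrustConfigMapKey`, e.g. `# the ConfigMap key is remapped to ca-bundle.crt by the trusted-ca volume definition`. The step's script continues past this hunk.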
@@ -59,3 +78,11 @@ spec: workspaces: - name: source description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well + volumes: + - name: trusted-ca + configMap: + name: $(params.caTrustConfigMapName) + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + optional: true From a4b8ee86392ae6d914c9741dd00349375c215e10 Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 06:21:37 +0000 Subject: [PATCH 02/22] update task/generate-odcs-compose/0.1/generate-odcs-compose.yaml --- task/generate-odcs-compose/0.1/generate-odcs-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml index 084eb609c7..cccaa012e3 100644 --- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml @@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:20de0e480e7dd1b734775f33b46170e25ec18197 + image: quay.io/redhat-appstudio/tools:39497ad4e7761c90fdde580cbb5bce9cb9491427 env: - name: CLIENT_ID valueFrom: From 501b230944bb78b016fa83e14cf08e68e4f440c7 Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 06:21:38 +0000 Subject: [PATCH 03/22] update task/provision-env-with-ephemeral-namespace/0.1/README.md --- .../0.1/README.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/task/provision-env-with-ephemeral-namespace/0.1/README.md b/task/provision-env-with-ephemeral-namespace/0.1/README.md index 41610b93e6..9e224c62b9 100644 --- a/task/provision-env-with-ephemeral-namespace/0.1/README.md 
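Review bot: The new `image: quay.io/redhat-appstudio/tools:39497ad4e7761c90fdde580cbb5bce9cb9491427` reference is pinned by a mutable tag rather than an immutable `@sha256:` digest, unlike the cachi2, ubi and ec-task-bundle references elsewhere in this series; a tag can be re-pushed, so the task no longer identifies a single image for provenance purposes. Patch 05 (`verify-signed-rpms.yaml`) makes the identical change. Pin the digest, `image: quay.io/redhat-appstudio/tools:<tag>@sha256:<digest-resolved-at-update-time>`, so the image cannot change underneath the task.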
+++ b/task/provision-env-with-ephemeral-namespace/0.1/README.md @@ -8,17 +8,14 @@ an ephemeral environment that will be completely clean of previous artifacts. ## Params: -| name | description | -|--------------------|-------------------------------------------------------------------| -| KONFLUXNAMESPACE | The namespace to create the spaceRequest from | -| SPACEREQUEST_NAME | The name for the newly created space request | +The task takes no parameters. ## Results: -| name | description | -|-------------------|--------------------------------------------------------------------------------------------------| -| secretRef | The name of the secret with a SA token that had admin permissions in the newly created namespace | +| name | description | +|-------------------|------------------------------------------------------------------| +| secretRef | The name of the secret with a SA token that had admin permissions in the newly created namespace | ## Source repository for task: From 5a9bf34277ed598a34655c26138ee808dae5a6fe Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 06:21:38 +0000 Subject: [PATCH 04/22] update task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml --- .../0.1/provision-env-with-ephemeral-namespace.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml b/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml index ef2d96740b..7781fe3061 100644 --- a/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml +++ b/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml 
@@ -44,7 +44,7 @@ spec: if oc wait spacerequests $SPACEREQUEST_NAME --for=condition=Ready --timeout=5m -n $KONFLUXNAMESPACE; then secretRef=$(oc get spacerequests $SPACEREQUEST_NAME -o=jsonpath='{.status.namespaceAccess[0].secretRef}') - echo $secretRef > tee "$(results.secretRef.path)" + echo -n $secretRef | tee $(results.secretRef.path) else exit 1 fi From be43f360c48e8b7207d64ab29fdf7c40bbd37dd5 Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 06:21:39 +0000 Subject: [PATCH 05/22] update task/verify-signed-rpms/0.1/verify-signed-rpms.yaml --- task/verify-signed-rpms/0.1/verify-signed-rpms.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml index 1f653c7c31..b67c1a51b1 100644 --- a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml +++ b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml @@ -26,7 +26,7 @@ spec: emptyDir: {} steps: - name: verify-signed-rpms - image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:20de0e480e7dd1b734775f33b46170e25ec18197 + image: quay.io/redhat-appstudio/tools:39497ad4e7761c90fdde580cbb5bce9cb9491427 volumeMounts: - name: workdir mountPath: "$(params.WORKDIR)" From 743319bb5b6e85c219e6bc04e622674d569eb3b4 Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 12:35:03 +0000 Subject: [PATCH 06/22] update .tekton/tasks/e2e-test.yaml --- .tekton/tasks/e2e-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index 437632b197..42e48e7323 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml 
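Review bot: `echo -n $secretRef | tee $(results.secretRef.path)` leaves `$secretRef` and the result path unquoted, and an empty jsonpath result is written as an empty result while the step still exits 0, since only the `oc wait` failure reaches the `exit 1` branch. Guard the value before writing it: `[ -n "$secretRef" ] || exit 1` and then `echo -n "$secretRef" | tee "$(results.secretRef.path)"`. The surrounding script begins and ends outside this hunk.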
@@ -22,7 +22,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/redhat-appstudio/e2e-tests:aee2181831ab240041e83f1c9036532415f45ccf + image: quay.io/redhat-appstudio/e2e-tests:a08db6841bb00aecfcd44a2954b1da26a199c0ac # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag args: [ From 686833fcebe4f202f97434ca373edd5d5e39a088 Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 19:13:45 +0000 Subject: [PATCH 07/22] update .tekton/tasks/e2e-test.yaml --- .tekton/tasks/e2e-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index 42e48e7323..bf33813fe7 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml @@ -22,7 +22,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/redhat-appstudio/e2e-tests:a08db6841bb00aecfcd44a2954b1da26a199c0ac + image: quay.io/redhat-appstudio/e2e-tests:f460221278f5bb897687cb54c4a2b891047be6f6 # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag args: [ From c08d539d65cb03d22e7bc461fcd022b97984de0c Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 09:25:33 +0000 Subject: [PATCH 08/22] update .tekton/tasks/e2e-test.yaml --- .tekton/tasks/e2e-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index bf33813fe7..ad313f8525 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml 
@@ -22,7 +22,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/redhat-appstudio/e2e-tests:f460221278f5bb897687cb54c4a2b891047be6f6 + image: quay.io/redhat-appstudio/e2e-tests:a517263543642749d14e07dd9daa14dd410023ad # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag args: [ From b41e6138fb31285f362a530607dc33bd57cf5acd Mon Sep 17 00:00:00 2001 From: "ec-automation[bot]" <32872589-ec-automation[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 18:13:55 +0000 Subject: [PATCH 09/22] enterprise contract update --- pipelines/enterprise-contract-everything.yaml | 2 +- pipelines/enterprise-contract-redhat-no-hermetic.yaml | 2 +- pipelines/enterprise-contract-redhat.yaml | 2 +- pipelines/enterprise-contract-slsa3.yaml | 2 +- pipelines/enterprise-contract.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pipelines/enterprise-contract-everything.yaml b/pipelines/enterprise-contract-everything.yaml index 31b5ae8d67..a146d6e879 100644 --- a/pipelines/enterprise-contract-everything.yaml +++ b/pipelines/enterprise-contract-everything.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-redhat-no-hermetic.yaml b/pipelines/enterprise-contract-redhat-no-hermetic.yaml index 0bc7072c57..139ed560a1 100644 --- a/pipelines/enterprise-contract-redhat-no-hermetic.yaml +++ b/pipelines/enterprise-contract-redhat-no-hermetic.yaml 
@@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-redhat.yaml b/pipelines/enterprise-contract-redhat.yaml index 1812e64499..2d502d5049 100644 --- a/pipelines/enterprise-contract-redhat.yaml +++ b/pipelines/enterprise-contract-redhat.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-slsa3.yaml b/pipelines/enterprise-contract-slsa3.yaml index 2dde42307c..04da2cda7a 100644 --- a/pipelines/enterprise-contract-slsa3.yaml +++ b/pipelines/enterprise-contract-slsa3.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index 7b8990f688..0f7d9eda04 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml 
@@ -66,7 +66,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 - name: name value: verify-enterprise-contract - name: kind From ec2626548743935d1be91697c2340617e50dbf95 Mon Sep 17 00:00:00 2001 From: Scott Hebert Date: Wed, 17 Apr 2024 16:09:23 -0400 Subject: [PATCH 10/22] fix(KFLUXBUGS-1215): fix use of PREFETCH_INPUT - quotes within variable are not handled very well by ssh command and it impacts the buildah-remote task (which is based on this task) we only need to know if prefetch was used, not the actual input. Therefore, we inspect whether cachi2 has been called. Signed-off-by: Scott Hebert --- task/buildah-remote/0.1/buildah-remote.yaml | 11 ++++------- task/buildah/0.1/buildah.yaml | 10 ++++------ 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index d2dc52915d..dd8c8f0520 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -108,8 +108,6 @@ spec: value: vfs - name: HERMETIC value: $(params.HERMETIC) - - name: PREFETCH_INPUT - value: $(params.PREFETCH_INPUT) - name: CONTEXT value: $(params.CONTEXT) - name: DOCKERFILE @@ -245,8 +243,8 @@ spec: BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}") fi - if [ -n "${PREFETCH_INPUT}" ]; then - cp -r cachi2 /tmp/ + if [ -d "$(workspaces.source.path)/cachi2" ]; then + cp -r "$(workspaces.source.path)/cachi2" /tmp/ chmod -R go+rwX /tmp/cachi2 VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2" sed -i 's|^\s*run |RUN . /cachi2/cachi2.env \&\& \\\n |i' "$dockerfile_path" 
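Review bot: The trigger for mounting the prefetched content and injecting `RUN . /cachi2/cachi2.env && \` into the Dockerfile is now the existence of `$(workspaces.source.path)/cachi2` rather than an explicit pipeline parameter, and nothing in the hunk records that this directory is the contract between prefetch-dependencies and the build; the same test recurs in the later hunks of this file and in `buildah.yaml`. Add a comment above the `if [ -d ... ]` line, e.g. `# prefetch-dependencies leaves its cachi2 output next to the source dir; its presence means prefetch ran`, so the coupling is visible where it is consumed. Since the buildah-remote script appears to run on the remote host (the commit message refers to the ssh command), it is worth confirming that the Tekton-substituted absolute workspace path exists there too; the replaced relative `cp -r cachi2 /tmp/` implies the working directory was the workspace. The enclosing script starts and ends outside the hunk.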
@@ -301,7 +299,7 @@ spec: echo $container > /workspace/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later - if [ -n "${PREFETCH_INPUT}" ]; then + if [ -d "$(workspaces.source.path)/cachi2" ]; then cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json fi @@ -323,7 +321,6 @@ spec: -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ -e STORAGE_DRIVER="$STORAGE_DRIVER" \ -e HERMETIC="$HERMETIC" \ - -e PREFETCH_INPUT="$PREFETCH_INPUT" \ -e CONTEXT="$CONTEXT" \ -e DOCKERFILE="$DOCKERFILE" \ -e IMAGE="$IMAGE" \ @@ -428,7 +425,7 @@ spec: image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 name: merge-cachi2-sbom script: | - if [ -n "${PREFETCH_INPUT}" ]; then + if [ -d "$(workspaces.source.path)/cachi2" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 165129fec8..b38c665ee3 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -96,8 +96,6 @@ spec: value: vfs - name: HERMETIC value: $(params.HERMETIC) - - name: PREFETCH_INPUT - value: $(params.PREFETCH_INPUT) - name: CONTEXT value: $(params.CONTEXT) - name: DOCKERFILE @@ -197,8 +195,8 @@ spec: BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}") fi - if [ -n "${PREFETCH_INPUT}" ]; then - cp -r cachi2 /tmp/ + if [ -d "$(workspaces.source.path)/cachi2" ]; then + cp -r "$(workspaces.source.path)/cachi2" /tmp/ chmod -R go+rwX /tmp/cachi2 VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2" sed -i 's|^\s*run |RUN . /cachi2/cachi2.env \&\& \\\n |i' "$dockerfile_path" 
@@ -253,7 +251,7 @@ spec: echo $container > /workspace/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later - if [ -n "${PREFETCH_INPUT}" ]; then + if [ -d "$(workspaces.source.path)/cachi2" ]; then cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json fi @@ -343,7 +341,7 @@ spec: - name: merge-cachi2-sbom image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 script: | - if [ -n "${PREFETCH_INPUT}" ]; then + if [ -d "$(workspaces.source.path)/cachi2" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json From 25c43952f247797d8de4cf16e668b954292e8794 Mon Sep 17 00:00:00 2001 From: rcerven Date: Mon, 22 Apr 2024 12:38:28 +0200 Subject: [PATCH 11/22] move build-args params only to docker-build pipelines (#956) also support it in buildah-rhtap task KONFLUX-268 Signed-off-by: Robert Cerven --- pipelines/docker-build-rhtap/patch.yaml | 9 +++++++++ pipelines/docker-build/patch.yaml | 9 +++++++++ pipelines/template-build/template-build.yaml | 7 ------- task/buildah-rhtap/0.1/buildah-rhtap.yaml | 12 ++++++++++++ 4 files changed, 30 insertions(+), 7 deletions(-) diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml index 460d45bc59..4ed6df0ab2 100644 --- a/pipelines/docker-build-rhtap/patch.yaml +++ b/pipelines/docker-build-rhtap/patch.yaml @@ -28,6 +28,13 @@ type: string default: "push" description: "Event that triggered the pipeline run, e.g. push, pull_request" +- op: add + path: /spec/params/- + value: + name: build-args-file + description: Path to a file with build arguments which will be passed to podman during build + type: string + default: "" - op: add path: /spec/results/- value: 
@@ -51,6 +58,8 @@ value: "$(params.image-expires-after)" - name: COMMIT_SHA value: "$(tasks.clone-repository.results.commit)" + - name: BUILD_ARGS_FILE + value: "$(params.build-args-file)" # Remove tasks # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0 # to compute offsets diff --git a/pipelines/docker-build/patch.yaml b/pipelines/docker-build/patch.yaml index f5c1018935..885147cc2d 100644 --- a/pipelines/docker-build/patch.yaml +++ b/pipelines/docker-build/patch.yaml @@ -13,6 +13,13 @@ value: name: buildah version: "0.1" +- op: add + path: /spec/params/- + value: + name: build-args-file + description: Path to a file with build arguments which will be passed to podman during build + type: string + default: "" - op: add path: /spec/tasks/3/params value: @@ -30,6 +37,8 @@ value: "$(params.image-expires-after)" - name: COMMIT_SHA value: "$(tasks.clone-repository.results.commit)" + - name: BUILD_ARGS_FILE + value: "$(params.build-args-file)" - op: add path: /spec/results/- value: diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 27b3799b93..ab3fdcf58c 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -53,10 +53,6 @@ spec: description: Build a source image. type: string default: "false" - - name: build-args-file - description: Path to a file with build arguments which will be passed to podman during build - type: string - default: "" tasks: - name: init params: @@ -110,9 +106,6 @@ spec: - input: $(tasks.init.results.build) operator: in values: ["true"] - params: - - name: BUILD_ARGS_FILE - value: "$(params.build-args-file)" runAfter: - prefetch-dependencies taskRef: diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index 231cb93462..a7fc740a9f 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml 
+++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml @@ -28,6 +28,10 @@ spec: description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) name: TLSVERIFY type: string + - name: BUILD_ARGS_FILE + description: Path to a file with build arguments which will be passed to podman during build + type: string + default: "" results: - description: Digest of the image just built name: IMAGE_DIGEST @@ -49,6 +53,8 @@ spec: value: $(params.IMAGE) - name: TLSVERIFY value: $(params.TLSVERIFY) + - name: BUILD_ARGS_FILE + value: $(params.BUILD_ARGS_FILE) steps: - name: build image: registry.access.redhat.com/ubi9/buildah@sha256:d28590e6ff9933a50be664e95a99ed9c85e0d50101ddc7f8f7cfc9ceea57fe30 @@ -64,8 +70,14 @@ spec: exit 1 fi + BUILDAH_ARGS=() + if [ -n "${BUILD_ARGS_FILE}" ]; then + BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}") + fi + # Build the image buildah build \ + ${BUILDAH_ARGS[@]} \ --tls-verify=$TLSVERIFY \ --ulimit nofile=4096:4096 \ -f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT From afdcc3d8b92be38fbffabf6ffa8ac6bf4c954358 Mon Sep 17 00:00:00 2001 From: "ec-automation[bot]" <32872589-ec-automation[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 16:57:18 +0000 Subject: [PATCH 12/22] enterprise contract update --- pipelines/enterprise-contract-everything.yaml | 2 +- pipelines/enterprise-contract-redhat-no-hermetic.yaml | 2 +- pipelines/enterprise-contract-redhat.yaml | 2 +- pipelines/enterprise-contract-slsa3.yaml | 2 +- pipelines/enterprise-contract.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pipelines/enterprise-contract-everything.yaml b/pipelines/enterprise-contract-everything.yaml index a146d6e879..7eafcae635 100644 --- a/pipelines/enterprise-contract-everything.yaml +++ b/pipelines/enterprise-contract-everything.yaml 
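Review bot: `${BUILDAH_ARGS[@]} \` expands the array unquoted, so an argument containing whitespace or glob characters is re-split before it reaches `buildah build`; the usual form is `"${BUILDAH_ARGS[@]}" \`, which keeps each element intact. A short comment above the new block, e.g. `# BUILD_ARGS_FILE is a path relative to the source checkout`, would document why it is joined with `${SOURCE_CODE_DIR}`. The build step's script continues outside this hunk.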
@@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-redhat-no-hermetic.yaml b/pipelines/enterprise-contract-redhat-no-hermetic.yaml index 139ed560a1..99d3ef7637 100644 --- a/pipelines/enterprise-contract-redhat-no-hermetic.yaml +++ b/pipelines/enterprise-contract-redhat-no-hermetic.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-redhat.yaml b/pipelines/enterprise-contract-redhat.yaml index 2d502d5049..2583b4172f 100644 --- a/pipelines/enterprise-contract-redhat.yaml +++ b/pipelines/enterprise-contract-redhat.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-slsa3.yaml b/pipelines/enterprise-contract-slsa3.yaml index 04da2cda7a..bab5525a07 100644 --- a/pipelines/enterprise-contract-slsa3.yaml +++ b/pipelines/enterprise-contract-slsa3.yaml 
@@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index 0f7d9eda04..2134e2c1c3 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml @@ -66,7 +66,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:98a2484a7fd81eb034cb3347c8629ba16ec0ad626a592e4c5b880eda2c746876 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb - name: name value: verify-enterprise-contract - name: kind From 26a53792c786bc16e92ffcce79f955540514414d Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 17 Apr 2024 19:51:33 +0200 Subject: [PATCH 13/22] chore(STONEINTG-758): deprecate old ver of deprecated-image-check v1 and v2 of deprecated-image-check are deprecated (for real now) and after deprecation date EC will start failing build verifications. Signed-off-by: Martin Basti --- task/deprecated-image-check/0.1/README.md | 2 +- task/deprecated-image-check/0.1/deprecated-image-check.yaml | 1 + task/deprecated-image-check/0.2/README.md | 2 +- task/deprecated-image-check/0.2/deprecated-image-check.yaml | 1 + 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/task/deprecated-image-check/0.1/README.md b/task/deprecated-image-check/0.1/README.md index f2e2622707..5af75d6e2b 100644 --- a/task/deprecated-image-check/0.1/README.md +++ b/task/deprecated-image-check/0.1/README.md 
@@ -3,7 +3,7 @@ ## Deprecation notice This task version is deprecated, please use the latest version. -Deprecation date: 2024-04-30 +Deprecation date: 2024-06-01 ## Description: The deprecated-image-check checks for deprecated images that are no longer maintained and prone to security issues. diff --git a/task/deprecated-image-check/0.1/deprecated-image-check.yaml b/task/deprecated-image-check/0.1/deprecated-image-check.yaml index 3ecdc0d597..f7e271c4c1 100644 --- a/task/deprecated-image-check/0.1/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.1/deprecated-image-check.yaml @@ -6,6 +6,7 @@ metadata: annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "appstudio, hacbs" + build.appstudio.redhat.com/expires-on: "2024-06-01T00:00:00Z" name: deprecated-image-check spec: description: >- diff --git a/task/deprecated-image-check/0.2/README.md b/task/deprecated-image-check/0.2/README.md index f2e2622707..5af75d6e2b 100644 --- a/task/deprecated-image-check/0.2/README.md +++ b/task/deprecated-image-check/0.2/README.md @@ -3,7 +3,7 @@ ## Deprecation notice This task version is deprecated, please use the latest version. -Deprecation date: 2024-04-30 +Deprecation date: 2024-06-01 ## Description: The deprecated-image-check checks for deprecated images that are no longer maintained and prone to security issues. diff --git a/task/deprecated-image-check/0.2/deprecated-image-check.yaml b/task/deprecated-image-check/0.2/deprecated-image-check.yaml index b9810143bb..caec83c3d6 100644 --- a/task/deprecated-image-check/0.2/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.2/deprecated-image-check.yaml @@ -6,6 +6,7 @@ metadata: annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "appstudio, hacbs" + build.appstudio.redhat.com/expires-on: "2024-06-01T00:00:00Z" name: deprecated-image-check spec: description: >- From f58ba64422b4d9bbcb4b296fbfe7b60f7793c3c1 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 02:22:17 +0000 Subject: [PATCH 14/22] chore(deps): update shared --- task/acs-deploy-check/0.1/acs-deploy-check.yaml | 2 +- task/acs-image-check/0.1/acs-image-check.yaml | 4 ++-- task/acs-image-scan/0.1/acs-image-scan.yaml | 4 ++-- task/buildah-remote/0.1/buildah-remote.yaml | 4 ++-- task/buildah-rhtap/0.1/buildah-rhtap.yaml | 4 ++-- task/buildah/0.1/buildah.yaml | 4 ++-- task/s2i-java/0.1/s2i-java.yaml | 6 +++--- task/s2i-nodejs/0.1/s2i-nodejs.yaml | 6 +++--- .../0.1/slack-webhook-notification.yaml | 2 +- task/summary/0.1/summary.yaml | 2 +- 10 files changed, 19 insertions(+), 19 deletions(-) diff --git a/task/acs-deploy-check/0.1/acs-deploy-check.yaml b/task/acs-deploy-check/0.1/acs-deploy-check.yaml index 239d1270ae..47879bc4cc 100644 --- a/task/acs-deploy-check/0.1/acs-deploy-check.yaml +++ b/task/acs-deploy-check/0.1/acs-deploy-check.yaml @@ -124,7 +124,7 @@ spec: fi - name: report - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: repository mountPath: /workspace/repository diff --git a/task/acs-image-check/0.1/acs-image-check.yaml b/task/acs-image-check/0.1/acs-image-check.yaml index 6d7a6d87e8..25dfb531fa 100644 --- a/task/acs-image-check/0.1/acs-image-check.yaml +++ b/task/acs-image-check/0.1/acs-image-check.yaml @@ -53,7 +53,7 @@ spec: oc annotate taskrun $(context.taskRun.name) task.output.location=logs - name: rox-image-check - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: rox-secret mountPath: /rox-secret 
@@ -121,7 +121,7 @@ spec: cp roxctl_image_check_output.json /steps-shared-folder/acs-image-check.json - name: report - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: shared-folder mountPath: /steps-shared-folder diff --git a/task/acs-image-scan/0.1/acs-image-scan.yaml b/task/acs-image-scan/0.1/acs-image-scan.yaml index 02d3a4d8a3..2062b21088 100644 --- a/task/acs-image-scan/0.1/acs-image-scan.yaml +++ b/task/acs-image-scan/0.1/acs-image-scan.yaml @@ -60,7 +60,7 @@ spec: oc annotate taskrun $(context.taskRun.name) task.output.location=logs - name: rox-image-scan - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: rox-secret mountPath: /rox-secret @@ -160,7 +160,7 @@ spec: set_test_output_result SUCCESS "$note" - name: report - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: shared-folder mountPath: /steps-shared-folder diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index dd8c8f0520..0899981cf8 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml 
@@ -387,7 +387,7 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers - computeResources: {} - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a name: merge-syft-sboms script: | #!/bin/python3 @@ -436,7 +436,7 @@ spec: runAsUser: 0 workingDir: $(workspaces.source.path) - computeResources: {} - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a name: create-purl-sbom script: | #!/bin/python3 diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index a7fc740a9f..59489ca788 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml +++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml @@ -57,7 +57,7 @@ spec: value: $(params.BUILD_ARGS_FILE) steps: - name: build - image: registry.access.redhat.com/ubi9/buildah@sha256:d28590e6ff9933a50be664e95a99ed9c85e0d50101ddc7f8f7cfc9ceea57fe30 + image: registry.access.redhat.com/ubi9/buildah@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c script: | # Check if the Dockerfile exists SOURCE_CODE_DIR=source @@ -123,7 +123,7 @@ spec: name: tmpfiles - name: merge-sboms - image: registry.access.redhat.com/ubi8/python-311@sha256:8ded4b6d8087706b6819ddda5d31f22b80e5aa4efa772e94d750699ccfbf98eb + image: registry.access.redhat.com/ubi8/python-311@sha256:634918e88adb803029a99cb1a5a6bb42834c2560ee098e87677efdaf7309380d env: - name: RESULT_PATH value: $(results.SBOM_BLOB_URL.path) diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index b38c665ee3..4e0e53b9d5 100644 --- a/task/buildah/0.1/buildah.yaml 
+++ b/task/buildah/0.1/buildah.yaml @@ -304,7 +304,7 @@ spec: runAsUser: 0 - name: merge-syft-sboms - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a script: | #!/bin/python3 import json @@ -353,7 +353,7 @@ spec: runAsUser: 0 - name: create-purl-sbom - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a script: | #!/bin/python3 import json diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml index 88c72da706..1bc2bce9b4 100644 --- a/task/s2i-java/0.1/s2i-java.yaml +++ b/task/s2i-java/0.1/s2i-java.yaml @@ -128,7 +128,7 @@ spec: container=$(buildah from --pull-never $IMAGE) buildah mount $container | tee /workspace/container_path echo $container > /workspace/container_name - image: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + image: registry.access.redhat.com/ubi9/buildah:9.3-12@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c name: build env: - name: COMMIT_SHA 
@@ -180,7 +180,7 @@ spec: name: varlibcontainers securityContext: runAsUser: 0 - - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + - image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. @@ -227,7 +227,7 @@ spec: securityContext: runAsUser: 0 - - image: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + - image: registry.access.redhat.com/ubi9/buildah:9.3-12@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c # default above is image digest specific name: inject-sbom-and-push computeResources: {} diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml index 74f846331d..ea03d6daca 100644 --- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml +++ b/task/s2i-nodejs/0.1/s2i-nodejs.yaml @@ -113,7 +113,7 @@ spec: container=$(buildah from --pull-never $IMAGE) buildah mount $container | tee /workspace/container_path echo $container > /workspace/container_name - image: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + image: registry.access.redhat.com/ubi9/buildah:9.3-12@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c name: build env: - name: COMMIT_SHA 
@@ -150,7 +150,7 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers - - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + - image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. @@ -197,7 +197,7 @@ spec: securityContext: runAsUser: 0 - - image: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + - image: registry.access.redhat.com/ubi9/buildah:9.3-12@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c name: inject-sbom-and-push computeResources: {} script: | diff --git a/task/slack-webhook-notification/0.1/slack-webhook-notification.yaml b/task/slack-webhook-notification/0.1/slack-webhook-notification.yaml index 7f9bf99cbf..2b4f865345 100644 --- a/task/slack-webhook-notification/0.1/slack-webhook-notification.yaml +++ b/task/slack-webhook-notification/0.1/slack-webhook-notification.yaml 
@@ -27,7 +27,7 @@ spec: optional: true steps: - name: send-message - image: registry.access.redhat.com/ubi9/ubi-minimal:9.3-1552@sha256:06d06f15f7b641a78f2512c8817cbecaa1bf549488e273f5ac27ff1654ed33f0 + image: registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612@sha256:119ac25920c8bb50c8b5fd75dcbca369bf7d1f702b82f3d39663307890f0bf26 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. diff --git a/task/summary/0.1/summary.yaml b/task/summary/0.1/summary.yaml index 7093d1dde3..40b8ab3cd4 100644 --- a/task/summary/0.1/summary.yaml +++ b/task/summary/0.1/summary.yaml @@ -23,7 +23,7 @@ spec: default: Succeeded steps: - name: appstudio-summary - image: registry.access.redhat.com/ubi9/ubi-minimal:9.3-1552@sha256:06d06f15f7b641a78f2512c8817cbecaa1bf549488e273f5ac27ff1654ed33f0 + image: registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612@sha256:119ac25920c8bb50c8b5fd75dcbca369bf7d1f702b82f3d39663307890f0bf26 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. From 8a96f0dbe5dc1aeeb588a945bb5cd4f048707f7b Mon Sep 17 00:00:00 2001 
From: Adam Cmiel Date: Fri, 19 Apr 2024 14:05:17 +0200 Subject: [PATCH 15/22] prefetch-dependencies: enable basic git auth Cachi2 may fetch git tags from the source repository and/or clone other git repositories. Those may be private. Give the user a way to authenticate. The basic-auth mechanism is copy-pasted from the git-clone task, except that it gets the repository url from 'git remote get-url origin' (unlike the clone task, which gets it as a Tekton param). Signed-off-by: Adam Cmiel --- .../0.1/prefetch-dependencies.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index a290248a15..bc2ed0dd94 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml @@ -38,6 +38,10 @@ spec: value: $(params.input) - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) + - name: WORKSPACE_GIT_AUTH_BOUND + value: $(workspaces.git-basic-auth.bound) + - name: WORKSPACE_GIT_AUTH_PATH + value: $(workspaces.git-basic-auth.path) volumeMounts: - name: trusted-ca mountPath: /mnt/trusted-ca 
@@ -55,6 +59,24 @@ spec: dev_pacman_flag="" fi + # Copied from https://github.com/redhat-appstudio/build-definitions/blob/main/task/git-clone/0.1/git-clone.yaml + if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ] ; then + if [ -f "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" ]; then + cp "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" "${HOME}/.git-credentials" + cp "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" "${HOME}/.gitconfig" + # Compatibility with kubernetes.io/basic-auth secrets + elif [ -f "${WORKSPACE_GIT_AUTH_PATH}/username" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/password" ]; then + HOSTNAME=$(cd "$(workspaces.source.path)/source" && git remote get-url origin | awk -F/ '{print $3}') + echo "https://$(cat ${WORKSPACE_GIT_AUTH_PATH}/username):$(cat ${WORKSPACE_GIT_AUTH_PATH}/password)@$HOSTNAME" > "${HOME}/.git-credentials" + echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${HOME}/.gitconfig" + else + echo "Unknown git-basic-auth workspace format" + exit 1 + fi + chmod 400 "${HOME}/.git-credentials" + chmod 400 "${HOME}/.gitconfig" + fi + ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -78,6 +100,13 @@ spec: workspaces: - name: source description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well + - name: git-basic-auth + description: | + A Workspace containing a .gitconfig and .git-credentials file or username and password. + These will be copied to the user's home before any cachi2 commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to bind a Secret to this Workspace over other volume types. + optional: true volumes: - name: trusted-ca configMap: From 6a7d1fd8c7e927748ee5ca5a3cad417f2e3629b9 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 19 Apr 2024 14:28:24 +0200 Subject: [PATCH 16/22] template-build: pass git-auth to prefetch task 
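Review bot: In the `kubernetes.io/basic-auth` branch the username and password are pasted into the `https://user:pass@host` line verbatim, so a password containing `@`, `:`, `/`, `#` or `%` produces an entry git's store helper cannot match, and `HOSTNAME` from `awk -F/ '{print $3}'` is only a bare host for `https://host/...` remotes (an `ssh://git@host/...` remote yields `git@host`, an scp-style one yields nothing usable). Both credential files are created under the default umask and only tightened by the trailing `chmod 400`, leaving the plaintext secret briefly readable by other uids in the container; `umask 077` as the first line of the `if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ]` block closes that window. Renaming `HOSTNAME` to something like `git_host` also avoids clobbering the shell's own variable of that name. The block is declared a copy of git-clone, so the same points apply there; the enclosing script starts before and continues after this hunk.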
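Review bot: The `git-basic-auth` workspace description does not say how the `username`/`password` form is scoped: the script registers the credential only for the https host of the `origin` remote of the checked-out source, so it will not be offered for repositories on any other host, and a non-https `origin` is not supported at all. Suggest adding `In the username/password form the credentials are registered only for the https host of the source repository's origin remote; use .gitconfig/.git-credentials to authenticate to other hosts.` to the description, so the regenerated README table carries the same caveat.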
Signed-off-by: Adam Cmiel --- pipelines/template-build/template-build.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index ab3fdcf58c..05b2779dc0 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -101,6 +101,8 @@ spec: workspaces: - name: source workspace: workspace + - name: git-basic-auth + workspace: git-auth - name: build-container when: - input: $(tasks.init.results.build) From f3d214f091b0974992617a784fda0db230c5fd90 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 19 Apr 2024 15:55:27 +0200 Subject: [PATCH 17/22] prefetch-dependencies: expose log-level option Allow the user to set the cachi2 log level. Signed-off-by: Adam Cmiel --- .../0.1/prefetch-dependencies.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index bc2ed0dd94..287fb7aa58 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml @@ -19,6 +19,9 @@ spec: notice. Use at your own risk. name: dev-package-managers default: "false" + - description: Set cachi2 log level (debug, info, warning, error) + name: log-level + default: "info" - name: caTrustConfigMapName type: string description: The name of the ConfigMap to read CA bundle data from. @@ -38,6 +41,8 @@ spec: value: $(params.input) - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) + - name: LOG_LEVEL + value: $(params.log-level) - name: WORKSPACE_GIT_AUTH_BOUND value: $(workspaces.git-basic-auth.bound) - name: WORKSPACE_GIT_AUTH_PATH 
@@ -84,18 +89,18 @@ spec: update-ca-trust fi - cachi2 fetch-deps \ + cachi2 --log-level="$LOG_LEVEL" fetch-deps \ $dev_pacman_flag \ --source=$(workspaces.source.path)/source \ --output=$(workspaces.source.path)/cachi2/output \ "${INPUT}" - cachi2 generate-env $(workspaces.source.path)/cachi2/output \ + cachi2 --log-level="$LOG_LEVEL" generate-env $(workspaces.source.path)/cachi2/output \ --format env \ --for-output-dir=/cachi2/output \ --output $(workspaces.source.path)/cachi2/cachi2.env - cachi2 inject-files $(workspaces.source.path)/cachi2/output \ + cachi2 --log-level="$LOG_LEVEL" inject-files $(workspaces.source.path)/cachi2/output \ --for-output-dir=/cachi2/output workspaces: - name: source From 84534a889c527d6efb46c9074f2718b30cc5af5d Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 19 Apr 2024 15:55:56 +0200 Subject: [PATCH 18/22] prefetch-dependencies: re-generate README Signed-off-by: Adam Cmiel --- task/prefetch-dependencies/0.1/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/task/prefetch-dependencies/0.1/README.md b/task/prefetch-dependencies/0.1/README.md index 076b1f338b..6a6914bb3e 100644 --- a/task/prefetch-dependencies/0.1/README.md +++ b/task/prefetch-dependencies/0.1/README.md 
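Review bot: `$LOG_LEVEL` reaches cachi2 unvalidated, so a value outside the set advertised by the `log-level` parameter (debug, info, warning, error) is rejected only by the first `cachi2 --log-level` call, after the git credentials and the CA bundle have already been installed in the container. A guard near the top of the script such as `case "$LOG_LEVEL" in debug|info|warning|error) ;; *) echo "Unsupported log-level: $LOG_LEVEL" >&2; exit 1 ;; esac` fails fast with a clear message (assuming those are exactly the names cachi2 accepts, which I cannot confirm from here). Passing the value through an env var and quoting `"$LOG_LEVEL"` on each command line, rather than interpolating `$(params.log-level)` into the script text, is the right shape and should be kept. The enclosing script starts outside the hunk.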
@@ -8,8 +8,12 @@ See docs at https://github.com/containerbuildsystem/cachi2#basic-usage. |---|---|---|---| |input|Configures project packages that will have their dependencies prefetched.||true| |dev-package-managers|Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false| +|log-level|Set cachi2 log level (debug, info, warning, error)|info|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| ## Workspaces |name|description|optional| |---|---|---| |source|Workspace with the source code, cachi2 artifacts will be stored on the workspace as well|false| +|git-basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. |true| From 032a8745d43a942a247f365fc890b06023ccd67d Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 04:09:47 +0000 Subject: [PATCH 19/22] update .tekton/tasks/e2e-test.yaml --- .tekton/tasks/e2e-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index ad313f8525..32637d5a67 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml 
@@ -22,7 +22,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/redhat-appstudio/e2e-tests:a517263543642749d14e07dd9daa14dd410023ad + image: quay.io/redhat-appstudio/e2e-tests:27b9e94fee065d8de74a82f5ca726df6c40fd64a # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag args: [ From e5ddc2accad08e95040aeb625939ece3fd5c4395 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 22 Apr 2024 14:30:13 +0200 Subject: [PATCH 20/22] fix: reorder conditions in init task to avoid kube API calls if env vars are set --- task/init/0.2/init.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/task/init/0.2/init.yaml b/task/init/0.2/init.yaml index e6dd5c9a10..7d7f18c7f1 100644 --- a/task/init/0.2/init.yaml +++ b/task/init/0.2/init.yaml @@ -39,8 +39,9 @@ spec: echo echo "Determine if Image Already Exists" - # Build the image when image does not exists or rebuild is set to true - if ! oc image info $IMAGE_URL &>/dev/null || [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ]; then + # Build the image when rebuild is set to true or image does not exist + # The image check comes last to avoid unnecessary, slow API calls + if [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ] || ! oc image info $IMAGE_URL &>/dev/null; then echo -n "true" > $(results.build.path) else echo -n "false" > $(results.build.path) From b404314d2a31c886d2106b4c7347f422d6f86439 Mon Sep 17 00:00:00 2001 
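Review bot: The rewritten comment names only two of the three conditions; the middle operand also forces a build whenever `SKIP_CHECKS` is anything other than `true`, and that should be stated since the ordering is the whole point of the commit. Suggest `# Build when a rebuild is requested, when checks are not skipped, or when the image does not exist yet.` followed by `# The oc lookup comes last because it is a slow API call; any lookup failure (auth, network) is treated as "missing" and triggers a build.` The fail-open behaviour of `! oc image info` predates this change, but the new comment is the natural place to make it explicit. `$IMAGE_URL` on the new line is unquoted; `"$IMAGE_URL"` is safer if the value can ever contain whitespace or glob characters.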
From: Simon Baird Date: Fri, 19 Apr 2024 14:33:21 -0400 Subject: [PATCH 21/22] Use ga repo for the ec task ref used by RHTAP ** NOTE: As per the comments in the beginning of the file being modified, this change has no impact on Konflux since Konflux uses the upstream task definition, not this one. ** Since EC has been declared GA, it's now able to push to the normal repo rather than the tech preview repo. So let's update the image reference in the verify-enterprise-contract task to use the EC image in the new GA repo. There's a similar change in the related task definition in the tssc-sample-pipelines repo, see https://github.com/redhat-appstudio/tssc-sample-pipelines/pull/39 . Ref: https://issues.redhat.com/browse/EC-571 --- .../0.1/verify-enterprise-contract.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml b/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml index 691dde40c7..e2d2c004f0 100644 --- a/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml +++ b/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml @@ -111,12 +111,12 @@ spec: steps: - name: version - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [ec] args: - version - name: initialize-tuf - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 script: |- set -euo pipefail @@ -132,7 +132,7 @@ spec: - name: TUF_MIRROR value: "$(params.TUF_MIRROR)" - name: validate - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [ec] args: - validate 
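Review bot: `registry.redhat.io/rhtas/ec-rhel9:0.2` is referenced by a mutable tag with no `@sha256:` digest in every step of this hunk and likewise in the `@@ -132,7` and `@@ -180,23` hunks, whereas the other image references in this series (the buildah, python-39 and ubi-minimal bumps in PATCH 14) are digest-pinned; this task is the one that enforces the enterprise-contract policy, so an unpinned enforcer image is the weakest link in the chain. The tech-preview reference was equally unpinned, so this predates the commit, but switching repos is the moment to fix it: if the GA repo publishes stable digests, write `image: registry.redhat.io/rhtas/ec-rhel9:0.2@sha256:<digest-placeholder>` so renovate can track it as it does for the other tasks. The commit message notes that Konflux uses the upstream definition, so the exposure is limited to RHTAP consumers of this file.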
@@ -180,23 +180,23 @@ spec: limits: memory: 2Gi - name: report - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [cat] args: - "$(params.HOMEDIR)/report.yaml" - name: report-json - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [cat] args: - "$(params.HOMEDIR)/report-json.json" - name: summary - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [jq] args: - "." - "$(results.TEST_OUTPUT.path)" - name: assert - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [jq] args: - "--argjson" From 7c65cc798f6a493cfed3313bbb35da4011ff6455 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 11:29:05 +0000 Subject: [PATCH 22/22] chore(deps): update ec --- .tekton/tasks/ec-checks.yaml | 4 ++-- pipelines/enterprise-contract-everything.yaml | 2 +- pipelines/enterprise-contract-redhat-no-hermetic.yaml | 2 +- pipelines/enterprise-contract-redhat.yaml | 2 +- pipelines/enterprise-contract-slsa3.yaml | 2 +- pipelines/enterprise-contract.yaml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index 04ad50214b..cfc8343df9 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml @@ -24,7 +24,7 @@ spec: $(all_tasks_dir all_tasks-ec) - name: validate-all-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3d9c4a6468a7bff3958c2845f0faca982484c11ba9a335cdae4b1c4f5066da63 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:c9a6554179211cce61405e21903a4e2ee48df33411aa50bf19a495ba2c303c5e script: | set -euo pipefail 
@@ -38,7 +38,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-build-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3d9c4a6468a7bff3958c2845f0faca982484c11ba9a335cdae4b1c4f5066da63 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:c9a6554179211cce61405e21903a4e2ee48df33411aa50bf19a495ba2c303c5e script: | set -euo pipefail diff --git a/pipelines/enterprise-contract-everything.yaml b/pipelines/enterprise-contract-everything.yaml index 7eafcae635..9342569128 100644 --- a/pipelines/enterprise-contract-everything.yaml +++ b/pipelines/enterprise-contract-everything.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-redhat-no-hermetic.yaml b/pipelines/enterprise-contract-redhat-no-hermetic.yaml index 99d3ef7637..0816eddf95 100644 --- a/pipelines/enterprise-contract-redhat-no-hermetic.yaml +++ b/pipelines/enterprise-contract-redhat-no-hermetic.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-redhat.yaml b/pipelines/enterprise-contract-redhat.yaml index 2583b4172f..651d57582a 100644 --- a/pipelines/enterprise-contract-redhat.yaml +++ b/pipelines/enterprise-contract-redhat.yaml 
@@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-slsa3.yaml b/pipelines/enterprise-contract-slsa3.yaml index bab5525a07..87a4878597 100644 --- a/pipelines/enterprise-contract-slsa3.yaml +++ b/pipelines/enterprise-contract-slsa3.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index 2134e2c1c3..9408c6bce7 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml @@ -66,7 +66,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:6dccad55da995af50e26d4ef408cbceec6ea739b264968ab97a9a93d5cfad9eb + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind