
Commit 8245199

authored
ROX-25508: migrate scanner pipeline to matrix builds (#2373)
1 parent 41b095d commit 8245199


3 files changed

+36
-171
lines changed


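--- a/.tekton/scanner-build.yaml
+++ b/.tekton/scanner-build.yaml
@@ -63,20 +63,6 @@ spec:
 secret:
 secretName: '{{ git_auth_secret }}'
 
-taskRunSpecs:
-- pipelineTaskName: build-container-amd64
-stepSpecs:
-# Provision more CPU to speed up build compared to the defaults.
-# https://github.com/redhat-appstudio/build-definitions/blob/main/task/buildah/0.1/buildah.yaml#L126
-#
-# This is not required for multi-arch builds, because they are performed off cluster
-- name: build
-computeResources:
-limits:
-cpu: 2
-requests:
-cpu: 2
-
 taskRunTemplate:
 serviceAccountName: build-pipeline-scanner-4-9
 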

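--- a/.tekton/scanner-component-pipeline.yaml
+++ b/.tekton/scanner-component-pipeline.yaml
@@ -120,6 +120,17 @@ spec:
 default: docker
 type: string
 description: The format for the resulting image's mediaType. Valid values are oci or docker.
+- default:
+- linux/amd64
+- linux/arm64
+- linux/ppc64le
+- linux/s390x
+description: >
+List of platforms to build the container images for. The available
+set of values is determined by the configuration of the multi-platform-controller
+on the cluster: https://konflux.pages.redhat.com/docs/users/getting-started/multi-platform-builds.html
+name: build-platforms
+type: array
 - name: extra-labels
 type: array
 description: Additional labels to put on the built containers.
@@ -269,146 +280,15 @@ spec:
 workspaces:
 - name: git-basic-auth
 workspace: git-auth
-- name: build-container-amd64
-params:
-- name: IMAGE
-value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-amd64
-- name: DOCKERFILE
-value: $(params.dockerfile)
-- name: CONTEXT
-value: $(params.path-context)
-- name: HERMETIC
-value: $(params.hermetic)
-- name: PREFETCH_INPUT
-value: $(params.prefetch-input)
-- name: IMAGE_EXPIRES_AFTER
-value: $(tasks.determine-image-expiration.results.IMAGE_EXPIRES_AFTER)
-- name: COMMIT_SHA
-value: $(tasks.clone-repository.results.commit)
-- name: TARGET_STAGE
-value: $(params.build-target-stage)
-- name: BUILD_ARGS
-value:
-- SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
-- name: SOURCE_ARTIFACT
-value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
-- name: CACHI2_ARTIFACT
-value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
-- name: BUILDAH_FORMAT
-value: $(params.buildah-format)
-- name: LABELS
-value: ["$(params.extra-labels[*])"]
-- name: BUILD_TIMESTAMP
-value: "$(tasks.clone-repository.results.commit-timestamp)"
-taskRef:
+- name: build-images
+matrix:
 params:
-- name: name
-value: buildah-oci-ta
-- name: bundle
-value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.6@sha256:7b4c101b71e48b267079a5b6331d22de0b25e008c9e1dcaca1c41c4312391e39
-- name: kind
-value: task
-resolver: bundles
-when:
-- input: $(tasks.init.results.build)
-operator: in
-values: ["true"]
-- name: build-container-s390x
+- name: PLATFORM
+value:
+- $(params.build-platforms)
 params:
 - name: IMAGE
-value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-s390x
-- name: DOCKERFILE
-value: $(params.dockerfile)
-- name: CONTEXT
-value: $(params.path-context)
-- name: HERMETIC
-value: $(params.hermetic)
-- name: PREFETCH_INPUT
-value: $(params.prefetch-input)
-- name: IMAGE_EXPIRES_AFTER
-value: $(tasks.determine-image-expiration.results.IMAGE_EXPIRES_AFTER)
-- name: COMMIT_SHA
-value: $(tasks.clone-repository.results.commit)
-- name: TARGET_STAGE
-value: $(params.build-target-stage)
-- name: BUILD_ARGS
-value:
-- SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
-- name: SOURCE_ARTIFACT
-value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
-- name: CACHI2_ARTIFACT
-value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
-- name: PLATFORM
-value: linux/s390x
-- name: BUILDAH_FORMAT
-value: $(params.buildah-format)
-- name: LABELS
-value: ["$(params.extra-labels[*])"]
-- name: BUILD_TIMESTAMP
-value: "$(tasks.clone-repository.results.commit-timestamp)"
-taskRef:
-params:
-- name: name
-value: buildah-remote-oci-ta
-- name: bundle
-value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.6@sha256:ac05dabe8b6b446f974cf2b6ef1079cfaa9443d7078c2ebe3ec79aa650e1b5b2
-- name: kind
-value: task
-resolver: bundles
-when:
-- input: $(tasks.init.results.build)
-operator: in
-values: ["true"]
-- name: build-container-ppc64le
-params:
-- name: IMAGE
-value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-ppc64le
-- name: DOCKERFILE
-value: $(params.dockerfile)
-- name: CONTEXT
-value: $(params.path-context)
-- name: HERMETIC
-value: $(params.hermetic)
-- name: PREFETCH_INPUT
-value: $(params.prefetch-input)
-- name: IMAGE_EXPIRES_AFTER
-value: $(tasks.determine-image-expiration.results.IMAGE_EXPIRES_AFTER)
-- name: COMMIT_SHA
-value: $(tasks.clone-repository.results.commit)
-- name: TARGET_STAGE
-value: $(params.build-target-stage)
-- name: BUILD_ARGS
-value:
-- SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
-- name: SOURCE_ARTIFACT
-value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
-- name: CACHI2_ARTIFACT
-value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
-- name: PLATFORM
-value: linux/ppc64le
-- name: BUILDAH_FORMAT
-value: $(params.buildah-format)
-- name: LABELS
-value: ["$(params.extra-labels[*])"]
-- name: BUILD_TIMESTAMP
-value: "$(tasks.clone-repository.results.commit-timestamp)"
-taskRef:
-params:
-- name: name
-value: buildah-remote-oci-ta
-- name: bundle
-value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.6@sha256:ac05dabe8b6b446f974cf2b6ef1079cfaa9443d7078c2ebe3ec79aa650e1b5b2
-- name: kind
-value: task
-resolver: bundles
-when:
-- input: $(tasks.init.results.build)
-operator: in
-values: ["true"]
-- name: build-container-arm64
-params:
-- name: IMAGE
-value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-arm64
+value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)
 - name: DOCKERFILE
 value: $(params.dockerfile)
 - name: CONTEXT
@@ -430,8 +310,8 @@ spec:
 value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
 - name: CACHI2_ARTIFACT
 value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
-- name: PLATFORM
-value: linux/arm64
+- name: IMAGE_APPEND_PLATFORM
+value: "true"
 - name: BUILDAH_FORMAT
 value: $(params.buildah-format)
 - name: LABELS
@@ -459,14 +339,12 @@ spec:
 value: $(tasks.clone-repository.results.commit)
 - name: IMAGES
 value:
-- $(tasks.build-container-amd64.results.IMAGE_REF)
-- $(tasks.build-container-s390x.results.IMAGE_REF)
-- $(tasks.build-container-ppc64le.results.IMAGE_REF)
-- $(tasks.build-container-arm64.results.IMAGE_REF)
+- $(tasks.build-images.results.IMAGE_REF[*])
 - name: IMAGE_EXPIRES_AFTER
 value: $(tasks.determine-image-expiration.results.IMAGE_EXPIRES_AFTER)
 - name: BUILDAH_FORMAT
 value: $(params.buildah-format)
+runAfter: [ build-images ]
 taskRef:
 params:
 - name: name
@@ -548,6 +426,11 @@ spec:
 operator: in
 values: ["false"]
 - name: clair-scan
+matrix:
+params:
+- name: image-platform
+value:
+- $(params.build-platforms)
 params:
 - name: image-digest
 value: $(tasks.build-image-index.results.IMAGE_DIGEST)
@@ -567,6 +450,11 @@ spec:
 operator: in
 values: ["false"]
 - name: ecosystem-cert-preflight-checks
+matrix:
+params:
+- name: platform
+value:
+- $(params.build-platforms)
 params:
 - name: image-url
 value: $(tasks.build-image-index.results.IMAGE_URL)
@@ -653,6 +541,11 @@ spec:
 operator: in
 values: ["false"]
 - name: clamav-scan
+matrix:
+params:
+- name: image-arch
+value:
+- $(params.build-platforms)
 params:
 - name: image-digest
 value: $(tasks.build-image-index.results.IMAGE_DIGEST)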
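Review bot: The per-platform image tag format is no longer visible in the pipeline and is not documented anywhere in the new `build-images` task. `IMAGE` loses its explicit `-amd64`/`-s390x`/`-ppc64le`/`-arm64` suffix and the task is asked to derive one through `IMAGE_APPEND_PLATFORM: "true"`. The suffix the task appends cannot be seen in this diff; if it differs from the old `<tag>-<arch>` form, anything outside the pipeline that still pulls the old names would either fail or keep resolving images pushed before the migration. I would add a comment above the parameter, for example `# Per-platform tag suffix is appended by the task (IMAGE_APPEND_PLATFORM), not set here.`, and check release and test tooling for references to the old tag names. The `build-images` task continues outside the hunks shown, so its `taskRef` and `when` clause could not be reviewed.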

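--- a/.tekton/scanner-slim-build.yaml
+++ b/.tekton/scanner-slim-build.yaml
@@ -63,20 +63,6 @@ spec:
 secret:
 secretName: '{{ git_auth_secret }}'
 
-taskRunSpecs:
-- pipelineTaskName: build-container-amd64
-stepSpecs:
-# Provision more CPU to speed up build compared to the defaults.
-# https://github.com/redhat-appstudio/build-definitions/blob/main/task/buildah/0.1/buildah.yaml#L126
-#
-# This is not required for multi-arch builds, because they are performed off cluster
-- name: build
-computeResources:
-limits:
-cpu: 2
-requests:
-cpu: 2
-
 taskRunTemplate:
 serviceAccountName: build-pipeline-scanner-slim-4-9
 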
