From d708dd3210872e9a8e8e1748f8d5b23fa78832d2 Mon Sep 17 00:00:00 2001
From: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Date: Fri, 20 Dec 2024 12:08:47 +0100
Subject: [PATCH] ROX-27350: Use trusted tasks (#1742)
---
 .konflux/README.md | 4 +
 .konflux/scanner-data/.gitignore | 3 +
 .../scripts}/fail-build-if-git-is-dirty.sh | 0
 .../scripts}/fetch-scanner-data.sh | 0
 .tekton/determine-image-tag-task.yaml | 55 --------------
 .tekton/fetch-scanner-data-task.yaml | 74 -------------------
 .tekton/scanner-component-pipeline.yaml | 22 +++++-
 image/db/rhel/konflux.Dockerfile | 2 +-
 image/scanner/rhel/konflux.Dockerfile | 10 +--
 9 files changed, 32 insertions(+), 138 deletions(-)
 create mode 100644 .konflux/README.md
 create mode 100644 .konflux/scanner-data/.gitignore
 rename {scripts/konflux => .konflux/scripts}/fail-build-if-git-is-dirty.sh (100%)
 rename {scripts/konflux => .konflux/scripts}/fetch-scanner-data.sh (100%)
 delete mode 100644 .tekton/determine-image-tag-task.yaml
 delete mode 100644 .tekton/fetch-scanner-data-task.yaml
diff --git a/.konflux/README.md b/.konflux/README.md
new file mode 100644
index 000000000..3939fdd30
--- /dev/null
+++ b/.konflux/README.md
@@ -0,0 +1,4 @@
+# .konflux
+
+This directory is for files supporting ACS builds in Konflux.
+There's no Konflux convention to use it. Rather, we organize our scripts and tools here ourselves.
diff --git a/.konflux/scanner-data/.gitignore b/.konflux/scanner-data/.gitignore
new file mode 100644
index 000000000..256a3d0ce
--- /dev/null
+++ b/.konflux/scanner-data/.gitignore
@@ -0,0 +1,3 @@
+# scanner-data is for blobs downloaded and included in Scanner V2 containers during build.
+*
+!.gitignore
diff --git a/scripts/konflux/fail-build-if-git-is-dirty.sh b/.konflux/scripts/fail-build-if-git-is-dirty.sh
similarity index 100%
rename from scripts/konflux/fail-build-if-git-is-dirty.sh
rename to .konflux/scripts/fail-build-if-git-is-dirty.sh
diff --git a/scripts/konflux/fetch-scanner-data.sh b/.konflux/scripts/fetch-scanner-data.sh
similarity index 100%
rename from scripts/konflux/fetch-scanner-data.sh
rename to .konflux/scripts/fetch-scanner-data.sh
diff --git a/.tekton/determine-image-tag-task.yaml b/.tekton/determine-image-tag-task.yaml
deleted file mode 100644
index ac0e9bf6e..000000000
--- a/.tekton/determine-image-tag-task.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-apiVersion: tekton.dev/v1
-kind: Task
-metadata:
- name: determine-image-tag
- namespace: rh-acs-tenant
-# TODO(ROX-23812): Refactor to a task bundle
-spec:
- description: Determines the tag for the output image using the StackRox convention from 'make tag' output.
- params:
- - name: TAG_SUFFIX
- description: Suffix to append to generated image tag.
- type: string
- - name: SOURCE_ARTIFACT
- description: The Trusted Artifact URI pointing to the artifact with
- the application source code. This should be the result of the git-clone task,
- results from other tasks might fail as dirty.
- type: string
- results:
- - name: IMAGE_TAG
- description: Image Tag determined by custom logic.
- volumes:
- - name: workdir
- emptyDir: { }
- stepTemplate:
- volumeMounts:
- - mountPath: /var/workdir
- name: workdir
- steps:
- - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
- args:
- - use
- - $(params.SOURCE_ARTIFACT)=/var/workdir/source
- - name: determine-image-tag
- image: registry.access.redhat.com/ubi8:latest
- workingDir: /var/workdir/source
- script: |
- #!/usr/bin/env bash
- set -euo pipefail
- dnf -y upgrade --nobest
- dnf -y install git make
-
- scripts/konflux/fail-build-if-git-is-dirty.sh
-
- # First, try take git tag if it's a tagged commit.
- tag="$(git tag --points-at)"
- if [[ -z "$tag" ]]; then
- # If not, use make target's output.
- tag="$(make --quiet --no-print-directory tag)"
- elif [[ "$(wc -l <<< "$tag")" -gt 1 ]]; then
- >&2 echo -e "Error: the HEAD commit has multiple tags, don't know which one to choose:\n$tag"
- exit 5
- fi
-
- echo -n "${tag}$(params.TAG_SUFFIX)" | tee "$(results.IMAGE_TAG.path)"
diff --git a/.tekton/fetch-scanner-data-task.yaml b/.tekton/fetch-scanner-data-task.yaml
deleted file mode 100644
index 9131838dd..000000000
--- a/.tekton/fetch-scanner-data-task.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-apiVersion: tekton.dev/v1
-kind: Task
-metadata:
- name: fetch-scanner-data
- namespace: rh-acs-tenant
-# TODO(ROX-22196): Make the task EC-compliant (e.g. move to a bundle)
-spec:
- description: Downloads blobs from definitions.stackrox.io GCloud bucket to be included in Scanner container builds.
- params:
- - name: blobs-to-fetch
- description: |
- List of scanner-data file names to fetch to include in the container build.
- An empty list is allowed which results in no-op.
- type: array
- - name: target-dir
- description: Target directory relative to workspace where to save downloaded blobs.
- type: string
- default: "."
- - name: SOURCE_ARTIFACT
- description: The Trusted Artifact URI pointing to the artifact with
- the application source code. This should be the result of the git-clone task,
- results from other tasks might fail as dirty.
- type: string
- - name: ociStorage
- description: The OCI repository where the Trusted Artifacts are stored.
- type: string
- - name: ociArtifactExpiresAfter
- description: Expiration date for the trusted artifacts created in the
- OCI repository.
- type: string
- results:
- - name: SOURCE_ARTIFACT
- description: The Trusted Artifact URI pointing to the artifact with the application source code
- and additional smuggled activation key.
- type: string
- volumes:
- - name: workdir
- emptyDir: { }
- stepTemplate:
- volumeMounts:
- - mountPath: /var/workdir
- name: workdir
- steps:
- - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
- args:
- - use
- - $(params.SOURCE_ARTIFACT)=/var/workdir/source
- - name: fetch-scanner-data
- image: registry.access.redhat.com/ubi9:latest
- # The only functioning way to pass array parameter that I found is through args array.
- # Array params have weird limitations, see https://github.com/tektoncd/pipeline/blob/main/docs/tasks.md#substituting-array-parameters
- # Attempts to pass this in other places result in webhook errors and pipeline not starting.
- args: [ "$(params.blobs-to-fetch[*])" ]
- workingDir: /var/workdir/source
- script: |
- #!/usr/bin/env bash
- set -euo pipefail
- dnf -y upgrade --nobest
- dnf -y install git
- scripts/konflux/fetch-scanner-data.sh "$(params.target-dir)" "$@"
- # Blobs for tagged builds are built on GHA in https://github.com/stackrox/scanner.
- # If the task times out, look there to debug.
- timeout: 1h30m
- - name: create-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
- args:
- - create
- - --store
- - $(params.ociStorage)
- - $(results.SOURCE_ARTIFACT.path)=/var/workdir/source
- env:
- - name: IMAGE_EXPIRES_AFTER
- value: $(params.ociArtifactExpiresAfter)
diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml
index cb376878f..c71b5421d 100644
--- a/.tekton/scanner-component-pipeline.yaml
+++ b/.tekton/scanner-component-pipeline.yaml
@@ -196,12 +196,21 @@ spec:
         - name: SOURCE_ARTIFACT
           value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
       taskRef:
-        name: determine-image-tag
+        params:
+          - name: name
+            value: determine-image-tag
+          - name: bundle
+            value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:886e1482c717078d11ba7c5d6fc4e8013e3740b4d1282ebe5534db62c9f19428
+          - name: kind
+            value: task
+        resolver: bundles
     - name: fetch-scanner-data
       params:
-        - name: blobs-to-fetch
+        - name: BLOBS_TO_FETCH
           value: [ "$(params.blobs-to-fetch[*])" ]
+        - name: TARGET_DIR
+          value: .konflux/scanner-data
         - name: SOURCE_ARTIFACT
           value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
         - name: ociStorage
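Review bot: The bundle reference `quay.io/rhacs-eng/konflux-tasks:latest@sha256:886e1482…` is spelled out in full twice — under the determine-image-tag taskRef here and again under the fetch-scanner-data taskRef in the next hunk — so a digest bump that edits only one of them leaves the pipeline resolving two different bundle builds, and nothing in the file says the two must move together. Pinning by digest is the right choice (the `latest` tag does not take part in resolution once a digest is present); to keep a single source of truth, consider lifting the reference into one pipeline param, e.g. `- name: konflux-tasks-bundle` with the pinned reference as its `default` and `value: $(params.konflux-tasks-bundle)` at both taskRefs, provided the digest-update automation still matches it there. Failing that, a comment above the first reference, `# Pinned by digest; bump both konflux-tasks bundle refs in this file together.`, makes the coupling visible. The enclosing `tasks:` list starts and ends outside this hunk.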
@@ -209,7 +218,14 @@ spec:
         - name: ociArtifactExpiresAfter
           value: $(params.oci-artifact-expires-after)
       taskRef:
-        name: fetch-scanner-data
+        params:
+          - name: name
+            value: fetch-scanner-v2-data
+          - name: bundle
+            value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:886e1482c717078d11ba7c5d6fc4e8013e3740b4d1282ebe5534db62c9f19428
+          - name: kind
+            value: task
+        resolver: bundles
     - name: prefetch-dependencies
       params:
diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile
index bfc08392a..d43441786 100644
--- a/image/db/rhel/konflux.Dockerfile
+++ b/image/db/rhel/konflux.Dockerfile
@@ -69,5 +69,5 @@ LABEL \
     io.k8s.display-name="scanner-db" \
     name="rhacs-scanner-db-rhel8"
-COPY --chown=0:0 blob-pg-definitions.sql.gz \
+COPY --chown=0:0 .konflux/scanner-data/blob-pg-definitions.sql.gz \
     /docker-entrypoint-initdb.d/definitions.sql.gz
diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile
index c91314d50..b39df45b7 100644
--- a/image/scanner/rhel/konflux.Dockerfile
+++ b/image/scanner/rhel/konflux.Dockerfile
@@ -16,11 +16,11 @@ ENV CI=1
 COPY . /src
 WORKDIR /src
-RUN scripts/konflux/fail-build-if-git-is-dirty.sh
+RUN .konflux/scripts/fail-build-if-git-is-dirty.sh
-RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
-    unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
-    unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
+RUN unzip -j .konflux/scanner-data/blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
+    unzip -j .konflux/scanner-data/blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
+    unzip -j .konflux/scanner-data/blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
 RUN echo -n "version: " && make --quiet --no-print-directory tag && \
     make CGO_ENABLED=1 scanner-build-nodeps
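Review bot: The blob location `.konflux/scanner-data/` is hard-coded in the three `unzip` lines of the scanner Dockerfile hunk here (and in the genesis_manifests COPY in the next hunk and the db Dockerfile COPY above), while the pipeline hands the same path to the fetch task as the `TARGET_DIR` value; nothing on either side records that the two must agree, so a change to one is caught only at build time as a missing file. A comment above the first `unzip` would make the coupling visible: `# Blobs are downloaded into .konflux/scanner-data by the fetch-scanner-data pipeline task (TARGET_DIR in .tekton/scanner-component-pipeline.yaml); keep the two paths in sync.` It is also worth noting there that the `.gitignore` added for that directory is what keeps the downloaded blobs out of the dirty-tree check on the preceding `RUN` line — presumably that script inspects git status, which I cannot see from this diff.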
@@ -28,7 +28,7 @@ RUN echo -n "version: " && make --quiet --no-print-directory tag && \
 # Replace genesis manifests file in the source code with the one generated at
 # the point when the dump was taken. This is to avoid discrepancy between other
 # files of the dump and the manifest.
-COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json
+COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json
 # Common base for scanner slim and full