Konflux-build-cli: replace build step of build-image-index task by mkosiarc · Pull Request #3321 · konflux-ci/build-definitions

mkosiarc · 2026-03-03T18:08:10Z

Start using the konflux-build-cli for building the image index.
Related PR: konflux-ci/konflux-build-cli#69

Also NOTE: The build step is now run explicitly as root by using
runAsUser: 0, since the permissions for the "konflux-build-cli" container
are different and they no longer allow executing the necessary setup steps,
like updating the ca-trust. The step was always run with root
permissions, now it us just explicitly setup in the tekton step.

STONEBLD-4060

snyk-io · 2026-03-03T18:08:22Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

mkosiarc · 2026-03-03T18:08:53Z

Related pr konflux-ci/konflux-build-cli#69

mkosiarc · 2026-03-25T11:58:33Z

/retest

mkosiarc · 2026-03-25T12:45:02Z

/retest

MartinBasti · 2026-03-25T14:39:37Z

task/build-image-index/0.3/MIGRATION.md

+  was not useful.
+- Image reference validation is now stricter and will fail earlier for invalid formats.
+
+## Action from Users


don't we need migration script?

We don't strictly speaking need it, since unused params are just ignored by Tekton. But it would be nice to have one

added migration script

MartinBasti · 2026-03-25T14:43:04Z

IMO we want also this task to be bumped into v3 (it will be just generated) https://github.com/konflux-ci/build-definitions/tree/main/task/build-image-index-min

mkosiarc · 2026-03-26T14:03:31Z

IMO we want also this task to be bumped into v3 (it will be just generated) https://github.com/konflux-ci/build-definitions/tree/main/task/build-image-index-min

bumped

MartinBasti · 2026-03-31T09:12:52Z

task/build-image-index-min/0.3/migrations/0.3.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash


This mgiration scrip is in min task, but we need it in the regular task

Forgot to git add in the regular task, updated.

chmeliik

I think the way we currently pass boolean params is wrong, would be worth manually testing.

Minor comment on the commit message:

Also NOTE!: The build step now needs to be run as root, since the
permissions for the "konflux-build-cli" container are different

This sounds worse than it is - the step always needed to run as root. Previously, root was the default user in the container image, now we just need to set root explicitly

chmeliik · 2026-03-31T09:13:19Z

task/build-image-index/0.3/build-image-index.yaml

+        "--tls-verify" "$TLSVERIFY"
+        "--buildah-format" "$BUILDAH_FORMAT"
+        "--always-build-index" "$ALWAYS_BUILD_INDEX"


I think all the boolean flags need to be in this form: --tls-verify=$TLSVERIFY. Related: konflux-ci/konflux-build-cli#60

I think e2e tests are currently not testing version 0.3. We need to update the version in pipelines/

updated how I pass the booleans + updated the pipelines now

chmeliik · 2026-03-31T09:16:55Z

task/build-image-index/0.3/build-image-index.yaml

+      for image in "$@"; do
+        cli_args+=("--images" "$image")
      done


nitpick: this can just be --images "$@", and we don't even need the cli_args array

updated and removed the cli_args completely

mkosiarc · 2026-03-31T11:23:23Z

I think the way we currently pass boolean params is wrong, would be worth manually testing.

Minor comment on the commit message:

Also NOTE!: The build step now needs to be run as root, since the
permissions for the "konflux-build-cli" container are different

This sounds worse than it is - the step always needed to run as root. Previously, root was the default user in the container image, now we just need to set root explicitly

You are right. Updated the commit message to not sound so alarming and explicitly mentioned that nothing really changed

Start using the konflux-build-cli for building the image index. Related PR: konflux-ci/konflux-build-cli#69 Also NOTE: The build step is now run explicitly as root by using runAsUser: 0, since the permissions for the "konflux-build-cli" container are different and they no longer allow executing the necessary setup steps, like updating the ca-trust. The step was always run with root permissions, now it us just explicitly setup in the tekton step. STONEBLD-4060 Assisted-by: Claude Signed-off-by: mkosiarc <[email protected]>

mkosiarc mentioned this pull request Mar 3, 2026

Implement build image index konflux-ci/konflux-build-cli#69

Merged

mkosiarc force-pushed the build-image-index-in-konflux-cli branch 4 times, most recently from 91100b5 to 8058d27 Compare March 25, 2026 09:46

mkosiarc marked this pull request as ready for review March 25, 2026 11:10

mkosiarc requested review from a team, Allda and jedinym as code owners March 25, 2026 11:10

MartinBasti reviewed Mar 25, 2026

View reviewed changes

mkosiarc force-pushed the build-image-index-in-konflux-cli branch from 8058d27 to a875152 Compare March 25, 2026 14:41

mkosiarc force-pushed the build-image-index-in-konflux-cli branch 2 times, most recently from 10d49b0 to bfab648 Compare March 26, 2026 14:01

mkosiarc force-pushed the build-image-index-in-konflux-cli branch from bfab648 to b902c89 Compare March 31, 2026 08:36

MartinBasti reviewed Mar 31, 2026

View reviewed changes

chmeliik reviewed Mar 31, 2026

View reviewed changes

mkosiarc force-pushed the build-image-index-in-konflux-cli branch from b902c89 to 6f3b6eb Compare March 31, 2026 11:12

mkosiarc requested review from a team, amisstea, avi-biton, eqrx, erdii, gbenhaim and yftacherzog as code owners March 31, 2026 11:12

mkosiarc force-pushed the build-image-index-in-konflux-cli branch from 6f3b6eb to 49a22c3 Compare March 31, 2026 11:17

mkosiarc added 3 commits April 2, 2026 14:11

Initial commit - no changes

144f765

bump the version to 0.3 and remove unused parameters

e0bccbf

mkosiarc force-pushed the build-image-index-in-konflux-cli branch from 49a22c3 to 9dc517a Compare April 2, 2026 12:11

MartinBasti approved these changes Apr 2, 2026

View reviewed changes

Conversation

mkosiarc commented Mar 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

snyk-io bot commented Mar 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Snyk checks have passed. No issues have been found so far.

Uh oh!

mkosiarc commented Mar 3, 2026

Uh oh!

mkosiarc commented Mar 25, 2026

Uh oh!

mkosiarc commented Mar 25, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

MartinBasti commented Mar 25, 2026

Uh oh!

mkosiarc commented Mar 26, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

chmeliik left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

mkosiarc commented Mar 31, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

mkosiarc commented Mar 3, 2026 •

edited

Loading

snyk-io bot commented Mar 3, 2026 •

edited

Loading