
Commit 6544d08

fix(KONFLUX-12379): fix inspect-target-index and collect-index-images
- inspect-target-index-task: add missing targetIndex parameter to skopeo
- collect-index-images: fix IMAGE_DIGESTS handling
- Save original digests from IIB build before loop
- Reset to original digests at start of each iteration
- Inspect base tag only (not timestamped tag) for regular releases
- Extract InternalRequest result properly from kubectl
- Base tag gets fresh digests, timestamped tag uses original

Assisted-By: Claude
Signed-off-by: Leandro Mendes <lmendes@redhat.com>
1 parent d07cfb7 commit 6544d08

7 files changed

Lines changed: 187 additions & 1 deletion

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
# inspect-target-index pipeline
2+
3+
Tekton pipeline to inspect a built FBC target index image using skopeo
4+
5+
## Parameters
6+
7+
| Name | Description | Optional | Default value |
8+
|--------------------|---------------------------------------------------------------------------------------|----------|-----------------------------------------------------------|
9+
| targetIndex | targetIndex signing image | No | - |
10+
| inspectCredentials | The credentials used to access the registries | No | - |
11+
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
12+
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
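Review bot: the targetIndex row describes the parameter as "targetIndex signing image", which does not tell a caller what value to pass. The task README added in this commit describes the same parameter as "Target Image pullspec to be inspected"; use that wording here and in the matching `description:` of the pipeline YAML so the two documents agree.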
Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Pipeline
4+
metadata:
5+
name: inspect-target-index-pipeline
6+
annotations:
7+
tekton.dev/pipelines.minVersion: "0.12.1"
8+
tekton.dev/tags: release
9+
spec:
10+
description: |-
11+
Tekton pipeline to inspect a built FBC target index image using skopeo
12+
params:
13+
- name: targetIndex
14+
type: string
15+
description: targetIndex signing image
16+
- name: inspectCredentials
17+
type: string
18+
description: The credentials used to access the registries
19+
- name: taskGitUrl
20+
type: string
21+
description: The url to the git repo where the release-service-catalog tasks to be used are stored
22+
default: https://github.com/konflux-ci/release-service-catalog.git
23+
- name: taskGitRevision
24+
type: string
25+
description: The revision in the taskGitUrl repo to be used
26+
tasks:
27+
- name: inspect-target-index-task
28+
taskRef:
29+
resolver: "git"
30+
params:
31+
- name: url
32+
value: $(params.taskGitUrl)
33+
- name: revision
34+
value: $(params.taskGitRevision)
35+
- name: pathInRepo
36+
value: tasks/internal/inspect-target-index-task/inspect-target-index-task.yaml
37+
params:
38+
- name: targetIndex
39+
value: $(params.targetIndex)
40+
- name: inspectCredentials
41+
value: $(params.inspectCredentials)
42+
results:
43+
- name: requestMessage
44+
value: $(tasks.inspect-target-index-task.results.requestMessage)

pipelines/managed/fbc-release/fbc-release.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -561,8 +561,12 @@ spec:
561561
- name: pathInRepo
562562
value: tasks/managed/collect-index-images/collect-index-images.yaml
563563
params:
564+
- name: dataPath
565+
value: "$(tasks.collect-data.results.data)"
564566
- name: internalRequestResultsFile
565567
value: $(tasks.add-fbc-contribution-to-index-image.results.internalRequestResultsFile)
568+
- name: pipelineRunUid
569+
value: $(context.pipelineRun.uid)
566570
- name: ociStorage
567571
value: $(params.ociStorage)
568572
- name: sourceDataArtifact
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
# inspect-target-index-task
2+
3+
Tekton task to inspect a built FBC target index image using skopeo
4+
5+
## Parameters
6+
7+
| Name | Description | Optional | Default value |
8+
|----------------------|-----------------------------------------------------------------------|----------|----------------------------|
9+
| targetIndex | Target Image pullspec to be inspected | No | - |
10+
| inspectCredentials | The credentials used to access the registries | Yes | fbc-publishing-credentials |
11+
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
12+
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
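Review bot: the inspectCredentials row does not say which key the secret must contain. The task script in this commit reads `/mnt/inspectCredentials/targetIndexCredential` and hands its content to `skopeo inspect --creds`, so the row should state that the secret needs a `targetIndexCredential` key holding a value in the username:password form that `--creds` takes. The `requestMessage` result is also undocumented; a short Results section saying it carries the raw manifest JSON would help consumers.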
Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,71 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Task
4+
metadata:
5+
name: inspect-target-index-task
6+
annotations:
7+
tekton.dev/pipelines.minVersion: "0.12.1"
8+
tekton.dev/tags: release
9+
spec:
10+
description: |-
11+
Tekton task to inspect a built FBC target index image using skopeo
12+
params:
13+
- name: targetIndex
14+
type: string
15+
description: Target Image pullspec to be inspected
16+
- name: inspectCredentials
17+
type: string
18+
default: "fbc-publishing-credentials"
19+
description: The credentials used to access the registries
20+
- name: caTrustConfigMapName
21+
type: string
22+
description: The name of the ConfigMap to read CA bundle data from
23+
default: trusted-ca
24+
- name: caTrustConfigMapKey
25+
type: string
26+
description: The name of the key in the ConfigMap that contains the CA bundle data
27+
default: ca-bundle.crt
28+
results:
29+
- name: requestMessage
30+
volumes:
31+
- name: inspect-credentials
32+
secret:
33+
secretName: $(params.inspectCredentials)
34+
defaultMode: 0444
35+
- name: trusted-ca
36+
configMap:
37+
name: $(params.caTrustConfigMapName)
38+
items:
39+
- key: $(params.caTrustConfigMapKey)
40+
path: ca-bundle.crt
41+
optional: true
42+
stepTemplate:
43+
volumeMounts:
44+
- name: trusted-ca
45+
mountPath: /mnt/trusted-ca
46+
readOnly: true
47+
steps:
48+
- name: inspect-image
49+
volumeMounts:
50+
- name: inspect-credentials
51+
mountPath: /mnt/inspectCredentials
52+
securityContext:
53+
runAsUser: 1001
54+
image: >-
55+
quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
56+
computeResources:
57+
limits:
58+
memory: 64Mi
59+
requests:
60+
memory: 64Mi
61+
cpu: 400m
62+
script: |
63+
#!/usr/bin/env bash
64+
set -euo pipefail
65+
66+
PATH=/bin:/usr/bin:/usr/local/bin
67+
export PATH
68+
69+
TARGET_INDEX_CREDENTIALS="$(cat /mnt/inspectCredentials/targetIndexCredential)"
70+
skopeo inspect --raw --creds "${TARGET_INDEX_CREDENTIALS}" "docker://$(params.targetIndex)" \
71+
| jq -c '.' | tee "$(results.requestMessage.path)"
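Review bot: on the `skopeo inspect` line, `$(params.targetIndex)` is substituted by Tekton into the script text before bash runs, so a value containing a double quote or `$(...)` is parsed as shell, not as data. Bind the parameter to an environment variable in the step's `env:` (for example `TARGET_INDEX`) and reference `"docker://${TARGET_INDEX}"` in the script. Two smaller points in the same step: the `trusted-ca` volume is mounted at `/mnt/trusted-ca` but nothing in the script points skopeo at that bundle, so the mount has no effect as written; and `--creds "${TARGET_INDEX_CREDENTIALS}"` places the credential in the process arguments, where an auth file would keep it out of them. Since the only consumer in this commit reads `.manifests[].digest`, consider emitting just the digest list to `requestMessage` rather than the whole manifest.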

tasks/managed/collect-index-images/README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,8 @@ Tekton task that generates a JSON file to be used to create pyxis image for inde
1313
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
1414
| sourceDataArtifact | Location of trusted artifacts to be used to populate data directory | Yes | "" |
1515
| dataDir | The location where data will be stored | Yes | /var/workdir/release |
16+
| dataPath | Path to the JSON string of the merged data to use in the data workspace | No | - |
17+
| pipelineRunUid | The uid of the current pipelineRun. Used as a label value when creating internal requests | No | - |
1618
| taskGitUrl | The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored | No | - |
1719
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
1820
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |

tasks/managed/collect-index-images/collect-index-images.yaml

Lines changed: 42 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,12 @@ spec:
3838
description: The location where data will be stored
3939
type: string
4040
default: /var/workdir/release
41+
- name: dataPath
42+
description: Path to the JSON string of the merged data to use in the data workspace
43+
type: string
44+
- name: pipelineRunUid
45+
type: string
46+
description: The uid of the current pipelineRun. Used as a label value when creating internal requests
4147
- name: taskGitUrl
4248
type: string
4349
description: The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored
@@ -120,16 +126,28 @@ spec:
120126
#!/usr/bin/env bash
121127
set -eux
122128
129+
DATA_FILE="$(params.dataDir)/$(params.dataPath)"
130+
if [ ! -f "${DATA_FILE}" ] ; then
131+
echo "No valid data file was provided."
132+
exit 1
133+
fi
134+
123135
RESULTS_FILE=$(params.dataDir)/$(params.internalRequestResultsFile)
124136
SNAPSHOT_FILE=$(params.dataDir)/index_image_snapshot.json
125137
jq -n '{"components": []}' | tee "$SNAPSHOT_FILE"
126138
139+
request="inspect-target-index-pipeline"
140+
credentials=$(jq -r '.fbc.publishingCredentials' "$DATA_FILE")
141+
pipelinerun_label="internal-services.appstudio.openshift.io/pipelinerun-uid"
142+
127143
LENGTH="$(jq -r '.components | length' "$RESULTS_FILE")"
128144
for((i=0; i<LENGTH; i++)); do
129145
TARGETINDEX=$(jq -r --argjson i "$i" '.components[$i].target_index' "$RESULTS_FILE")
130146
TARGETINDEX_TS=$(jq -r --argjson i "$i" '.components[$i].target_index_with_timestamp' "$RESULTS_FILE")
131147
SOURCEINDEX=$(jq -r --argjson i "$i" '.components[$i].index_image_resolved' "$RESULTS_FILE")
132-
IMAGE_DIGESTS=$(jq -c --argjson i "$i" '.components[$i].image_digests // []' "$RESULTS_FILE")
148+
149+
# Save original digests from IIB build
150+
ORIGINAL_IMAGE_DIGESTS=$(jq -c --argjson i "$i" '.components[$i].image_digests // []' "$RESULTS_FILE")
133151
134152
# create pyxis entry for the component for tags in separated
135153
for TARGET in $TARGETINDEX $TARGETINDEX_TS; do
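Review bot: at `credentials=$(jq -r '.fbc.publishingCredentials' "$DATA_FILE")` there is no check for a missing key. `jq -r` prints the string `null` in that case, and that string is then passed as `inspectCredentials` to the internal request, so the failure surfaces later and far from its cause. Fail here instead, either with `jq -er` (non-zero exit on null, which `set -e` turns into an abort) or with an explicit test and an error message in the style of the `DATA_FILE` check above it.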
@@ -139,6 +157,29 @@ spec:
139157
TAGS=("${TAG}")
140158
JSON_TAGS=$(jq -n -c '$ARGS.positional' --args -- "${TAGS[@]}")
141159
160+
# Reset to original digests for this iteration
161+
IMAGE_DIGESTS="$ORIGINAL_IMAGE_DIGESTS"
162+
163+
# Inspect the target index to get the up to date digest
164+
# another paralell IIB build might have changed it.
165+
# Required only for base tag on regular releases (not pre-ga or hotfix).
166+
if [ "$TARGETINDEX" != "$TARGETINDEX_TS" ] && [ "$TARGET" = "$TARGETINDEX" ]; then
167+
IR_RESULT_FILE=$(mktemp)
168+
internal-request --pipeline "${request}" \
169+
-p targetIndex="${TARGETINDEX}" \
170+
-p inspectCredentials="${credentials}" \
171+
-p taskGitUrl="$(params.taskGitUrl)" \
172+
-p taskGitRevision="$(params.taskGitRevision)" \
173+
-l ${pipelinerun_label}="$(params.pipelineRunUid)" \
174+
| tee "$IR_RESULT_FILE" || \
175+
(grep "^\[" "$IR_RESULT_FILE" | jq . && exit 1)
176+
177+
internalRequest=$(awk -F"'" '/created/ { print $2 }' "$IR_RESULT_FILE")
178+
results=$(kubectl get internalrequest "${internalRequest}" -o=jsonpath='{.status.results}')
179+
requestMessage=$(echo "${results}" | jq -r '.requestMessage // ""')
180+
IMAGE_DIGESTS=$(jq -c '[.manifests[].digest]' <<< "$requestMessage")
181+
fi
182+
142183
# Translate target_index to get rh-registry-repo and registry-access-repo
143184
TRANSLATED=$(translate-delivery-repo "$TARGETINDEX")
144185
RH_REGISTRY_REPO=$(jq -r '.[] | select(.repo=="redhat.io") | .url' <<< "$TRANSLATED" \
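Review bot: in the `internal-request ... | tee "$IR_RESULT_FILE" || (...)` block, the error branch is effectively unreachable. The script runs under `set -eux` without `pipefail`, so the pipeline's exit status is that of `tee`, and a failing `internal-request` never triggers the `||` side. Enable `set -o pipefail` or test `${PIPESTATUS[0]}` after the pipeline. The lines after it have a related gap: `.requestMessage // ""` turns a missing result into an empty string, and `jq -c '[.manifests[].digest]'` on empty input prints nothing and exits 0, so `IMAGE_DIGESTS` ends up empty with no error. Check that `internalRequest` and `requestMessage` are non-empty and either exit or keep `ORIGINAL_IMAGE_DIGESTS`. Minor: `-l ${pipelinerun_label}=...` is unquoted, the `mktemp` file is never removed, and the comment has a typo ("paralell").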
