
Commit 983d43b

committed
fix: inspect image before continue
1 parent 47d33a3 commit 983d43b

4 files changed

Lines changed: 150 additions & 1 deletion


Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
# publish-index-image pipeline
2+
3+
Tekton pipeline to publish a built FBC index image using skopeo
4+
5+
## Parameters
6+
7+
| Name | Description | Optional | Default value |
8+
|-----------------------|---------------------------------------------------------------------------------------|----------|-----------------------------------------------------------|
9+
| sourceIndex | sourceIndex signing image | No | - |
10+
| targetIndex | targetIndex signing image | No | - |
11+
| targetOcpVersion | target OCP Version of the index image | Yes | "" |
12+
| retries | Number of skopeo retries | Yes | 0 |
13+
| publishingCredentials | The credentials used to access the registries | No | - |
14+
| requestUpdateTimeout | Max seconds waiting for the status update | Yes | 360 |
15+
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
16+
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Pipeline
4+
metadata:
5+
name: inspect-target-index-pipeline
6+
annotations:
7+
tekton.dev/pipelines.minVersion: "0.12.1"
8+
tekton.dev/tags: release
9+
spec:
10+
description: |-
11+
Tekton pipeline to inspect a built FBC target index image using skopeo
12+
params:
13+
- name: targetIndex
14+
type: string
15+
description: targetIndex signing image
16+
- name: inspectCredentials
17+
type: string
18+
description: The credentials used to access the registries
19+
- name: taskGitUrl
20+
type: string
21+
description: The url to the git repo where the release-service-catalog tasks to be used are stored
22+
default: https://github.com/konflux-ci/release-service-catalog.git
23+
- name: taskGitRevision
24+
type: string
25+
description: The revision in the taskGitUrl repo to be used
26+
tasks:
27+
- name: inspect-target-index-task
28+
taskRef:
29+
resolver: "git"
30+
params:
31+
- name: url
32+
value: $(params.taskGitUrl)
33+
- name: revision
34+
value: $(params.taskGitRevision)
35+
- name: pathInRepo
36+
value: tasks/internal/publish-index-image-task/inspect-target-index-task.yaml
37+
params:
38+
- name: targetIndex
39+
value: $(params.targetIndex)
40+
- name: inspectCredentials
41+
value: $(params.publishingCredentials)
42+
results:
43+
- name: requestMessage
44+
value: $(tasks.publish-index-image-task.results.requestMessage)
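Review bot: Two references in this pipeline point at names it does not define. The task param at new line 41 reads `$(params.publishingCredentials)`, but the pipeline declares `inspectCredentials` (new line 16), while the caller in collect-index-images.yaml passes `-p publishingCredentials=…`; and the result at new line 44 reads `$(tasks.publish-index-image-task.results.requestMessage)` although the only task here is `inspect-target-index-task`. Either rename the declared param to `publishingCredentials` or change the caller to match, and set the result to `value: $(tasks.inspect-target-index-task.results.requestMessage)`. Separately, `taskGitRevision` has no default and comes from the requester, so the task code that runs with the registry credentials is whatever revision the caller names; the param description should say it is expected to be a pinned commit.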
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Task
4+
metadata:
5+
name: inspect-target-index-task
6+
annotations:
7+
tekton.dev/pipelines.minVersion: "0.12.1"
8+
tekton.dev/tags: release
9+
spec:
10+
description: |-
11+
Tekton task to inspect a built FBC target index image using skopeo
12+
params:
13+
- name: targetIndex
14+
type: string
15+
description: Target Image pullspec to be inspected
16+
- name: inspectCredentials
17+
type: string
18+
default: "fbc-publishing-credentials"
19+
description: The credentials used to access the registries
20+
- name: caTrustConfigMapName
21+
type: string
22+
description: The name of the ConfigMap to read CA bundle data from
23+
default: trusted-ca
24+
- name: caTrustConfigMapKey
25+
type: string
26+
description: The name of the key in the ConfigMap that contains the CA bundle data
27+
default: ca-bundle.crt
28+
results:
29+
- name: requestMessage
30+
volumes:
31+
- name: inspect-credentials
32+
secret:
33+
secretName: $(params.inspectCredentials)
34+
defaultMode: 0444
35+
- name: trusted-ca
36+
configMap:
37+
name: $(params.caTrustConfigMapName)
38+
items:
39+
- key: $(params.caTrustConfigMapKey)
40+
path: ca-bundle.crt
41+
optional: true
42+
stepTemplate:
43+
volumeMounts:
44+
- name: trusted-ca
45+
mountPath: /mnt/trusted-ca
46+
readOnly: true
47+
steps:
48+
- name: inspect-image
49+
volumeMounts:
50+
- name: inspect-credentials
51+
mountPath: /mnt/inspectCredentials
52+
securityContext:
53+
runAsUser: 1001
54+
image: >-
55+
quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
56+
computeResources:
57+
limits:
58+
memory: 64Mi
59+
requests:
60+
memory: 64Mi
61+
cpu: 400m
62+
script: |
63+
#!/usr/bin/env bash
64+
set -euo pipefail
65+
66+
PATH=/bin:/usr/bin:/usr/local/bin
67+
export PATH
68+
69+
TARGET_INDEX_CREDENTIALS="$(cat /mnt/inspectCredentials/targetIndexCredential)"
70+
skopeo inspect --raw --creds "${TARGET_INDEX_CREDENTIAL}" | jq -c '.' | tee "$(results.requestMessage.path)"
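Review bot: The `inspect-image` script cannot succeed as written: new line 69 assigns `TARGET_INDEX_CREDENTIALS` but new line 70 expands `${TARGET_INDEX_CREDENTIAL}`, which aborts under `set -u`, and `skopeo inspect` is given no image reference, so the `targetIndex` param is never used. I would make the variable names agree and pass the pullspec through the step's `env` rather than interpolating it into the script text, e.g. `skopeo inspect --raw --creds "${TARGET_INDEX_CREDENTIAL}" "docker://${TARGET_INDEX}"`. Passing the secret with `--creds` also places it in the process argument list; reading it from an auth file (`--authfile`) built from the mounted secret would keep it out of argv. The `trusted-ca` volume is mounted by `stepTemplate`, but nothing in the script points skopeo at `/mnt/trusted-ca`, so a comment or the missing wiring is needed there.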

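--- a/tasks/managed/collect-index-images/collect-index-images.yaml
+++ b/tasks/managed/collect-index-images/collect-index-images.yaml
@@ -130,7 +130,6 @@ spec:
 TARGETINDEX_TS=$(jq -r --argjson i "$i" '.components[$i].target_index_with_timestamp' "$RESULTS_FILE")
 SOURCEINDEX=$(jq -r --argjson i "$i" '.components[$i].index_image_resolved' "$RESULTS_FILE")
 IMAGE_DIGESTS=$(jq -c --argjson i "$i" '.components[$i].image_digests // []' "$RESULTS_FILE")
-
 # create pyxis entry for the component for tags in separated
 for TARGET in $TARGETINDEX $TARGETINDEX_TS; do
 REPOSITORY=${TARGET%:*}
@@ -139,6 +138,26 @@ spec:
 TAGS=("${TAG}")
 JSON_TAGS=$(jq -n -c '$ARGS.positional' --args -- "${TAGS[@]}")
 
+# inspect the target index to get the up to date digest
+# another paralell IIB build might have changed it.
+# required only when not pre-ga or hotfix.
+if [ "$TARGETINDEX" != "$TARGETINDEX_TS" ]; then
+IR_RESULT_FILE=$(mktemp)
+# inspect the target index to get the up to date digest
+internal-request --pipeline "${request}" \
+-p targetIndex="${TARGETINDEX}" \
+-p publishingCredentials="${credentials}" \
+-p taskGitUrl="$(params.taskGitUrl)" \
+-p taskGitRevision="$(params.taskGitRevision)" \
+--pipeline-timeout "${pipelineTimeout}" \
+--task-timeout "$taskTimeout" \
+-l ${pipelinerun_label}="$(params.pipelineRunUid)" \
+| tee "$IR_RESULT_FILE" || \
+(grep "^\[" "$IR_RESULT_FILE" | jq . && exit 1)
+
+IMAGE_DIGESTS="$(jq -r '[.manifests[].digest]' "$IR_RESULT_FILE")"
+fi
+
 # Translate target_index to get rh-registry-repo and registry-access-repo
 TRANSLATED=$(translate-delivery-repo "$TARGETINDEX")
 RH_REGISTRY_REPO=$(jq -r '.[] | select(.repo=="redhat.io") | .url' <<< "$TRANSLATED" \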
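Review bot: The new `IMAGE_DIGESTS` assignment at new line 158 trusts whatever the internal request wrote to `$IR_RESULT_FILE`: nothing checks that the file is a manifest list, that the array is non-empty, or that each entry is a well-formed digest, yet these values replace the digests read from `$RESULTS_FILE` earlier. A single-manifest image makes `.manifests[]` fail, and the `grep "^\["` fallback suggests the file may also carry log lines, in which case jq would not parse it at all (inferred; the internal-request output format is not visible here). I would validate before use, e.g. `IMAGE_DIGESTS=$(jq -c '[.manifests[]?.digest | select(test("^sha256:[0-9a-f]{64}$"))]' "$IR_RESULT_FILE")` followed by `[ "$IMAGE_DIGESTS" != "[]" ] || { echo "no digests for $TARGETINDEX" >&2; exit 1; }`, which also keeps the compact `-c` form of the original assignment. Note also that `exit 1` inside `( … )` leaves only the subshell, so whether a failed request stops the task depends on shell options set outside the hunk; the enclosing `for` loop starts and ends outside it too.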
