
Commit c9933bb

committed
fix: inspect image before continue
1 parent 47d33a3 commit c9933bb

4 files changed

Lines changed: 158 additions & 2 deletions


Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
# publish-index-image pipeline
2+
3+
Tekton pipeline to publish a built FBC index image using skopeo
4+
5+
## Parameters
6+
7+
| Name | Description | Optional | Default value |
8+
|-----------------------|---------------------------------------------------------------------------------------|----------|-----------------------------------------------------------|
9+
| sourceIndex | sourceIndex signing image | No | - |
10+
| targetIndex | targetIndex signing image | No | - |
11+
| targetOcpVersion | target OCP Version of the index image | Yes | "" |
12+
| retries | Number of skopeo retries | Yes | 0 |
13+
| publishingCredentials | The credentials used to access the registries | No | - |
14+
| requestUpdateTimeout | Max seconds waiting for the status update | Yes | 360 |
15+
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
16+
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Pipeline
4+
metadata:
5+
name: inspect-target-index-pipeline
6+
annotations:
7+
tekton.dev/pipelines.minVersion: "0.12.1"
8+
tekton.dev/tags: release
9+
spec:
10+
description: |-
11+
Tekton pipeline to inspect a built FBC target index image using skopeo
12+
params:
13+
- name: targetIndex
14+
type: string
15+
description: targetIndex signing image
16+
- name: inspectCredentials
17+
type: string
18+
description: The credentials used to access the registries
19+
- name: taskGitUrl
20+
type: string
21+
description: The url to the git repo where the release-service-catalog tasks to be used are stored
22+
default: https://github.com/konflux-ci/release-service-catalog.git
23+
- name: taskGitRevision
24+
type: string
25+
description: The revision in the taskGitUrl repo to be used
26+
tasks:
27+
- name: inspect-target-index-task
28+
taskRef:
29+
resolver: "git"
30+
params:
31+
- name: url
32+
value: $(params.taskGitUrl)
33+
- name: revision
34+
value: $(params.taskGitRevision)
35+
- name: pathInRepo
36+
value: tasks/internal/publish-index-image-task/inspect-target-index-task.yaml
37+
params:
38+
- name: targetIndex
39+
value: $(params.targetIndex)
40+
- name: inspectCredentials
41+
value: $(params.publishingCredentials)
42+
results:
43+
- name: requestMessage
44+
value: $(tasks.publish-index-image-task.results.requestMessage)
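Review bot: The task parameter `inspectCredentials` is bound to `$(params.publishingCredentials)`, but this pipeline declares only `targetIndex`, `inspectCredentials`, `taskGitUrl` and `taskGitRevision`, so the reference does not resolve; it should read `value: $(params.inspectCredentials)`. The pipeline result has the same kind of leftover: it reads `$(tasks.publish-index-image-task.results.requestMessage)` while the only task defined here is `inspect-target-index-task`, so it should be `value: $(tasks.inspect-target-index-task.results.requestMessage)`. Both look carried over from the publish pipeline. Either one is likely to make Tekton reject the pipeline or leave `requestMessage` unset, and the caller appears to parse that output for the refreshed digests.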
Lines changed: 70 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,70 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Task
4+
metadata:
5+
name: inspect-target-index-task
6+
annotations:
7+
tekton.dev/pipelines.minVersion: "0.12.1"
8+
tekton.dev/tags: release
9+
spec:
10+
description: |-
11+
Tekton task to inspect a built FBC target index image using skopeo
12+
params:
13+
- name: targetIndex
14+
type: string
15+
description: Target Image pullspec to be inspected
16+
- name: inspectCredentials
17+
type: string
18+
default: "fbc-publishing-credentials"
19+
description: The credentials used to access the registries
20+
- name: caTrustConfigMapName
21+
type: string
22+
description: The name of the ConfigMap to read CA bundle data from
23+
default: trusted-ca
24+
- name: caTrustConfigMapKey
25+
type: string
26+
description: The name of the key in the ConfigMap that contains the CA bundle data
27+
default: ca-bundle.crt
28+
results:
29+
- name: requestMessage
30+
volumes:
31+
- name: inspect-credentials
32+
secret:
33+
secretName: $(params.inspectCredentials)
34+
defaultMode: 0444
35+
- name: trusted-ca
36+
configMap:
37+
name: $(params.caTrustConfigMapName)
38+
items:
39+
- key: $(params.caTrustConfigMapKey)
40+
path: ca-bundle.crt
41+
optional: true
42+
stepTemplate:
43+
volumeMounts:
44+
- name: trusted-ca
45+
mountPath: /mnt/trusted-ca
46+
readOnly: true
47+
steps:
48+
- name: inspect-image
49+
volumeMounts:
50+
- name: inspect-credentials
51+
mountPath: /mnt/inspectCredentials
52+
securityContext:
53+
runAsUser: 1001
54+
image: >-
55+
quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
56+
computeResources:
57+
limits:
58+
memory: 64Mi
59+
requests:
60+
memory: 64Mi
61+
cpu: 400m
62+
script: |
63+
#!/usr/bin/env bash
64+
set -euo pipefail
65+
66+
PATH=/bin:/usr/bin:/usr/local/bin
67+
export PATH
68+
69+
TARGET_INDEX_CREDENTIALS="$(cat /mnt/inspectCredentials/targetIndexCredential)"
70+
skopeo inspect --raw --creds "${TARGET_INDEX_CREDENTIALS}" | jq -c '.' | tee "$(results.requestMessage.path)"
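Review bot: The `skopeo inspect` call in the `inspect-image` step names no image: `targetIndex` is declared as a parameter but never used in the script, so the command has nothing to inspect and the step cannot produce a manifest. Pass the parameter through the step's `env` (for example a `TARGET_INDEX` variable set from `$(params.targetIndex)`) rather than substituting it into the script text, and end the command with `"docker://${TARGET_INDEX}"`. Separately, `--creds "${TARGET_INDEX_CREDENTIALS}"` puts the registry credential on the process command line, where anything able to read process arguments in the pod can see it; if the secret can carry an auth file, `--authfile` avoids that. The `trusted-ca` volume is mounted but not referenced by the script, so confirm the CA bundle is expected to be picked up some other way.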

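--- a/tasks/managed/collect-index-images/collect-index-images.yaml
+++ b/tasks/managed/collect-index-images/collect-index-images.yaml
@@ -120,17 +120,25 @@ spec:
 #!/usr/bin/env bash
 set -eux
 
+DATA_FILE="$(params.dataDir)/$(params.dataPath)"
+if [ ! -f "${DATA_FILE}" ] ; then
+echo "No valid data file was provided."
+exit 1
+fi
+
 RESULTS_FILE=$(params.dataDir)/$(params.internalRequestResultsFile)
 SNAPSHOT_FILE=$(params.dataDir)/index_image_snapshot.json
 jq -n '{"components": []}' | tee "$SNAPSHOT_FILE"
 
+request="inspect-target-index-pipeline"
+credentials=$(jq -r '.fbc.publishingCredentials' "$DATA_FILE")
+pipelinerun_label="internal-services.appstudio.openshift.io/pipelinerun-uid"
+
 LENGTH="$(jq -r '.components | length' "$RESULTS_FILE")"
 for((i=0; i<LENGTH; i++)); do
 TARGETINDEX=$(jq -r --argjson i "$i" '.components[$i].target_index' "$RESULTS_FILE")
 TARGETINDEX_TS=$(jq -r --argjson i "$i" '.components[$i].target_index_with_timestamp' "$RESULTS_FILE")
 SOURCEINDEX=$(jq -r --argjson i "$i" '.components[$i].index_image_resolved' "$RESULTS_FILE")
-IMAGE_DIGESTS=$(jq -c --argjson i "$i" '.components[$i].image_digests // []' "$RESULTS_FILE")
-
 # create pyxis entry for the component for tags in separated
 for TARGET in $TARGETINDEX $TARGETINDEX_TS; do
 REPOSITORY=${TARGET%:*}
@@ -139,6 +147,24 @@ spec:
 TAGS=("${TAG}")
 JSON_TAGS=$(jq -n -c '$ARGS.positional' --args -- "${TAGS[@]}")
 
+IMAGE_DIGESTS=$(jq -c --argjson i "$i" '.components[$i].image_digests // []' "$RESULTS_FILE")
+# inspect the target index to get the up to date digest
+# another paralell IIB build might have changed it.
+# required only when not pre-ga or hotfix.
+if [ "$TARGETINDEX" != "$TARGETINDEX_TS" ]; then
+IR_RESULT_FILE=$(mktemp)
+# inspect the target index to get the up to date digest
+internal-request --pipeline "${request}" \
+-p targetIndex="${TARGETINDEX}" \
+-p inspectCredentials="${credentials}" \
+-p taskGitUrl="$(params.taskGitUrl)" \
+-p taskGitRevision="$(params.taskGitRevision)" \
+-l ${pipelinerun_label}="$(params.pipelineRunUid)" \
+| tee "$IR_RESULT_FILE" || \
+(grep "^\[" "$IR_RESULT_FILE" | jq . && exit 1)
+IMAGE_DIGESTS="$(jq -r '[.manifests[].digest]' "$IR_RESULT_FILE")"
+fi
+
 # Translate target_index to get rh-registry-repo and registry-access-repo
 TRANSLATED=$(translate-delivery-repo "$TARGETINDEX")
 RH_REGISTRY_REPO=$(jq -r '.[] | select(.repo=="redhat.io") | .url' <<< "$TRANSLATED" \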
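Review bot: In the added `internal-request ... | tee "$IR_RESULT_FILE" || (...)` pipeline, the script runs with `set -eux` and no `pipefail`, so the pipeline's status is `tee`'s and a failed internal request never reaches the `||` branch. The following `IMAGE_DIGESTS="$(jq -r '[.manifests[].digest]' "$IR_RESULT_FILE")"` then parses whatever was captured; on empty output `jq` exits 0 and `IMAGE_DIGESTS` ends up empty instead of the run stopping, which defeats the purpose of refreshing the digest before it is recorded. Adding `set -o pipefail` before the call (or extending the existing `set -eux` line) would make the failure path effective. Two smaller points: the new assignment uses `-r` where the previous `IMAGE_DIGESTS` value used `-c`, so the array is now pretty-printed across lines, and the `mktemp` file created on each pass is never removed. The script body starts and ends outside these hunks.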
