12 changes: 12 additions & 0 deletions pipelines/internal/inspect-target-index-pipeline/README.md
@@ -0,0 +1,12 @@
# inspect-target-index pipeline

Tekton pipeline to inspect a built FBC target index image using skopeo

## Parameters

| Name | Description | Optional | Default value |
|--------------------|---------------------------------------------------------------------------------------|----------|-----------------------------------------------------------|
| targetIndex | targetIndex signing image | No | - |
| inspectCredentials | The credentials used to access the registries | No | - |
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
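Review bot: The `targetIndex` row describes the parameter as "targetIndex signing image", which does not match a pipeline that inspects an index image with skopeo; reuse the wording from the task README, "Target Image pullspec to be inspected". The `inspectCredentials` row should also state that the value is the name of a Secret, because the task consumes it as `secretName: $(params.inspectCredentials)` and a reader could otherwise take it for the credential itself.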
@@ -0,0 +1,44 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: inspect-target-index-pipeline
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
spec:
description: |-
Tekton pipeline to inspect a built FBC target index image using skopeo
params:
- name: targetIndex
type: string
description: targetIndex signing image
- name: inspectCredentials
type: string
description: The credentials used to access the registries
- name: taskGitUrl
type: string
description: The url to the git repo where the release-service-catalog tasks to be used are stored
default: https://github.com/konflux-ci/release-service-catalog.git
- name: taskGitRevision
type: string
description: The revision in the taskGitUrl repo to be used
tasks:
- name: inspect-target-index-task
taskRef:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/internal/inspect-target-index-task/inspect-target-index-task.yaml
params:
- name: targetIndex
value: $(params.targetIndex)
- name: inspectCredentials
value: $(params.inspectCredentials)
results:
- name: requestMessage
value: $(tasks.inspect-target-index-task.results.requestMessage)
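Review bot: `taskGitRevision` has no default and is handed straight to the git resolver, so the task that reads the registry credential is whatever that ref resolves to at run time; document in the param description that callers should pass a commit SHA rather than a branch name. Separately, `inspectCredentials` is required here while the task defaults it to `fbc-publishing-credentials`; give the pipeline param the same default or drop the task default so the value has one source of truth.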
10 changes: 4 additions & 6 deletions pipelines/managed/fbc-release/fbc-release.yaml
Expand Up @@ -494,8 +494,6 @@ spec:
- name: pathInRepo
value: tasks/managed/extract-index-image/extract-index-image.yaml
params:
- name: inputDataFile
value: $(tasks.add-fbc-contribution-to-index-image.results.requestResultsFile)
- name: resultsDirPath
value: "$(tasks.collect-data.results.resultsDir)"
- name: ociStorage
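Review bot: Dropping `inputDataFile` from the extract-index-image call only works if the task no longer declares that parameter as required, and the diff shown here carries no change to `tasks/managed/extract-index-image/extract-index-image.yaml`. Confirm that the task change is part of this PR, or that the parameter has a default, and say in the PR description where the task now gets the index image from.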
Expand Down Expand Up @@ -529,8 +527,6 @@ spec:
value: "$(tasks.collect-data.results.data)"
- name: internalRequestResultsFile
value: $(tasks.add-fbc-contribution-to-index-image.results.internalRequestResultsFile)
- name: buildTimestamp
value: $(tasks.add-fbc-contribution-to-index-image.results.buildTimestamp)
- name: retries
value: "3"
- name: pipelineRunUid
Expand Down Expand Up @@ -565,10 +561,12 @@ spec:
- name: pathInRepo
value: tasks/managed/collect-index-images/collect-index-images.yaml
params:
- name: buildTimestamp
value: $(tasks.add-fbc-contribution-to-index-image.results.buildTimestamp)
- name: dataPath
value: "$(tasks.collect-data.results.data)"
- name: internalRequestResultsFile
value: $(tasks.add-fbc-contribution-to-index-image.results.internalRequestResultsFile)
- name: pipelineRunUid
value: $(context.pipelineRun.uid)
- name: ociStorage
value: $(params.ociStorage)
- name: sourceDataArtifact
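Review bot: The two parameters added to the collect-index-images call, `internalRequestResultsFile` and `pipelineRunUid`, must be declared by the task, and no change to `tasks/managed/collect-index-images/collect-index-images.yaml` appears in the diff shown here. Since `buildTimestamp` is also removed from the add-fbc-contribution results in this PR, search the pipeline for any remaining `$(tasks.add-fbc-contribution-to-index-image.results.buildTimestamp)` reference, which would no longer resolve.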
12 changes: 12 additions & 0 deletions tasks/internal/inspect-target-index-task/README.md
@@ -0,0 +1,12 @@
# inspect-target-index-task

Tekton task to inspect a built FBC target index image using skopeo

## Parameters

| Name | Description | Optional | Default value |
|----------------------|-----------------------------------------------------------------------|----------|----------------------------|
| targetIndex | Target Image pullspec to be inspected | No | - |
| inspectCredentials | The credentials used to access the registries | Yes | fbc-publishing-credentials |
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
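Review bot: The README omits two things a caller needs: the `requestMessage` result, and the key the Secret must contain. The script reads `/mnt/inspectCredentials/targetIndexCredential`, so the Secret named by `inspectCredentials` has to provide a `targetIndexCredential` key; note that in the `inspectCredentials` row and add a Results section describing the `digest` and `labels` fields written to `requestMessage`.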
@@ -0,0 +1,71 @@
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: inspect-target-index-task
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
spec:
description: |-
Tekton task to inspect a built FBC target index image using skopeo
params:
- name: targetIndex
type: string
description: Target Image pullspec to be inspected
- name: inspectCredentials
type: string
default: "fbc-publishing-credentials"
description: The credentials used to access the registries
- name: caTrustConfigMapName
type: string
description: The name of the ConfigMap to read CA bundle data from
default: trusted-ca
- name: caTrustConfigMapKey
type: string
description: The name of the key in the ConfigMap that contains the CA bundle data
default: ca-bundle.crt
results:
- name: requestMessage
volumes:
- name: inspect-credentials
secret:
secretName: $(params.inspectCredentials)
defaultMode: 0444
- name: trusted-ca
configMap:
name: $(params.caTrustConfigMapName)
items:
- key: $(params.caTrustConfigMapKey)
path: ca-bundle.crt
optional: true
stepTemplate:
volumeMounts:
- name: trusted-ca
mountPath: /mnt/trusted-ca
readOnly: true
steps:
- name: inspect-image
volumeMounts:
- name: inspect-credentials
mountPath: /mnt/inspectCredentials
securityContext:
runAsUser: 1001
image: >-
quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
computeResources:
limits:
memory: 64Mi
requests:
memory: 64Mi
cpu: 400m
script: |
#!/usr/bin/env bash
set -euo pipefail

PATH=/bin:/usr/bin:/usr/local/bin
export PATH

TARGET_INDEX_CREDENTIALS="$(cat /mnt/inspectCredentials/targetIndexCredential)"
skopeo inspect --creds "${TARGET_INDEX_CREDENTIALS}" "docker://$(params.targetIndex)" \
| jq -c '{ "digest": .Digest, "labels": .Labels }' | tee "$(results.requestMessage.path)"
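Review bot: In the `inspect-image` script the registry credential is passed as `--creds "${TARGET_INDEX_CREDENTIALS}"`, which places it in the skopeo argument list where it is readable from the process table; prefer storing an auth file in the Secret and calling `skopeo inspect --authfile` on the mounted path. The `trusted-ca` volume is mounted at `/mnt/trusted-ca` but nothing in the script points skopeo at it, so either wire it in or drop the two CA params. The `requestMessage` result has no `description`, and because it carries every image label it can run into Tekton's result size limit for images with many labels; consider emitting only the labels the caller needs.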
41 changes: 33 additions & 8 deletions tasks/managed/add-fbc-contribution/add-fbc-contribution.yaml
Expand Up @@ -100,8 +100,6 @@ spec:
description: The name of the key in the ConfigMap that contains the CA bundle data
default: ca-bundle.crt
results:
- name: buildTimestamp
description: Build timestamp used in the tag
- name: requestResultsFile
description: Internal Request results file
- name: internalRequestResultsFile
Expand Down Expand Up @@ -211,9 +209,6 @@ spec:
mustPublishIndexImage="$(params.mustPublishIndexImage)"
mustOverwriteFromIndexImage="$(params.mustOverwriteFromIndexImage)"

timestamp_format=$(jq -r '.fbc.timestampFormat // "%s"' "${DATA_FILE}")
timestamp=$(date "+${timestamp_format}")

# Extract OCP versions from snapshot
ocp_versions=$(jq -r '.components[].ocpVersion' "$SNAPSHOT_PATH" | sort -u)
echo "INFO: Found OCP versions: $(echo "$ocp_versions" | tr '\n' ' ')"
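Review bot: Removing the read of `.fbc.timestampFormat` here means that data key is silently ignored from now on, and the later `^[0-9]{10}$` check fixes the tag suffix to epoch seconds. State that in the task README and changelog, and remove the key from the data schema or reject it explicitly so a release that still sets a custom format does not get a different tag without notice.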
Expand All @@ -223,8 +218,6 @@ spec:
echo " - mustOverwriteFromIndexImage: ${mustOverwriteFromIndexImage}"
echo " - iibServiceAccountSecret: ${iib_service_account_secret}"

# Initialize results file for multi-OCP processing
echo -n "$timestamp" > "$(results.buildTimestamp.path)"
jq -n '{"components": []}' | tee "$RESULTS_FILE"

# Snapshot validation for multi-OCP processing
Expand Down Expand Up @@ -472,10 +465,40 @@ spec:
# Process results for each fragment in this batch
local decompressed_json_build_info
decompressed_json_build_info="$(jq -r '.jsonBuildInfo' <<< "${results}" | base64 -d | gunzip)"

# Extract and validate completion_time from IIB build info
local completion_time_raw
completion_time_raw="$(jq -r '.updated' <<< "${decompressed_json_build_info}")"

if [[ -z "${completion_time_raw}" || "${completion_time_raw}" == "null" ]]; then
echo "ERROR: completion_time not found in IIB build info"
return 1
fi

echo "INFO: Extracting completion_time from IIB build info"
echo " Raw value: ${completion_time_raw}"

local completion_time
completion_time=$(date +"${timestamp_format}" -d "${completion_time_raw}")
if ! completion_time=$(date +"%s" -d "${completion_time_raw}"); then
echo "ERROR: Failed to parse completion_time: ${completion_time_raw}"
echo "Date conversion error: ${completion_time}"
return 1
fi
echo " Epoch timestamp: ${completion_time}"

# Ensure completion_time contains ten digits
if [[ ! "${completion_time}" =~ ^[0-9]{10}$ ]]; then
echo "ERROR: Invalid completion_time format (expected 10 digits): ${completion_time}"
return 1
fi

# timestamped_target_index is the target_index with completion_time, unless
# for hotfix or pre-ga which already has it and can be the same.
if [[ "$group_target_index" =~ .*[0-9]{10}$ ]]; then
target_index_with_timestamp="$group_target_index"
else
target_index_with_timestamp="$group_target_index-${completion_time}"
fi

# Process fragments in batch
local fragment_index=0
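Review bot: The first assignment, `completion_time=$(date +"${timestamp_format}" -d "${completion_time_raw}")`, should be deleted: `timestamp_format` is removed earlier in this change, so the line expands to `date +"" -d ...` (or aborts if the script runs under `set -u`), it sits outside the `if !` guard so a failure there is not handled by the error branch below, and its value is overwritten by the `date +"%s"` call on the next line. In the error branch `${completion_time}` holds the stdout of `date`, which is empty on failure, so the "Date conversion error:" line prints nothing useful; capture stderr or drop that echo. The comment above the `^[0-9]{10}$` check should also say that it is tied to ten-digit epoch seconds, since the `.*[0-9]{10}$` test on `group_target_index` relies on the same assumption.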
Expand All @@ -488,12 +511,14 @@ spec:
build_results=$(jq \
--arg fragment "$fragment" \
--arg target_index "$group_target_index" \
--arg target_index_with_timestamp "$target_index_with_timestamp" \
--arg ocp_version "$group_ocp_version" \
--arg completion_time "$completion_time" \
--argjson decompressed_json "${decompressed_json_build_info}" \
'{
"fbc_fragment": $fragment,
"target_index": $target_index,
"target_index_with_timestamp": $target_index_with_timestamp,
"ocp_version": $ocp_version,
"image_digests": (.indexImageDigests | split(" ") | del(.[] | select(. == ""))),
"index_image": $decompressed_json.index_image,
2 changes: 1 addition & 1 deletion tasks/managed/add-fbc-contribution/tests/mocks.sh
Expand Up @@ -133,7 +133,7 @@ function date() {
"+%Y-%m-%dT%H:%M:%SZ")
echo "2023-10-10T15:00:00Z" |tee $(params.dataDir)/mock_date_iso_format.txt
;;
"+%s")
"+%s"*)
echo "1696946200" | tee $(params.dataDir)/mock_date_epoch.txt
;;
"-u +%Hh%Mm%Ss -d @"*)
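Review bot: The widened pattern `"+%s"*)` makes the mock return `1696946200` for any call that starts with `+%s`, whatever follows `-d`, so the tests cannot tell whether the `.updated` value from the IIB build info was actually passed to `date`, and the parse-failure branch in the task is never exercised. Write the received arguments to the mock output file so a test can assert on them, and add a case that returns non-zero for an unparsable date.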