netobserv · jotak · Mar 19, 2025 · Mar 19, 2025 · Mar 19, 2025
diff --git a/.tekton/netobserv-ebpf-agent-pull-request.yaml b/.tekton/netobserv-ebpf-agent-pull-request.yaml
@@ -26,24 +26,11 @@ spec:
     value: quay.io/redhat-user-workloads/ocp-network-observab-tenant/netobserv-operator/netobserv-ebpf-agent:on-pr-{{revision}}
   - name: image-expires-after
     value: 5d
+  - name: build-args-file
+    value: Dockerfile-args.downstream
   - name: dockerfile
     value: Dockerfile.downstream
+  - name: build-platforms
+    value: ["linux/x86_64"]
   pipelineRef:
     name: build-pipeline
-  taskRunTemplate: {}
-  workspaces:
-  - name: workspace
-    volumeClaimTemplate:
-      metadata:
-        creationTimestamp: null
-      spec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-      status: {}
-  - name: git-auth
-    secret:
-      secretName: '{{ git_auth_secret }}'
-status: {}
diff --git a/.tekton/netobserv-ebpf-agent-push.yaml b/.tekton/netobserv-ebpf-agent-push.yaml
@@ -6,7 +6,7 @@ metadata:
     build.appstudio.redhat.com/commit_sha: '{{revision}}'
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/max-keep-runs: "3"
-    build.appstudio.openshift.io/build-nudge-files: "hack/container_digest.sh"
+    build.appstudio.openshift.io/build-nudge-files: "hack/nudging/container_digest.sh"
     pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
       == "main"
   creationTimestamp: null
@@ -24,24 +24,11 @@ spec:
     value: '{{revision}}'
   - name: output-image
     value: quay.io/redhat-user-workloads/ocp-network-observab-tenant/netobserv-operator/netobserv-ebpf-agent:{{revision}}
+  - name: image-expires-after
+    value: 14d
+  - name: build-args-file
+    value: Dockerfile-args.downstream
   - name: dockerfile
     value: Dockerfile.downstream
   pipelineRef:
     name: build-pipeline
-  taskRunTemplate: {}
-  workspaces:
-  - name: workspace
-    volumeClaimTemplate:
-      metadata:
-        creationTimestamp: null
-      spec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-      status: {}
-  - name: git-auth
-    secret:
-      secretName: '{{ git_auth_secret }}'
-status: {}
diff --git a/.tekton/pipeline-ref.yaml b/.tekton/pipeline-ref.yaml
@@ -247,7 +247,6 @@ spec:
       operator: in
       values:
       - "true"
-
   - name: build-source-image
     params:
     - name: BINARY_IMAGE
@@ -298,20 +297,20 @@ spec:
       operator: in
       values:
       - "false"
-  - name: clair-scan
+  - name: rpms-signature-scan
     params:
-    - name: image-digest
-      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     - name: image-url
       value: $(tasks.build-image-index.results.IMAGE_URL)
+    - name: image-digest
+      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     runAfter:
     - build-image-index
     taskRef:
       params:
       - name: name
-        value: clair-scan
+        value: rpms-signature-scan
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:03383b5a8674edef0ae184dd81f00386017624a5af255cb0b5803d7659483ba5
+        value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d00d159c370e3c99447516970c316ef57dfd27c29e0ce3cff50727c9c40936d8
       - name: kind
         value: task
       resolver: bundles
@@ -320,18 +319,20 @@ spec:
       operator: in
       values:
       - "false"
-  - name: ecosystem-cert-preflight-checks
+  - name: clair-scan
     params:
+    - name: image-digest
+      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     - name: image-url
       value: $(tasks.build-image-index.results.IMAGE_URL)
     runAfter:
     - build-image-index
     taskRef:
       params:
       - name: name
-        value: ecosystem-cert-preflight-checks
+        value: clair-scan
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:2ad615f9b8141ed2e0b060ebda366ce43cf55a9dd7c98e2d93970ff328dca8b2
+        value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:03383b5a8674edef0ae184dd81f00386017624a5af255cb0b5803d7659483ba5
       - name: kind
         value: task
       resolver: bundles
@@ -340,24 +341,18 @@ spec:
       operator: in
       values:
       - "false"
-  - name: sast-snyk-check
+  - name: ecosystem-cert-preflight-checks
     params:
-    - name: image-digest
-      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     - name: image-url
       value: $(tasks.build-image-index.results.IMAGE_URL)
-    - name: SOURCE_ARTIFACT
-      value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
-    - name: CACHI2_ARTIFACT
-      value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
     runAfter:
     - build-image-index
     taskRef:
       params:
       - name: name
-        value: sast-snyk-check-oci-ta
+        value: ecosystem-cert-preflight-checks
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:540f585f8abc3790e9e1285330d5610c1101173d9b26a61924586c220e4024e6
+        value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:2ad615f9b8141ed2e0b060ebda366ce43cf55a9dd7c98e2d93970ff328dca8b2
       - name: kind
         value: task
       resolver: bundles
@@ -366,20 +361,24 @@ spec:
       operator: in
       values:
       - "false"
-  - name: rpms-signature-scan
+  - name: sast-snyk-check
     params:
-    - name: image-url
-      value: $(tasks.build-image-index.results.IMAGE_URL)
     - name: image-digest
       value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+    - name: image-url
+      value: $(tasks.build-image-index.results.IMAGE_URL)
+    - name: SOURCE_ARTIFACT
+      value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+    - name: CACHI2_ARTIFACT
+      value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
     runAfter:
     - build-image-index
     taskRef:
       params:
       - name: name
-        value: rpms-signature-scan
+        value: sast-snyk-check-oci-ta
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d00d159c370e3c99447516970c316ef57dfd27c29e0ce3cff50727c9c40936d8
+        value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:540f585f8abc3790e9e1285330d5610c1101173d9b26a61924586c220e4024e6
       - name: kind
         value: task
       resolver: bundles

diff --git a/Dockerfile-args.downstream b/Dockerfile-args.downstream
@@ -0,0 +1 @@
+BUILDVERSION=1.9.0
diff --git a/Dockerfile.downstream b/Dockerfile.downstream
@@ -1,12 +1,8 @@
-ARG TARGETARCH
-ARG COMMIT
+ARG BUILDVERSION
 
 # Build the manager binary
-FROM --platform=linux/$TARGETARCH brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23 as builder
-
-ARG TARGETARCH=amd64
-ARG BUILDVERSION="1.9.0"
-ARG COMMIT
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23 as builder
+ARG BUILDVERSION
 
 WORKDIR /opt/app-root
 
@@ -20,11 +16,11 @@ COPY go.sum go.sum
 
 # Build
 ENV GOEXPERIMENT strictfipsruntime
-RUN GOARCH=$TARGETARCH go build -tags strictfipsruntime -ldflags "-X 'main.buildVersion=${BUILDVERSION}' -X 'main.buildDate=`date +%Y-%m-%d\ %H:%M`'" -mod vendor -a -o bin/netobserv-ebpf-agent cmd/netobserv-ebpf-agent.go
+RUN go build -tags strictfipsruntime -ldflags "-X 'main.buildVersion=${BUILDVERSION}' -X 'main.buildDate=`date +%Y-%m-%d\ %H:%M`'" -mod vendor -a -o bin/netobserv-ebpf-agent cmd/netobserv-ebpf-agent.go
 
 # Create final image from minimal + built binary
-FROM --platform=linux/$TARGETARCH registry.access.redhat.com/ubi9/ubi-minimal:9.5-1739420147
-ARG COMMIT
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5-1739420147
+ARG BUILDVERSION
 
 WORKDIR /
 COPY --from=builder /opt/app-root/bin/netobserv-ebpf-agent .
@@ -39,7 +35,5 @@ LABEL io.k8s.description="Network Observability eBPF Agent"
 LABEL summary="Network Observability eBPF Agent"
 LABEL maintainer="[email protected]"
 LABEL io.openshift.tags="network-observability-ebpf-agent"
-LABEL upstream-vcs-ref=$COMMIT
-LABEL upstream-vcs-type="git"
 LABEL description="The Network Observability eBPF Agent allows collecting and aggregating all the ingress and egress flows on a Linux host."
 LABEL version=$BUILDVERSION