Skip to content

ROX-22250: Switch to sanitizing version of determine-image-tag #13995

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
msugakov merged 2 commits into from
Jan 30, 2025
Merged

ROX-22250: Switch to sanitizing version of determine-image-tag #13995

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1ca8d0d
Switch to sanitizing version of `determine-image-tag`
msugakov Jan 27, 2025
d24759e
Switch our tasks bundle to the latest
msugakov Jan 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 6 additions & 31 deletions .tekton/basic-component-pipeline.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,10 +101,6 @@ spec:
description: This sets the expiration time for intermediate OCI artifacts produced and used during builds after which they can be garbage collected.
name: oci-artifact-expires-after
type: string
- name: image-tag-makefile-directory
description: Directory in which to run "make tag" command.
default: "."
type: string

results:
- description: ""
Expand Down Expand Up @@ -179,43 +175,22 @@ spec:

- name: determine-image-tag
params:
- name: MAKEFILE_DIRECTORY
value: $(params.image-tag-makefile-directory)
- name: TAG_SUFFIX
value: $(params.output-tag-suffix)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: SOURCE_BRANCH
value: '{{source_branch}}'
taskRef: &determine-image-tag-task-ref
taskRef:
params:
- name: name
value: determine-image-tag
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles

# `determine-main-version` produces the same output as `determine-image-tag` for all containers built with this
# pipeline except for `operator`. There's a special case for `operator`.
# Main version (same as main image tag) will match the result of `determine-image-tag` (i.e. the tag with which the
# `operator` image is tagged) in all cases except for the `operator` builds in `master`.
# For `operator` in `master`, the image tag will have `.0`: `4.7.0-514-gba6cde5b55-fast`, while the `main` version has
# `.x`: `4.7.x-514-gba6cde5b55-fast`.
# TODO(ROX-22250): make Konflux image tags always go with `.0` despite git tag containing `.x` and remove this task.
- name: determine-main-version
params:
- name: MAKEFILE_DIRECTORY
value: "."
- name: TAG_SUFFIX
value: $(params.output-tag-suffix)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: SOURCE_BRANCH
value: '{{source_branch}}'
taskRef: *determine-image-tag-task-ref

- name: prefetch-dependencies
params:
- name: input
Expand Down Expand Up @@ -257,7 +232,7 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- BUILD_TAG=$(tasks.determine-main-version.results.IMAGE_TAG)
- BUILD_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand Down Expand Up @@ -294,7 +269,7 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- BUILD_TAG=$(tasks.determine-main-version.results.IMAGE_TAG)
- BUILD_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand Down Expand Up @@ -333,7 +308,7 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- BUILD_TAG=$(tasks.determine-main-version.results.IMAGE_TAG)
- BUILD_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand Down Expand Up @@ -372,7 +347,7 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- BUILD_TAG=$(tasks.determine-main-version.results.IMAGE_TAG)
- BUILD_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand Down
4 changes: 2 additions & 2 deletions .tekton/main-pipeline.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,7 @@ spec:
- name: name
value: determine-image-tag
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles
Expand All @@ -206,7 +206,7 @@ spec:
- name: name
value: fetch-external-networks
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles
Expand Down
2 changes: 0 additions & 2 deletions .tekton/operator-build.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,6 @@ spec:
value: '0'
- name: clone-fetch-tags
value: 'true'
- name: image-tag-makefile-directory
value: 'operator'

workspaces:
- name: git-auth
Expand Down
57 changes: 21 additions & 36 deletions .tekton/operator-bundle-pipeline.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -284,38 +284,24 @@ spec:
- name: basic-auth
workspace: git-auth

- name: determine-operator-image-tag
- name: determine-image-tag
params:
- name: TAG_SUFFIX
value: $(params.output-tag-suffix)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: MAKEFILE_DIRECTORY
value: ./operator
- name: SOURCE_BRANCH
value: '{{source_branch}}'
taskRef: &determine-image-tag-ref
taskRef:
params:
- name: name
value: determine-image-tag
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles

- name: determine-main-image-tag
params:
- name: TAG_SUFFIX
value: $(params.output-tag-suffix)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: MAKEFILE_DIRECTORY
value: "."
- name: SOURCE_BRANCH
value: '{{source_branch}}'
taskRef: *determine-image-tag-ref

- name: prefetch-dependencies
params:
- name: input
Expand All @@ -342,13 +328,13 @@ spec:
- name: wait-for-operator-image
params:
- name: IMAGE
value: "$(params.operator-image-build-repo):$(tasks.determine-operator-image-tag.results.IMAGE_TAG)"
value: "$(params.operator-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: &wait-for-image-ref
params:
- name: name
value: wait-for-image
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles
Expand All @@ -358,87 +344,87 @@ spec:
- name: wait-for-main-image
params:
- name: IMAGE
value: "$(params.main-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.main-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# This timeout must be the same as the pipeline timeout in `main-build.yaml`.
timeout: 2h40m

- name: wait-for-scanner-image
params:
- name: IMAGE
value: "$(params.scanner-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.scanner-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# This timeout must be the same as the pipeline timeout in `scanner-retag.yaml`
timeout: 40m

- name: wait-for-scanner-db-image
params:
- name: IMAGE
value: "$(params.scanner-db-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.scanner-db-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# This timeout must be the same as the pipeline timeout in `scanner-db-retag.yaml`
timeout: 40m

- name: wait-for-scanner-slim-image
params:
- name: IMAGE
value: "$(params.scanner-slim-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.scanner-slim-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# This timeout must be the same as the pipeline timeout in `scanner-slim-retag.yaml`
timeout: 40m

- name: wait-for-scanner-db-slim-image
params:
- name: IMAGE
value: "$(params.scanner-db-slim-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.scanner-db-slim-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# This timeout must be the same as the pipeline timeout in `scanner-db-slim-retag.yaml`
timeout: 40m

- name: wait-for-scanner-v4-image
params:
- name: IMAGE
value: "$(params.scanner-v4-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.scanner-v4-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# This timeout must be the same as the pipeline timeout in `scanner-v4-build.yaml`.
timeout: 1h10m

- name: wait-for-scanner-v4-db-image
params:
- name: IMAGE
value: "$(params.scanner-v4-db-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.scanner-v4-db-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# This timeout must be the same as the pipeline timeout in `scanner-v4-db-build.yaml`.
timeout: 1h10m

- name: wait-for-collector-slim-image
params:
- name: IMAGE
value: "$(params.collector-slim-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.collector-slim-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# The timeout must be the same as the pipeline timeout in `collector-slim-retag.yaml`
timeout: 40m

- name: wait-for-collector-image
params:
- name: IMAGE
value: "$(params.collector-full-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.collector-full-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# The timeout must be the same as the pipeline timeout in `collector-full-retag.yaml`
timeout: 40m

- name: wait-for-roxctl-image
params:
- name: IMAGE
value: "$(params.roxctl-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.roxctl-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# This timeout must be the same as the pipeline timeout in `roxctl-build.yaml`.
timeout: 1h10m

- name: wait-for-central-db-image
params:
- name: IMAGE
value: "$(params.central-db-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
value: "$(params.central-db-image-build-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)"
taskRef: *wait-for-image-ref
# This timeout must be the same as the pipeline timeout in `central-db-build.yaml`.
timeout: 1h40m
Expand All @@ -447,7 +433,7 @@ spec:
params:
- name: IMAGE
# Note the operator bundle tag is prefixed with "v".
value: $(params.output-image-repo):v$(tasks.determine-operator-image-tag.results.IMAGE_TAG)
value: $(params.output-image-repo):v$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: DOCKERFILE
value: $(params.dockerfile)
- name: CONTEXT
Expand All @@ -462,7 +448,7 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- OPERATOR_IMAGE_TAG=$(tasks.determine-operator-image-tag.results.IMAGE_TAG)
- OPERATOR_IMAGE_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- OPERATOR_IMAGE_REF=$(params.operator-image-catalog-repo)@$(tasks.wait-for-operator-image.results.IMAGE_DIGEST)
- RELATED_IMAGE_MAIN=$(params.main-image-catalog-repo)@$(tasks.wait-for-main-image.results.IMAGE_DIGEST)
- RELATED_IMAGE_SCANNER=$(params.scanner-image-catalog-repo)@$(tasks.wait-for-scanner-image.results.IMAGE_DIGEST)
Expand Down Expand Up @@ -677,8 +663,7 @@ spec:
- clamav-scan
- clone-repository
- deprecated-base-image-check
- determine-main-image-tag
- determine-operator-image-tag
- determine-image-tag
- init
- prefetch-dependencies
- push-dockerfile
Expand All @@ -698,7 +683,7 @@ spec:
- wait-for-scanner-v4-image
params:
- name: PRODUCT_VERSION
value: $(tasks.determine-main-image-tag.results.IMAGE_TAG)
value: $(tasks.determine-image-tag.results.IMAGE_TAG)
- name: COMPONENTS
value: |
[
Expand Down Expand Up @@ -786,7 +771,7 @@ spec:
- name: name
value: create-snapshot
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles
6 changes: 3 additions & 3 deletions .tekton/retag-pipeline.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ spec:
- name: name
value: determine-image-tag
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles
Expand All @@ -139,7 +139,7 @@ spec:
- name: name
value: determine-dependency-image-tag
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles
Expand All @@ -159,7 +159,7 @@ spec:
- name: name
value: retag-image
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles
4 changes: 2 additions & 2 deletions .tekton/scanner-v4-pipeline.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,7 @@ spec:
- name: name
value: determine-image-tag
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles
Expand All @@ -206,7 +206,7 @@ spec:
- name: name
value: fetch-scanner-v4-vuln-mappings
- name: bundle
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:76c8fbd2abac06ce895a765c41be73d14925b00a660b1b5fa6564a50a15cf2ba
value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:a2477a53bfb4159cb6fa0d15acd736153e1844a193b6c91f8f2a6672d90e3d12
- name: kind
value: task
resolver: bundles
Expand Down