Create Tekton task and Pipeline for Tekton bundles #284
Conversation
|
I guess the tests might go stale unless there's some automation to run them. Would it be crazy to add a GitHub workflow in this repo with the kind cluster setup to exercise them? |
zregvart
force-pushed
the
issue/HACBS-1675
branch
from
bc57f22
to
9eec08d
Compare
Entirely possible, let's do this as a followup: HACBS-1698 |
zregvart
force-pushed
the
issue/HACBS-1675
branch
4 times, most recently
from
dd49758
to
94b327b
Compare
|
Something is not setup correctly on redhat-appstudio-tekton-catalog/pull-request-builds, perhaps it is not public? $ curl https://quay.io/api/v1/repository/redhat-appstudio-tekton-catalog/pull-request-builds:nodejs-builder-94b327bfea218b7ff71ef0a0cc73cbc278c8e888
{"detail": "Requires authentication", "error_message": "Requires authentication", "error_type": "invalid_token", "title": "invalid_token", "type": "https://quay.io/api/v1/error/invalid_token", "status": 401}vs. $ curl https://quay.io/api/v1/repository/redhat-appstudio-tekton-catalog/pipeline-nodejs-builder
{"namespace": "redhat-appstudio-tekton-catalog", "name": "pipeline-nodejs-builder", "kind": "image", "description": "", "is_public": true,...Also not sure why the |
|
Oh, I think I get it |
zregvart
force-pushed
the
issue/HACBS-1675
branch
4 times, most recently
from
a3b8b66
to
e17bb0a
Compare
zregvart
force-pushed
the
issue/HACBS-1675
branch
from
e17bb0a
to
c346b30
Compare
| patches: | ||
| # Use the template-build as a template replacing the Pipeline name and the | ||
| # `build-container` step's task reference | ||
| - patch: |- |
There was a problem hiding this comment.
NIT: Maybe worth setting these labels? pipelines.openshift.io/runtime, pipelines.openshift.io/strategy?
(although... I'm not quite sure how those are used)
There was a problem hiding this comment.
Found no documentation on this, no way of telling what those need to be set to so I left them unset
| # Use the template-build as a template replacing the Pipeline name and the | ||
| # `build-container` step's task reference | ||
| - patch: |- | ||
| - op: replace |
There was a problem hiding this comment.
NIT: It might be worth loading a patch from its own yaml (like the other pipelines do). It's a bit easier to edit than an embedding yaml in yaml.
There was a problem hiding this comment.
Not really, this documents the patch much better
| && exit 1 | ||
| exec 3>&1; | ||
| OUT="$(tkn bundle push "$(params.IMAGE)" \ | ||
| $(printf ' -f %s' "${FILES[@]}") \ |
There was a problem hiding this comment.
IMO, this is something that needs to be dealt with in Tekton. The task will fail with more than 20 (see this PR). I don't think it is worth taking additional complexity.
zregvart
force-pushed
the
issue/HACBS-1675
branch
from
c346b30
to
f539cd1
Compare
This is a requirement for implementing SLSA build as code requirement (see HACBS-1282). We need to start somewhere and with time migrate or adapt our own pipelines in this repository to generate provenance information. So, this is for customers who want to be SLSA level 3, and for the pipelines/tasks from this repository if we chose to do so as well. |
zregvart
force-pushed
the
issue/HACBS-1675
branch
from
f539cd1
to
e660c6a
Compare
zregvart
force-pushed
the
issue/HACBS-1675
branch
2 times, most recently
from
4353ed5
to
ff6b6ef
Compare
This adds `tkn-bundle` Tekton Task that simply finds all *.yaml or *.yml files in the current `params.CONTEXT` directory and creates a Tekton Bundle by pushing it to `params.IMAGE`. The result of the task are `IMAGE_URL` image reference with digest (no tag) and `IMAGE_DIGEST` containing the image digest. Also adds `tekton-bundle-builder` builder pipeline that uses the `tkn-bundle` task for the `build` step. Tests are provided. Ref. https://issues.redhat.com/browse/HACBS-1675
Passes the pull request commit id to the `check-task-pipeline-repo-existence` step to make the validation consider pull request image references; otherwise the check checks for images that are have resulted from changes pushed to the default branch. The URL being checked for existence now checks against the Docker registry API, the quay.io REST API has no endpoint to check for existence of tags. Also the non-pull request artifacts are checked for their correct tag/version now.
zregvart
force-pushed
the
issue/HACBS-1675
branch
from
ff6b6ef
to
82967f7
Compare
|
Last pipeline run was successful. I want to do one more quality of life change: for faster feedback it would be better if |
...r build-container
|
@tkdchen @Michkov @lcarva can you have another look at this? FYI @Michkov looks like registry.redhat.io/openshift4/ose-tools-rhel8 contains good amount of tools we usually need ( |
|
Thanks for the reviews, merging now... |
This adds
tkn-bundleTekton Task that simply finds all *.yaml or *.yml files in the currentparams.CONTEXTdirectory and creates a Tekton Bundle by pushing it toparams.IMAGE. The result of the task areIMAGE_URLimage reference with digest (no tag) andIMAGE_DIGESTcontaining the image digest.Also adds
tekton-bundle-builderbuilder pipeline that uses thetkn-bundletask for thebuildstep.Tests are provided.
Ref. https://issues.redhat.com/browse/HACBS-1675