fix: update-fbc-catalog need publishingCredentials
this PR adds the publishingCredentials parameter to
the update-fbc-catalog pipeline and tasks that is
required to fetch the targetIndex config.

Signed-off-by: Leandro Mendes <lmendes@redhat.com>
theflockers committed Jan 30, 2025
1 parent 37e8cf7 commit 3361cc9
Showing 15 changed files with 72 additions and 5 deletions.
4 changes: 4 additions & 0 deletions pipelines/internal/update-fbc-catalog/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,14 @@ Tekton pipeline add/update FBC fragments to the FBC catalog by interacting with
| Name | Description | Optional | Default value |
|-------------------------|-----------------------------------------------------------------------------|----------|---------------------|
| iibServiceAccountSecret | Secret containing the credentials for IIB service | yes | iib-service-account |
| publishingCredentials | Publishing credentials used to fetch the image config | yes | catalog-publishing-credentials |
| fbcFragment | FBC fragment built by HACBS | no | - |
| fromIndex | Index image (catalog of catalogs) the FBC fragment will be added to | no | - |
| buildTags | List of additional tags the internal index image copy should be tagged with | yes | '[]' |
| addArches | List of arches the index image should be built for | yes | '[]' |
| hotfix | Whether this build is a hotfix build | yes | false |
| stagedIndex | Whether this build is a staged index build | yes | false |
| buildTimeoutSeconds | IIB Build Service timeout seconds | no | - |

## Changes in 1.1.0
* adds `publishingCredentials` parameter
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ kind: Pipeline
metadata:
name: update-fbc-catalog
labels:
app.kubernetes.io/version: "1.0.0"
app.kubernetes.io/version: "1.1.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: fbc
Expand All @@ -16,6 +16,10 @@ spec:
type: string
description: Secret containing the credentials for IIB service
default: iib-service-account
- name: publishingCredentials
type: string
default: "catalog-publishing-secret"
description: Publishing credential used to fetch the image config
- name: fbcFragment
type: string
description: FBC fragment built by HACBS
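Review bot: the default on the new `publishingCredentials` param is `catalog-publishing-secret`, but the pipeline README row added in this same commit documents the default as `catalog-publishing-credentials`. Align the two on the secret name that is actually deployed. This matters more than usual here because the task's secretKeyRef is marked `optional: true`, so a wrong name will not fail the pod, it will only leave the credential empty.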
Expand Down Expand Up @@ -55,6 +59,8 @@ spec:
params:
- name: iibServiceAccountSecret
value: $(params.iibServiceAccountSecret)
- name: publishingCredentials
value: $(params.publishingCredentials)
- name: fbcFragment
value: $(params.fbcFragment)
- name: fromIndex
Expand Down
4 changes: 4 additions & 0 deletions tasks/internal/update-fbc-catalog-task/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,13 @@ Tekton task to submit a IIB build request to add/update a fbc-fragment to an ind
| addArches | List of arches the index image should be built for. | No | - |
| buildTimeoutSeconds | Timeout seconds to receive the build state | Yes | "300" |
| iibServiceAccountSecret | Secret with IIB credentials to be used | No | - |
| publishingCredentials | Publishing credentials used to fetch the image config | No | |
| hotfix | Whether this build is a hotfix build | Yes | "false" |
| stagedIndex | Whether this build is for a staged index build | Yes | "false" |

## Changes in 1.2.0
* adds new parameter `publishingCredentials`

## Changes in 1.0.1
* fixes the case when an in_progress IIB build is not resumed;
* adds more unit tests for retry scenarios;
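Review bot: in the new `publishingCredentials` row the Default cell is empty where the other required params use `-`, and the changelog goes from `1.0.1` straight to `1.2.0` with no `1.1.0` entry. Fill the cell with `-`, and either bump to `1.1.0` or state why a version is skipped. The description should also name the secret key the task reads (`targetIndexCredential`) and the format expected in it, since neither appears in the documentation lines shown.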
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ spec:
value: "[]"
- name: iibServiceAccountSecret
value: "iib-service-account-secret"
- name: publishingCredentials
value: "publishing-credentials"
- name: check-result
params:
- name: jsonBuildInfo
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ spec:
value: "[]"
- name: iibServiceAccountSecret
value: "iib-service-account-secret"
- name: publishingCredentials
value: "publishing-credentials"
- name: hotfix
value: true
- name: check-result
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ spec:
value: "[]"
- name: iibServiceAccountSecret
value: "iib-service-account-secret"
- name: publishingCredentials
value: "publishing-credentials"
- name: check-result
params:
- name: jsonBuildInfo
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ spec:
value: "[]"
- name: iibServiceAccountSecret
value: "iib-service-account-secret"
- name: publishingCredentials
value: "publishing-credentials"
- name: check-result
params:
- name: jsonBuildInfo
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ spec:
value: "[]"
- name: iibServiceAccountSecret
value: "iib-service-account-secret"
- name: publishingCredentials
value: "publishing-credentials"
- name: check-result
params:
- name: jsonBuildInfo
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ spec:
value: "[]"
- name: iibServiceAccountSecret
value: "iib-service-account-secret"
- name: publishingCredentials
value: "publishing-credentials"
- name: check-result
params:
- name: jsonBuildInfo
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ spec:
value: "[]"
- name: iibServiceAccountSecret
value: "iib-service-account-secret"
- name: publishingCredentials
value: "publishing-credentials"
- name: stagedIndex
value: true
- name: check-result
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ spec:
value: "[]"
- name: iibServiceAccountSecret
value: "iib-service-account-secret"
- name: publishingCredentials
value: "publishing-credentials"
- name: buildTimeoutSeconds
value: 1
- name: check-result
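Review bot: each of these test pipelines only gains the `publishingCredentials` param with the value `publishing-credentials`; nothing in the test hunks shown covers the two new branches in the task script, the early `return 0` when the target index creation date is empty and the generated `auth.json`. Add a test where the credential is missing or the inspect returns nothing, and one that asserts the auth entry is keyed on the expected registry path.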
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ kind: Task
metadata:
name: update-fbc-catalog-task
labels:
app.kubernetes.io/version: "1.0.1"
app.kubernetes.io/version: "1.2.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -38,6 +38,9 @@ spec:
- name: iibServiceAccountSecret
type: string
description: Secret with IIB credentials to be used
- name: publishingCredentials
type: string
description: Publishing credentials used to fetch the image config
- name: hotfix
type: string
default: "false"
Expand Down Expand Up @@ -84,6 +87,12 @@ spec:
secretKeyRef:
name: iib-services-config
key: krb5.conf
- name: TARGET_INDEX_CREDENTIAL
valueFrom:
secretKeyRef:
key: targetIndexCredential
name: $(params.publishingCredentials)
optional: true
script: |
#!/usr/bin/env bash
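Review bot: `optional: true` on the `TARGET_INDEX_CREDENTIAL` secretKeyRef contradicts the task README, which lists `publishingCredentials` as required, and it means a mistyped secret name or a missing `targetIndexCredential` key starts the step with an empty variable instead of failing the pod. `create_auth_file` will then write an auth entry with an empty token. Either drop `optional: true`, or have the script check for an empty `TARGET_INDEX_CREDENTIAL` and skip writing the auth file with a clear log message.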
Expand Down Expand Up @@ -121,8 +130,17 @@ spec:
indexImageResolved="$(jq -r '.index_image_resolved' <<< "${build}")"
newCatalogCreatedDate="$(date --date "$(skopeo inspect --config "docker://${indexImageResolved}" | \
jq -r .created)" "+%s")"
upstreamCatalogCreatedDate="$(date --date "$(skopeo inspect --config "docker://$(params.targetIndex)" | \
jq -r .created)" "+%s")"
# authentication is only required for the targetIndex
create_auth_file
targetIndexCreated="$(skopeo inspect --config "docker://$(params.targetIndex)" | jq -r .created)"
# an empty targetdIndexCreated will cause `date` to use an arbitrary date that could allow
# resuming of a image that requires a new build.
if [ -z "${targetIndexCreated}" ]; then
return 0
fi
upstreamCatalogCreatedDate="$(date --date "${targetIndexCreated}" "+%s")"
# checks if the index_image_resolved in the previous completed build is newer
# than the upstream catalog index.
# in case the new catalog index is older than the upstream, a new build is
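Review bot: the `-z "${targetIndexCreated}"` guard misses the case where the image config has no `created` field, because `jq -r .created` prints the literal string `null` there, and that string is then handed to `date --date`. Use `jq -r '.created // empty'` so both cases hit the guard. The early `return 0` also makes a failed `skopeo inspect` (for example, rejected credentials) indistinguishable from a legitimate skip; write the reason to stderr before returning. Minor: `targetdIndexCreated` in the comment is a typo.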
Expand All @@ -134,6 +152,19 @@ spec:
echo "${build}"
}
create_auth_file() {
mkdir -p "${HOME}/.config/containers"
targetIndex="$(params.targetIndex)"
authName="${targetIndex%:*}"
# disabling debug to not leak the token
set +x
jq --arg authName "${authName}" \
--arg token "$(base64 -w 0 < <(printf %s "${TARGET_INDEX_CREDENTIAL}"))" \
'.auths[$authName].auth = $token' <<< '{}' > "${HOME}/.config/containers/auth.json"
set -x
}
# performs kerberos authentication.
base64 -d /mnt/service-account-secret/keytab > "/tmp/keytab"
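Review bot: `authName="${targetIndex%:*}"` strips everything after the last colon, so a digest reference (`repo@sha256:...`) yields a key ending in `@sha256`, and a registry with a port and no tag loses the port; in both cases the auth entry will not match the image being inspected. Strip the digest and the tag explicitly instead. Two smaller points in the same function: `set -x` after the jq call turns tracing on unconditionally even if it was off before, so save and restore the previous xtrace state; and `auth.json` is created with the default umask, so set `umask 077` or `chmod 600` the file. Please also document that `TARGET_INDEX_CREDENTIAL` is base64-encoded as-is into `.auth`, so the secret must already hold the string the registry expects there.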
Expand Down
3 changes: 3 additions & 0 deletions tasks/managed/add-fbc-contribution/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ Task to create a internalrequest to add fbc contributions to index images
| targetIndex | targetIndex value updated by update-ocp-tag task | No | - |
| resultsDirPath | Path to results directory in the data workspace | No | - |

## Changes in 3.4.4
* Adds the `publishingCredentials` parameter to the internal request call

## Changes in 3.4.3
* Change internal request pipeline from `iib` to `update-fbc-catalog`

Expand Down
4 changes: 3 additions & 1 deletion tasks/managed/add-fbc-contribution/add-fbc-contribution.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ kind: Task
metadata:
name: add-fbc-contribution
labels:
app.kubernetes.io/version: "3.4.3"
app.kubernetes.io/version: "3.4.4"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -91,6 +91,7 @@ spec:
else
iib_service_account_secret="iib-service-account-prod"
fi
publishing_credentials=$(jq -r '.fbc.publishingCredentials' "$DATA_FILE")
timestamp_format=$(jq -r '.fbc.timestampFormat // "%s"' "${DATA_FILE}")
timestamp=$(date "+${timestamp_format}")
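Review bot: `jq -r '.fbc.publishingCredentials'` has no fallback, so when the key is absent from the data file `publishing_credentials` becomes the literal string `null` and is passed on as the secret name. Follow the pattern of the next line (`.fbc.timestampFormat // "%s"`) and default to the pipeline's secret name, or fail early if the key is required. `"$DATA_FILE"` should also be written `"${DATA_FILE}"` to match the surrounding lines.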
Expand Down Expand Up @@ -136,6 +137,7 @@ spec:
-p targetIndex="${target_index}" \
-p fbcFragment="${fbc_fragment}" \
-p iibServiceAccountSecret="${iib_service_account_secret}" \
-p publishingCredentials="${publishing_credentials}" \
-p buildTimeoutSeconds="${build_timeout_seconds}" \
-p buildTags="${build_tags}" \
-p addArches="${add_arches}" \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ spec:
cat > "$(workspaces.data.path)/data.json" << EOF
{
"fbc": {
"fbcPublishingCredentials": "test-fbc-publishing-credentials",
"stagedIndex": true,
"buildTimeoutSeconds": 420
}
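Review bot: the test data sets `fbc.fbcPublishingCredentials`, but the task reads `.fbc.publishingCredentials`, so this test never supplies the value and the task sees `null`. Rename the key to `publishingCredentials` and assert that the internal request carries `test-fbc-publishing-credentials`.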
Expand Down
