Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ROX-27350: Setup ACS trusted tasks builds and publishing #3

Merged
merged 35 commits into from
Dec 17, 2024
Merged

ROX-27350: Setup ACS trusted tasks builds and publishing #3

merged 35 commits into from
Dec 17, 2024

Conversation

msugakov
Copy link
Contributor

@msugakov msugakov commented Dec 11, 2024
edited
Loading

Notes

  • This change can be reviewed per commits as I broke it down in chunks and put descriptions that seemed meaningful. However, due the large number of commits, it can be quicker to just review the final version.
  • I know that duplication in determine-image-tag isn't great but it will not be the right time to address that now. Let's leave that for ROX-27384 or, most likely, ROX-26026.
  • Some tasks in the build pipeline don't feel quite fine, e.g. clair-scan and clamav-scan but they aren't failing the pipeline either, and so I decided to keep them in the hopes that one day they may start working. By keeping the tasks it will hopefully be easier to conform EC when that will be required.

Links

Testing

  • Tested builds in the consuming repos are fine with the new tasks. See the PRs linked above.
  • EC status is hard to present due to known issues of EC logs disappearing but I'm confident from earlier testing that all should be good once we update the policy.

@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch 11 times, most recently from a98d0a0 to 4056835 Compare December 12, 2024 10:59
@msugakov msugakov mentioned this pull request Dec 12, 2024
Merged
@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch 3 times, most recently from b798fe8 to 6921801 Compare December 12, 2024 12:17
@msugakov msugakov changed the title ROX-27350: WIP ROX-27350: Setup ACS trusted tasks builds and publishing Dec 12, 2024
msugakov added a commit to stackrox/collector that referenced this pull request Dec 12, 2024
@msugakov
Switch determine-image-tag to trusted task
a04bf50 
See stackrox/konflux-tasks#3
@msugakov msugakov mentioned this pull request Dec 12, 2024
Merged
1 task
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 12, 2024
@msugakov
Switch to trusted tasks
c695592 
which come from
stackrox/konflux-tasks#3
@msugakov msugakov mentioned this pull request Dec 12, 2024
Merged
4 tasks
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 12, 2024
@msugakov
Switch to trusted tasks
ad9d2f8 
which come from
stackrox/konflux-tasks#3
@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch 6 times, most recently from 9a6400e to 1c67bf3 Compare December 13, 2024 10:53
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 13, 2024
@msugakov
Switch to trusted tasks
e2c1de8 
which come from
stackrox/konflux-tasks#3
msugakov added a commit to stackrox/collector that referenced this pull request Dec 13, 2024
@msugakov
Switch determine-image-tag to trusted task
3513785 
See stackrox/konflux-tasks#3
@msugakov msugakov requested a review from kylape December 13, 2024 11:32
@msugakov
Introduce TARGET_DIR param for fetching tasks of stackrox repo
2960eb8 
To make things symmetric with the Scanner V2's task.
@msugakov
Add pipeline timeouts
9609251 
The pipeline is quick so these timeouts are quite generous and
there's room to make them lower, but let's see how it goes.
@msugakov
Introduce BUNDLE_REF output parameter for convenience
958bd90
@msugakov
Add basic readme
879b8b2 
so that the repo does not look naked.
@msugakov
Move BUNDLE_REF to an informational task and return bundle contents
932c5dd 
for user's convenience.
@msugakov
Remove build-image-index task
d0994b4 
Task bundles are architecture-neutral containers with data and so
`build-image-index` is currently disabled and I'm confident we
will not need to enable it in the foreseeable future.

If some Tekton task needs to use some native binaries, these are
provided through step's `image:` attribute.

Therefore `build-image-index` is simply redundant at this point.
@msugakov
Switch StackRox tasks to UBI9 and pin references
8f82af5 
stackrox/stackrox#13599 will help to
catch any regressions.
@msugakov
Add CODEOWNERS so that we get tagged on all PRs
989ef07
@msugakov
Remove netrc
5452d8e 
since it's unused for now.
@msugakov
Update application to acs-konflux-tasks
66e0b58 
After https://gitlab.cee.redhat.com/releng/konflux-release-data/-/merge_requests/3605
got merged and finally properly landed.
@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch from 9ae0fcb to 66e0b58 Compare December 17, 2024 12:49
@msugakov
Add explicit dependency from get-bundle-info to apply-tags
019ec28 
It occured to me after looking at the pipeline graph that the one
was missing. Looks like I was always lucky that `apply-tags` got
executed before `update-tasks-trust` (or maybe there are retries in
the `ec` command).
@msugakov
Copy link
Contributor Author

/retest acs-konflux-tasks-on-push

3 similar comments
@msugakov
Copy link
Contributor Author

/retest acs-konflux-tasks-on-push

@msugakov
Copy link
Contributor Author

/retest acs-konflux-tasks-on-push

@msugakov
Copy link
Contributor Author

/retest acs-konflux-tasks-on-push

@msugakov msugakov merged commit 5c84623 into main Dec 17, 2024
1 check passed
@msugakov msugakov deleted the misha/ROX-27350-initial-setup branch December 17, 2024 13:11
@msugakov
Copy link
Contributor Author

There was some failure during container build that seemed like a bug. It got resolved after I manually deleted a tag from Quay repo. Let's keep an eye on this in the future.

step-build
*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)
Creating Tekton Bundle:
	- Added Task: fetch-external-networks to image
	- Added Task: retag-image to image
	- Added Task: fetch-scanner-v4-vuln-mappings to image
	- Added Task: fetch-scanner-v2-data to image
	- Added Task: determine-image-tag-stackrox to image
	- Added Task: determine-image-tag to image
	- Added Task: wait-for-image to image
Error: could not push image to registry as "quay.io/rhacs-eng/konflux-tasks:rev-019ec288c660e477572c6f36c4bcf4c39855b856": GET https://quay.io:443/v2/rhacs-eng/konflux-tasks/manifests/rev-019ec288c660e477572c6f36c4bcf4c39855b856: MANIFEST_UNKNOWN: manifest unknown; map[]

Affected

  1. https://console.redhat.com/application-pipeline/workspaces/rh-acs/applications/acs-konflux-tasks/pipelineruns/acs-konflux-tasks-on-push-jxc8v
  2. https://console.redhat.com/application-pipeline/workspaces/rh-acs/applications/acs-konflux-tasks/pipelineruns/acs-konflux-tasks-on-push-vnl75

@msugakov msugakov mentioned this pull request Dec 17, 2024
Merged
msugakov added a commit to stackrox/scanner that referenced this pull request Dec 17, 2024
@msugakov
Switch to latest tasks
a80ab5c 
After stackrox/konflux-tasks#3 was merged
and pushed them.
msugakov added a commit to stackrox/collector that referenced this pull request Dec 17, 2024
@msugakov
Switch determine-image-tag to trusted task
d75aa34 
See stackrox/konflux-tasks#3
msugakov added a commit to stackrox/collector that referenced this pull request Dec 17, 2024
@msugakov
Switch to the task with the latest tag
b751136 
Possible now after stackrox/konflux-tasks#3
got merged.
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 17, 2024
@msugakov
Switch to trusted tasks
0ff4c21 
which come from
stackrox/konflux-tasks#3
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 17, 2024
@msugakov
Switch to the latest tasks
70ac379 
After stackrox/konflux-tasks#3 got merged.
@msugakov msugakov mentioned this pull request Dec 18, 2024
Merged
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 18, 2024
@msugakov
Switch to trusted tasks
833aea5 
which come from
stackrox/konflux-tasks#3
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 18, 2024
@msugakov
Switch to the latest tasks
93963c2 
After stackrox/konflux-tasks#3 got merged.
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 20, 2024
@msugakov
Switch to trusted tasks
1ac09e7 
which come from
stackrox/konflux-tasks#3
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 20, 2024
@msugakov
Switch to the latest tasks
1001173 
After stackrox/konflux-tasks#3 got merged.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tommartensen tommartensen tommartensen approved these changes

@kylape kylape Awaiting requested review from kylape

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@msugakov @tommartensen