From d6490a7a58a4afb93954d9557bcfe359876d6e44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?= Date: Fri, 21 Feb 2025 12:15:54 +0100 Subject: [PATCH] RHOAIENG-18401: chore(.tekton/): implement Public Konflux build for ODH-io/kubeflow repository --- .github/{renovate.json => renovate.json5} | 6 +- .tekton/image-registry.yaml | 75 ++ ...tebook-controller-odh-io-main-on-push.yaml | 589 +++++++++++++++ ...k-controller-odh-io-main-pull-request.yaml | 592 +++++++++++++++ ...tebook-controller-odh-io-main-on-push.yaml | 589 +++++++++++++++ ...k-controller-odh-io-main-pull-request.yaml | 592 +++++++++++++++ .../generate_component_build_pipelines.py | 705 ++++++++++++++++++ ci/konflux/generate_component_definitions.py | 85 +++ 8 files changed, 3229 insertions(+), 4 deletions(-) rename .github/{renovate.json => renovate.json5} (95%) create mode 100644 .tekton/image-registry.yaml create mode 100644 .tekton/kf-notebook-controller-odh-io-main-on-push.yaml create mode 100644 .tekton/kf-notebook-controller-odh-io-main-pull-request.yaml create mode 100644 .tekton/odh-notebook-controller-odh-io-main-on-push.yaml create mode 100644 .tekton/odh-notebook-controller-odh-io-main-pull-request.yaml create mode 100755 ci/konflux/generate_component_build_pipelines.py create mode 100755 ci/konflux/generate_component_definitions.py diff --git a/.github/renovate.json b/.github/renovate.json5 similarity index 95% rename from .github/renovate.json rename to .github/renovate.json5 index ad61a716bca..0ab5085d903 100644 --- a/.github/renovate.json +++ b/.github/renovate.json5 @@ -1,3 +1,5 @@ +// This file is ignored if `.github/renovate.json` is also present, +// see https://docs.renovatebot.com/configuration-options/#configuration-options and https://json5.org. { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "description": [ @@ -77,10 +79,6 @@ "enabled": false } ], - "ignorePaths": [ - "**/Dockerfile", - "!**/Dockerfile.konflux*" - ], "pinDigests": true }, "tekton": { 
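Review bot: The second hunk drops the `ignorePaths` entry that kept `**/Dockerfile` (everything but `Dockerfile.konflux*`) out of Renovate's scope, and neither the commit message nor the new header comment says why. With `pinDigests: true` still set, every Dockerfile in the repository will now receive digest-pin and base-image bump PRs from MintMaker, not only the Konflux ones; if that widening is intended, the rename to `.json5` makes a comment possible right where the setting used to be, e.g. `// Dockerfiles are deliberately in scope: MintMaker pins and bumps their base images by digest.` If the Konflux-only restriction was meant to survive, the entry needs to be restored rather than removed.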
diff --git a/.tekton/image-registry.yaml b/.tekton/image-registry.yaml new file mode 100644 index 00000000000..4a9ff7157bb --- /dev/null +++ b/.tekton/image-registry.yaml 
@@ -0,0 +1,75 @@ +--- +# List of images referenced from the Python code generation scripts for Tekton pipelines. +# +# The structure of this file must be compatible with +# https://docs.renovatebot.com/modules/manager/tekton/ +# +# Specifically, see `function getDeps` and `function getBundleValue()` in +# https://github.com/renovatebot/renovate/blob/main/lib/modules/manager/tekton/extract.ts +# +# This is using the 'older-style' bundle references (see ^^^), because they are a bit less verbose +# +# Konflux (MintMaker) will then update the hashes in this yaml together with the generated Tekton pipelines +# because the default renovate.json config includes `.tekton/**.yaml` (and `.yml`) files +# https://github.com/konflux-ci/mintmaker/blob/289fefb5c7ac18c978b96080c2628d55d0712e83/config/renovate/renovate.json#L62-L70 +items: + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.3@sha256:11b9ce26fd2933ccc81ca3f983e094ec54326a2e0aaf8bdcc4c0b8fea1a42c53 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.3@sha256:11b9ce26fd2933ccc81ca3f983e094ec54326a2e0aaf8bdcc4c0b8fea1a42c53 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:f72fcca6732516339d55ac5f01660e287968e64e857a40a8608db27e298b5126 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:994f816e36ac832f4020647afd69223a015c84c503f925013c573fed52f05420 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 + - spec: + taskRef: + bundle: 
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:75e882bf1619dd45a4043060ce42a6ad3ce781264ade5b7f66a1d994ee159126 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:650330fde0773f73f6bac77ae573031c44c79165d9503b0d5ec1db3e6ef981d7 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:907f11c67b0330480cbf85c23b1085acc5a049ab90af980169251860a3d97ef7 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:af93b35e6e71a6ff7f3785ad8d8497b11204a5c0c33ab1a78b44f9d43f49c7a5 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:c12e7a774bb07ad2796c01071b0dc0f199111b0ee99c45b55fa599e23b200bae + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:fde1e556e69b8293a38d815473040f0d1ee3567c520c52cb1bd4ea712c715b4f + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:18c1c2665cdb10ca589f69f75f2bb49758f9ed75b69a9171d562856dec3cfd76 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:2c2d88c07623b2d25163994ded6e9f29205ea5bbab090f4c86379739940028b9 + - spec: + taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:98ccae6ac132ab837fc51a70514be5fca656e09d6d4ad93230bd10f0119258aa + - spec: + 
taskRef: + bundle: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:39cd56ffa26ff5edfd5bf9b61e902cae35a345c078cd9dcbc0737d30f3ce5ef1 diff --git a/.tekton/kf-notebook-controller-odh-io-main-on-push.yaml b/.tekton/kf-notebook-controller-odh-io-main-on-push.yaml new file mode 100644 index 00000000000..b68b13e4b80 --- /dev/null +++ b/.tekton/kf-notebook-controller-odh-io-main-on-push.yaml 
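Review bot: `task-sast-shell-check-oci-ta` is listed twice, and the generated pipelines in this same commit define a separate `sast-unicode-check` task whose `taskRef` resolves to that shell-check bundle, so the second entry presumably stands in for a unicode-check bundle that was never filled in; verify against ci/konflux/generate_component_build_pipelines.py, which is outside this hunk. As committed, the unicode stage runs the shell check a second time and no unicode check at all, which is a silent scan-coverage gap rather than a pipeline failure, so nothing in CI will surface it. `task-buildah-oci-ta` is likewise duplicated; if the script addresses entries by position, a comment above each entry naming the consuming pipeline task would keep MintMaker digest bumps and the generator's indices aligned, e.g. `# consumed by: build-container` and `# consumed by: sast-unicode-check (TODO: replace with the unicode-check task bundle)`.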
@@ -0,0 +1,589 @@ +# yamllint disable-file +# This file is autogenerated by ci/konflux/generate_component_build_pipelines.py +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: '3' + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" + creationTimestamp: null + labels: + appstudio.openshift.io/application: kubeflow + appstudio.openshift.io/component: kf-notebook-controller + pipelines.appstudio.openshift.io/type: build + name: kf-notebook-controller-on-push + namespace: rhoai-ide-konflux-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/kf-notebook-controller:{{revision}} + - name: dockerfile + value: components/notebook-controller/Dockerfile + pipelineSpec: + description: 'This pipeline is ideal for building container images from a Containerfile + while maintaining trust after pipeline customization. + + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). + It also optionally creates a source image and runs some build-time tests. Information + is shared between tasks using OCI artifacts instead of PVCs. EC will pass the + [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) + policy as long as all data used to build the artifact is generated from trusted + tasks. 
+ + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + + ' + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: '' + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: 'false' + description: Force rebuild image + name: rebuild + type: string + - default: 'false' + description: Skip checks against built image + name: skip-checks + type: string + - default: 'false' + description: Execute the build with network isolation + name: hermetic + type: string + - default: '' + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: '' + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: 'false' + description: Build a source image. 
+ name: build-source-image + type: string + - default: 'false' + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: '' + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + results: + - description: '' + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: '' + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: '' + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: '' + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:f72fcca6732516339d55ac5f01660e287968e64e857a40a8608db27e298b5126 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + 
params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:994f816e36ac832f4020647afd69223a015c84c503f925013c573fed52f05420 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.3@sha256:11b9ce26fd2933ccc81ca3f983e094ec54326a2e0aaf8bdcc4c0b8fea1a42c53 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: 
IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:75e882bf1619dd45a4043060ce42a6ad3ce781264ade5b7f66a1d994ee159126 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - input: $(params.build-source-image) + operator: in + values: + - 'true' + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:650330fde0773f73f6bac77ae573031c44c79165d9503b0d5ec1db3e6ef981d7 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: clair-scan + params: + 
- name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:907f11c67b0330480cbf85c23b1085acc5a049ab90af980169251860a3d97ef7 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:af93b35e6e71a6ff7f3785ad8d8497b11204a5c0c33ab1a78b44f9d43f49c7a5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:c12e7a774bb07ad2796c01071b0dc0f199111b0ee99c45b55fa599e23b200bae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:fde1e556e69b8293a38d815473040f0d1ee3567c520c52cb1bd4ea712c715b4f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:18c1c2665cdb10ca589f69f75f2bb49758f9ed75b69a9171d562856dec3cfd76 + - name: kind + value: 
task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: apply-tags + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:2c2d88c07623b2d25163994ded6e9f29205ea5bbab090f4c86379739940028b9 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: 
IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:98ccae6ac132ab837fc51a70514be5fca656e09d6d4ad93230bd10f0119258aa + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:39cd56ffa26ff5edfd5bf9b61e902cae35a345c078cd9dcbc0737d30f3ce5ef1 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: {} + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} + diff --git a/.tekton/kf-notebook-controller-odh-io-main-pull-request.yaml b/.tekton/kf-notebook-controller-odh-io-main-pull-request.yaml new file mode 100644 index 00000000000..36e8bfb4e6a --- /dev/null +++ b/.tekton/kf-notebook-controller-odh-io-main-pull-request.yaml 
@@ -0,0 +1,592 @@ +# yamllint disable-file +# This file is autogenerated by ci/konflux/generate_component_build_pipelines.py +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: '3' + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" + creationTimestamp: null + labels: + appstudio.openshift.io/application: kubeflow + appstudio.openshift.io/component: kf-notebook-controller + pipelines.appstudio.openshift.io/type: build + name: kf-notebook-controller-on-pull-request + namespace: rhoai-ide-konflux-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/kf-notebook-controller:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: components/notebook-controller/Dockerfile + pipelineSpec: + description: 'This pipeline is ideal for building container images from a Containerfile + while maintaining trust after pipeline customization. + + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). + It also optionally creates a source image and runs some build-time tests. Information + is shared between tasks using OCI artifacts instead of PVCs. EC will pass the + [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) + policy as long as all data used to build the artifact is generated from trusted + tasks. 
+ + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + + ' + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: '' + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: 'false' + description: Force rebuild image + name: rebuild + type: string + - default: 'false' + description: Skip checks against built image + name: skip-checks + type: string + - default: 'false' + description: Execute the build with network isolation + name: hermetic + type: string + - default: '' + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: '' + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: 'false' + description: Build a source image. 
+ name: build-source-image + type: string + - default: 'false' + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: '' + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + results: + - description: '' + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: '' + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: '' + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: '' + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:f72fcca6732516339d55ac5f01660e287968e64e857a40a8608db27e298b5126 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + 
params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:994f816e36ac832f4020647afd69223a015c84c503f925013c573fed52f05420 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.3@sha256:11b9ce26fd2933ccc81ca3f983e094ec54326a2e0aaf8bdcc4c0b8fea1a42c53 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: 
IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:75e882bf1619dd45a4043060ce42a6ad3ce781264ade5b7f66a1d994ee159126 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - input: $(params.build-source-image) + operator: in + values: + - 'true' + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:650330fde0773f73f6bac77ae573031c44c79165d9503b0d5ec1db3e6ef981d7 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: clair-scan + params: + 
- name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:907f11c67b0330480cbf85c23b1085acc5a049ab90af980169251860a3d97ef7 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:af93b35e6e71a6ff7f3785ad8d8497b11204a5c0c33ab1a78b44f9d43f49c7a5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:c12e7a774bb07ad2796c01071b0dc0f199111b0ee99c45b55fa599e23b200bae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:fde1e556e69b8293a38d815473040f0d1ee3567c520c52cb1bd4ea712c715b4f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:18c1c2665cdb10ca589f69f75f2bb49758f9ed75b69a9171d562856dec3cfd76 + - name: kind + value: 
task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: apply-tags + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:2c2d88c07623b2d25163994ded6e9f29205ea5bbab090f4c86379739940028b9 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: 
IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:98ccae6ac132ab837fc51a70514be5fca656e09d6d4ad93230bd10f0119258aa + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:39cd56ffa26ff5edfd5bf9b61e902cae35a345c078cd9dcbc0737d30f3ce5ef1 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: {} + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} + diff --git a/.tekton/odh-notebook-controller-odh-io-main-on-push.yaml b/.tekton/odh-notebook-controller-odh-io-main-on-push.yaml new file mode 100644 index 00000000000..e2fa367dfd9 --- /dev/null +++ b/.tekton/odh-notebook-controller-odh-io-main-on-push.yaml 
@@ -0,0 +1,589 @@ +# yamllint disable-file +# This file is autogenerated by ci/konflux/generate_component_build_pipelines.py +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: '3' + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" + creationTimestamp: null + labels: + appstudio.openshift.io/application: kubeflow + appstudio.openshift.io/component: odh-notebook-controller + pipelines.appstudio.openshift.io/type: build + name: odh-notebook-controller-on-push + namespace: rhoai-ide-konflux-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/odh-notebook-controller:{{revision}} + - name: dockerfile + value: components/odh-notebook-controller/Dockerfile + pipelineSpec: + description: 'This pipeline is ideal for building container images from a Containerfile + while maintaining trust after pipeline customization. + + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). + It also optionally creates a source image and runs some build-time tests. Information + is shared between tasks using OCI artifacts instead of PVCs. EC will pass the + [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) + policy as long as all data used to build the artifact is generated from trusted + tasks. 
+ + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + + ' + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: '' + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: 'false' + description: Force rebuild image + name: rebuild + type: string + - default: 'false' + description: Skip checks against built image + name: skip-checks + type: string + - default: 'false' + description: Execute the build with network isolation + name: hermetic + type: string + - default: '' + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: '' + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: 'false' + description: Build a source image. 
+ name: build-source-image + type: string + - default: 'false' + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: '' + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + results: + - description: '' + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: '' + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: '' + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: '' + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:f72fcca6732516339d55ac5f01660e287968e64e857a40a8608db27e298b5126 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + 
params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:994f816e36ac832f4020647afd69223a015c84c503f925013c573fed52f05420 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.3@sha256:11b9ce26fd2933ccc81ca3f983e094ec54326a2e0aaf8bdcc4c0b8fea1a42c53 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: 
IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:75e882bf1619dd45a4043060ce42a6ad3ce781264ade5b7f66a1d994ee159126 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - input: $(params.build-source-image) + operator: in + values: + - 'true' + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:650330fde0773f73f6bac77ae573031c44c79165d9503b0d5ec1db3e6ef981d7 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: clair-scan + params: + 
- name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:907f11c67b0330480cbf85c23b1085acc5a049ab90af980169251860a3d97ef7 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:af93b35e6e71a6ff7f3785ad8d8497b11204a5c0c33ab1a78b44f9d43f49c7a5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:c12e7a774bb07ad2796c01071b0dc0f199111b0ee99c45b55fa599e23b200bae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:fde1e556e69b8293a38d815473040f0d1ee3567c520c52cb1bd4ea712c715b4f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:18c1c2665cdb10ca589f69f75f2bb49758f9ed75b69a9171d562856dec3cfd76 + - name: kind + value: 
task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: apply-tags + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:2c2d88c07623b2d25163994ded6e9f29205ea5bbab090f4c86379739940028b9 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: 
IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:98ccae6ac132ab837fc51a70514be5fca656e09d6d4ad93230bd10f0119258aa + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:39cd56ffa26ff5edfd5bf9b61e902cae35a345c078cd9dcbc0737d30f3ce5ef1 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: {} + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} + diff --git a/.tekton/odh-notebook-controller-odh-io-main-pull-request.yaml b/.tekton/odh-notebook-controller-odh-io-main-pull-request.yaml new file mode 100644 index 00000000000..5843b29507a --- /dev/null +++ b/.tekton/odh-notebook-controller-odh-io-main-pull-request.yaml 
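Review bot: The `sast-unicode-check` task in this hunk references the wrong task: its taskRef `name` is `sast-shell-check-oci-ta` and its bundle is the same `task-sast-shell-check-oci-ta:0.1@sha256:7553ec…` digest used by the `sast-shell-check` task directly above it, so the pipeline runs the shell check twice and never runs a unicode (bidi/homoglyph) check on the source. The taskRef should name `sast-unicode-check-oci-ta` with that task's own pinned bundle digest from the Konflux catalog, for example `value: sast-unicode-check-oci-ta` and `value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:<tag>@sha256:<digest>`; I cannot supply the digest from what is visible here. Since the file header states it is autogenerated by `ci/konflux/generate_component_build_pipelines.py`, the fix belongs in the generator (the same mismatch appears in the other generated pipelines in this patch) and the YAML should then be regenerated. Note also that this task's `params` omit `image-digest` while the sibling SAST tasks pass it; confirm against the unicode task's declared params once the reference is corrected.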
@@ -0,0 +1,592 @@ +# yamllint disable-file +# This file is autogenerated by ci/konflux/generate_component_build_pipelines.py +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: '3' + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" + creationTimestamp: null + labels: + appstudio.openshift.io/application: kubeflow + appstudio.openshift.io/component: odh-notebook-controller + pipelines.appstudio.openshift.io/type: build + name: odh-notebook-controller-on-pull-request + namespace: rhoai-ide-konflux-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/odh-notebook-controller:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: components/odh-notebook-controller/Dockerfile + pipelineSpec: + description: 'This pipeline is ideal for building container images from a Containerfile + while maintaining trust after pipeline customization. + + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). + It also optionally creates a source image and runs some build-time tests. Information + is shared between tasks using OCI artifacts instead of PVCs. EC will pass the + [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) + policy as long as all data used to build the artifact is generated from trusted + tasks. 
+ + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + + ' + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: '' + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: 'false' + description: Force rebuild image + name: rebuild + type: string + - default: 'false' + description: Skip checks against built image + name: skip-checks + type: string + - default: 'false' + description: Execute the build with network isolation + name: hermetic + type: string + - default: '' + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: '' + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: 'false' + description: Build a source image. 
+ name: build-source-image + type: string + - default: 'false' + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: '' + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + results: + - description: '' + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: '' + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: '' + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: '' + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:f72fcca6732516339d55ac5f01660e287968e64e857a40a8608db27e298b5126 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + 
params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:994f816e36ac832f4020647afd69223a015c84c503f925013c573fed52f05420 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.3@sha256:11b9ce26fd2933ccc81ca3f983e094ec54326a2e0aaf8bdcc4c0b8fea1a42c53 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: 
IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:75e882bf1619dd45a4043060ce42a6ad3ce781264ade5b7f66a1d994ee159126 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - 'true' + - input: $(params.build-source-image) + operator: in + values: + - 'true' + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:650330fde0773f73f6bac77ae573031c44c79165d9503b0d5ec1db3e6ef981d7 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: clair-scan + params: + 
- name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:907f11c67b0330480cbf85c23b1085acc5a049ab90af980169251860a3d97ef7 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:af93b35e6e71a6ff7f3785ad8d8497b11204a5c0c33ab1a78b44f9d43f49c7a5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:c12e7a774bb07ad2796c01071b0dc0f199111b0ee99c45b55fa599e23b200bae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:fde1e556e69b8293a38d815473040f0d1ee3567c520c52cb1bd4ea712c715b4f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:18c1c2665cdb10ca589f69f75f2bb49758f9ed75b69a9171d562856dec3cfd76 + - name: kind + value: 
task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + - name: apply-tags + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:2c2d88c07623b2d25163994ded6e9f29205ea5bbab090f4c86379739940028b9 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: 
IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:98ccae6ac132ab837fc51a70514be5fca656e09d6d4ad93230bd10f0119258aa + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:39cd56ffa26ff5edfd5bf9b61e902cae35a345c078cd9dcbc0737d30f3ce5ef1 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - 'false' + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: {} + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} + diff --git a/ci/konflux/generate_component_build_pipelines.py b/ci/konflux/generate_component_build_pipelines.py new file mode 100755 index 00000000000..9220722fecc --- /dev/null +++ b/ci/konflux/generate_component_build_pipelines.py 
@@ -0,0 +1,705 @@ +#!/usr/bin/env python3 + +import re +import pathlib +import yaml + +ROOT_DIR = pathlib.Path(__file__).parent.parent.parent + +workspace_name = "rhoai-ide-konflux-tenant" +application_name = "kubeflow" +git_revision = "main" +git_url = "https://github.com/opendatahub-io/notebooks" + + +""" +We have a couple of components and their pipeline specs are very repetitive. + +This script creates the Tekton pipelines under /.tekton + +Usage: + +$ poetry run ci/konflux/generate_component_build_pipelines.py +""" + +def bundle_task_ref(name) -> dict: + """Returns a reference to a Konflux task bundle. + + Uses the `image-registry.yaml` file as an up-to-date source for the digests.""" + with open(ROOT_DIR / ".tekton/image-registry.yaml") as f: + data = yaml.load(f, Loader=yaml.FullLoader) + images: list[str] = [image['spec']['taskRef']['bundle'] for image in data['items']] + for image in images: + if re.search(f'^quay.io/konflux-ci/tekton-catalog/task-{name}:', image): + bundle = image + break + else: + raise Exception(f"Could not find bundle {name}") + + return { + "params": [ + {"name": "name", "value": name}, + { + "name": "bundle", + "value": bundle, + }, + {"name": "kind", "value": "task"}, + ], + "resolver": "bundles", + } + + +def build_container( + name_suffix: str = "", + output_image: str = "$(params.output-image)", + dockerfile: str = "$(params.dockerfile)", + run_after: str = "prefetch-dependencies", + build_arg: str = "$(params.build-args[*])") -> dict: + """Returns a build-container step definition for the Konflux pipeline.""" + return { + "name": "build-container" + name_suffix, + "params": [ + {"name": "IMAGE", "value": output_image}, + {"name": "DOCKERFILE", "value": dockerfile}, + {"name": "CONTEXT", "value": "$(params.path-context)"}, + {"name": "HERMETIC", "value": "$(params.hermetic)"}, + {"name": "PREFETCH_INPUT", "value": "$(params.prefetch-input)"}, + { + "name": "IMAGE_EXPIRES_AFTER", + "value": "$(params.image-expires-after)", + }, + 
{ + "name": "COMMIT_SHA", + "value": "$(tasks.clone-repository.results.commit)", + }, + {"name": "BUILD_ARGS", "value": [build_arg]}, + { + "name": "BUILD_ARGS_FILE", + "value": "$(params.build-args-file)", + }, + { + "name": "SOURCE_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)", + }, + { + "name": "CACHI2_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)", + }, + ], + "runAfter": [run_after], + "taskRef": bundle_task_ref("buildah-oci-ta"), + "when": [ + { + "input": "$(tasks.init.results.build)", + "operator": "in", + "values": ["true"], + } + ], + } + + +def component_build_pipeline(component_name, dockerfile_path, + build_container_tasks: list[dict], is_pr: bool = True) -> dict: + """Returns a component build pipeline definition. + + This is general enough to create PR pipeline as well as push pipeline. + """ + name = component_name + ("-on-pull-request" if is_pr else "-on-push") + return { + "apiVersion": "tekton.dev/v1", + "kind": "PipelineRun", + "metadata": { + "annotations": { + "build.appstudio.openshift.io/repo": git_url + "?rev={{revision}}", + "build.appstudio.redhat.com/commit_sha": "{{revision}}", + **({"build.appstudio.redhat.com/pull_request_number": "{{pull_request_number}}"} if is_pr else {}), + "build.appstudio.redhat.com/target_branch": "{{target_branch}}", + "pipelinesascode.tekton.dev/max-keep-runs": "3", + "pipelinesascode.tekton.dev/on-cel-expression": ( + 'event == "pull_request" && target_branch == "main"' if is_pr + else 'event == "push" && target_branch == "main"' + ), + }, + "creationTimestamp": None, + "labels": { + "appstudio.openshift.io/application": application_name, + "appstudio.openshift.io/component": component_name, + "pipelines.appstudio.openshift.io/type": "build", + }, + "name": name, + "namespace": workspace_name, + }, + "spec": { + "params": [ + {"name": "git-url", "value": "{{source_url}}"}, + {"name": "revision", "value": "{{revision}}"}, + { + "name": 
"output-image", + "value": "quay.io/redhat-user-workloads/" + workspace_name + "/" + component_name + ":" + ( + "on-pr-" if is_pr else "") + "{{revision}}", + }, + *([{"name": "image-expires-after", "value": "5d"}] if is_pr else []), + *([{"name": "dockerfile", "value": dockerfile_path}] if dockerfile_path else []), + ], + "pipelineSpec": { + "description": "This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.\n\n_Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.\nThis pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_\n", + "finally": [ + { + "name": "show-sbom", + "params": [ + { + "name": "IMAGE_URL", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + } + ], + "taskRef": bundle_task_ref("show-sbom") + } + ], + "params": [ + { + "description": "Source Repository URL", + "name": "git-url", + "type": "string", + }, + { + "default": "", + "description": "Revision of the Source Repository", + "name": "revision", + "type": "string", + }, + { + "description": "Fully Qualified Output Image", + "name": "output-image", + "type": "string", + }, + { + "default": ".", + "description": "Path to the source code of an application's component from where to build image.", + "name": "path-context", + "type": "string", + }, + { + "default": "Dockerfile", + "description": "Path to the Dockerfile inside the context specified by parameter path-context", + 
"name": "dockerfile", + "type": "string", + }, + { + "default": "false", + "description": "Force rebuild image", + "name": "rebuild", + "type": "string", + }, + { + "default": "false", + "description": "Skip checks against built image", + "name": "skip-checks", + "type": "string", + }, + { + "default": "false", + "description": "Execute the build with network isolation", + "name": "hermetic", + "type": "string", + }, + { + "default": "", + "description": "Build dependencies to be prefetched by Cachi2", + "name": "prefetch-input", + "type": "string", + }, + { + "default": "", + "description": "Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", + "name": "image-expires-after", + }, + { + "default": "false", + "description": "Build a source image.", + "name": "build-source-image", + "type": "string", + }, + { + "default": "false", + "description": "Add built image into an OCI image index", + "name": "build-image-index", + "type": "string", + }, + { + "default": [], + "description": 'Array of --build-arg values ("arg=value" strings) for buildah', + "name": "build-args", + "type": "array", + }, + { + "default": "", + "description": "Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file", + "name": "build-args-file", + "type": "string", + }, + ], + "results": [ + { + "description": "", + "name": "IMAGE_URL", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + { + "description": "", + "name": "IMAGE_DIGEST", + "value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + { + "description": "", + "name": "CHAINS-GIT_URL", + "value": "$(tasks.clone-repository.results.url)", + }, + { + "description": "", + "name": "CHAINS-GIT_COMMIT", + "value": "$(tasks.clone-repository.results.commit)", + }, + ], + "tasks": [ + { + "name": "init", + "params": [ + {"name": "image-url", "value": "$(params.output-image)"}, + {"name": "rebuild", "value": 
"$(params.rebuild)"}, + {"name": "skip-checks", "value": "$(params.skip-checks)"}, + ], + "taskRef": bundle_task_ref("init"), + }, + { + "name": "clone-repository", + "params": [ + {"name": "url", "value": "$(params.git-url)"}, + {"name": "revision", "value": "$(params.revision)"}, + {"name": "ociStorage", "value": "$(params.output-image).git"}, + { + "name": "ociArtifactExpiresAfter", + "value": "$(params.image-expires-after)", + }, + ], + "runAfter": ["init"], + "taskRef": bundle_task_ref("git-clone-oci-ta"), + "when": [ + { + "input": "$(tasks.init.results.build)", + "operator": "in", + "values": ["true"], + } + ], + "workspaces": [{"name": "basic-auth", "workspace": "git-auth"}], + }, + { + "name": "prefetch-dependencies", + "params": [ + {"name": "input", "value": "$(params.prefetch-input)"}, + { + "name": "SOURCE_ARTIFACT", + "value": "$(tasks.clone-repository.results.SOURCE_ARTIFACT)", + }, + { + "name": "ociStorage", + "value": "$(params.output-image).prefetch", + }, + { + "name": "ociArtifactExpiresAfter", + "value": "$(params.image-expires-after)", + }, + ], + "runAfter": ["clone-repository"], + "taskRef": bundle_task_ref("prefetch-dependencies-oci-ta"), + "workspaces": [ + {"name": "git-basic-auth", "workspace": "git-auth"}, + {"name": "netrc", "workspace": "netrc"}, + ], + }, + *build_container_tasks, + { + "name": "build-image-index", + "params": [ + {"name": "IMAGE", "value": "$(params.output-image)"}, + { + "name": "COMMIT_SHA", + "value": "$(tasks.clone-repository.results.commit)", + }, + { + "name": "IMAGE_EXPIRES_AFTER", + "value": "$(params.image-expires-after)", + }, + { + "name": "ALWAYS_BUILD_INDEX", + "value": "$(params.build-image-index)", + }, + { + "name": "IMAGES", + "value": [ + "$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)" + ], + }, + ], + "runAfter": ["build-container"], + "taskRef": bundle_task_ref("build-image-index"), + "when": [ + { + "input": "$(tasks.init.results.build)", + "operator": 
"in", + "values": ["true"], + } + ], + }, + { + "name": "build-source-image", + "params": [ + {"name": "BINARY_IMAGE", "value": "$(params.output-image)"}, + { + "name": "SOURCE_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)", + }, + { + "name": "CACHI2_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("source-build-oci-ta"), + "when": [ + { + "input": "$(tasks.init.results.build)", + "operator": "in", + "values": ["true"], + }, + { + "input": "$(params.build-source-image)", + "operator": "in", + "values": ["true"], + }, + ], + }, + { + "name": "deprecated-base-image-check", + "params": [ + { + "name": "IMAGE_URL", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + { + "name": "IMAGE_DIGEST", + "value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("deprecated-image-check"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + } + ], + }, + { + "name": "clair-scan", + "params": [ + { + "name": "image-digest", + "value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + { + "name": "image-url", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("clair-scan"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + } + ], + }, + { + "name": "ecosystem-cert-preflight-checks", + "params": [ + { + "name": "image-url", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + } + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("ecosystem-cert-preflight-checks"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + } + ], + }, + { + "name": "sast-snyk-check", + "params": [ + { + "name": "image-digest", + 
"value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + { + "name": "image-url", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + { + "name": "SOURCE_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)", + }, + { + "name": "CACHI2_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("sast-snyk-check-oci-ta"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + } + ], + }, + { + "name": "clamav-scan", + "params": [ + { + "name": "image-digest", + "value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + { + "name": "image-url", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("clamav-scan"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + } + ], + }, + { + "name": "sast-coverity-check", + "params": [ + { + "name": "image-digest", + "value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + { + "name": "image-url", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + { + "name": "SOURCE_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)", + }, + { + "name": "CACHI2_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)", + }, + ], + "runAfter": ["coverity-availability-check"], + "taskRef": bundle_task_ref("sast-coverity-check-oci-ta"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + }, + { + "input": "$(tasks.coverity-availability-check.results.STATUS)", + "operator": "in", + "values": ["success"], + }, + ], + }, + { + "name": "coverity-availability-check", + "params": [ + { + "name": "image-digest", + "value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + { + "name": "image-url", + "value": 
"$(tasks.build-image-index.results.IMAGE_URL)", + }, + { + "name": "SOURCE_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)", + }, + { + "name": "CACHI2_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("coverity-availability-check-oci-ta"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + } + ], + }, + { + "name": "sast-shell-check", + "params": [ + { + "name": "image-digest", + "value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + { + "name": "image-url", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + { + "name": "SOURCE_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)", + }, + { + "name": "CACHI2_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("sast-shell-check-oci-ta"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + } + ], + }, + { + "name": "sast-unicode-check", + "params": [ + { + "name": "image-url", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + { + "name": "SOURCE_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)", + }, + { + "name": "CACHI2_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("sast-shell-check-oci-ta"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + } + ], + }, + { + "name": "apply-tags", + "params": [ + { + "name": "IMAGE", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + } + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("apply-tags"), + }, + { + "name": "push-dockerfile", + "params": [ + { + "name": "IMAGE", + 
"value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + { + "name": "IMAGE_DIGEST", + "value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + {"name": "DOCKERFILE", "value": "$(params.dockerfile)"}, + {"name": "CONTEXT", "value": "$(params.path-context)"}, + { + "name": "SOURCE_ARTIFACT", + "value": "$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("push-dockerfile-oci-ta"), + }, + { + "name": "rpms-signature-scan", + "params": [ + { + "name": "image-url", + "value": "$(tasks.build-image-index.results.IMAGE_URL)", + }, + { + "name": "image-digest", + "value": "$(tasks.build-image-index.results.IMAGE_DIGEST)", + }, + ], + "runAfter": ["build-image-index"], + "taskRef": bundle_task_ref("rpms-signature-scan"), + "when": [ + { + "input": "$(params.skip-checks)", + "operator": "in", + "values": ["false"], + } + ], + }, + ], + "workspaces": [ + {"name": "git-auth", "optional": True}, + {"name": "netrc", "optional": True}, + ], + }, + "taskRunTemplate": {}, + "workspaces": [ + {"name": "git-auth", "secret": {"secretName": "{{ git_auth_secret }}"}} + ], + }, + "status": {}, + } + + +def main(): + for task_name, dockerfile_path in [ + ("kf-notebook-controller", "components/notebook-controller/Dockerfile"), + ("odh-notebook-controller", "components/odh-notebook-controller/Dockerfile"), + ]: + with open(ROOT_DIR / ".tekton" / (task_name + "-odh-io-main" + "-on-push.yaml"), "w") as yaml_file: + print("# yamllint disable-file", file=yaml_file) + print("# This file is autogenerated by ci/konflux/generate_component_build_pipelines.py", file=yaml_file) + print(yaml.dump(component_build_pipeline(component_name=task_name, dockerfile_path=dockerfile_path, + build_container_tasks=[build_container()], is_pr=False)), + file=yaml_file) + with open(ROOT_DIR / ".tekton" / (task_name + "-odh-io-main" + "-pull-request.yaml"), "w") as yaml_file: + print("# yamllint disable-file", 
file=yaml_file) + print("# This file is autogenerated by ci/konflux/generate_component_build_pipelines.py", file=yaml_file) + print(yaml.dump(component_build_pipeline(component_name=task_name, dockerfile_path=dockerfile_path, + build_container_tasks=[build_container()], is_pr=True)), + file=yaml_file) + + +if __name__ == "__main__": + main() diff --git a/ci/konflux/generate_component_definitions.py b/ci/konflux/generate_component_definitions.py new file mode 100755 index 00000000000..1c6ce3041ad --- /dev/null +++ b/ci/konflux/generate_component_definitions.py 
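Review bot: The `sast-unicode-check` task near the end of `component_build_pipeline` is wired to `bundle_task_ref("sast-shell-check-oci-ta")`, so the generated pipelines (see the `sast-unicode-check` entry in the emitted YAML above, which carries the `task-sast-shell-check-oci-ta` bundle) run the shell check twice and never run a unicode/bidi-character scan; it should reference the dedicated unicode-check bundle, presumably `"taskRef": bundle_task_ref("sast-unicode-check-oci-ta"),`, and `.tekton/image-registry.yaml` must list that bundle or `bundle_task_ref` will raise. `git_url` in this script is `https://github.com/opendatahub-io/notebooks` while the sibling `generate_component_definitions.py` in this same commit uses `https://github.com/opendatahub-io/kubeflow`, and the value here feeds the `build.appstudio.openshift.io/repo` annotation, so one of the two is wrong for this repository. `bundle_task_ref` parses `image-registry.yaml` with `yaml.load(f, Loader=yaml.FullLoader)`; `data = yaml.safe_load(f)` is sufficient for that plain mapping and avoids constructing Python objects from a file a pull request can modify. The `re.search` there also interpolates `name` into a pattern with unescaped dots; `if image.startswith(f"quay.io/konflux-ci/tekton-catalog/task-{name}:"):` is the exact match the code intends.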
@@ -0,0 +1,85 @@ +#!/usr/bin/env python3 + +import yaml + + +""" +This script is used to configure a Konflux Application with component definitions. +We have very many components, and clicking them one by one in the UI is too inefficient. + +$ poetry run ci/cached-builds/konflux_generate_component_definitions.py > konflux_components.yaml +$ oc apply -f konflux_components.yaml + +Open https://console.redhat.com/application-pipeline/workspaces/rhoai-ide-konflux/applications +and see the result in the "Components" tab. +""" + +workspace_name = "rhoai-ide-konflux-tenant" +application_name = "kubeflow" +application_uid = "89959242-a304-41ef-9654-c360c415fbb9" +git_revision = "main" +git_url = "https://github.com/opendatahub-io/kubeflow" +pr_number = "514" + + +def konflux_component(component_name: str, context_path: str, dockerfile_path: str) -> dict: + return { + "apiVersion": "appstudio.redhat.com/v1alpha1", + "kind": "Component", + "metadata": { + "annotations": { + # this annotation will create imagerepository in quay, + # https://redhat-internal.slack.com/archives/C07S8637ELR/p1736436093726049?thread_ts=1736420157.217379&cid=C07S8637ELR + "image.redhat.com/generate": '{"visibility": "public"}', + + "build.appstudio.openshift.io/status": '{"pac":{"state":"enabled","merge-url":"' + git_url + '/pull/' + pr_number + '","configuration-time":"Tue, 18 Feb 2025 12:39:27 UTC"},"message":"done"}', + "build.appstudio.openshift.io/pipeline": '{"name":"docker-build-oci-ta","bundle":"latest"}', + "git-provider": "github", + "git-provider-url": "https://github.com", + }, + "name": component_name, + "namespace": workspace_name, + "ownerReferences": [ + { + "apiVersion": "appstudio.redhat.com/v1alpha1", + "kind": "Application", + "name": application_name, + "uid": application_uid, + } + ], + "finalizers": [ + "test.appstudio.openshift.io/component", + "pac.component.appstudio.openshift.io/finalizer", + ], + }, + "spec": { + "application": application_name, + "componentName": 
component_name, + "containerImage": "quay.io/redhat-user-workloads/" + + workspace_name + + "/" + + component_name, + "resources": {}, + "source": { + "git": { + "context": context_path, + "dockerfileUrl": dockerfile_path, + "revision": git_revision, + "url": git_url, + } + }, + }, + } + + +def main(): + components = [ + konflux_component("kf-notebook-controller", context_path="components/", dockerfile_path="components/notebook-controller/Dockerfile"), + konflux_component("odh-notebook-controller", context_path="components/", dockerfile_path="components/odh-notebook-controller/Dockerfile"), + ] + for component in components: + print(yaml.dump(component, explicit_start=True)) + + +if __name__ == "__main__": + main()
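Review bot: The usage line in the module docstring at the top of the hunk points at `ci/cached-builds/konflux_generate_component_definitions.py`, but this file lives at `ci/konflux/generate_component_definitions.py`, so the documented command does not run; change it to `$ poetry run ci/konflux/generate_component_definitions.py > konflux_components.yaml`. The `build.appstudio.openshift.io/status` annotation in `konflux_component` hard-codes `pr_number` and a `configuration-time` of 18 Feb 2025, so every `oc apply` of this output overwrites whatever the build controller last recorded there, if the controller owns that annotation; a comment such as `# snapshot of the UI-created state; the build controller will overwrite this` (or dropping the annotation) would tell the next maintainer which is intended. `application_uid` is likewise hard-coded into `ownerReferences`; if the `kubeflow` Application is ever recreated its uid changes and Kubernetes garbage collection may treat the owner as missing, so a comment noting where the uid was taken from and that it must be refreshed with the Application is worth adding.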