diff --git a/Containerfile.iib-build-task b/Containerfile.iib-build-task
index 098b44d..ee2a542 100644
--- a/Containerfile.iib-build-task
+++ b/Containerfile.iib-build-task
@@ -1,9 +1,7 @@
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6-1747218906
+FROM quay.io/konflux-ci/buildah-task:latest@sha256:4d8273444b0f2781264c232e12e88449bbf078c99e3da2a7f6dcaaf27bc53712
 WORKDIR /opt/app-root/src
-ADD https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm epel-release-latest-9.noarch.rpm
-
 # We need multiple OPM versions because IIB uses different upstream versions for different OCP versions
 ARG OPM_VERSION_1_26_4=v1.26.4
 ARG OPM_VERSION_1_40_0=v1.40.0
@@ -11,14 +9,26 @@ ARG OPM_VERSION_1_44_0=v1.44.0
 ARG OPM_VERSION_1_48_0=v1.48.0
 ARG ORAS_VERSION="1.2.3"
-RUN rpm -Uvh epel-release-latest-9.noarch.rpm && \
- microdnf -y --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install \
+RUN microdnf -y --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install \
 findutils \
 gzip \
 jq \
- tar && \
+ tar \
+ python3 \
+ python3-pip \
+ skopeo \
+ git \
+ python3-file-magic && \
 microdnf clean all
+# Install Python dependencies
+RUN pip3 install --no-cache-dir \
+ tenacity \
+ GitPython \
+ kubernetes \
+ ruamel.yaml
+
+ # Install OPM versions
 RUN curl -s -L https://github.com/operator-framework/operator-registry/releases/download/"${OPM_VERSION_1_26_4}"/linux-amd64-opm > /usr/bin/opm-"${OPM_VERSION_1_26_4}" && \
 curl -s -L https://github.com/operator-framework/operator-registry/releases/download/"${OPM_VERSION_1_40_0}"/linux-amd64-opm > /usr/bin/opm-"${OPM_VERSION_1_40_0}" && \
 curl -s -L https://github.com/operator-framework/operator-registry/releases/download/"${OPM_VERSION_1_44_0}"/linux-amd64-opm > /usr/bin/opm-"${OPM_VERSION_1_44_0}" && \
diff --git a/task/iib-image-builder-oci-ta/iib-image-builder-oci-ta.yaml b/task/iib-image-builder-oci-ta/iib-image-builder-oci-ta.yaml
new file mode 100644
index 0000000..35c7044
--- /dev/null
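Review bot: The new `RUN pip3 install --no-cache-dir` line installs tenacity, GitPython, kubernetes and ruamel.yaml with no version pins, although the same file fixes the OPM and ORAS versions through `ARG`s, so each image build resolves to whatever PyPI serves at that moment and the resulting tool image is not reproducible even though its base is now digest-pinned. Pin every package (`tenacity==<PINNED_VERSION>` and so on), or better keep them in a requirements file installed with `pip3 install --no-cache-dir --require-hashes -r requirements.txt` so that a substituted or compromised release fails the build instead of landing in the image. The `RUN` block is complete within the hunk.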
+++ b/task/iib-image-builder-oci-ta/iib-image-builder-oci-ta.yaml 
@@ -0,0 +1,188 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: iib-image-builder-oci-ta
+ annotations:
+ tekton.dev/pipelines.minVersion: 0.12.1
+ tekton.dev/tags: image-build, konflux
+ labels:
+ app.kubernetes.io/version: "0.1"
+ build.appstudio.redhat.com/build_type: docker
+spec:
+ description: |-
+ This task builds source code into multi-architecture index images using Python orchestration
+ with buildah.
+ params:
+ - name: COMMIT_SHA
+ description: The image is built from this commit.
+ type: string
+ default: ""
+ - name: CONTEXT
+ description: Path to the directory to use as context.
+ type: string
+ default: .
+ - name: DOCKERFILE
+ description: Path to the Dockerfile to build.
+ type: string
+ default: ./Dockerfile
+ - name: IMAGE
+ description: Reference of the image buildah will produce.
+ type: string
+ - name: IMAGE_EXPIRES_AFTER
+ description: Delete image tag after specified time. Empty means to keep the image tag.
+ type: string
+ default: ""
+ - name: LABELS
+ description: Additional key=value labels that should be applied to the image
+ type: array
+ default: []
+ - name: SOURCE_ARTIFACT
+ description: The Trusted Artifact URI pointing to the artifact with the application source code.
+ type: string
+ - name: STORAGE_DRIVER
+ description: Storage driver to configure for buildah
+ type: string
+ default: overlay
+ - name: PLATFORMS
+ description: Comma-separated list of platforms to build for (e.g., linux/amd64,linux/arm64,linux/ppc64le,linux/s390x)
+ type: string
+ default: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
+ - name: OPM_VERSION
+ description: OPM version to use for cache generation
+ type: string
+ default: "v1.48.0"
+ - name: RETRY_ATTEMPTS
+ description: Number of retry attempts for build operations
+ type: string
+ default: "3"
+ - name: RETRY_DELAY
+ description: Delay between retry attempts in seconds
+ type: string
+ default: "5"
+ - name: caTrustConfigMapKey
+ description: The name of the key in the ConfigMap that contains the CA bundle data.
+ type: string
+ default: ca-bundle.crt
+ - name: caTrustConfigMapName
+ description: The name of the ConfigMap to read CA bundle data from.
+ type: string
+ default: trusted-ca
+ results:
+ - name: IMAGE_DIGEST
+ description: Digest of the multi-arch image manifest
+ - name: IMAGE_REF
+ description: Image reference of the built multi-arch image
+ - name: IMAGE_URL
+ description: Image repository and tag where the built image was pushed
+ - name: BUILD_RESULTS
+ description: JSON file containing detailed build results
+ volumes:
+ - name: shared
+ emptyDir: {}
+ - name: trusted-ca
+ configMap:
+ items:
+ - key: $(params.caTrustConfigMapKey)
+ path: ca-bundle.crt
+ name: $(params.caTrustConfigMapName)
+ optional: true
+ - name: varlibcontainers
+ emptyDir: {}
+ - name: workdir
+ emptyDir: {}
+ - name: cache
+ emptyDir: {}
+ stepTemplate:
+ computeResources:
+ limits:
+ memory: 16Gi
+ requests:
+ cpu: "4"
+ memory: 4Gi
+ env:
+ - name: CONTEXT
+ value: $(params.CONTEXT)
+ - name: IMAGE
+ value: $(params.IMAGE)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.IMAGE_EXPIRES_AFTER)
+ - name: STORAGE_DRIVER
+ value: $(params.STORAGE_DRIVER)
+ - name: PLATFORMS
+ value: $(params.PLATFORMS)
+ - name: OPM_VERSION
+ value: $(params.OPM_VERSION)
+ - name: RETRY_ATTEMPTS
+ value: $(params.RETRY_ATTEMPTS)
+ - name: RETRY_DELAY
+ value: $(params.RETRY_DELAY)
+ - name: CACHE_DIR
+ value: /var/workdir/cache
+ volumeMounts:
+ - mountPath: /shared
+ name: shared
+ - mountPath: /var/workdir
+ name: workdir
+ - mountPath: /var/workdir/cache
+ name: cache
+ steps:
+ - name: use-trusted-artifact
+ image: quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:edd8e3affc389320b15b9de8a5aedbf7b0463211b77c981563a2cfa20076b0c0
+ args:
+ - use
+ - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+ volumeMounts:
+ - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+ name: trusted-ca
+ readOnly: true
+ subPath: ca-bundle.crt
+ - name: prepare-build-config
+ image: quay.io/exd-guild-hello-operator/iib-build-task:latest
+ workingDir: /var/workdir
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+
+ echo "[$(date --utc -Ins)] Preparing build configuration"
+
+ # Prepare labels string
+ LABELS_STR=""
+ if [ ${#LABELS[@]} -gt 0 ]; then
+ LABELS_STR=$(IFS=','; echo "${LABELS[*]}")
+ fi
+
+ # Set environment variables for Python script
+ export LABELS="$LABELS_STR"
+
+ echo "[$(date --utc -Ins)] Build configuration prepared"
+ echo "Labels: $LABELS_STR"
+ echo "OPM Version: $OPM_VERSION"
+ echo "Platforms: $PLATFORMS"
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ - mountPath: /mnt/trusted-ca
+ name: trusted-ca
+ readOnly: true
+ - name: build-multi-arch
+ image: quay.io/exd-guild-hello-operator/iib-build-task:latest
+ workingDir: /var/workdir
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+
+ echo "[$(date --utc -Ins)] Starting multi-architecture build with Python orchestration"
+
+ echo "[$(date --utc -Ins)] Multi-architecture build completed"
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ - mountPath: /mnt/trusted-ca
+ name: trusted-ca
+ readOnly: true
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ runAsUser: 0
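Review bot: Both `prepare-build-config` and `build-multi-arch` use `image: quay.io/exd-guild-hello-operator/iib-build-task:latest`, a mutable tag, while the `use-trusted-artifact` step in the same task is pinned by digest; because `build-multi-arch` runs with `runAsUser: 0` and `SETFCAP`, whatever gets pushed to that tag next runs with those privileges without any change to this task, so pin it as `image: quay.io/exd-guild-hello-operator/iib-build-task:<TAG>@sha256:<DIGEST>` (placeholder values). The `prepare-build-config` script tests `${#LABELS[@]}`, but nothing in that step passes `$(params.LABELS[*])` in, so `LABELS_STR` is always empty (and with `set -u` the unset array may abort the step depending on the bash version), and `export LABELS="$LABELS_STR"` only lives in that step's shell, so the `build-multi-arch` step never sees it; pass the array through `args` to the step that actually consumes it. None of the four declared results (`IMAGE_DIGEST`, `IMAGE_REF`, `IMAGE_URL`, `BUILD_RESULTS`) is written anywhere — no `$(results.*.path)` appears in either script — so a pipeline consuming them will fail at runtime; if `build-multi-arch` is intentionally a stub for now, say so in the script, e.g. `# TODO: run the Python orchestration and write $(results.IMAGE_DIGEST.path) etc.`.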