Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ROX-27350: Setup ACS trusted tasks builds and publishing #3

Open
wants to merge 32 commits into
base: main
Choose a base branch
from
Open

ROX-27350: Setup ACS trusted tasks builds and publishing #3

wants to merge 32 commits into from

Conversation

msugakov
Copy link
Contributor

@msugakov msugakov commented Dec 11, 2024
edited
Loading

Notes

  • This change can be reviewed per commits as I broke it down in chunks and put descriptions that seemed meaningful. However, due the large number of commits, it can be quicker to just review the final version.
  • I know that duplication in determine-image-tag isn't great but it will not be the right time to address that now. Let's leave that for ROX-27384 or, most likely, ROX-26026.
  • Some tasks in the build pipeline don't feel quite fine, e.g. clair-scan and clamav-scan but they aren't failing the pipeline either, and so I decided to keep them in the hopes that one day they may start working. By keeping the tasks it will hopefully be easier to conform EC when that will be required.

Links

Testing

  • Tested builds in the consuming repos are fine with the new tasks. See the PRs linked above.
  • EC status is hard to present due to known issues of EC logs disappearing but I'm confident from earlier testing that all should be good once we update the policy.

@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch 2 times, most recently from 18c2c31 to ad9ed75 Compare December 11, 2024 19:21
@msugakov
Copy link
Contributor Author

/retest acs-konflux-tasks-on-push

@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch 6 times, most recently from 7016f0d to 36eac71 Compare December 12, 2024 10:05
@msugakov
Create basic .editorconfig
b0684e7 
for consistent text editing experience in IDEs.

Generic contents from https://editorconfig.org/

YAML formatting borrowed from
https://github.com/stackrox/stackrox/blob/master/.editorconfig
@msugakov
Add basic .gitignore
ac95cc2
@msugakov
Copy custom tasks from StackRox repo verbatim
6d8ae9f 
Used the following commands, no manual changes:

```
$ cdrox
$ cp .tekton/*-task.yaml ~/projects/stackrox-konflux-tasks/tasks/
```
@msugakov
Rename determine-image-tag-task to determine-image-tag-stackrox-task
82f797d 
to prevent clashes with collector and scanner copies of it.
@msugakov
Rename fetch-scanner-vuln-mappings to fetch-scanner-v4-vuln-mappings
b9a871a 
in order to differentiate this V4 task from V2 task that'll come
from the `scanner` repo.
@msugakov
Copy custom tasks from scanner repo verbatim
97315b8 
Used the following commands, no further manual changes

```
$ cdrox scanner
$ cp .tekton/*-task.yaml ~/projects/stackrox-konflux-tasks/tasks/
```
@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch 3 times, most recently from a98d0a0 to 4056835 Compare December 12, 2024 10:59
@msugakov msugakov mentioned this pull request Dec 12, 2024
Draft
@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch 3 times, most recently from b798fe8 to 6921801 Compare December 12, 2024 12:17
@msugakov msugakov changed the title ROX-27350: WIP ROX-27350: Setup ACS trusted tasks builds and publishing Dec 12, 2024
msugakov added a commit to stackrox/collector that referenced this pull request Dec 12, 2024
@msugakov
Switch determine-image-tag to trusted task
a04bf50 
See stackrox/konflux-tasks#3
@msugakov msugakov mentioned this pull request Dec 12, 2024
Draft
5 tasks
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 12, 2024
@msugakov
Switch to trusted tasks
c695592 
which come from
stackrox/konflux-tasks#3
@msugakov msugakov mentioned this pull request Dec 12, 2024
Draft
9 tasks
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 12, 2024
@msugakov
Switch to trusted tasks
ad9d2f8 
which come from
stackrox/konflux-tasks#3
@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch from 3f000ed to 7d11471 Compare December 12, 2024 19:49
@msugakov
Rename fetch-scanner-data-task to fetch-scanner-v2-data-task
b851afd 
in order to better differentiate it better from its V4 sibling.
@msugakov
Switch build-container to tkn-bundle-oci-ta
1155c08 
`tkn-bundle-oci-ta` is the one which builds and pushes tasks bundle
as OCI artifact.

https://github.com/konflux-ci/build-definitions/tree/main/task/tkn-bundle-oci-ta/0.1
@msugakov
Delete deprecated-base-image-check task
da1a794 
because there's no base image anyway and because the task isn't happy
due to architecture not being specified on the image.

```
step-check-images
WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755). Instead, please use SBOM attestations.
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>'.
Error: could not parse reference: quay.io/redhat-user-workloads/rh-acs-tenant/acs-konflux-tasks@
main.go:74: error during command execution: could not parse reference: quay.io/redhat-user-workloads/rh-acs-tenant/acs-konflux-tasks@
{"result":"ERROR","timestamp":"2024-12-11T19:23:19+00:00","note":"Unexpected error: Script errored at command: cosign download sbom $arch_imageanddigest > ${SBOM_FILE_PATH}.","namespace":"default","successes":0,"failures":0,"warnings":0}
```
@msugakov
Remove failing ecosystem-cert-preflight-checks
40bc989 
which is not used to work with containers without architecture
(and there's no way to force architecture via parameters).

From logs:

```
step-check-container
time="2024-12-12T08:09:55Z" level=info msg="certification library version" version="1.10.2 <commit: 3a93f15cba1f3a4517c02f10914d6cff5cfa5c60>"
Error: cannot process image manifest of different arch without platform override
Usage:
  preflight check container [flags]
...
```
@msugakov
Switch to push to our own tasks repo
3ea3f80
@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch 3 times, most recently from 333d151 to 526fa7d Compare December 13, 2024 10:29
@msugakov
Apply floating tags on the tasks bundle image
2b6b37e
@msugakov
Add step to make our tasks trusted
d8c2203
@msugakov
Change the location of scanner v2 Konflux scripts
ceda8eb 
This is paired with stackrox/scanner#1742

The idea is to unify determine-image-tag tasks for scanner and
collector after that.
@msugakov
Unify Scanner and Collector determine-image-tag tasks
cfb791e 
and add notes to later unify with the StackRox one.

Scanner can be unified with Collector thanks to
stackrox/scanner#1742

It could be that the ultimate unification will come in
https://issues.redhat.com/browse/ROX-26026 but I created a new task
anyway.
@msugakov
Pin ubi9 tag for Scanner V2 fetch and switch determine tag to ubi9
7a61085
@msugakov
Remove the default value from the Scanner-v2 task's target-dir
5ea6bbb 
since "." makes Cachi2 not love.
@msugakov
Rename V2 fetch task's parameters
ed7c114 
to match SCREAMING_CASE of the other ones.
This seems to be our predominant convention.
@msugakov
Introduce TARGET_DIR param for fetching tasks of stackrox repo
06ae7c8 
To make things symmetric with the Scanner V2's task.
@msugakov
Add pipeline timeouts
951c0d9 
The pipeline is quick so these timeouts are quite generous and
there's room to make them lower, but let's see how it goes.
@msugakov
Introduce BUNDLE_REF output parameter for convenience
a231be0
@msugakov
Add basic readme
c91e794 
so that the repo does not look naked.
@msugakov
Move BUNDLE_REF to an informational task and return bundle contents
987be32 
for user's convenience.
@msugakov
Remove build-image-index task
aa451b2 
Task bundles are architecture-neutral containers with data and so
`build-image-index` is currently disabled and I'm confident we
will not need to enable it in the foreseeable future.

If some Tekton task needs to use some native binaries, these are
provided through step's `image:` attribute.

Therefore `build-image-index` is simply redundant at this point.
@msugakov
Switch StackRox tasks to UBI9 and pin references
dd67459 
stackrox/stackrox#13599 will help to
catch any regressions.
@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch from 526fa7d to dd67459 Compare December 13, 2024 10:44
@msugakov msugakov force-pushed the misha/ROX-27350-initial-setup branch from 9a6400e to 1c67bf3 Compare December 13, 2024 10:53
@msugakov
Copy link
Contributor Author

/retest

msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 13, 2024
@msugakov
Switch to trusted tasks
e2c1de8 
which come from
stackrox/konflux-tasks#3
msugakov added a commit to stackrox/collector that referenced this pull request Dec 13, 2024
@msugakov
Switch determine-image-tag to trusted task
3513785 
See stackrox/konflux-tasks#3
@msugakov msugakov marked this pull request as ready for review December 13, 2024 11:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kylape kylape Awaiting requested review from kylape

@tommartensen tommartensen Awaiting requested review from tommartensen

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@msugakov