Switch to using OCI Artifacts via build-trusted-artifacts rather than Jib #1824
Skipping CI for Draft Pull Request.
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #1824 +/- ##
============================================
- Coverage 40.37% 39.84% -0.54%
+ Complexity 813 786 -27
============================================
Files 308 308
Lines 14225 14237 +12
Branches 1451 1445 -6
============================================
- Hits 5744 5673 -71
- Misses 7817 7918 +101
+ Partials 664 646 -18
@@ -0,0 +1,3 @@ | |||
#This file is used to enable renovate to update the digests. It is updated by renovate then substituted into the golang code. | |||
|
|||
FROM quay.io/redhat-user-workloads/rhtap-build-tenant/trusted-artifacts/trusted-artifacts@sha256:9e2ffee0cb28f8a0ed7895a357c73f006005b26ef143f00df067f090282e8cbd |
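Review bot: The FROM line references trusted-artifacts by sha256 digest only, with no tag, so a reader cannot tell which release the digest corresponds to when reviewing a renovate bump. Consider recording the tag alongside the digest, and have the header comment name the Go file or build step that consumes this value, since it currently says only that it is "substituted into the golang code". A space after `#` in the header comment would also match usual comment style.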
This should really be provided by config, rather than being baked into the binary. This is fine for now, but we should look at this later, as we will need a general solution for Konflux tasks we are referencing.
Sure. I did consider adding to e.g. system-config.yaml. I'm not actually sure renovate will catch this (but equally I know we have to update the builder images manually, which is not ideal). I don't know how Konflux keeps the references up to date.
I think we can configure renovate to handle this. Konflux runs renovate manually to update references; it's run by the build service as a scheduled task.
The minikube tests are failing with:
import io.quarkus.logging.Log; | ||
import picocli.CommandLine; | ||
|
||
@SuppressWarnings("OptionalUsedAsFieldOrParameterType") | ||
@CommandLine.Command(name = "deploy") | ||
public class DeployCommand implements Runnable { | ||
|
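Review bot: `@SuppressWarnings("OptionalUsedAsFieldOrParameterType")` is applied at class level on DeployCommand, which silences the inspection for every field and parameter in the class. Move it onto the specific Optional fields that need it, and add a class comment stating what the `deploy` command does so the command name and the class purpose stay aligned.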
I renamed MavenDeployCommand to TagDeployCommand and the original DeployCommand to BuildVerifyCommand.
@@ -338,22 +356,26 @@ func createPipelineSpec(log logr.Logger, tool string, commitTime int64, jbsConfi | |||
{Name: PipelineResultImageDigest}, | |||
{Name: PipelineResultPassedVerification}, | |||
{Name: PipelineResultVerificationResult}, | |||
{Name: PipelineResultGitArchive}, | |||
// TODO: ### DeployPreBuildSource and Deploy push to git. Currently the former is used for GitArchive results. | |||
// {Name: PipelineResultGitArchive}, |
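Review bot: `// {Name: PipelineResultGitArchive},` leaves a commented-out result entry in the list, and the TODO above it uses a bare `###` marker with no issue reference. Delete the entry rather than commenting it out and point the TODO at a tracking issue. Also confirm that nothing reading this pipeline's results still expects PipelineResultGitArchive, since the hunk drops it without a replacement.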
Previously PipelineResultGitArchive was storing the result of Deploy's git push while DeployPreBuildSource git push was 'lost'. Currently PipelineResultGitArchive is now storing the result of DeployPreBuildSource. I haven't (yet) added another pipeline result for the Deploy pipeline to also store the result of its git archiving - do we want to add that (or perhaps in a subsequent PR)?
I think this can come later. It is not 100% clear if we will be pushing to git at all, or if that will come from repour/PNC.
Current status - there is an issue with rebuilding contaminants; @stuartwdouglas I suspect moving the Deploy around may have affected it. Perhaps we can sync in order to check how it's meant to work?
// HACK : OCIRepositoryClient assumes that the artifacts are in a directory and it then places them | ||
// within 'artifacts/...'. This is due to build-trusted-artifact changes as its storage stores | ||
// the contents of a directory not including the directory itself. | ||
return List.of(layer1Path, layer2Path, layer3Path.resolve("com")); |
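Review bot: `layer3Path.resolve("com")` hard-codes the name of the top-level directory inside the third layer, so the test depends on the fixture containing a `com` directory, while layer1Path and layer2Path are passed as-is. Extend the HACK comment to say why only the third entry is resolved, or derive the child directory from the layer contents so that all three entries follow one convention.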
Not overly fond of this, but the current test doesn't match how build-trusted-artifacts/oras stores (it stores the contents of a directory versus the directory itself): https://github.com/konflux-ci/build-trusted-artifacts/blob/main/create-oci.sh#L84
// using AUTHFILE to override. Setting ORAS_OPTIONS to ensure the archive is compatible with jib (for OCIRepositoryClient). | ||
preBuildImageArgs := fmt.Sprintf(`echo "Creating pre-build-image archive" | ||
echo $REGISTRY_TOKEN > ~/config.json | ||
export ORAS_OPTIONS="%s --image-spec=v1.0 --artifact-type application/vnd.oci.image.config.v1+json" |
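Review bot: `echo $REGISTRY_TOKEN > ~/config.json` expands the token unquoted and writes it to a file created with the default umask. Quote the variable (`printf '%s' "$REGISTRY_TOKEN"`) and restrict the file mode before writing, for example with `umask 077`. On the ORAS_OPTIONS line the `%s` value is interpolated by fmt.Sprintf straight into a double-quoted shell string, so it should only ever come from trusted configuration or be validated before formatting.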
Ensures that the OCIRegistry can read the archives.
…REGISTRY_TOKEN and port
…gistry_token. Fix prependTagToImage.
…t. Fix OCI handling to add directory. Fix e2e tests. Add prependTag to GAV list.
As https://github.com/GoogleContainerTools/jib doesn't preserve symbolic links this switches to https://github.com/konflux-ci/build-trusted-artifacts/ which is based upon https://oras.land/
Requires #1842 merged first.