Switch to using OCI Artifacts via build-trusted-artifacts rather than Jib #1824
Conversation
|
Skipping CI for Draft Pull Request. |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1824 +/- ##
============================================
- Coverage 40.37% 39.84% -0.54%
+ Complexity 813 786 -27
============================================
Files 308 308
Lines 14225 14237 +12
Branches 1451 1445 -6
============================================
- Hits 5744 5673 -71
- Misses 7817 7918 +101
+ Partials 664 646 -18 ☔ View full report in Codecov by Sentry. |
rnc
force-pushed
the
OCI
branch
2 times, most recently
from
8b9dd39
to
a358181
Compare
rnc
changed the title
rnc
force-pushed
the
OCI
branch
2 times, most recently
from
43f3c94
to
6c44b93
Compare
| @@ -0,0 +1,3 @@ | |||
| #This file is used to enable renovate to update the digests. It is updated by renovate then substituted into the golang code. | |||
|
|
|||
| FROM quay.io/redhat-user-workloads/rhtap-build-tenant/trusted-artifacts/trusted-artifacts@sha256:9e2ffee0cb28f8a0ed7895a357c73f006005b26ef143f00df067f090282e8cbd | |||
There was a problem hiding this comment.
This should really be provided by config, rather than being baked into the binary. This is fine for now, but we should look at this later, as we will need a general solution for Konflux tasks we are referencing.
There was a problem hiding this comment.
Sure. I did consider adding to e.g. system-config.yaml. I'm not actually renovate will catch this (but equally I know we have to update the builder images manually which is not ideal). I don't know how Konflux keeps the references up to date.
There was a problem hiding this comment.
I think we can configure renovate to handle this. Konflux runs renovate manually to update references, its run by the build service as a scheduled task.
rnc
force-pushed
the
OCI
branch
5 times, most recently
from
05c383f
to
fe857dd
Compare
|
The minikube tests are failing with: |
rnc
force-pushed
the
OCI
branch
7 times, most recently
from
32ffbb9
to
86ba642
Compare
| import io.quarkus.logging.Log; | ||
| import picocli.CommandLine; | ||
|
|
||
| @SuppressWarnings("OptionalUsedAsFieldOrParameterType") | ||
| @CommandLine.Command(name = "deploy") | ||
| public class DeployCommand implements Runnable { | ||
|
|
There was a problem hiding this comment.
I renamed MavenDeployCommand to TagDeployCommand and the original DeployCommand to BuildVerifyCommand.
| @@ -338,22 +356,26 @@ func createPipelineSpec(log logr.Logger, tool string, commitTime int64, jbsConfi | |||
| {Name: PipelineResultImageDigest}, | |||
| {Name: PipelineResultPassedVerification}, | |||
| {Name: PipelineResultVerificationResult}, | |||
| {Name: PipelineResultGitArchive}, | |||
| // TODO: ### DeployPreBuildSource and Deploy push to git. Currently the former is used for GitArchive results. | |||
| // {Name: PipelineResultGitArchive}, | |||
There was a problem hiding this comment.
Previously PipelineResultGitArchive was storing the result of Deploy's git push while DeployPreBuildSource git push was 'lost'. Currently PipelineResultGitArchive is now storing the result of DeployPreBuildSource. I haven't (yet) added another pipeline result for the Deploy pipeline to also store the result of its git archiving - do we want to add that (or perhaps in a subsequent PR) ?
There was a problem hiding this comment.
I think this can come later. It is not 100% clear if we will be pushing to git at all, or if that will come from repour/PNC.
rnc
force-pushed
the
OCI
branch
2 times, most recently
from
5fb7ec4
to
2ba5dab
Compare
|
Current status - there is an issue with rebuilding contaminants ; @stuartwdouglas I suspect moving the Deploy around may have affected it. Perhaps we can sync in order check how its meant to work? |
rnc
force-pushed
the
OCI
branch
3 times, most recently
from
f0aa740
to
6027568
Compare
| // HACK : OCIRepositoryClient assumes that the artifacts are in a directory and it then places them | ||
| // within 'artifacts/...'. This is due to build-trusted-artifact changes as its storage stores | ||
| // the contents of a directory not including the directory itself. | ||
| return List.of(layer1Path, layer2Path, layer3Path.resolve("com")); |
There was a problem hiding this comment.
Not overly fond of this, but the current test doesn't match how build-trusted-artifacts/oras stores (it stores the contents of a directory versus the directory itself) : https://github.com/konflux-ci/build-trusted-artifacts/blob/main/create-oci.sh#L84
| // using AUTHFILE to override. Setting ORAS_OPTIONS to ensure the archive is compatible with jib (for OCIRepositoryClient). | ||
| preBuildImageArgs := fmt.Sprintf(`echo "Creating pre-build-image archive" | ||
| echo $REGISTRY_TOKEN > ~/config.json | ||
| export ORAS_OPTIONS="%s --image-spec=v1.0 --artifact-type application/vnd.oci.image.config.v1+json" |
There was a problem hiding this comment.
Ensures that the OCIRegistry can read the archives.
rnc
force-pushed
the
OCI
branch
3 times, most recently
from
e27be9a
to
5720c25
Compare
…REGISTRY_TOKEN and port
…gistry_token. Fix prependTagToImage.
…t. Fix OCI handling to add directory. Fix e2e tests. Add prependTag to GAV list.
As https://github.com/GoogleContainerTools/jib doesn't preserve symbolic links this switches to https://github.com/konflux-ci/build-trusted-artifacts/ which is based upon https://oras.land/
Requires #1842 merged first.