Add PNC prebuild task based upon git-clone-oci-ta #1819

Open
wants to merge 4 commits into
base: main
3 changes: 3 additions & 0 deletions CODEOWNERS
Expand Up @@ -111,6 +111,9 @@
/task/build-maven-zip @ligangty @yma96
/task/build-maven-zip-oci-ta @ligangty @yma96

# renovate groupName=pnc
/task/pnc-prebuild-git-clone-oci-ta @rnc

# renovate groupName=oci-copy
/task/oci-copy @ralphbean
/task/oci-copy-oci-ta @ralphbean
2 changes: 1 addition & 1 deletion hack/build-and-push.sh
Expand Up @@ -484,7 +484,7 @@ build_push_tasks() {
attach_migration_file "$task_dir" "$concrete_task_version" "$task_bundle_with_digest"

# version placeholder is removed naturally by the substitution.
echo "info: inject task bundle to pielines $task_bundle_with_digest" 1>&2
echo "info: inject task bundle to pipelines $task_bundle_with_digest" 1>&2
real_task_name=$(yq e '.metadata.name' "$prepared_task_file")
inject_bundle_ref_to_pipelines "$real_task_name" "$task_version" "$task_bundle_with_digest"
done
5 changes: 5 additions & 0 deletions task/git-clone-oci-ta/0.1/kustomization.yaml
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- git-clone-oci-ta.yaml
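Review bot: This new kustomization.yaml in task/git-clone-oci-ta/0.1 carries no comment saying why it exists, although its only visible consumer is the `../../git-clone-oci-ta/0.1` resource in the pnc-prebuild task. Add a one-line comment naming that dependent task so that anyone restructuring git-clone-oci-ta knows a second task is built from this directory.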
48 changes: 48 additions & 0 deletions task/pnc-prebuild-git-clone-oci-ta/0.1/README.md
@@ -0,0 +1,48 @@
# pnc-prebuild-git-clone-oci-ta task

The pnc-prebuild-git-clone-oci-ta task will clone a repo from the provided url, apply PNC prebuild modifications (from https://github.com/project-ncl/konflux-tooling) and store it as a trusted artifact in the provided OCI repository. The prebuild modifications create a Containerfile and suitable build script in order for the Java based project to be built within a container given build parameters configured from PNC.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|depth|Perform a shallow clone, fetching only the most recent N commits.|1|false|
|enableSymlinkCheck|Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. |true|false|
|fetchTags|Fetch all tags for the repo.|false|false|
|httpProxy|HTTP proxy server for non-SSL requests.|""|false|
|httpsProxy|HTTPS proxy server for SSL requests.|""|false|
|noProxy|Opt out of proxying HTTP/HTTPS requests.|""|false|
|ociArtifactExpiresAfter|Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.|""|false|
|ociStorage|The OCI repository where the Trusted Artifacts are stored.||true|
|refspec|Refspec to fetch before checking out revision.|""|false|
|revision|Revision to checkout. (branch, tag, sha, ref, etc...)|""|false|
|shortCommitLength|Length of short commit SHA|7|false|
|sparseCheckoutDirectories|Define the directory patterns to match or exclude when performing a sparse checkout.|""|false|
|sslVerify|Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.|true|false|
|submodules|Initialize and fetch git submodules.|true|false|
|url|Repository URL to clone from.||true|
|userHome|Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. |/tekton/home|false|
|verbose|Log the commands that are executed during `git-clone`'s operation.|false|false|
|BUILD_SCRIPT|Middleware (Maven/Gradle/Ant/SBT) build script to build the project to embed with the Containerfile||true|
|BUILD_TOOL|The build tool to use (ant, gradle, maven, sbt).||true|
|BUILD_TOOL_VERSION|The build tool version to use (e.g. 3.9.5)||true|
|JAVA_VERSION|Java version to use (7, 8, 9, 11, 17, 21, 22, 23)||true|
|RECIPE_IMAGE|The image from the build recipe to use||true|

## Results
|name|description|
|---|---|
|CHAINS-GIT_COMMIT|The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.|
|CHAINS-GIT_URL|The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.|
|commit|The precise commit SHA that was fetched by this Task.|
|commit-timestamp|The commit timestamp of the checkout|
|short-commit|The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters|
|url|The precise URL that was fetched by this Task.|

## Workspaces
|name|description|optional|
|---|---|---|
|basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. |true|
|ssh-directory|A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. |true|
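Review bot: The README does not document the step this task adds. The parameter table lists BUILD_SCRIPT, BUILD_TOOL, BUILD_TOOL_VERSION, JAVA_VERSION and RECIPE_IMAGE as required, but nothing says that a `preprocessor` step runs the konflux-tooling image as user 0 against /var/workdir/source before the trusted artifact is created. A short section describing that step, the image it uses and which files it writes into the source tree would let consumers judge what ends up in SOURCE_ARTIFACT. As a style point, the five new parameters are upper-case while the inherited ones are camelCase; a sentence noting which ones come from PNC would explain the difference.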
10 changes: 10 additions & 0 deletions task/pnc-prebuild-git-clone-oci-ta/0.1/kustomization.yaml
@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../../git-clone-oci-ta/0.1

patches:
- path: patch.yaml
target:
kind: Task
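Review bot: The patch target selects on `kind: Task` alone, and patch.yaml then inserts its step by position (`path: /spec/steps/2`), so the result depends on the step order of whatever `../../git-clone-oci-ta/0.1` currently contains. Add `name: git-clone-oci-ta` to the target so the patch applies only to the intended resource, and consider a comment recording which base steps are expected at indices 0 and 1, since a reordering in the base would move the preprocessor without any change in this directory.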
73 changes: 73 additions & 0 deletions task/pnc-prebuild-git-clone-oci-ta/0.1/patch.yaml
@@ -0,0 +1,73 @@
- op: replace
path: /metadata/name
value: pnc-prebuild-git-clone-oci-ta
- op: replace
path: /metadata/annotations/tekton.dev~1displayName
value: pnc prebuild git clone oci trusted artifacts
- op: replace
path: /spec/description
value: The pnc-prebuild-git-clone-oci-ta task will clone a repo from the provided url, apply
PNC prebuild modifications (from https://github.com/project-ncl/konflux-tooling) and store
it as a trusted artifact in the provided OCI repository. The prebuild modifications create
a Containerfile and suitable build script in order for the Java based project to be built
within a container given build parameters configured from PNC.

- op: add
path: /spec/params/-
value:
name: BUILD_SCRIPT
description: Middleware (Maven/Gradle/Ant/SBT) build script to build the project to embed with the Containerfile
type: string
- op: add
path: /spec/params/-
value:
name: BUILD_TOOL
description: The build tool to use (ant, gradle, maven, sbt).
type: string
- op: add
path: /spec/params/-
value:
name: BUILD_TOOL_VERSION
description: The build tool version to use (e.g. 3.9.5)
type: string
- op: add
path: /spec/params/-
value:
name: JAVA_VERSION
description: Java version to use (7, 8, 9, 11, 17, 21, 22, 23)
type: string
- op: add
path: /spec/params/-
value:
name: RECIPE_IMAGE
description: The image from the build recipe to use
type: string

- op: add
path: /spec/steps/2
value:
name: preprocessor
image: quay.io/redhat-user-workloads/konflux-jbs-pnc-tenant/konflux-tooling:latest
securityContext:
runAsUser: 0
computeResources:
limits:
cpu: 300m
memory: 512Mi
requests:
cpu: 10m
memory: 512Mi
args:
- prepare
rnc marked this conversation as resolved.
- --build-tool-version=$(params.BUILD_TOOL_VERSION)
- --java-version=$(params.JAVA_VERSION)
- --recipe-image=$(params.RECIPE_IMAGE)
- --tooling-image=quay.io/redhat-user-workloads/konflux-jbs-pnc-tenant/konflux-tooling:latest
Member

I don't think that we should reference an image from redhat-user-workloads as this can be accidentally deleted if the component is deleted. Can we release this to be an image in quay.io/konflux-ci instead?

Author

Agreed, but we'll have to discuss how best to release that single component to the konflux owned namespace.

- --type=$(params.BUILD_TOOL)
- /var/workdir/source
volumeMounts:
- mountPath: /var/workdir
name: workdir
env:
- name: BUILD_SCRIPT
value: $(params.BUILD_SCRIPT)
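Review bot: The `preprocessor` step references konflux-tooling by the mutable `:latest` tag, both in `image:` and in `--tooling-image=`, so the code that rewrites the cloned source before it is stored as a trusted artifact can change without any change to this task. Pin both references to the same digest (`konflux-tooling@sha256:<digest>`) so the tooling that ran is fixed by the task definition and the two values cannot drift apart. The step also sets `runAsUser: 0` with no explanation; a comment stating why root is needed, or dropping it if the step only writes under /var/workdir/source, would make that choice reviewable.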