feat(RELEASE-1387): use trusted artifacts #784
Conversation
|
Skipping CI for Draft Pull Request. |
scoheb
force-pushed
the
use-trusted-artifacts
branch
28 times, most recently
from
c5831b5 to
92310a3
Compare
scoheb
force-pushed
the
use-trusted-artifacts
branch
4 times, most recently
from
7764841 to
b8b89bc
Compare
scoheb
changed the title
scoheb
changed the title
scoheb
force-pushed
the
use-trusted-artifacts
branch
4 times, most recently
from
4adff68 to
8779560
Compare
scoheb
force-pushed
the
use-trusted-artifacts
branch
from
8779560 to
09144e8
Compare
| @@ -353,3 +391,29 @@ spec: | |||
| "${SNAPSHOT_SPEC_FILE}" > /tmp/temp && mv /tmp/temp "${SNAPSHOT_SPEC_FILE}" | |||
| fi | |||
| done | |||
| - name: create-trusted-artifact | |||
There was a problem hiding this comment.
The first step says we will skip trusted-artifacts steps if the param is empty, but I don't see any when condition on this step. Is that intended?
There was a problem hiding this comment.
seems you cannot guard Steps from execution ... only Tasks in a Pipeline
the mechanism for skipping involves creating a skip file in the extract or create directory.
There was a problem hiding this comment.
Gotcha. I think it may be helpful to add like a # this step does nothing is a .skip-trusted-artifacts file exists or something (assuming that is accurate) as that is not at all obvious to me
tasks/managed/apply-mapping/tests/test-apply-mapping-content-gateway-disabled.yaml
Show resolved
Hide resolved
scoheb
force-pushed
the
use-trusted-artifacts
branch
3 times, most recently
from
e43cbd8 to
918991a
Compare
|
|
||
| prepare_docker_config() { | ||
| authString=$(echo -n "root:root" | base64 -w0) | ||
| cat > "/tmp/.dockerconfig.json" <<EOF |
There was a problem hiding this comment.
Any consideration of using a mktemp here instead of a static file?
There was a problem hiding this comment.
well, I need to know where the file is for this operation: https://github.com/konflux-ci/release-service-catalog/pull/784/files#diff-d7a3587abb00052131d9b5ae6602c6786f2189d7daa363e550859f89ab620bf3R35
There was a problem hiding this comment.
Yeah, but (and this relates to my now resolved comment) couldn't you just call the export in the deploy_registry.sh script instead of test_tekton_tasks.sh? Then you wouldn't need to know where the file is in test_tekton_tasks.sh. It seems like it would be a bit more self contained that way, but it is mostly a nit pick anyways
scoheb
force-pushed
the
use-trusted-artifacts
branch
5 times, most recently
from
4aa7a92 to
52074e0
Compare
- in an effort to move away from PVCs, we are trying trusted artifacts based on: https://github.com/konflux-ci/build-trusted-artifacts/tree/main - tasks that have been updated now support 2 modes: - PVC based workspaces - Trusted artifacts with emptyDir workspaces Summary: - collect-data, reduce-snapshot, apply-mapping now support trusted artifacts mode - pipelines that use apply-mapping have had the workspace used for the apply-mapping task renamed to be in line with other tasks. - CI changes: - it now attempts to detect if a Trusted Artifacts based task has been changes and runs the tests with trusted artifacts enabled. - tests now create an on-local-cluster registry. Signed-off-by: Scott Hebert <scoheb@gmail.com>
scoheb
force-pushed
the
use-trusted-artifacts
branch
from
52074e0 to
a9f87cc
Compare
| @@ -22,22 +22,62 @@ spec: | |||
| type: string | |||
| description: Fail the task if the resulting snapshot contains 0 components | |||
| default: "false" | |||
| - name: ociStorage | |||
| description: The OCI repository where the Trusted Artifacts are stored. | |||
There was a problem hiding this comment.
nit - period at end (already removed in README after other comment)
| default: "empty" | ||
| - name: ociArtifactExpiresAfter | ||
| description: Expiration date for the trusted artifacts created in the | ||
| OCI repository. An empty string means the artifacts do not expire. |
There was a problem hiding this comment.
nit - period at end (already removed in README after other comment)
|
|
||
| prepare_docker_config() { | ||
| authString=$(echo -n "root:root" | base64 -w0) | ||
| cat > "/tmp/.dockerconfig.json" <<EOF |
There was a problem hiding this comment.
Yeah, but (and this relates to my now resolved comment) couldn't you just call the export in the deploy_registry.sh script instead of test_tekton_tasks.sh? Then you wouldn't need to know where the file is in test_tekton_tasks.sh. It seems like it would be a bit more self contained that way, but it is mostly a nit pick anyways
| @@ -353,3 +391,29 @@ spec: | |||
| "${SNAPSHOT_SPEC_FILE}" > /tmp/temp && mv /tmp/temp "${SNAPSHOT_SPEC_FILE}" | |||
| fi | |||
| done | |||
| - name: create-trusted-artifact | |||
There was a problem hiding this comment.
Gotcha. I think it may be helpful to add like a # this step does nothing is a .skip-trusted-artifacts file exists or something (assuming that is accurate) as that is not at all obvious to me
| @@ -10,22 +10,36 @@ spec: | |||
| for the component. | |||
| workspaces: | |||
| - name: tests-workspace | |||
| params: | |||
| - name: ociStorage | |||
There was a problem hiding this comment.
So the way this works is the test script file injects this parameter based on what mode it is being called in, right? Pretty clever
There was a problem hiding this comment.
Why doesn't this task need
- name: patch-source-data-artifact-result
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env bash
set -eu
# this is needed to skip trusted-artifacts tasks
# when using PVC based workspaces.
if [ "$(params.ociStorage)" == "empty" ]; then
echo -n "$(params.ociStorage)" > "$(results.sourceDataArtifact.path)"
fi
?
| - name: sourceDataArtifact | ||
| type: string | ||
| default: "" | ||
| - name: subdirectory |
There was a problem hiding this comment.
Can you remind me why this task needs this param when collect-data already outputs each file in a subdir?
| @@ -72,6 +81,12 @@ spec: | |||
| - name: releasePipelineMetadata | |||
| type: string | |||
| description: json object containing git resolver metadata about the running release pipeline | |||
| - description: Produced trusted data artifact | |||
There was a problem hiding this comment.
It's better to use the same attribute order with the previous params.
Describe your changes
trusted artifacts based on https://github.com/konflux-ci/build-trusted-artifacts/tree/main
Summary:
artifacts mode
the apply-mapping task renamed to be in line with other tasks.
has been changes and runs the tests with trusted artifacts enabled.
requires konflux-ci/release-service#666 for use on real clusters
Relevant Jira
Checklist before requesting a review
do not mergelabel if there's a dependency PRrelease-service-maintainershandle if you are unsure who to tagSigned-off-by: My name <email>