ROX-22474: push Konflux images to quay.io/rhacs-eng #1674
Conversation
| @@ -27,7 +27,7 @@ spec: | |||
| - name: image-expires-after | |||
| value: '13w' | |||
| - name: output-image-repo | |||
| value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/collector-slim | |||
There was a problem hiding this comment.
Can you please remind me, will main, roxctl and operator images think it is a release build in the sense of this code block here https://github.com/stackrox/stackrox/blob/896452897dbc54bb60183782731dda95766e3a20/pkg/images/defaults/flavor.go#L103-L112?
If yes, the repo is fine. If no, -slim should be part of the tag, not repo.
There was a problem hiding this comment.
All three images have GOTAGS=release set, like https://github.com/stackrox/stackrox/blob/master/image/rhel/konflux.Dockerfile#L85.
If I understand this correctly, https://github.com/stackrox/stackrox/blob/896452897dbc54bb60183782731dda95766e3a20/pkg/images/defaults/flavor.go#L107 is true.
version.GetAllVersionsUnified would set the collector & scanner versions to the same as main (make tag of stackrox/stackrox instead of {COLLECTOR, SCANNER}_VERSION (https://github.com/stackrox/stackrox/blob/master/pkg/version/version.go#L72-L77)), BUT this is overriden in L109, L111, L128.
https://github.com/stackrox/stackrox/blob/master/pkg/version/version.go#L72-L77
There was a problem hiding this comment.
TLDR: I think it's fine and the assumption that SCANNER_VERSION and COLLECTOR_VERSION tags will be generated should also hold.
There was a problem hiding this comment.
BUT this is overriden in L109, L111, L128
Overridden to what? GetAllVersionsUnified will return MainVersion there.
With GOTAGS=release:
quay.io/rhacs-eng/collector:<MainVersion>quay.io/rhacs-eng/collector-slim:<MainVersion>
Without:
quay.io/rhacs-eng/collector:<CollectorVersion>-latestquay.io/rhacs-eng/collector:<CollectorVersion>-slim
"<CollectorVersion>" is what we get by running make tag in stackrox/collector repo.
"<MainVersion>" is make tag result in stackrox/stackrox, i.e. a retagged image. https://github.com/stackrox/stackrox/blob/7690ea6ed07fe68b85aac8810b32c9d7b640e8fb/.github/workflows/build.yaml#L400-L408
We don't have a way to retag in Konflux unless we write a custom task which I at the moment doubt is the right choice.
-slim and -latest in suffix were introduced as a compatibility thing to not break old workflows. Maybe this is no longer necessary?
There was a problem hiding this comment.
I think, the simplest for MVP^2 may be to switch the release off, push to -latest+-slim, and plan sorting out release in GA scope.
There was a problem hiding this comment.
I think, the simplest for MVP^2 may be to switch the release off, push to -latest+-slim, and plan sorting out release in GA scope.
IMO we can merge stackrox/stackrox#10824, (this can already be done without merging)
We can deploy a Central cluster and see what it would generate for collector(-slim). It might just work.
There was a problem hiding this comment.
I realized yesterday that we might have to -fast in that file
We should not add suffixes to COLLECTOR_VERSION or SCANNER_VERSION because it can break builds outside of Konflux and/or product built outside of Konflux. We should look for other solution (overriding BUILD_TAG was my first candidate) - https://issues.redhat.com/browse/ROX-19958
So there are actually no images like
quay.io/rhacs-eng/collector-slim:<CollectorVersion>.
Correct! And I think it proves my point, doesn't it?
Is the development_build flavor && releaseBuild path unused?
I believe it executes for nightly builds and any other tagged builds.
We can deploy a Central cluster and see what it would generate for collector(-slim).
There's a quicker way to check:
$ cd tmp
$ podman run --rm -it --entrypoint=/bin/bash -u 0:0 -v ./:/tmp quay.io/redhat-user-workloads/rh-acs-tenant/acs/roxctl:4.4.x-685-g7690ea6ed0-fast
$ roxctl helm output secured-cluster-services --output-dir /tmp/chart-konflux --remove --image-defaults=development_build
INFO: Written Helm chart secured-cluster-services to directory "/tmp/chart-konflux"
$ exit
$ /assets/downloads/cli/roxctl-linux helm output secured-cluster-services --output-dir /tmp/chart-gha --remove --image-defaults=development_build
INFO: Written Helm chart secured-cluster-services to directory "/tmp/chart-gha"
$ exit
(I used some successful build on master)
Then, study internal/defaults/50-images.yaml in both dirs.
/tmp/chart-konflux/internal/defaults/50-images.yaml has:
image:
registry: quay.io/rhacs-eng
main:
name: main
pullPolicy: IfNotPresent
collector:
name: collector
slimName: collector-slim
# ...
image:
collector:
{{- if ._rox.collector.slimMode }}
tag: "4.4.x-685-g7690ea6ed0"
pullPolicy: IfNotPresent
{{- else }}
tag: "4.4.x-685-g7690ea6ed0"
pullPolicy: Always
{{- end }}/tmp/chart-gha/internal/defaults/50-images.yaml:
image:
registry: quay.io/rhacs-eng
main:
name: main
pullPolicy: IfNotPresent
collector:
name: collector
slimName: collector
# ...
image:
collector:
{{- if ._rox.collector.slimMode }}
tag: "3.18.x-221-g580b954a9a-slim"
pullPolicy: IfNotPresent
{{- else }}
tag: "3.18.x-221-g580b954a9a-latest"
pullPolicy: Always
{{- end }}There was a problem hiding this comment.
Did you notice that scanner.tag is also the <MainVersion>, not <ScannerVersion>?
scanner:
name: scanner-slim
tag: 4.4.x-685-g7690ea6ed0I have to think about the other points..
There was a problem hiding this comment.
Right, that's the "unified versions" case of release builds, I expected it (we came up with this code in the Maple team while working on that image flavor stuff that occurred after onboarding all containers to CPaaS).
There was a problem hiding this comment.
From discussion in Weekly:
- We will use non-release builds in Konflux for MVP. That is acceptable because MVP is targeted for Dogfooding and other internal instances. ROX-22474: Do not build Konflux images with release GOTAG stackrox#11136
- non-release builds use SCANNER_VERSION and COLLECTOR_VERSION information, therefore resolving this issue.
- Post-MVP, we will re-enable release builds and come up with a way to do find scanner and collector images built on Konflux: https://issues.redhat.com/browse/ROX-24276
|
/retest |
1 similar comment
|
/retest |
Description
Switch to push images to
quay.io/rhacs-eng.Creates images like:
quay.io/rhacs-eng/collector:3.18.x-231-g2c316751d5-fast-latestquay.io/rhacs-eng/collector:3.18.x-231-g2c316751d5-fast-slimChecklist
Automated testing
If any of these don't apply, please comment below.
Testing Performed
Konflux passing with correct image names is sufficient.