ROX-24116: Fix tags for init and other cleanups (#1527)

.tekton/determine-image-tag-task.yaml

@@ -7,6 +7,9 @@ metadata:
 spec:
   description: Determines the tag for the output image using the StackRox convention from 'make tag' output.
   params:
+  - name: tag-suffix
+    description: Suffix to append to generated image tag.
+    type: string
   results:
   - name: image-tag
     description: Image Tag determined by custom logic.
@@ -20,7 +23,7 @@ spec:
       dnf -y install git make
       cd "$(workspaces.source.path)/source"
       scripts/konflux/fail-build-if-git-is-dirty.sh
-      echo -n "$(make --quiet --no-print-directory tag)-fast" | tee "$(results.image-tag.path)"
+      echo -n "$(make --quiet --no-print-directory tag)$(params.tag-suffix)" | tee "$(results.image-tag.path)"
   workspaces:
   - name: source
     description: The workspace where source code is included.

.tekton/scanner-component-pipeline.yaml

@@ -61,6 +61,10 @@ spec:
   - description: Output Image Repository
     name: output-image-repo
     type: string
+  - default: "-fast"
+    description: Suffix that will be appended to the output image tag.
+    name: output-tag-suffix
+    type: string
   - default: .
     description: Path to the source code of an application's component from where
       to build image.
@@ -135,11 +139,10 @@ spec:
   - name: init
     params:
     - name: image-url
-      # We can't provide a real tag because it is not known at this time.
-      # We still provide a fake tag to the task to comply with the expected input.
-      # Because 'rebuild' is set to true, this has no effect.
-      # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers
-      value: $(params.output-image-repo):fake-tag
+      # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.)
+      # As a workaround, we still provide a unique tag that's based on a revision in order for this task to comply with
+      # its expected input. We later actually add this tag on a built image with the apply-tags task.
+      value: $(params.output-image-repo):konflux-$(params.revision)
     - name: rebuild
       value: $(params.rebuild)
     - name: skip-checks
@@ -186,6 +189,9 @@ spec:
       workspace: git-auth
 
   - name: determine-image-tag
+    params:
+    - name: tag-suffix
+      value: $(params.output-tag-suffix)
     runAfter:
     # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks.
     - clone-repository
@@ -244,6 +250,9 @@ spec:
       value: $(tasks.clone-repository.results.commit)
     - name: TARGET_STAGE
       value: $(params.build-target-stage)
+    - name: BUILD_ARGS
+      value:
+      - TAG_SUFFIX=$(params.output-tag-suffix)
     runAfter:
     - prefetch-dependencies
     - fetch-scanner-data
@@ -264,6 +273,25 @@ spec:
     - name: source
       workspace: workspace
 
+  - name: apply-tags
+    params:
+    - name: IMAGE
+      value: $(tasks.build-container.results.IMAGE_URL)
+    - name: ADDITIONAL_TAGS
+      value:
+      - konflux-$(params.revision)
+    runAfter:
+    - build-container
+    taskRef:
+      params:
+      - name: name
+        value: apply-tags
+      - name: bundle
+        value: quay.io/redhat-appstudio-tekton-catalog/task-apply-tags:0.1@sha256:29add9a49a2281a3755a9b580d2b9c5cb110231b14cccf8ade2fd7895a9b4b4a
+      - name: kind
+        value: task
+      resolver: bundles
+
   - name: build-source-image
     params:
     - name: BINARY_IMAGE

Makefile

@@ -21,7 +21,7 @@ endif
 endif
 
 ifeq ($(TAG),)
-TAG=$(shell git describe --tags --abbrev=10 --dirty --long)
+TAG=$(shell git describe --tags --abbrev=10 --dirty --long)$(TAG_SUFFIX)
 endif
 
 # Set expiration on Quay.io for non-release tags.
@@ -65,11 +65,12 @@ ifeq ($(GOARCH),s390x)
                 --build-arg="BASE_IMAGE=ubi9-minimal"
 endif
 
+CGO_ENABLED         := 0
 LOCAL_VOLUME_ARGS   := -v$(CURDIR):/src:delegated -v $(GOPATH):/go:delegated
 GOPATH_WD_OVERRIDES := -w /src -e GOPATH=/go
-IMAGE_BUILD_FLAGS   := -e CGO_ENABLED=0 -e GOOS=linux -e GOARCH=${GOARCH}
+IMAGE_BUILD_FLAGS   := -e CGO_ENABLED=$(CGO_ENABLED) -e GOOS=linux -e GOARCH=$(GOARCH)
 IMAGE_BUILD_ARGS     = --build-arg LABEL_VERSION=$(TAG) --build-arg LABEL_RELEASE=$(TAG) --build-arg QUAY_TAG_EXPIRATION=$(QUAY_TAG_EXPIRATION)
-BUILD_FLAGS         := CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH}
+BUILD_FLAGS         := CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=$(GOARCH)
 BUILD_CMD           := go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(TAG)" -o image/scanner/bin/scanner ./cmd/clair
 NODESCAN_BUILD_CMD  := go build -trimpath -o tools/bin/local-nodescanner ./tools/local-nodescanner
 

image/scanner/rhel/konflux.Dockerfile

@@ -5,7 +5,9 @@ ARG BASE_TAG=latest
 # Compiling scanner binaries and staging repo2cpe and genesis manifests
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.21 AS builder
 
-ENV CGO_ENABLED=1
+ARG TAG_SUFFIX
+ENV TAG_SUFFIX="$TAG_SUFFIX"
+
 ENV GOFLAGS=""
 ENV CI=1
 
@@ -18,8 +20,8 @@ RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
     unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
     unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
 
-RUN echo -n "version: " && scripts/konflux/version.sh && \
-    go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(scripts/konflux/version.sh)" -o image/scanner/bin/scanner ./cmd/clair
+RUN echo -n "version: " && make --quiet --no-print-directory tag && \
+    make CGO_ENABLED=1 scanner-build-nodeps
 
 # Replace genesis manifests file in the source code with the one generated at
 # the point when the dump was taken.  This is to avoid discrepancy between other