Skip to content

Switch to multi-platform build pipeline, for x86_64 and arm64 #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 11, 2025
Merged

Switch to multi-platform build pipeline, for x86_64 and arm64 #5

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 40 additions & 17 deletions .tekton/openshift-mcp-server-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,22 +31,22 @@ spec:
value: quay.io/redhat-user-workloads/crt-nshift-lightspeed-tenant/openshift-mcp-server:on-pr-{{revision}}
- name: image-expires-after
value: 5d
- name: dockerfile
value: Dockerfile.ocp
- name: path-context
value: .
- name: build-platforms
value:
- linux/x86_64
- linux/arm64
- name: hermetic
value: "true"
value: true
- name: dockerfile
value: Dockerfile.ocp
- name: path-context
value: .
pipelineSpec:
description: |
This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.
This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

_Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_
_Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_
finally:
- name: show-sbom
params:
Expand Down Expand Up @@ -107,7 +107,7 @@ spec:
description: Build a source image.
name: build-source-image
type: string
- default: "false"
- default: "true"
description: Add built image into an OCI image index
name: build-image-index
type: string
Expand All @@ -124,6 +124,12 @@ spec:
VMs
name: privileged-nested
type: string
- default:
- linux/x86_64
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think, we can also add linux/arm64 in defaults. But not a blocker.

description: List of platforms to build the container images on. The available
set of values is determined by the configuration of the multi-platform-controller.
name: build-platforms
type: array
results:
- description: ""
name: IMAGE_URL
Expand Down Expand Up @@ -210,7 +216,12 @@ spec:
workspace: git-auth
- name: netrc
workspace: netrc
- name: build-container
- matrix:
params:
- name: PLATFORM
value:
- $(params.build-platforms)
name: build-images
params:
- name: IMAGE
value: $(params.output-image)
Expand All @@ -237,14 +248,16 @@ spec:
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- name: IMAGE_APPEND_PLATFORM
value: "true"
runAfter:
- prefetch-dependencies
taskRef:
params:
- name: name
value: buildah-oci-ta
value: buildah-remote-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:3e1e08f539ea3e70b473f348a4b4dc50f8bfc49d40d18e89591358c19fae5aa2
value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:e1c03f2be119f8000100ac10cba614cf7d0d77597a04aa74bc72d91df183bc5b
- name: kind
value: task
resolver: bundles
Expand All @@ -265,9 +278,9 @@ spec:
value: $(params.build-image-index)
- name: IMAGES
value:
- $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)
- $(tasks.build-images.results.IMAGE_REF[*])
runAfter:
- build-container
- build-images
taskRef:
params:
- name: name
Expand Down Expand Up @@ -356,7 +369,12 @@ spec:
operator: in
values:
- "false"
- name: ecosystem-cert-preflight-checks
- matrix:
params:
- name: platform
value:
- $(params.build-platforms)
name: ecosystem-cert-preflight-checks
params:
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
Expand All @@ -367,7 +385,7 @@ spec:
- name: name
value: ecosystem-cert-preflight-checks
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:51d698844b207f7bedff69cc8718858cbc7407b0cadbea3033e5965e71ae5e96
value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:3de22bd7d3c274bc00f95a6bb5ed61559c3354aae74568d7afa364b896b513a6
- name: kind
value: task
resolver: bundles
Expand Down Expand Up @@ -402,7 +420,12 @@ spec:
operator: in
values:
- "false"
- name: clamav-scan
- matrix:
params:
- name: image-arch
value:
- $(params.build-platforms)
name: clamav-scan
params:
- name: image-digest
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
Expand Down
57 changes: 40 additions & 17 deletions .tekton/openshift-mcp-server-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,22 +30,22 @@ spec:
value: quay.io/redhat-user-workloads/crt-nshift-lightspeed-tenant/openshift-mcp-server:{{revision}}
- name: image-expires-after
value: 5d
- name: dockerfile
value: Dockerfile.ocp
- name: path-context
value: .
- name: build-platforms
value:
- linux/x86_64
- linux/arm64
- name: hermetic
value: "true"
value: true
- name: dockerfile
value: Dockerfile.ocp
- name: path-context
value: .
pipelineSpec:
description: |
This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.
This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

_Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_
_Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_
finally:
- name: show-sbom
params:
Expand Down Expand Up @@ -106,7 +106,7 @@ spec:
description: Build a source image.
name: build-source-image
type: string
- default: "false"
- default: "true"
description: Add built image into an OCI image index
name: build-image-index
type: string
Expand All @@ -123,6 +123,12 @@ spec:
VMs
name: privileged-nested
type: string
- default:
- linux/x86_64
description: List of platforms to build the container images on. The available
set of values is determined by the configuration of the multi-platform-controller.
name: build-platforms
type: array
results:
- description: ""
name: IMAGE_URL
Expand Down Expand Up @@ -209,7 +215,12 @@ spec:
workspace: git-auth
- name: netrc
workspace: netrc
- name: build-container
- matrix:
params:
- name: PLATFORM
value:
- $(params.build-platforms)
name: build-images
params:
- name: IMAGE
value: $(params.output-image)
Expand All @@ -236,14 +247,16 @@ spec:
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- name: IMAGE_APPEND_PLATFORM
value: "true"
runAfter:
- prefetch-dependencies
taskRef:
params:
- name: name
value: buildah-oci-ta
value: buildah-remote-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:3e1e08f539ea3e70b473f348a4b4dc50f8bfc49d40d18e89591358c19fae5aa2
value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:e1c03f2be119f8000100ac10cba614cf7d0d77597a04aa74bc72d91df183bc5b
- name: kind
value: task
resolver: bundles
Expand All @@ -264,9 +277,9 @@ spec:
value: $(params.build-image-index)
- name: IMAGES
value:
- $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)
- $(tasks.build-images.results.IMAGE_REF[*])
runAfter:
- build-container
- build-images
taskRef:
params:
- name: name
Expand Down Expand Up @@ -355,7 +368,12 @@ spec:
operator: in
values:
- "false"
- name: ecosystem-cert-preflight-checks
- matrix:
params:
- name: platform
value:
- $(params.build-platforms)
name: ecosystem-cert-preflight-checks
params:
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
Expand All @@ -366,7 +384,7 @@ spec:
- name: name
value: ecosystem-cert-preflight-checks
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:51d698844b207f7bedff69cc8718858cbc7407b0cadbea3033e5965e71ae5e96
value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:3de22bd7d3c274bc00f95a6bb5ed61559c3354aae74568d7afa364b896b513a6
- name: kind
value: task
resolver: bundles
Expand Down Expand Up @@ -401,7 +419,12 @@ spec:
operator: in
values:
- "false"
- name: clamav-scan
- matrix:
params:
- name: image-arch
value:
- $(params.build-platforms)
name: clamav-scan
params:
- name: image-digest
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
Expand Down