Use emptyDir volumeSource for verify task. Copy settings.xml for OCI archiving

rnc · rnc · commit 9eb1ca0a0504 · 2024-10-24T11:58:28.000+01:00
diff --git a/deploy/tasks/maven-deployment.yaml b/deploy/tasks/maven-deployment.yaml
@@ -36,13 +36,6 @@ spec:
     - description: Workspace.
       name: source
       mountPath: /var/workdir
-#  volumes:
-#    - name: workdir
-#      emptyDir: {}
-#  stepTemplate:
-#    volumeMounts:
-#      - mountPath: /var/workdir
-#        name: workdir
   steps:
     - name: restore-trusted-artifact
       image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
diff --git a/java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/build/preprocessor/AbstractPreprocessor.java b/java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/build/preprocessor/AbstractPreprocessor.java
@@ -191,17 +191,20 @@ private String getContainerFile() {
                     COPY --from=0 /var/workdir/ /var/workdir/
                     RUN /opt/jboss/container/java/run/run-java.sh copy-artifacts --source-path=/var/workdir/workspace/source --deploy-path=/var/workdir/workspace/artifacts
                     FROM scratch
-                    COPY --from=1 /var/workdir/workspace/settings /
+                    COPY --from=1 /var/workdir/workspace/settings /settings/
                     COPY --from=1 /var/workdir/workspace/artifacts /deployment/
                     """.formatted(buildRequestProcessorImage);
         } else {
             containerFile +=
                 """
                     FROM scratch
-                    COPY --from=0 /var/workdir/workspace/artifacts /
+                    COPY --from=0 /var/workdir/workspace/settings /settings/
+                    COPY --from=0 /var/workdir/workspace/artifacts /deployment/
                     """;
         }
 
+        Log.warnf("### containerFile is\n%s", containerFile);
+
         return containerFile;
     }
 
diff --git a/pkg/reconciler/dependencybuild/buildrecipeyaml.go b/pkg/reconciler/dependencybuild/buildrecipeyaml.go
@@ -19,6 +19,7 @@ import (
 )
 
 const (
+	PostBuildVolume = "post-build-volume"
 	WorkspaceSource = "source"
 	WorkspaceMount  = "/var/workdir"
 	WorkspaceTls    = "tls"
@@ -137,7 +138,7 @@ func createPipelineSpec(log logr.Logger, tool string, commitTime int64, jbsConfi
 	verifyBuiltArtifactsArgs := verifyParameters(jbsConfig, recipe)
 	deployArgs := []string{
 		"verify",
-		"--path=$(workspaces.source.path)/verify-artifacts",
+		"--path=$(workspaces.source.path)/artifacts",
 		"--logs-path=$(workspaces.source.path)/logs",
 		"--task-run-name=$(context.taskRun.name)",
 		"--build-id=" + buildId,
@@ -533,8 +534,10 @@ func createPipelineSpec(log logr.Logger, tool string, commitTime int64, jbsConfi
 	ps.Results = append(ps.Results, tektonpipeline.PipelineResult{Name: PipelineResultImageDigest, Value: tektonpipeline.ResultValue{Type: tektonpipeline.ParamTypeString, StringVal: "$(tasks." + BuildTaskName + ".results." + PipelineResultImageDigest + ")"}})
 
 	postBuildTask := tektonpipeline.TaskSpec{
-		Workspaces: []tektonpipeline.WorkspaceDeclaration{{Name: WorkspaceSource, MountPath: WorkspaceMount}, {Name: WorkspaceTls}},
-		Params:     append(pipelineParams, tektonpipeline.ParamSpec{Name: PipelineResultPreBuildImageDigest, Type: tektonpipeline.ParamTypeString}),
+		// Using a default emptyDir volume as this task is unique to JBS and don't want it interfering with
+		// the shared workspace.
+		Volumes: []v1.Volume{{Name: PostBuildVolume, VolumeSource: v1.VolumeSource{EmptyDir: &v1.EmptyDirVolumeSource{}}}},
+		Params:  append(pipelineParams, tektonpipeline.ParamSpec{Name: PipelineResultPreBuildImageDigest, Type: tektonpipeline.ParamTypeString}),
 		Results: []tektonpipeline.TaskResult{
 			{Name: PipelineResultContaminants},
 			{Name: PipelineResultDeployedResources},
@@ -544,6 +547,7 @@ func createPipelineSpec(log logr.Logger, tool string, commitTime int64, jbsConfi
 		Steps: []tektonpipeline.Step{
 			{
 				Name:            "restore-post-build-artifacts",
+				VolumeMounts:    []v1.VolumeMount{{Name: PostBuildVolume, MountPath: WorkspaceMount}},
 				Image:           strings.TrimSpace(strings.Split(buildTrustedArtifacts, "FROM")[1]),
 				ImagePullPolicy: v1.PullIfNotPresent,
 				SecurityContext: &v1.SecurityContext{RunAsUser: &zero},
@@ -556,14 +560,15 @@ URL=%s
 DIGEST=$(tasks.%s.results.IMAGE_DIGEST)
 AARCHIVE=$(oras manifest fetch $ORAS_OPTIONS $URL@$DIGEST | jq --raw-output '.layers[0].digest')
 echo "URL $URL DIGEST $DIGEST AARCHIVE $AARCHIVE"
-use-archive oci:$URL@$AARCHIVE=$(workspaces.source.path)/verify-artifacts`, orasOptions, registryArgsWithDefaults(jbsConfig, ""), BuildTaskName),
+use-archive oci:$URL@$AARCHIVE=$(workspaces.source.path)/artifacts`, orasOptions, registryArgsWithDefaults(jbsConfig, ""), BuildTaskName),
 			},
 			{
 				Name:            "verify-and-check-for-contaminates",
 				Image:           buildRequestProcessorImage,
 				ImagePullPolicy: pullPolicy,
 				SecurityContext: &v1.SecurityContext{RunAsUser: &zero},
 				Env:             secretVariables,
+				VolumeMounts:    []v1.VolumeMount{{Name: PostBuildVolume, MountPath: WorkspaceMount}},
 				ComputeResources: v1.ResourceRequirements{
 					Requests: v1.ResourceList{"memory": limits.defaultBuildRequestMemory, "cpu": limits.defaultRequestCPU},
 					Limits:   v1.ResourceList{"memory": limits.defaultBuildRequestMemory, "cpu": limits.defaultLimitCPU},
