Fix isolated volume for verify task.

rnc · rnc · commit c824577b0552 · 2024-10-24T11:58:28.000+01:00
diff --git a/deploy/tasks/maven-deployment.yaml b/deploy/tasks/maven-deployment.yaml
@@ -39,18 +39,12 @@ spec:
     - name: restore-trusted-artifact
       image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
       script: |
-        echo "Restoring artifacts to workspace"
-        ls -laR /var/workdir
-        echo "Root"
-        ls -laR $HOME
         echo "Restoring artifacts to workspace"
         URL=$IMAGE_URL
         DIGEST=$IMAGE_DIGEST
         AARCHIVE=$(oras manifest fetch $ORAS_OPTIONS $URL@$DIGEST | jq --raw-output '.layers[0].digest')
         echo "URL $URL DIGEST $DIGEST AARCHIVE $AARCHIVE"
         use-archive oci:$URL@$AARCHIVE=/var/workdir/
-        ls -laR /var/workdir
-        echo "DONE"
       env:
         - name: IMAGE_DIGEST
           value: $(params.IMAGE_DIGEST)
diff --git a/pkg/reconciler/dependencybuild/buildrecipeyaml.go b/pkg/reconciler/dependencybuild/buildrecipeyaml.go
@@ -19,10 +19,10 @@ import (
 )
 
 const (
-	PostBuildVolume = "post-build-volume"
-	WorkspaceSource = "source"
-	WorkspaceMount  = "/var/workdir"
-	WorkspaceTls    = "tls"
+	PostBuildVolume      = "post-build-volume"
+	PostBuildVolumeMount = "/var/workdir"
+	WorkspaceSource      = "source"
+	WorkspaceTls         = "tls"
 
 	GitTaskName       = "git-clone"
 	PreBuildTaskName  = "pre-build"
@@ -138,8 +138,8 @@ func createPipelineSpec(log logr.Logger, tool string, commitTime int64, jbsConfi
 	verifyBuiltArtifactsArgs := verifyParameters(jbsConfig, recipe)
 	deployArgs := []string{
 		"verify",
-		"--path=$(workspaces.source.path)/artifacts",
-		"--logs-path=$(workspaces.source.path)/logs",
+		fmt.Sprintf("--path=%s/artifacts", PostBuildVolumeMount),
+		fmt.Sprintf("--logs-path=%s/logs", PostBuildVolumeMount),
 		"--task-run-name=$(context.taskRun.name)",
 		"--build-id=" + buildId,
 		"--scm-uri=" + db.Spec.ScmInfo.SCMURL,
@@ -543,31 +543,32 @@ func createPipelineSpec(log logr.Logger, tool string, commitTime int64, jbsConfi
 			{Name: PipelineResultPassedVerification},
 			{Name: PipelineResultVerificationResult},
 		},
+		StepTemplate: &tektonpipeline.StepTemplate{
+			VolumeMounts: []v1.VolumeMount{{Name: PostBuildVolume, MountPath: PostBuildVolumeMount}},
+		},
 		Steps: []tektonpipeline.Step{
 			{
 				Name:            "restore-post-build-artifacts",
-				VolumeMounts:    []v1.VolumeMount{{Name: PostBuildVolume, MountPath: WorkspaceMount}},
 				Image:           strings.TrimSpace(strings.Split(buildTrustedArtifacts, "FROM")[1]),
 				ImagePullPolicy: v1.PullIfNotPresent,
 				SecurityContext: &v1.SecurityContext{RunAsUser: &zero},
 				Env:             secretVariables,
 				// While the manifest digest is available we need the manifest of the layer within the archive hence
 				// using 'oras manifest fetch' to extract the correct layer.
-				Script: fmt.Sprintf(`echo "Restoring artifacts to workspace : $(workspaces.source.path)"
+				Script: fmt.Sprintf(`echo "Restoring artifacts"
 export ORAS_OPTIONS="%s"
 URL=%s
 DIGEST=$(tasks.%s.results.IMAGE_DIGEST)
 AARCHIVE=$(oras manifest fetch $ORAS_OPTIONS $URL@$DIGEST | jq --raw-output '.layers[0].digest')
 echo "URL $URL DIGEST $DIGEST AARCHIVE $AARCHIVE"
-use-archive oci:$URL@$AARCHIVE=$(workspaces.source.path)/artifacts`, orasOptions, registryArgsWithDefaults(jbsConfig, ""), BuildTaskName),
+use-archive oci:$URL@$AARCHIVE=%s/artifacts`, orasOptions, registryArgsWithDefaults(jbsConfig, ""), BuildTaskName, PostBuildVolumeMount),
 			},
 			{
 				Name:            "verify-and-check-for-contaminates",
 				Image:           buildRequestProcessorImage,
 				ImagePullPolicy: pullPolicy,
 				SecurityContext: &v1.SecurityContext{RunAsUser: &zero},
 				Env:             secretVariables,
-				VolumeMounts:    []v1.VolumeMount{{Name: PostBuildVolume, MountPath: WorkspaceMount}},
 				ComputeResources: v1.ResourceRequirements{
 					Requests: v1.ResourceList{"memory": limits.defaultBuildRequestMemory, "cpu": limits.defaultRequestCPU},
 					Limits:   v1.ResourceList{"memory": limits.defaultBuildRequestMemory, "cpu": limits.defaultLimitCPU},
@@ -855,7 +856,7 @@ func verifyParameters(jbsConfig *v1alpha1.JBSConfig, recipe *v1alpha1.BuildRecip
 	verifyBuiltArtifactsArgs := []string{
 		"verify-built-artifacts",
 		"--repository-url=$(params." + PipelineParamProxyUrl + ")",
-		"--deploy-path=$(workspaces.source.path)/artifacts",
+		fmt.Sprintf("--deploy-path=%s/artifacts", PostBuildVolumeMount),
 		"--task-run-name=$(context.taskRun.name)",
 		"--results-file=$(results." + PipelineResultPassedVerification + ".path)",
 	}
diff --git a/pkg/reconciler/dependencybuild/dependencybuild.go b/pkg/reconciler/dependencybuild/dependencybuild.go
@@ -1362,10 +1362,9 @@ func (r *ReconcileDependencyBuild) removePipelineFinalizer(ctx context.Context,
 	return reconcile.Result{}, nil
 }
 
+// TODO: ### Either remove or replace with verification step *but* the contaminants/verification is all tied to the build pipeline in dependencybuild.go
 func (r *ReconcileDependencyBuild) handleStateDeploying(ctx context.Context, db *v1alpha1.DependencyBuild) (reconcile.Result, error) {
-
 	log, _ := logr.FromContext(ctx)
-	log.Info(fmt.Sprintf("### handleStateDeploying %#v", db.Name))
 	//first we check to see if the pipeline exists
 
 	pr := tektonpipeline.PipelineRun{}
