build with arm

equinor · Jun 7, 2024 · 1ebf08b · 1ebf08b
1 parent 9ab41ac
commit 1ebf08b
Show file tree

Hide file tree

Showing 21 changed files with 194 additions and 154 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -9,27 +9,29 @@
       "program": "${workspaceFolder}/pipeline-runner/main.go",
       "env": {},
       "args": [
-        "--RADIX_APP=radix-job-demo",
-        "--JOB_NAME=radix-pipeline-20231113133209-sb8w8",
+        "--RADIX_APP=oauth-demo",
+        "--JOB_NAME=radix-pipeline-20231113133209-r",
         "--PIPELINE_TYPE=build-deploy",
+        "--DEBUG=true",
         "--RADIX_TEKTON_IMAGE=radix-tekton:main-latest",
         "--RADIX_IMAGE_BUILDER=radix-image-builder:master-latest",
         "--RADIX_BUILDAH_IMAGE_BUILDER=quay.io/buildah/stable:v1.31",
         "--SECCOMP_PROFILE_FILENAME=allow-buildah.json",
         "--RADIX_CLUSTER_TYPE=development",
         "--RADIX_ZONE=dev",
-        "--RADIX_CLUSTERNAME=weekly-44",
+        "--RADIX_CLUSTERNAME=weekly-23",
         "--RADIX_CONTAINER_REGISTRY=radixdev.azurecr.io",
+        "--RADIX_APP_CONTAINER_REGISTRY=radixdevapp.azurecr.io",
         "--AZURE_SUBSCRIPTION_ID=16ede44b-1f74-40a5-b428-46cca9a5741b",
-        "--IMAGE_TAG=abcde",
+        "--IMAGE_TAG=abcdw",
         "--BRANCH=main",
-        "--COMMIT_ID=1cbb2fb6b8a562d44a27edae9678c86cb7cbda2e",
+        // "--COMMIT_ID=4069bf49619be55ee7dbdd426194cc14c30fde10",
         "--PUSH_IMAGE=true",
         "--USE_CACHE=true",
         "--RADIX_FILE_NAME=/workspace/radixconfig.yaml",
-        "--TO_ENVIRONMENT=qa",
-        "--IMAGE_TAG_NAME=server=1.23-alpine-slim",
-        "--IMAGE_TAG_NAME=server2=1.22.1-alpine-perl",
+        "--TO_ENVIRONMENT=dev",
+        // "--IMAGE_TAG_NAME=server=1.23-alpine-slim",
+        // "--IMAGE_TAG_NAME=server2=1.22.1-alpine-perl",
         "--RADIX_RESERVED_APP_DNS_ALIASES=api=radix-api,canary=radix-canary-golang,console=radix-web-console,cost-api=radix-cost-allocation-api,webhook=radix-github-webhook",
         "--RADIX_RESERVED_DNS_ALIASES=grafana,prometheus,www"
       ]
@@ -104,7 +106,7 @@
         "RADIXOPERATOR_APP_ROLLING_UPDATE_MAX_SURGE": "25%",
         "RADIXOPERATOR_APP_READINESS_PROBE_INITIAL_DELAY_SECONDS": "5",
         "RADIXOPERATOR_APP_READINESS_PROBE_PERIOD_SECONDS": "10",
-        "RADIX_ACTIVE_CLUSTERNAME": "weekly-51",
+        "RADIX_ACTIVE_CLUSTERNAME": "weekly-23",
         "RADIX_IMAGE_BUILDER": "radix-image-builder:master-latest",
         "RADIX_TEKTON_IMAGE": "radix-tekton:main-latest",
         "RADIXOPERATOR_JOB_SCHEDULER": "radix-job-scheduler:main-latest",

diff --git a/pipeline-runner/internal/tekton/tekton.go b/pipeline-runner/internal/tekton/tekton.go
@@ -5,10 +5,12 @@ import (
 	"strings"
 	"time"
 
+	"github.com/equinor/radix-common/utils/pointers"
 	"github.com/equinor/radix-operator/pipeline-runner/model"
 	pipelineDefaults "github.com/equinor/radix-operator/pipeline-runner/model/defaults"
 	"github.com/equinor/radix-operator/pkg/apis/defaults"
 	"github.com/equinor/radix-operator/pkg/apis/kube"
+	"github.com/equinor/radix-operator/pkg/apis/securitycontext"
 	"github.com/equinor/radix-operator/pkg/apis/utils"
 	"github.com/equinor/radix-operator/pkg/apis/utils/annotations"
 	"github.com/equinor/radix-operator/pkg/apis/utils/git"
@@ -49,16 +51,24 @@ func CreateActionPipelineJob(containerName string, action string, pipelineInfo *
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: defaults.RadixTektonServiceAccountName,
-					SecurityContext:    &pipelineInfo.PipelineArguments.PodSecurityContext,
-					InitContainers:     initContainers,
+					SecurityContext: securitycontext.Pod(
+						securitycontext.WithPodFSGroup(1000),
+						securitycontext.WithPodSeccompProfile(corev1.SeccompProfileTypeRuntimeDefault)),
+					InitContainers: initContainers,
 					Containers: []corev1.Container{
 						{
 							Name:            containerName,
 							Image:           fmt.Sprintf("%s/%s", pipelineInfo.PipelineArguments.ContainerRegistry, pipelineInfo.PipelineArguments.TektonPipeline),
 							ImagePullPolicy: corev1.PullAlways,
 							VolumeMounts:    getJobContainerVolumeMounts(),
-							SecurityContext: &pipelineInfo.PipelineArguments.ContainerSecurityContext,
-							Env:             *envVars,
+							SecurityContext: securitycontext.Container(
+								securitycontext.WithContainerDropAllCapabilities(),
+								securitycontext.WithContainerRunAsUser(1000),
+								securitycontext.WithContainerRunAsGroup(1000),
+								securitycontext.WithContainerSeccompProfileType(corev1.SeccompProfileTypeRuntimeDefault),
+								securitycontext.WithReadOnlyRootFileSystem(pointers.Ptr(true)),
+							),
+							Env: *envVars,
 						},
 					},
 					Volumes:       getJobVolumes(),

diff --git a/pipeline-runner/model/pipelineInfo.go b/pipeline-runner/model/pipelineInfo.go
@@ -5,30 +5,15 @@ import (
 	"strings"
 	"time"
 
-	"github.com/equinor/radix-common/utils/pointers"
 	"github.com/equinor/radix-common/utils/slice"
 	application "github.com/equinor/radix-operator/pkg/apis/applicationconfig"
 	dnsaliasconfig "github.com/equinor/radix-operator/pkg/apis/config/dnsalias"
 	"github.com/equinor/radix-operator/pkg/apis/pipeline"
 	radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
-	"github.com/equinor/radix-operator/pkg/apis/securitycontext"
 	"github.com/equinor/radix-operator/pkg/apis/utils"
-	"github.com/equinor/radix-operator/pkg/apis/utils/conditions"
 	corev1 "k8s.io/api/core/v1"
 )
 
-const (
-	// gitContainerRunAsUser user id for running git initContainer
-	gitContainerRunAsUser = 65534
-
-	// securityContextRunAsGroup A group ID which the user running the container is member of
-	securityContextRunAsGroup = 1000
-
-	// securityContextFsGroup A group ID which the user running the container is member of. This is also the group ID of
-	// files in any mounted volume
-	securityContextFsGroup = 1000
-)
-
 // PipelineInfo Holds info about the pipeline to run
 type PipelineInfo struct {
 	Definition        *pipeline.Definition
@@ -86,12 +71,7 @@ type PipelineArguments struct {
 	ComponentsToDeploy []string
 
 	RadixConfigFile string
-	// Security context
-	PodSecurityContext corev1.PodSecurityContext
-	// Security context for image builder pods
-	BuildKitPodSecurityContext corev1.PodSecurityContext
 
-	ContainerSecurityContext corev1.SecurityContext
 	// Images used for copying radix config/building
 	TektonPipeline string
 	// ImageBuilder Points to the image builder
@@ -132,24 +112,6 @@ func InitPipeline(pipelineType *pipeline.Definition,
 	radixConfigMapName := fmt.Sprintf("radix-config-2-map-%s-%s-%s", timestamp, pipelineArguments.ImageTag, hash)
 	gitConfigFileName := fmt.Sprintf("radix-git-information-%s-%s-%s", timestamp, pipelineArguments.ImageTag, hash)
 
-	podSecContext := securitycontext.Pod(securitycontext.WithPodFSGroup(securityContextFsGroup),
-		securitycontext.WithPodSeccompProfile(corev1.SeccompProfileTypeRuntimeDefault))
-
-	buildKitPodSecContext := securitycontext.Pod(
-		securitycontext.WithPodFSGroup(securityContextFsGroup),
-		securitycontext.WithPodSeccompProfile(corev1.SeccompProfileTypeRuntimeDefault),
-		securitycontext.WithPodRunAsNonRoot(conditions.BoolPtr(false)))
-
-	containerSecContext := securitycontext.Container(securitycontext.WithContainerDropAllCapabilities(),
-		securitycontext.WithContainerSeccompProfileType(corev1.SeccompProfileTypeRuntimeDefault),
-		securitycontext.WithContainerRunAsGroup(securityContextRunAsGroup),
-		securitycontext.WithContainerRunAsUser(gitContainerRunAsUser),
-		securitycontext.WithReadOnlyRootFileSystem(pointers.Ptr(true)))
-
-	pipelineArguments.ContainerSecurityContext = *containerSecContext
-	pipelineArguments.PodSecurityContext = *podSecContext
-	pipelineArguments.BuildKitPodSecurityContext = *buildKitPodSecContext
-
 	stepImplementationsForType, err := getStepStepImplementationsFromType(pipelineType, stepImplementations...)
 	if err != nil {
 		return nil, err

diff --git a/pipeline-runner/steps/build_acr.go b/pipeline-runner/steps/build_acr.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/equinor/radix-common/utils/pointers"
 	"github.com/equinor/radix-operator/pipeline-runner/internal/commandbuilder"
 	"github.com/equinor/radix-operator/pipeline-runner/model"
 	"github.com/equinor/radix-operator/pkg/apis/defaults"
@@ -78,19 +79,19 @@ func buildContainerImageBuildingJob(rr *v1.RadixRegistration, pipelineInfo *mode
 	branch := pipelineInfo.PipelineArguments.Branch
 	imageTag := pipelineInfo.PipelineArguments.ImageTag
 	pipelineJobName := pipelineInfo.PipelineArguments.JobName
-	initContainers := git.CloneInitContainers(rr.Spec.CloneURL, branch, pipelineInfo.PipelineArguments.ContainerSecurityContext)
+	initContainers := git.CloneInitContainers(rr.Spec.CloneURL, branch)
 	buildContainers := createContainerImageBuildingContainers(appName, pipelineInfo, buildComponentImages, buildSecrets)
 	timestamp := time.Now().Format("20060102150405")
 	defaultMode, backOffLimit := int32(256), int32(0)
 	componentImagesAnnotation, _ := json.Marshal(buildComponentImages)
 	annotations := radixannotations.ForClusterAutoscalerSafeToEvict(false)
-	buildPodSecurityContext := &pipelineInfo.PipelineArguments.PodSecurityContext
+	buildPodSecurityContext := getAcrTaskBuildPodSecurityContext()
 
 	if isUsingBuildKit(pipelineInfo) {
 		for _, buildContainer := range buildContainers {
 			annotations[fmt.Sprintf("container.apparmor.security.beta.kubernetes.io/%s", buildContainer.Name)] = "unconfined"
 		}
-		buildPodSecurityContext = &pipelineInfo.PipelineArguments.BuildKitPodSecurityContext
+		buildPodSecurityContext = getBuildKitPodSecurityContext()
 	}
 
 	buildJobName := fmt.Sprintf("radix-builder-%s-%s-%s", timestamp, imageTag, hash)
@@ -238,11 +239,11 @@ func createContainerImageBuildingContainers(appName string, pipelineInfo *model.
 	containerRegistry := pipelineInfo.PipelineArguments.ContainerRegistry
 
 	imageBuilder := fmt.Sprintf("%s/%s", containerRegistry, pipelineInfo.PipelineArguments.ImageBuilder)
-	buildContainerSecContext := &pipelineInfo.PipelineArguments.ContainerSecurityContext
+	buildContainerSecContext := getAcrTaskBuildContainerSecurityContext()
 	var secretMountsArgsString string
 	if isUsingBuildKit(pipelineInfo) {
 		imageBuilder = pipelineInfo.PipelineArguments.BuildKitImageBuilder
-		buildContainerSecContext = getBuildContainerSecContext()
+		buildContainerSecContext = getBuildKitContainerSecurityContext()
 		secretMountsArgsString = getSecretArgs(buildSecrets)
 	}
 
@@ -565,16 +566,39 @@ func isUsingBuildKit(pipelineInfo *model.PipelineInfo) bool {
 	return pipelineInfo.RadixApplication.Spec.Build != nil && pipelineInfo.RadixApplication.Spec.Build.UseBuildKit != nil && *pipelineInfo.RadixApplication.Spec.Build.UseBuildKit
 }
 
-func getBuildContainerSecContext() *corev1.SecurityContext {
+func getAcrTaskBuildPodSecurityContext() *corev1.PodSecurityContext {
+	return securitycontext.Pod(
+		securitycontext.WithPodFSGroup(1000),
+		securitycontext.WithPodSeccompProfile(corev1.SeccompProfileTypeRuntimeDefault))
+}
+
+func getBuildKitPodSecurityContext() *corev1.PodSecurityContext {
+	return securitycontext.Pod(
+		securitycontext.WithPodFSGroup(1000),
+		securitycontext.WithPodSeccompProfile(corev1.SeccompProfileTypeRuntimeDefault),
+		securitycontext.WithPodRunAsNonRoot(pointers.Ptr(false)))
+}
+
+func getAcrTaskBuildContainerSecurityContext() *corev1.SecurityContext {
+	return securitycontext.Container(
+		securitycontext.WithContainerDropAllCapabilities(),
+		securitycontext.WithContainerSeccompProfileType(corev1.SeccompProfileTypeRuntimeDefault),
+		securitycontext.WithContainerRunAsUser(1000),
+		securitycontext.WithContainerRunAsGroup(1000),
+		securitycontext.WithReadOnlyRootFileSystem(pointers.Ptr(true)),
+	)
+}
+
+func getBuildKitContainerSecurityContext() *corev1.SecurityContext {
 	return securitycontext.Container(
 		securitycontext.WithContainerDropAllCapabilities(),
 		securitycontext.WithContainerCapabilities([]corev1.Capability{"SETUID", "SETGID", "SETFCAP"}),
 		securitycontext.WithContainerSeccompProfile(corev1.SeccompProfile{
 			Type:             corev1.SeccompProfileTypeLocalhost,
 			LocalhostProfile: utils.StringPtr("allow-buildah.json"),
 		}),
-		securitycontext.WithContainerRunAsNonRoot(utils.BoolPtr(false)),
-		securitycontext.WithReadOnlyRootFileSystem(utils.BoolPtr(true)),
+		securitycontext.WithContainerRunAsNonRoot(pointers.Ptr(false)),
+		securitycontext.WithReadOnlyRootFileSystem(pointers.Ptr(true)),
 	)
 }
 

diff --git a/pipeline-runner/steps/deploy_test.go b/pipeline-runner/steps/deploy_test.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/equinor/radix-common/utils/pointers"
 	"github.com/equinor/radix-operator/pipeline-runner/internal/watcher"
 	"github.com/equinor/radix-operator/pkg/apis/config/dnsalias"
 	"github.com/equinor/radix-operator/pkg/apis/defaults"
@@ -133,7 +134,7 @@ func TestDeploy_PromotionSetup_ShouldCreateNamespacesForAllBranchesIfNotExists(t
 				WithAuthentication(
 					&v1.Authentication{
 						ClientCertificate: &v1.ClientCertificate{
-							PassCertificateToUpstream: utils.BoolPtr(true),
+							PassCertificateToUpstream: pointers.Ptr(true),
 						},
 					},
 				).
@@ -147,7 +148,7 @@ func TestDeploy_PromotionSetup_ShouldCreateNamespacesForAllBranchesIfNotExists(t
 							&v1.Authentication{
 								ClientCertificate: &v1.ClientCertificate{
 									Verification:              &certificateVerification,
-									PassCertificateToUpstream: utils.BoolPtr(false),
+									PassCertificateToUpstream: pointers.Ptr(false),
 								},
 							},
 						).
@@ -159,7 +160,7 @@ func TestDeploy_PromotionSetup_ShouldCreateNamespacesForAllBranchesIfNotExists(t
 				WithAuthentication(
 					&v1.Authentication{
 						ClientCertificate: &v1.ClientCertificate{
-							PassCertificateToUpstream: utils.BoolPtr(true),
+							PassCertificateToUpstream: pointers.Ptr(true),
 						},
 					},
 				).
@@ -262,13 +263,13 @@ func TestDeploy_PromotionSetup_ShouldCreateNamespacesForAllBranchesIfNotExists(t
 		x0 := &v1.Authentication{
 			ClientCertificate: &v1.ClientCertificate{
 				Verification:              &certificateVerification,
-				PassCertificateToUpstream: utils.BoolPtr(false),
+				PassCertificateToUpstream: pointers.Ptr(false),
 			},
 		}
 
 		x1 := &v1.Authentication{
 			ClientCertificate: &v1.ClientCertificate{
-				PassCertificateToUpstream: utils.BoolPtr(true),
+				PassCertificateToUpstream: pointers.Ptr(true),
 			},
 		}
 

diff --git a/pipeline-runner/steps/prepare_pipelines.go b/pipeline-runner/steps/prepare_pipelines.go
@@ -199,7 +199,7 @@ func (cli *PreparePipelinesStepImplementation) getPreparePipelinesJobConfig(pipe
 		},
 	}
 	sshURL := registration.Spec.CloneURL
-	initContainers := cli.getInitContainerCloningRepo(pipelineInfo, configBranch, sshURL)
+	initContainers := cli.getInitContainerCloningRepo(configBranch, sshURL)
 
 	return internaltekton.CreateActionPipelineJob(defaults.RadixPipelineJobPreparePipelinesContainerName, action, pipelineInfo, appName, initContainers, &envVars)
 
@@ -212,9 +212,8 @@ func getWebhookCommitID(pipelineInfo *model.PipelineInfo) string {
 	return ""
 }
 
-func (cli *PreparePipelinesStepImplementation) getInitContainerCloningRepo(pipelineInfo *model.PipelineInfo, configBranch, sshURL string) []corev1.Container {
-	return git.CloneInitContainersWithContainerName(sshURL, configBranch, git.CloneConfigContainerName,
-		pipelineInfo.PipelineArguments.ContainerSecurityContext)
+func (cli *PreparePipelinesStepImplementation) getInitContainerCloningRepo(configBranch, sshURL string) []corev1.Container {
+	return git.CloneInitContainersWithContainerName(sshURL, configBranch, git.CloneConfigContainerName)
 }
 
 func (cli *PreparePipelinesStepImplementation) getSourceDeploymentGitInfo(ctx context.Context, appName, sourceEnvName, sourceDeploymentName string) (string, string, error) {

diff --git a/pipeline-runner/steps/promotion_test.go b/pipeline-runner/steps/promotion_test.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/equinor/radix-common/utils/pointers"
 	commonslice "github.com/equinor/radix-common/utils/slice"
 	application "github.com/equinor/radix-operator/pkg/apis/applicationconfig"
 	"github.com/equinor/radix-operator/pkg/apis/kube"
@@ -483,7 +484,7 @@ func TestPromote_PromoteToOtherEnvironment_Authentication(t *testing.T) {
 							WithAuthentication(
 								&v1.Authentication{
 									ClientCertificate: &v1.ClientCertificate{
-										PassCertificateToUpstream: utils.BoolPtr(true),
+										PassCertificateToUpstream: pointers.Ptr(true),
 									},
 								},
 							).
@@ -534,7 +535,7 @@ func TestPromote_PromoteToOtherEnvironment_Authentication(t *testing.T) {
 	x0 := &v1.Authentication{
 		ClientCertificate: &v1.ClientCertificate{
 			Verification:              &verification,
-			PassCertificateToUpstream: utils.BoolPtr(true),
+			PassCertificateToUpstream: pointers.Ptr(true),
 		},
 	}
 	assert.NotNil(t, rds.Items[0].Spec.Components[0].Authentication)

diff --git a/pkg/apis/applicationconfig/applicationconfig_test.go b/pkg/apis/applicationconfig/applicationconfig_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/equinor/radix-common/utils/pointers"
 	"github.com/equinor/radix-common/utils/slice"
 	"github.com/equinor/radix-operator/pkg/apis/applicationconfig"
 	"github.com/equinor/radix-operator/pkg/apis/defaults"
@@ -602,13 +603,13 @@ func Test_UseBuildKit(t *testing.T) {
 		},
 		{
 			appName:             "any-app2",
-			useBuildKit:         utils.BoolPtr(false),
-			expectedUseBuildKit: utils.BoolPtr(false),
+			useBuildKit:         pointers.Ptr(false),
+			expectedUseBuildKit: pointers.Ptr(false),
 		},
 		{
 			appName:             "any-app3",
-			useBuildKit:         utils.BoolPtr(true),
-			expectedUseBuildKit: utils.BoolPtr(true),
+			useBuildKit:         pointers.Ptr(true),
+			expectedUseBuildKit: pointers.Ptr(true),
 		},
 	}
 	tu, client, kubeUtil, radixClient := setupTest(t)