Configurable image names for clone step in pipeline runner (#1138)

* configure images used by git clone containers * update launch.json with images from cache acr
equinor · Jul 3, 2024 · 790146e · 790146e
1 parent 38d1714
commit 790146e
Show file tree

Hide file tree

Showing 17 changed files with 434 additions and 147 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -17,6 +17,9 @@
         "--RADIX_IMAGE_BUILDER=radix-image-builder:master-latest",
         "--RADIX_BUILDAH_IMAGE_BUILDER=quay.io/buildah/stable:v1.31",
         "--SECCOMP_PROFILE_FILENAME=allow-buildah.json",
+        "--RADIX_PIPELINE_GIT_CLONE_NSLOOKUP_IMAGE=radixdevcache.azurecr.io/alpine:3.20",
+        "--RADIX_PIPELINE_GIT_CLONE_GIT_IMAGE=radixdevcache.azurecr.io/alpine/git:2.45.2",
+        "--RADIX_PIPELINE_GIT_CLONE_BASH_IMAGE=radixdevcache.azurecr.io/bash:5.2",
         "--RADIX_CLUSTER_TYPE=development",
         "--RADIX_ZONE=dev",
         "--RADIX_CLUSTERNAME=weekly-23",
@@ -49,6 +52,9 @@
         "--JOB_NAME=radix-pipeline-20231121120818-sb2xq",
         "--PIPELINE_TYPE=promote",
         "--RADIX_TEKTON_IMAGE=radix-tekton:main-latest",
+        "--RADIX_PIPELINE_GIT_CLONE_NSLOOKUP_IMAGE=radixdevcache.azurecr.io/alpine:3.20",
+        "--RADIX_PIPELINE_GIT_CLONE_GIT_IMAGE=radixdevcache.azurecr.io/alpine/git:2.45.2",
+        "--RADIX_PIPELINE_GIT_CLONE_BASH_IMAGE=radixdevcache.azurecr.io/bash:5.2",
         "--FROM_ENVIRONMENT=dev",
         "--TO_ENVIRONMENT=prod",
         "--DEPLOYMENT_NAME=dev-hyxzv-j9pg34k2",
@@ -71,6 +77,9 @@
         "--JOB_NAME=radix-pipeline-20231030091802-mfzoz",
         "--PIPELINE_TYPE=deploy",
         "--RADIX_TEKTON_IMAGE=radix-tekton:main-latest",
+        "--RADIX_PIPELINE_GIT_CLONE_NSLOOKUP_IMAGE=radixdevcache.azurecr.io/alpine:3.20",
+        "--RADIX_PIPELINE_GIT_CLONE_GIT_IMAGE=radixdevcache.azurecr.io/alpine/git:2.45.2",
+        "--RADIX_PIPELINE_GIT_CLONE_BASH_IMAGE=radixdevcache.azurecr.io/bash:5.2",
         "--TO_ENVIRONMENT=prod",
         "--DEBUG=true",
         "--RADIX_FILE_NAME=/workspace/radixconfig.yaml",

diff --git a/charts/radix-operator/Chart.yaml b/charts/radix-operator/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: radix-operator
-version: 1.36.3
-appVersion: 1.56.3
+version: 1.37.0
+appVersion: 1.57.0
 kubeVersion: ">=1.24.0"
 description: Radix Operator
 keywords:

diff --git a/charts/radix-operator/templates/deployment.yaml b/charts/radix-operator/templates/deployment.yaml
@@ -157,6 +157,12 @@ spec:
               value: {{ .Values.seccompProfile.fileNameOnNode }}
             - name: RADIX_BUILDAH_IMAGE_BUILDER
               value: {{ .Values.buildahImageBuilder }}
+            - name: RADIX_PIPELINE_GIT_CLONE_NSLOOKUP_IMAGE
+              value: {{ .Values.gitCloneNsLookupImage }}
+            - name: RADIX_PIPELINE_GIT_CLONE_GIT_IMAGE
+              value: {{ .Values.gitCloneGitImage }}
+            - name: RADIX_PIPELINE_GIT_CLONE_BASH_IMAGE
+              value: {{ .Values.gitCloneBashImage }}
             - name: RADIX_RESERVED_APP_DNS_ALIASES
               value: {{ include "helm-toolkit.utils.joinMapWithComma" .Values.reservedAppDNSAlias | quote }}
             - name: RADIX_RESERVED_DNS_ALIASES

diff --git a/charts/radix-operator/values.yaml b/charts/radix-operator/values.yaml
@@ -19,6 +19,12 @@ imageBuilder: radix-image-builder:master-latest
 buildahImageBuilder: xx
 jobScheduler: radix-job-scheduler:main-latest
 radixTekton: radix-tekton:main-latest
+
+# Images used by git clone init containers in pipeline
+gitCloneNsLookupImage: "" # Image containing nslookup, e.g. "alpine:3.20". Defaults to "alpine:latest" if not set
+gitCloneGitImage: "" # Image containing git, e.g. "alpine/git:2.45.2". Defaults to "alpine/git:latest" if not set
+gitCloneBashImage: "" # Image containing bash, e.g. "bash:5.2". Defaults to "bash:latest" if not set
+
 useImageBuilderCache: 0
 reservedAppDNSAlias:
   api: radix-api

diff --git a/pipeline-runner/internal/git/clone.go b/pipeline-runner/internal/git/clone.go
@@ -0,0 +1,14 @@
+package git
+
+import (
+	"github.com/equinor/radix-operator/pipeline-runner/model"
+	gitclone "github.com/equinor/radix-operator/pkg/apis/utils/git"
+)
+
+func CloneConfigFromPipelineArgs(args model.PipelineArguments) gitclone.CloneConfig {
+	return gitclone.CloneConfig{
+		NSlookupImage: args.GitCloneNsLookupImage,
+		GitImage:      args.GitCloneGitImage,
+		BashImage:     args.GitCloneBashImage,
+	}
+}
diff --git a/pipeline-runner/internal/git/clone_test.go b/pipeline-runner/internal/git/clone_test.go
@@ -0,0 +1,17 @@
+package git_test
+
+import (
+	"testing"
+
+	internalgit "github.com/equinor/radix-operator/pipeline-runner/internal/git"
+	"github.com/equinor/radix-operator/pipeline-runner/model"
+	"github.com/equinor/radix-operator/pkg/apis/utils/git"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_CloneConfigFromPipelineArgs(t *testing.T) {
+	args := model.PipelineArguments{GitCloneNsLookupImage: "anynslookup:any", GitCloneGitImage: "anygit:any", GitCloneBashImage: "anybash:any"}
+	actual := internalgit.CloneConfigFromPipelineArgs(args)
+	expected := git.CloneConfig{NSlookupImage: args.GitCloneNsLookupImage, GitImage: args.GitCloneGitImage, BashImage: args.GitCloneBashImage}
+	assert.Equal(t, expected, actual)
+}
diff --git a/pipeline-runner/main.go b/pipeline-runner/main.go
@@ -127,6 +127,10 @@ func setPipelineArgsFromArguments(cmd *cobra.Command, pipelineArgs *model.Pipeli
 	cmd.Flags().StringToStringVar(&pipelineArgs.DNSConfig.ReservedAppDNSAliases, defaults.RadixReservedAppDNSAliasesEnvironmentVariable, make(map[string]string), "The list of DNS aliases, reserved for Radix platform Radix application")
 	cmd.Flags().StringSliceVar(&pipelineArgs.DNSConfig.ReservedDNSAliases, defaults.RadixReservedDNSAliasesEnvironmentVariable, make([]string, 0), "The list of DNS aliases, reserved for Radix platform services")
 	cmd.Flags().StringSliceVar(&pipelineArgs.ComponentsToDeploy, defaults.RadixComponentsToDeployVariable, make([]string, 0), "The list of components to deploy (optional)")
+	// Git clone init container images
+	cmd.Flags().StringVar(&pipelineArgs.GitCloneNsLookupImage, defaults.RadixGitCloneNsLookupImageEnvironmentVariable, "alpine:latest", "Container image with nslookup used by git clone init containers")
+	cmd.Flags().StringVar(&pipelineArgs.GitCloneGitImage, defaults.RadixGitCloneGitImageEnvironmentVariable, "alpine/git:latest", "Container image with git used by git clone init containers")
+	cmd.Flags().StringVar(&pipelineArgs.GitCloneBashImage, defaults.RadixGitCloneBashImageEnvironmentVariable, "bash:latest", "Container image with bash used by git clone init containers")
 
 	err := cmd.Flags().Parse(arguments)
 	if err != nil {

diff --git a/pipeline-runner/model/pipelineInfo.go b/pipeline-runner/model/pipelineInfo.go
@@ -78,6 +78,16 @@ type PipelineArguments struct {
 	ImageBuilder string
 	// BuildKitImageBuilder Points to the BuildKit compliant image builder
 	BuildKitImageBuilder string
+	// GitCloneNsLookupImage defines image containing nslookup.
+	// Used as option to the CloneInitContainers function.
+	GitCloneNsLookupImage string
+	// GitCloneGitImage defines image containing git cli.
+	// Must support running as user 65534.
+	// Used as option to the CloneInitContainers function.
+	GitCloneGitImage string
+	// GitCloneBashImage defines image with bash.
+	// Used as option to the CloneInitContainers function.
+	GitCloneBashImage string
 	// SeccompProfileFileName Filename of the seccomp profile injected by daemonset, relative to the /var/lib/kubelet/seccomp directory on node
 	SeccompProfileFileName string
 	// Used for tagging meta-information

diff --git a/pipeline-runner/steps/build/build_acr.go b/pipeline-runner/steps/build/build_acr.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/equinor/radix-common/utils/pointers"
 	"github.com/equinor/radix-operator/pipeline-runner/internal/commandbuilder"
+	internalgit "github.com/equinor/radix-operator/pipeline-runner/internal/git"
 	"github.com/equinor/radix-operator/pipeline-runner/model"
 	"github.com/equinor/radix-operator/pkg/apis/defaults"
 	"github.com/equinor/radix-operator/pkg/apis/kube"
@@ -54,7 +55,10 @@ func (step *BuildStepImplementation) buildContainerImageBuildingJobsForACRTasks(
 
 	log.Ctx(ctx).Debug().Msg("build a build-job")
 	hash := strings.ToLower(utils.RandStringStrSeed(5, pipelineInfo.PipelineArguments.JobName))
-	job := buildContainerImageBuildingJob(ctx, rr, pipelineInfo, buildSecrets, hash, &radixv1.Runtime{Architecture: radixv1.RuntimeArchitectureAmd64}, buildComponentImages...)
+	job, err := buildContainerImageBuildingJob(ctx, rr, pipelineInfo, buildSecrets, hash, &radixv1.Runtime{Architecture: radixv1.RuntimeArchitectureAmd64}, buildComponentImages...)
+	if err != nil {
+		return nil, err
+	}
 	return []*batchv1.Job{job}, nil
 }
 
@@ -66,7 +70,10 @@ func (step *BuildStepImplementation) buildContainerImageBuildingJobsForBuildKit(
 			log.Ctx(ctx).Debug().Msgf("build a job for the image %s", componentImage.ImageName)
 			hash := strings.ToLower(utils.RandStringStrSeed(5, fmt.Sprintf("%s-%s-%s", pipelineInfo.PipelineArguments.JobName, envName, componentImage.ComponentName)))
 
-			job := buildContainerImageBuildingJob(ctx, rr, pipelineInfo, buildSecrets, hash, componentImage.Runtime, componentImage)
+			job, err := buildContainerImageBuildingJob(ctx, rr, pipelineInfo, buildSecrets, hash, componentImage.Runtime, componentImage)
+			if err != nil {
+				return nil, err
+			}
 
 			job.ObjectMeta.Labels[kube.RadixEnvLabel] = envName
 			job.ObjectMeta.Labels[kube.RadixComponentLabel] = componentImage.ComponentName
@@ -76,12 +83,15 @@ func (step *BuildStepImplementation) buildContainerImageBuildingJobsForBuildKit(
 	return jobs, nil
 }
 
-func buildContainerImageBuildingJob(ctx context.Context, rr *radixv1.RadixRegistration, pipelineInfo *model.PipelineInfo, buildSecrets []corev1.EnvVar, hash string, jobRuntime *radixv1.Runtime, buildComponentImages ...pipeline.BuildComponentImage) *batchv1.Job {
+func buildContainerImageBuildingJob(ctx context.Context, rr *radixv1.RadixRegistration, pipelineInfo *model.PipelineInfo, buildSecrets []corev1.EnvVar, hash string, jobRuntime *radixv1.Runtime, buildComponentImages ...pipeline.BuildComponentImage) (*batchv1.Job, error) {
 	appName := rr.Name
 	branch := pipelineInfo.PipelineArguments.Branch
 	imageTag := pipelineInfo.PipelineArguments.ImageTag
 	pipelineJobName := pipelineInfo.PipelineArguments.JobName
-	initContainers := git.CloneInitContainers(rr.Spec.CloneURL, branch)
+	initContainers, err := git.CloneInitContainers(rr.Spec.CloneURL, branch, internalgit.CloneConfigFromPipelineArgs(pipelineInfo.PipelineArguments))
+	if err != nil {
+		return nil, err
+	}
 	buildContainers := createContainerImageBuildingContainers(appName, pipelineInfo, buildComponentImages, buildSecrets)
 	timestamp := time.Now().Format("20060102150405")
 	defaultMode, backOffLimit := int32(256), int32(0)
@@ -132,7 +142,7 @@ func buildContainerImageBuildingJob(ctx context.Context, rr *radixv1.RadixRegist
 			},
 		},
 	}
-	return job
+	return job, nil
 }
 
 func getContainerImageBuildingJobVolumes(defaultMode *int32, buildSecrets []corev1.EnvVar, isUsingBuildKit bool, containers []corev1.Container) []corev1.Volume {

diff --git a/pipeline-runner/steps/build/step.go b/pipeline-runner/steps/build/step.go
@@ -99,6 +99,7 @@ func (step *BuildStepImplementation) createACRBuildJobs(ctx context.Context, pip
 
 	g := errgroup.Group{}
 	for _, job := range jobs {
+		job := job
 		g.Go(func() error {
 			logger := log.Ctx(ctx).With().Str("job", job.Name).Logger()
 			job.OwnerReferences = ownerReference