stackrox · tommartensen · Feb 16, 2024 · Oct 16, 2023 · Oct 16, 2023 · Oct 16, 2023
@@ -1,4 +1,4 @@
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: PipelineRun
 
 metadata:
@@ -38,7 +38,7 @@ spec:
   # TODO(ROX-20234): Enable hermetic builds
   # - name: hermetic
   #   value: "true"
-  # No language dependencies are required for central-db image.
+  # No language dependencies are required for collector image.
   - name: prefetch-input
     value: ''
 
@@ -58,6 +58,7 @@ spec:
     secret:
       secretName: '{{ git_auth_secret }}'
 
+  # The pipeline regularly takes >1h to finish.
   timeouts:
     pipeline: 1h30m0s
 
@@ -179,6 +180,7 @@ spec:
         - name: kind
           value: task
         resolver: bundles
+
     - name: clone-repository
       params:
       - name: url
@@ -205,6 +207,7 @@ spec:
         workspace: workspace
       - name: basic-auth
         workspace: git-auth
+
     - name: prefetch-dependencies
       params:
       - name: input
@@ -224,6 +227,22 @@ spec:
       - name: source
         workspace: workspace
 
+    - name: fetch-support-package
+      runAfter:
+      - init
+      - clone-repository
+      taskSpec:
+        steps:
+          - name: fetch-support-package
+            image: registry.access.redhat.com/ubi8-minimal:latest
+            script: |
+              #!/usr/bin/env bash
+              "$(workspaces.source.path)/source/collector/container/scripts/download-support-package.sh" \
+                "$(workspaces.source.path)/source/staging"
+      workspaces:
+      - name: source
+        workspace: workspace
+
     - name: build-container
       params:
       - name: IMAGE
@@ -242,6 +261,7 @@ spec:
         value: $(tasks.clone-repository.results.commit)
       runAfter:
       - prefetch-dependencies
+      - fetch-support-package
       taskRef:
         params:
         - name: name

@@ -1,4 +1,4 @@
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: PipelineRun
 
 metadata:
@@ -38,7 +38,7 @@ spec:
   # TODO(ROX-20234): Enable hermetic builds
   # - name: hermetic
   #   value: "true"
-  # No language dependencies are required for central-db image.
+  # No language dependencies are required for collector image.
   - name: prefetch-input
     value: ''
 
@@ -58,6 +58,10 @@ spec:
     secret:
       secretName: '{{ git_auth_secret }}'
 
+  # The pipeline regularly takes >1h to finish.
+  timeouts:
+    pipeline: 1h30m0s
+
   pipelineSpec:
 
     finally:

@@ -96,34 +96,24 @@ RUN ./builder/install/install-dependencies.sh && \
     ctest -V --test-dir ${CMAKE_BUILD_DIR} && \
     strip -v --strip-unneeded "${CMAKE_BUILD_DIR}/collector/collector"
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS support-packages-downloader
-
-WORKDIR /staging
-
-COPY kernel-modules/MODULE_VERSION kernel-modules/MODULE_VERSION
-COPY collector/container/scripts/download-support-package.sh download-support-package.sh
-
-RUN ./download-support-package.sh
-
-# Do NOT use follow_tag here, as we do not need or want collector to be rebuilt
-# with each drivers build (which may become very frequent)
+# 0.1.0 is a floating tag and it's used intentionally to pick up the most recent downstream drivers build without
+# having to routinely and frequently bump tags here.
 FROM brew.registry.redhat.io/rh-osbs/rhacs-drivers-build-rhel8:0.1.0 AS drivers-build
-# FROM registry-proxy.engineering.redhat.com/rh-osbs/rhacs-drivers-build-rhel8:0.1.0 AS drivers-build
 
 # TODO(ROX-20312): we can't pin image tag or digest because currently there's no mechanism to auto-update that.
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS unpacker
 
 RUN microdnf install -y unzip findutils
 WORKDIR /staging
 
-COPY --from=support-packages-downloader /staging/support-pkg.zip /staging/
+COPY staging/support-pkg.zip /staging/
 COPY kernel-modules/MODULE_VERSION MODULE_VERSION.txt
-# Creating this directory ensures the scratch build with dummy support-pkg.zip will not fail.
 RUN mkdir -p "/staging/kernel-modules/$(cat MODULE_VERSION.txt)"
+
 # First, unpack upstream support package, only on x86_64
 RUN if [[ "$(uname -m)" == x86_64 ]]; then unzip support-pkg.zip ; fi
-# Fail non-scratch build if there were no drivers matching the module version.
-RUN if [[ "$(uname -m)" == x86_64 && "$(ls -A /staging/kernel-modules/$(cat MODULE_VERSION.txt))" == "" && "$(unzip -Z1 support-pkg.zip)" != "dummy-support-pkg" ]] ; then \
+# Fail build if there were no drivers in the support package matching the module version.
+RUN if [[ "$(uname -m)" == x86_64 && "$(ls -A /staging/kernel-modules/$(cat MODULE_VERSION.txt))" == "" ]] ; then \
       >&2 echo "Did not find any kernel drivers for the module version $(cat MODULE_VERSION.txt) in the support package"; \
       exit 1; \
     fi
@@ -140,8 +130,7 @@ RUN mkdir /kernel-modules
 # Move files for the current version to /kernel-modules
 RUN find "/staging/kernel-modules/$(cat MODULE_VERSION.txt)/" -type f -exec mv -t /kernel-modules {} +
 # Fail the build if at the end there were no drivers matching the module version.
-RUN if [[ "$(ls -A /kernel-modules)" == "" && \
-        !("$(uname -m)" == x86_64 && "$(unzip -Z1 support-pkg.zip)" == "dummy-support-pkg") ]]; then \
+RUN if [[ "$(ls -A /kernel-modules)" == "" ]]; then \
         >&2 echo "Did not find any kernel drivers for the module version $(cat MODULE_VERSION.txt)."; \
         exit 1; \
     fi

@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
-## Adapted from https://gitlab.cee.redhat.com/stackrox/rhacs-midstream/-/blob/rhacs-1.0-rhel-8/distgit/containers/rhacs-collector/pre-build-script.
+## Adapted from https://gitlab.cee.redhat.com/stackrox/rhacs-midstream/-/blob/rhacs-1.0-rhel-8/distgit/containers/rhacs-collector/pre-build-script
 
-set -euxo pipefail
+set -euo pipefail
 
 verify_downloaded_file() {
     file=$1
@@ -14,6 +14,8 @@ verify_downloaded_file() {
 }
 
 main() {
+    TARGET_DIR="$1"
+
     # TODO(ROX-22429): Set up process for Fast Stream Releases to update the support package version.
     # Make sure to update this URL when releasing the new version of ACS.
     # Get the most current link at https://cdn.stackrox.io/collector/support-packages/index.html
@@ -37,13 +39,14 @@ main() {
     curl --fail --location --max-redirs 0 --output "${zip_file}" "${support_pkg}"
     curl --fail --location --max-redirs 0 --output "${zip_file}.sha256" "${support_pkg}.sha256"
 
-    verify_downloaded_file "$zip_file"
+    verify_downloaded_file "${zip_file}"
     verify_downloaded_file "${zip_file}.sha256"
 
     sha256sum -c "${zip_file}.sha256"
 
     # Rename the support package so the docker build can find it in the same place every build.
-    mv "$zip_file" "support-pkg.zip"
+    mkdir -p "${TARGET_DIR}"
+    mv "${zip_file}" "${TARGET_DIR}/support-pkg.zip"
 }
 
-main
+main "$@"