diff --git a/.tekton/netobserv-ebpf-agent-1-8-pull-request.yaml b/.tekton/netobserv-ebpf-agent-1-8-pull-request.yaml
index 2cb58f59e1697dc43957e292e11247b66c84d918..138d2fb98cbe35c45d81f06c6958c5aa5a0debc0 100644
--- a/.tekton/netobserv-ebpf-agent-1-8-pull-request.yaml
+++ b/.tekton/netobserv-ebpf-agent-1-8-pull-request.yaml
@@ -26,24 +26,11 @@ spec:
     value: quay.io/redhat-user-workloads/ocp-network-observab-tenant/netobserv-operator/netobserv-ebpf-agent:on-pr-{{revision}}
   - name: image-expires-after
     value: 5d
+  - name: build-args-file
+    value: Dockerfile-args.downstream
   - name: dockerfile
     value: Dockerfile.downstream
+  - name: build-platforms
+    value: ["linux/x86_64"]
   pipelineRef:
     name: build-pipeline
-  taskRunTemplate: {}
-  workspaces:
-  - name: workspace
-    volumeClaimTemplate:
-      metadata:
-        creationTimestamp: null
-      spec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-    status: {}
-  - name: git-auth
-    secret:
-      secretName: '{{ git_auth_secret }}'
-status: {}
diff --git a/.tekton/netobserv-ebpf-agent-1-8-push.yaml b/.tekton/netobserv-ebpf-agent-1-8-push.yaml
index 4e60be79678c1723a2da60ae2321ed58932bebea..43c0fdf7a7d2a6a0521d408ab480581f5fdb6f18 100644
--- a/.tekton/netobserv-ebpf-agent-1-8-push.yaml
+++ b/.tekton/netobserv-ebpf-agent-1-8-push.yaml
@@ -5,8 +5,8 @@ metadata:
     build.appstudio.openshift.io/repo: https://github.com/netobserv/netobserv-ebpf-agent?rev={{revision}}
     build.appstudio.redhat.com/commit_sha: '{{revision}}'
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
-    build.appstudio.openshift.io/build-nudge-files: "hack/container_digest.sh"
     pipelinesascode.tekton.dev/max-keep-runs: "3"
+    build.appstudio.openshift.io/build-nudge-files: "hack/nudging/container_digest.sh"
     pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "release-1.8"
   creationTimestamp: null
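Review bot: `build-platforms: ["linux/x86_64"]` restricts the on-pr build to one architecture, while the push PipelineRun for the same branch in this change sets no `build-platforms` at all, so whatever platform set `build-pipeline` builds by default on push is never compiled, scanned or signature-checked before merge. With `Dockerfile.downstream` also dropping `--platform`/`GOARCH` in this change, arch-specific breakage now first surfaces on the post-merge image that gets nudged downstream. If the restriction is deliberate for PR turnaround, record it next to the param, e.g. `# PR builds are x86_64-only for speed; push builds use the pipeline's default platform set`. The removed `workspaces` block also drops the `git-auth` secret binding; that is only safe if `build-pipeline` no longer declares a `git-auth` workspace, which the `*-oci-ta` task references in pipeline-ref.yaml suggest but this diff does not show.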
@@ -24,24 +24,11 @@ spec:
     value: '{{revision}}'
   - name: output-image
     value: quay.io/redhat-user-workloads/ocp-network-observab-tenant/netobserv-operator/netobserv-ebpf-agent:{{revision}}
+  - name: image-expires-after
+    value: 14d
+  - name: build-args-file
+    value: Dockerfile-args.downstream
   - name: dockerfile
     value: Dockerfile.downstream
   pipelineRef:
     name: build-pipeline
-  taskRunTemplate: {}
-  workspaces:
-  - name: workspace
-    volumeClaimTemplate:
-      metadata:
-        creationTimestamp: null
-      spec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-    status: {}
-  - name: git-auth
-    secret:
-      secretName: '{{ git_auth_secret }}'
-status: {}
diff --git a/.tekton/netobserv-ebpf-agent-pull-request.yaml b/.tekton/netobserv-ebpf-agent-pull-request.yaml
index 32602f9a22b76f2b6e5c0382d6eedb3344235bf6..e2ce52ac085a6e1626d742a22139887de8c02cfe 100644
--- a/.tekton/netobserv-ebpf-agent-pull-request.yaml
+++ b/.tekton/netobserv-ebpf-agent-pull-request.yaml
@@ -26,24 +26,11 @@ spec:
     value: quay.io/redhat-user-workloads/ocp-network-observab-tenant/netobserv-operator/netobserv-ebpf-agent:on-pr-{{revision}}
   - name: image-expires-after
     value: 5d
+  - name: build-args-file
+    value: Dockerfile-args.downstream
   - name: dockerfile
     value: Dockerfile.downstream
+  - name: build-platforms
+    value: ["linux/x86_64"]
   pipelineRef:
     name: build-pipeline
-  taskRunTemplate: {}
-  workspaces:
-  - name: workspace
-    volumeClaimTemplate:
-      metadata:
-        creationTimestamp: null
-      spec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-    status: {}
-  - name: git-auth
-    secret:
-      secretName: '{{ git_auth_secret }}'
-status: {}
diff --git a/.tekton/netobserv-ebpf-agent-push.yaml b/.tekton/netobserv-ebpf-agent-push.yaml
index 4f10c2f289ec46b0312ad4a6342b0aa00a7e2cba..dbf6161aac4e9b7d64258efe0ff3027e42a22ad9 100644
--- a/.tekton/netobserv-ebpf-agent-push.yaml
+++ b/.tekton/netobserv-ebpf-agent-push.yaml
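Review bot: `image-expires-after: 14d` now applies to every push build of `release-1.8`, which are exactly the digests that the nudge annotation on this file (`hack/nudging/container_digest.sh`) propagates to the operator. Any consumer still pinning one of those digests 14 days later will fail to pull, and because the downstream Dockerfile embeds the build time in `main.buildDate`, an expired digest cannot be regenerated bit-for-bit from the same commit. If the intent is to garbage-collect unreleased release-branch images and rely on the release process to re-tag what ships, say so next to the param, e.g. `# unreleased release-1.8 builds are GC'd after 14d; released digests are re-tagged by the release pipeline`, and confirm the operator's digest file is refreshed before that window closes.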
@@ -6,7 +6,7 @@ metadata:
     build.appstudio.redhat.com/commit_sha: '{{revision}}'
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/max-keep-runs: "3"
-    build.appstudio.openshift.io/build-nudge-files: "hack/container_digest.sh"
+    build.appstudio.openshift.io/build-nudge-files: "hack/nudging/container_digest.sh"
     pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main"
   creationTimestamp: null
@@ -24,24 +24,11 @@ spec:
     value: '{{revision}}'
   - name: output-image
     value: quay.io/redhat-user-workloads/ocp-network-observab-tenant/netobserv-operator/netobserv-ebpf-agent:{{revision}}
+  - name: image-expires-after
+    value: 14d
+  - name: build-args-file
+    value: Dockerfile-args.downstream
   - name: dockerfile
     value: Dockerfile.downstream
   pipelineRef:
     name: build-pipeline
-  taskRunTemplate: {}
-  workspaces:
-  - name: workspace
-    volumeClaimTemplate:
-      metadata:
-        creationTimestamp: null
-      spec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-    status: {}
-  - name: git-auth
-    secret:
-      secretName: '{{ git_auth_secret }}'
-status: {}
diff --git a/.tekton/pipeline-ref.yaml b/.tekton/pipeline-ref.yaml
index 7998ec9112e99bd42948c8d6deba177d79182344..7d3870307000458ad35885d171c804044924e8f4 100644
--- a/.tekton/pipeline-ref.yaml
+++ b/.tekton/pipeline-ref.yaml
@@ -247,7 +247,6 @@ spec:
       operator: in
       values:
       - "true"
-
   - name: build-source-image
     params:
     - name: BINARY_IMAGE
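Review bot: the `main` push build now takes `build-args-file: Dockerfile-args.downstream`, a file whose only content in this change is `BUILDVERSION=1.8.1`, and that value ends up in both `main.buildVersion` and `LABEL version` of the resulting image. If this file also exists on `main`, images built from main become indistinguishable by version from release-1.8 images, which undermines the one provenance signal the downstream Dockerfile still records after the `upstream-vcs-ref` label was removed. Either keep a branch-appropriate `Dockerfile-args.downstream` on each branch and note that in a comment next to the param (`# BUILDVERSION is branch-specific; keep Dockerfile-args.downstream in sync with the branch`), or restore a commit reference so the image can be traced back to its source revision.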
@@ -298,20 +297,20 @@ spec:
       operator: in
       values:
       - "false"
-  - name: clair-scan
+  - name: rpms-signature-scan
     params:
-    - name: image-digest
-      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     - name: image-url
       value: $(tasks.build-image-index.results.IMAGE_URL)
+    - name: image-digest
+      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     runAfter:
     - build-image-index
     taskRef:
       params:
       - name: name
-        value: clair-scan
+        value: rpms-signature-scan
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:03383b5a8674edef0ae184dd81f00386017624a5af255cb0b5803d7659483ba5
+        value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d00d159c370e3c99447516970c316ef57dfd27c29e0ce3cff50727c9c40936d8
       - name: kind
         value: task
       resolver: bundles
@@ -320,8 +319,10 @@ spec:
       operator: in
       values:
       - "false"
-  - name: ecosystem-cert-preflight-checks
+  - name: clair-scan
     params:
+    - name: image-digest
+      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     - name: image-url
       value: $(tasks.build-image-index.results.IMAGE_URL)
     runAfter:
@@ -329,9 +330,9 @@ spec:
     taskRef:
       params:
       - name: name
-        value: ecosystem-cert-preflight-checks
+        value: clair-scan
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:2ad615f9b8141ed2e0b060ebda366ce43cf55a9dd7c98e2d93970ff328dca8b2
+        value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:03383b5a8674edef0ae184dd81f00386017624a5af255cb0b5803d7659483ba5
       - name: kind
         value: task
       resolver: bundles
@@ -340,24 +341,18 @@ spec:
       operator: in
       values:
       - "false"
-  - name: sast-snyk-check
+  - name: ecosystem-cert-preflight-checks
     params:
-    - name: image-digest
-      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
     - name: image-url
       value: $(tasks.build-image-index.results.IMAGE_URL)
-    - name: SOURCE_ARTIFACT
-      value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
-    - name: CACHI2_ARTIFACT
-      value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
     runAfter:
     - build-image-index
     taskRef:
       params:
       - name: name
-        value: sast-snyk-check-oci-ta
+        value: ecosystem-cert-preflight-checks
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:540f585f8abc3790e9e1285330d5610c1101173d9b26a61924586c220e4024e6
+        value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:2ad615f9b8141ed2e0b060ebda366ce43cf55a9dd7c98e2d93970ff328dca8b2
       - name: kind
         value: task
       resolver: bundles
@@ -366,20 +361,24 @@ spec:
       operator: in
       values:
       - "false"
-  - name: rpms-signature-scan
+  - name: sast-snyk-check
     params:
-    - name: image-url
-      value: $(tasks.build-image-index.results.IMAGE_URL)
     - name: image-digest
       value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+    - name: image-url
+      value: $(tasks.build-image-index.results.IMAGE_URL)
+    - name: SOURCE_ARTIFACT
+      value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+    - name: CACHI2_ARTIFACT
+      value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
     runAfter:
     - build-image-index
     taskRef:
       params:
       - name: name
-        value: rpms-signature-scan
+        value: sast-snyk-check-oci-ta
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d00d159c370e3c99447516970c316ef57dfd27c29e0ce3cff50727c9c40936d8
+        value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:540f585f8abc3790e9e1285330d5610c1101173d9b26a61924586c220e4024e6
       - name: kind
         value: task
       resolver: bundles
diff --git a/Dockerfile-args.downstream b/Dockerfile-args.downstream
new file mode 100644
index 0000000000000000000000000000000000000000..adecb80a5bab867246363d863dbfbca0473088e7
--- /dev/null
+++ b/Dockerfile-args.downstream
@@ -0,0 +1 @@
+BUILDVERSION=1.8.1
diff --git a/Dockerfile.downstream b/Dockerfile.downstream
index 1710d02bb81f9829def3d6918a7db5ae41c893c9..7c0e20a6b8d09a233507aa75d31ae63a0ad04b8f 100644
--- a/Dockerfile.downstream
+++ b/Dockerfile.downstream
@@ -1,12 +1,8 @@
-ARG TARGETARCH
-ARG COMMIT
+ARG BUILDVERSION
 # Build the manager binary
-FROM --platform=linux/$TARGETARCH brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23 as builder
-
-ARG TARGETARCH=amd64
-ARG BUILDVERSION="1.8.0"
-ARG COMMIT
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23 as builder
+ARG BUILDVERSION
 WORKDIR /opt/app-root
@@ -20,14 +16,17 @@ COPY go.sum go.sum
 # Build
 ENV GOEXPERIMENT strictfipsruntime
-RUN GOARCH=$TARGETARCH go build -tags strictfipsruntime -ldflags "-X 'main.buildVersion=${BUILDVERSION}' -X 'main.buildDate=`date +%Y-%m-%d\ %H:%M`'" -mod vendor -a -o bin/netobserv-ebpf-agent cmd/netobserv-ebpf-agent.go
+RUN go build -tags strictfipsruntime -ldflags "-X 'main.buildVersion=${BUILDVERSION}' -X 'main.buildDate=`date +%Y-%m-%d\ %H:%M`'" -mod vendor -a -o bin/netobserv-ebpf-agent cmd/netobserv-ebpf-agent.go
 # Create final image from minimal + built binary
-FROM --platform=linux/$TARGETARCH registry.access.redhat.com/ubi9/ubi-minimal:9.5-1741850109
-ARG COMMIT
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5-1741850109
+ARG BUILDVERSION
 WORKDIR /
 COPY --from=builder /opt/app-root/bin/netobserv-ebpf-agent .
+COPY LICENSE /licenses/
+COPY bpf/LICENSE /licenses/LICENSE-GPL
+COPY README.downstream /licenses/README
 USER 65532:65532
 ENTRYPOINT ["/netobserv-ebpf-agent"]
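Review bot: the rewritten builder line still pulls `brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23` by a floating minor tag, and the runtime stage further down pulls `ubi9/ubi-minimal:9.5-1741850109` by tag as well; neither `FROM` is pinned with an `@sha256:` digest, so the toolchain or base can change between two builds of the same commit with no diff in this repository and no way to tell from the SBOM which one was used. Dropping `--platform=linux/$TARGETARCH` also means the builder image is now resolved for whatever platform the build host runs, which is presumably what the pipeline's `build-platforms` handling expects but deserves a note, e.g. `# no --platform: the pipeline builds each entry of build-platforms natively`. Pin both `FROM` lines to a digest (`...:v1.23@sha256:<digest>`) and let the existing nudging/dependency-update flow bump them.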
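Review bot: the re-added `RUN go build` line keeps embedding the wall-clock time through `` -X 'main.buildDate=`date +%Y-%m-%d\ %H:%M`' ``, so two builds of the same commit with the same `BUILDVERSION` yield different binaries and a different image digest, which defeats independent reproduction of a shipped image. If reproducibility is a goal for the downstream build, honour `SOURCE_DATE_EPOCH` when the pipeline provides it, e.g. `` main.buildDate=`date -u -d @${SOURCE_DATE_EPOCH:-$(date +%s)} +%Y-%m-%d\ %H:%M` ``, and otherwise document that `buildDate` is intentionally non-deterministic. The `ARG BUILDVERSION` redeclared in the final stage is only consumed by the `LABEL version=$BUILDVERSION` line, which sits outside this hunk.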
@@ -39,7 +38,5 @@ LABEL io.k8s.description="Network Observability eBPF Agent"
 LABEL summary="Network Observability eBPF Agent"
 LABEL maintainer="support@redhat.com"
 LABEL io.openshift.tags="network-observability-ebpf-agent"
-LABEL upstream-vcs-ref=$COMMIT
-LABEL upstream-vcs-type="git"
 LABEL description="The Network Observability eBPF Agent allows collecting and aggregating all the ingress and egress flows on a Linux host."
 LABEL version=$BUILDVERSION
diff --git a/README.downstream b/README.downstream
new file mode 100644
index 0000000000000000000000000000000000000000..a299efcfb8ab85212254031a972e1d4b3c7d774a
--- /dev/null
+++ b/README.downstream
@@ -0,0 +1,8 @@
+Network Observability eBPF Agent
+
+Licenses
+
+Two licenses are used for the source code in this repository:
+
+- GPL v2 (file: LICENSE-GPL) covers only the eBPF code in `./bpf` source code directory.
+- Apache v2 (file: LICENSE) covers everything else.