From a324c3d1acdcf059e6829716c977db1f84615920 Mon Sep 17 00:00:00 2001 From: Jan Hutar Date: Mon, 5 Aug 2024 16:54:42 +0200 Subject: [PATCH 1/3] feat(KONFLUX-1503): Set some requests and limits so pods can spread across cluster nodes --- task/buildah/0.2/buildah.yaml | 64 ++++++++++++++++++++++++++++++++--- 1 file changed, 60 insertions(+), 4 deletions(-) diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 8f2d13ec50..392618410b 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -168,10 +168,11 @@ spec: name: build computeResources: limits: - memory: 4Gi + memory: 8Gi + cpu: '4' requests: - memory: 512Mi - cpu: 250m + memory: 2Gi + cpu: '1' env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) @@ -380,6 +381,13 @@ spec: # Respect Syft configuration if the user has it in the root of their repository # (need to set the workdir, see https://github.com/anchore/syft/issues/2465) workingDir: $(workspaces.source.path)/source + computeResources: + limits: + memory: 4Gi + cpu: '2' + requests: + memory: 1Gi + cpu: 500m script: | echo "Running syft on the source directory" syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json @@ -393,6 +401,13 @@ spec: name: shared - name: analyse-dependencies-java-sbom image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m script: | if [ -f /var/lib/containers/java ]; then /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) 
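Review bot: The new `build` limits in `@@ -168` (8Gi memory, 4 CPU) are a hard per-container cap, and nothing in the file says how the numbers were chosen or what happens past them (memory above the limit means the step is OOMKilled, not throttled, and the whole TaskRun fails). Add a short rationale above `computeResources:` on the build step, e.g. `# KONFLUX-1503: requests reserve node capacity so pods spread across nodes; limits are a hard cap (memory overrun -> OOMKilled)`. Quoting and key order also differ from the derived task files later in this series (`'4'` and memory-before-cpu here, `"4"` and cpu-before-memory there); if those files are generated from this one that is expected, otherwise settle on one form for the hand-written sources, including clair-scan and clamav-scan in patch 3.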
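Review bot: The identical 512Mi/200m-over-256Mi/100m block is pasted into every light step (`@@ -393` here, all six hunks on the next physical line, and the matching steps in buildah-oci-ta, buildah-remote-oci-ta and buildah-remote in patch 2), which invites drift the first time one copy is tuned. If the Tekton release in use accepts `computeResources` under `spec.stepTemplate`, declare that default once and keep per-step blocks only for the heavy steps (`build`, `sbom-syft-generate`, `inject-sbom-and-push`). Also worth confirming against the Tekton docs for the deployed version: Tekton has historically rewritten step container requests so the pod's effective request reflects the largest step rather than the sum, in which case the small per-step requests may not influence scheduling the way the commit message assumes.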
@@ -410,6 +425,13 @@ spec: - name: merge-syft-sboms image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m script: | #!/bin/python3 import json @@ -445,6 +467,13 @@ spec: - name: merge-cachi2-sbom image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" @@ -459,6 +488,13 @@ spec: - name: create-purl-sbom image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m script: | #!/bin/python3 import json @@ -477,6 +513,13 @@ spec: - name: create-base-images-sbom image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840 + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m script: | python3 /app/base_images_sbom_script.py \ --sbom=sbom-cyclonedx.json \ @@ -488,7 +531,13 @@ spec: - name: inject-sbom-and-push image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 - computeResources: {} + computeResources: + limits: + memory: 4Gi + cpu: '4' + requests: + memory: 1Gi + cpu: '1' script: | #!/bin/bash set -e @@ -566,6 +615,13 @@ spec: fi cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m volumeMounts: - name: trusted-ca mountPath: /mnt/trusted-ca 
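Review bot: In `@@ -566` the new block is appended directly after the last line of the step's `script: |` body, so it only takes effect if `computeResources:` sits at the indentation of `script:`; one level deeper and the YAML parser keeps it as script text and the step runs without any limits. The collapsed copy here does not preserve indentation, so please check the rendered file; the same layout appears in buildah-oci-ta `@@ -617` in patch 2. The enclosing step definition starts outside the hunk.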
From e98164583030e10a90c97f3a748f1ed9d087ad82 Mon Sep 17 00:00:00 2001 From: Jan Hutar Date: Mon, 5 Aug 2024 17:56:06 +0200 Subject: [PATCH 2/3] chore: Make PR checks happy --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 63 +++++++++++++++- .../0.2/buildah-remote-oci-ta.yaml | 71 ++++++++++++++++--- task/buildah-remote/0.2/buildah-remote.yaml | 71 ++++++++++++++++--- 3 files changed, 180 insertions(+), 25 deletions(-) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 5259d29da0..8842207481 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -422,10 +422,11 @@ spec: echo "$BASE_IMAGES" >/shared/base_images_from_dockerfile computeResources: limits: - memory: 4Gi + cpu: "4" + memory: 8Gi requests: - cpu: 250m - memory: 512Mi + cpu: "1" + memory: 2Gi securityContext: capabilities: add: @@ -444,6 +445,13 @@ spec: find $(cat /shared/container_path) -xtype l -delete echo "Running syft on the image filesystem" syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json + computeResources: + limits: + cpu: "2" + memory: 4Gi + requests: + cpu: 500m + memory: 1Gi - name: analyse-dependencies-java-sbom image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 volumeMounts: @@ -458,6 +466,13 @@ spec: else touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) fi + computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi securityContext: runAsUser: 0 - name: merge-syft-sboms @@ -492,6 +507,13 @@ spec: # write the CycloneDX unified SBOM with open("./sbom-cyclonedx.json", "w") as f: json.dump(image_sbom, f, indent=4) + computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi securityContext: runAsUser: 0 - name: merge-cachi2-sbom 
@@ -505,6 +527,13 @@ spec: else echo "Skipping step since no Cachi2 SBOM was produced" fi + computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi securityContext: runAsUser: 0 - name: create-purl-sbom @@ -522,6 +551,13 @@ spec: with open("sbom-purl.json", "w") as output_file: json.dump(purl_content, output_file, indent=4) + computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi securityContext: runAsUser: 0 - name: create-base-images-sbom @@ -532,6 +568,13 @@ spec: --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests + computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi securityContext: runAsUser: 0 - name: inject-sbom-and-push @@ -596,6 +639,13 @@ spec: sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" # The SBOM_BLOB_URL is created by `cosign attach sbom`. echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi securityContext: capabilities: add: @@ -617,3 +667,10 @@ spec: fi cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 68f202b4c0..fbb14b4699 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -206,10 +206,11 @@ spec: - $(params.BUILD_ARGS[*]) computeResources: limits: - memory: 4Gi + cpu: "4" + memory: 8Gi requests: - cpu: 250m - memory: 512Mi + cpu: "1" + memory: 2Gi env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) 
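Review bot: The build step of the remote variants (`@@ -206` here, and `@@ -188` of buildah-remote.yaml further down) receives the same 8Gi / 4 CPU sizing as the in-cluster build, although these variants appear to delegate the build to a remote host over ssh (the `name: ssh` mount on that step in the `@@ -502` hunk). If the local container mostly waits on the remote build, a 2Gi / 1 CPU request reserves node capacity the step never uses, which works against the stated goal of spreading pods across nodes; confirm what the step does locally before copying the in-cluster values. If these files are generated from buildah.yaml, the per-variant sizing belongs in the generator's input rather than in a manual edit here.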
@@ -502,7 +503,13 @@ spec: name: ssh readOnly: true workingDir: /var/workdir - - computeResources: {} + - computeResources: + limits: + cpu: "2" + memory: 4Gi + requests: + cpu: 500m + memory: 1Gi image: quay.io/redhat-appstudio/syft:v0.105.1@sha256:1910b829997650c696881e5fc2fc654ddf3184c27edb1b2024e9cb2ba51ac431 name: sbom-syft-generate script: | @@ -522,7 +529,13 @@ spec: - mountPath: /shared name: shared workingDir: /var/workdir/source - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 name: analyse-dependencies-java-sbom script: | @@ -544,7 +557,13 @@ spec: name: varlibcontainers - mountPath: /shared name: shared - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d name: merge-syft-sboms script: | @@ -579,7 +598,13 @@ spec: securityContext: runAsUser: 0 workingDir: /var/workdir - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad name: merge-cachi2-sbom script: | @@ -598,7 +623,13 @@ spec: securityContext: runAsUser: 0 workingDir: /var/workdir - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d name: create-purl-sbom script: | 
@@ -616,7 +647,13 @@ spec: securityContext: runAsUser: 0 workingDir: /var/workdir - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840 name: create-base-images-sbom script: | @@ -632,7 +669,13 @@ spec: securityContext: runAsUser: 0 workingDir: /var/workdir - - computeResources: {} + - computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 name: inject-sbom-and-push script: | @@ -703,7 +746,13 @@ spec: name: trusted-ca readOnly: true workingDir: /var/workdir - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 name: upload-sbom script: | diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 6e9f563083..04e9fa1f06 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -188,10 +188,11 @@ spec: - $(params.BUILD_ARGS[*]) computeResources: limits: - memory: 4Gi + cpu: "4" + memory: 8Gi requests: - cpu: 250m - memory: 512Mi + cpu: "1" + memory: 2Gi env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) @@ -484,7 +485,13 @@ spec: name: ssh readOnly: true workingDir: $(workspaces.source.path) - - computeResources: {} + - computeResources: + limits: + cpu: "2" + memory: 4Gi + requests: + cpu: 500m + memory: 1Gi image: quay.io/redhat-appstudio/syft:v0.105.1@sha256:1910b829997650c696881e5fc2fc654ddf3184c27edb1b2024e9cb2ba51ac431 name: sbom-syft-generate script: | 
@@ -504,7 +511,13 @@ spec: - mountPath: /shared name: shared workingDir: $(workspaces.source.path)/source - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 name: analyse-dependencies-java-sbom script: | @@ -526,7 +539,13 @@ spec: name: varlibcontainers - mountPath: /shared name: shared - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d name: merge-syft-sboms script: | @@ -561,7 +580,13 @@ spec: securityContext: runAsUser: 0 workingDir: $(workspaces.source.path) - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad name: merge-cachi2-sbom script: | @@ -580,7 +605,13 @@ spec: securityContext: runAsUser: 0 workingDir: $(workspaces.source.path) - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d name: create-purl-sbom script: | @@ -598,7 +629,13 @@ spec: securityContext: runAsUser: 0 workingDir: $(workspaces.source.path) - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840 name: create-base-images-sbom script: | 
@@ -614,7 +651,13 @@ spec: securityContext: runAsUser: 0 workingDir: $(workspaces.source.path) - - computeResources: {} + - computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi image: quay.io/konflux-ci/buildah:latest@sha256:7cb5a35b7fe44e397fbf3b834f3bd8dcd9403a7c0a0b51469e6ec75b107d0846 name: inject-sbom-and-push script: | @@ -685,7 +728,13 @@ spec: name: trusted-ca readOnly: true workingDir: $(workspaces.source.path) - - computeResources: {} + - computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 name: upload-sbom script: | From e98c5dad8ecf8bd1e55c24e501126351cafee254 Mon Sep 17 00:00:00 2001 From: Jan Hutar Date: Wed, 7 Aug 2024 09:34:45 +0200 Subject: [PATCH 3/3] feat: Adding another 2 big players to the mix --- task/clair-scan/0.1/clair-scan.yaml | 21 +++++++++++++++++++++ task/clamav-scan/0.1/clamav-scan.yaml | 14 +++++++++++--- 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/task/clair-scan/0.1/clair-scan.yaml b/task/clair-scan/0.1/clair-scan.yaml index b95b8613cc..7d4df084dc 100644 --- a/task/clair-scan/0.1/clair-scan.yaml +++ b/task/clair-scan/0.1/clair-scan.yaml @@ -30,6 +30,13 @@ spec: - name: get-image-manifests image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940 # the clair-in-ci image neither has skopeo or jq installed. Hence, we create an extra step to get the image manifest digests + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m env: - name: IMAGE_URL value: $(params.image-url) 
@@ -58,6 +65,13 @@ spec: fi - name: get-vulnerabilities image: quay.io/redhat-appstudio/clair-in-ci:v1 # explicit floating tag, daily updates, per arch call this is exempt for now for use of image digest + computeResources: + limits: + memory: 4Gi + cpu: '2' + requests: + memory: 1Gi + cpu: 500m imagePullPolicy: Always env: - name: IMAGE_URL @@ -94,6 +108,13 @@ spec: image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent + computeResources: + limits: + memory: 2Gi + cpu: 500m + requests: + memory: 256Mi + cpu: 100m securityContext: capabilities: add: diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml index dddbc43f85..941a9defe2 100644 --- a/task/clamav-scan/0.1/clamav-scan.yaml +++ b/task/clamav-scan/0.1/clamav-scan.yaml @@ -43,10 +43,11 @@ spec: value: $(params.image-digest) computeResources: limits: - memory: 4Gi + memory: 8Gi + cpu: '2' requests: - memory: 512Mi - cpu: 10m + memory: 2Gi + cpu: 500m script: | #!/usr/bin/env bash set -euo pipefail @@ -144,6 +145,13 @@ spec: name: work - name: upload image: quay.io/konflux-ci/oras:latest@sha256:f4b891ee3038a5f13cd92ff4f473faad5601c2434d1c6b9bccdfc134d9d5f820 + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m env: - name: IMAGE_URL value: $(params.image-url)