wip

tekton/README.md

@@ -0,0 +1,80 @@
+# Multi-architecture Tekton Pipeline
+
+## Share RHEL SCA entitlement with Tekton Pipelines
+
+```sh
+oc create -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etc-pki-entitlement
+type: Opaque
+data:
+  aarch64.pem: $(base64 -w0 /etc/pki/entitlement/XXX.pem)
+  aarch64-key.pem: $(base64 -w0 /etc/pki/entitlement/XXX-key.pem)
+  x86_64.pem: $(base64 -w0 /etc/pki/entitlement/YYY.pem)
+  x86_64-key.pem: $(base64 -w0 /etc/pki/entitlement/YYY-key.pem)
+EOF
+```
+
+## Flightctl CLI container image
+
+```sh
+cd flightctl-image
+./build.sh
+```
+
+## Tekton configuration
+
+```sh
+oc patch tektonconfig/config -n openshift-pipelines --type=merge -p '{"spec":{"pipeline":{"coschedule":"disabled","disable-affinity-assistant":true}}}'
+```
+
+## Pipeline manifests
+
+```sh
+oc apply -k common/
+oc apply -f pipeline.yaml
+```
+
+## Authentication to the registries
+
+```sh
+export REGISTRY_AUTH_FILE="$PWD/auth.json"
+podman login quay.io
+podman login registry.redhat.io
+oc apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    tekton.dev/docker-0: https://quay.io
+    tekton.dev/docker-1: https://registry.redhat.io
+  name: quay-authentication
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: $(base64 -w0 "$PWD/auth.json")
+EOF
+```
+
+## Authentication to GitHub
+
+```sh
+cat > gitconfig <<EOF
+[credential]
+  helper=store
+EOF
+oc create secret generic github-authentication --from-literal=.git-credentials=https://user:password@github.com --from-file=.gitconfig=gitconfig
+```
+
+## Authentication to Flightctl
+
+```sh
+oc create secret generic flightctl-config --from-file=client.yaml=$HOME/.config/flightctl/client.yaml
+```
+
+## Build the base image
+
+```sh
+oc create -f pipelinerun-base.yaml
+```

tekton/common/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+- serviceaccount-buildbot.yaml
+- task-flightctl-update-digest.yaml
+- task-buildah-build.yaml
+- task-buildah-push.yaml
+- task-git.yaml

tekton/common/serviceaccount-buildbot.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: buildbot
+imagePullSecrets:
+- name: registry-authentication
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: buildbot-scc
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: buildbot-scc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: buildbot-scc
+subjects:
+- kind: ServiceAccount
+  name: buildbot

tekton/common/task-buildah-build.yaml

@@ -0,0 +1,112 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  annotations:
+    io.openshift.builder: 'true'
+  name: buildah-build
+spec:
+  params:
+  - name: context-dir
+    type: string
+    default: .
+  - name: containerfile-path
+    type: string
+    default: Containerfile
+  - name: override-from
+    description: Replaces the "FROM" instruction in the Containerfile with this value if set.
+    type: string
+    default: ""
+  workspaces:
+  - name: source-workspace
+    description: Workspace containing source code
+  - name: oci-images
+    mountPath: /srv/oci-images
+  - description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json or .dockerconfigjson.
+    name: dockerconfig
+    optional: true
+  - name: etc-pki-entitlement
+    description: A workspace that provides access to the Red Hat entitlement certificate for pulling Red Hat UBI and RHEL container images.
+    mountPath: /etc/pki/entitlement
+    optional: true
+  volumes:
+  - name: container-storage
+    emptyDir: {}
+  steps:
+  - name: build
+    image: registry.redhat.io/rhel9/buildah:9.6
+    env:
+    - name: STORAGE_DRIVER
+      value: vfs
+    - name: SCRIPT_DEBUG
+      value: "false"
+    - name: OVERRIDE_FROM
+      value: "$(params.override-from)"
+    script: |
+      #!/bin/bash
+      set -Eeuo pipefail
+
+      # If debug is enabled, print out command that are executed
+      if [[ "${SCRIPT_DEBUG:-false}" == "true" ]]; then
+        set -x
+      fi
+
+      # Print versions of the program we use
+      echo "=== Environment ==="
+      echo "---> Buildah"
+      buildah version
+      echo
+      echo "---> bash"
+      bash --version
+      echo
+      echo "---> OS"
+      cat /etc/redhat-release
+      echo
+      echo "---> Host"
+      uname -a
+      echo
+      echo "---> Current user"
+      id
+      echo
+
+      # Checks if etc-pki-entitlement workspace is bound
+      if [[ "$(workspaces.etc-pki-entitlement.bound)" == "true" ]]; then
+        echo "---> Entitlement certificates"
+        ls -lL /etc/pki/entitlement/*.pem
+        echo
+      fi
+
+      # Handle registry credentials
+      if [[ "$(workspaces.dockerconfig.bound)" == "true" ]]; then
+        if test -f "$(workspaces.dockerconfig.path)/config.json"; then
+          export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
+        elif test -f "$(workspaces.dockerconfig.path)/.dockerconfigjson"; then
+          cp "$(workspaces.dockerconfig.path)/.dockerconfigjson" "$HOME/.docker/config.json"
+          export DOCKER_CONFIG="$HOME/.docker"
+        else
+          echo "neither 'config.json' nor '.dockerconfigjson' found at workspace root"
+          exit 1
+        fi
+      fi
+
+      echo "=== Build ==="
+      echo "---> Building image for $(uname -m)"
+      declare -a BUILDAH_OPTS=( )
+      BUILDAH_OPTS+=( "-f" "$(workspaces.source-workspace.path)/$(params.containerfile-path)" )
+      BUILDAH_OPTS+=( "--no-cache" )
+      BUILDAH_OPTS+=( "-t" "localhost/image:$(uname -m)" )
+      BUILDAH_OPTS+=( "$(workspaces.source-workspace.path)/$(params.context-dir)" )
+      if [ -n "${OVERRIDE_FROM:-}" ]; then
+        echo "Overriding FROM instruction with: $OVERRIDE_FROM"
+        BUILDAH_OPTS+=( "--from" "$OVERRIDE_FROM" )
+      fi
+      buildah build "${BUILDAH_OPTS[@]}"
+
+      echo "=== Export as tar archive ==="
+      buildah push localhost/image:$(uname -m) oci-archive:/srv/oci-images/$(uname -m).tar
+    securityContext:
+      capabilities:
+        add:
+          - SETFCAP
+    volumeMounts:
+    - name: container-storage
+      mountPath: /var/lib/containers

tekton/common/task-buildah-push.yaml

@@ -0,0 +1,87 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  annotations:
+    io.openshift.builder: 'true'
+  name: buildah-push
+spec:
+  params:
+  - name: image-name
+    type: string
+  - name: architectures
+    type: array
+  results:
+  - name: image-digest
+    description: The digest of the built image
+  workspaces:
+  - name: oci-images
+    mountPath: /srv/oci-images
+  - description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json or .dockerconfigjson.
+    name: dockerconfig
+    optional: true
+  volumes:
+  - name: container-storage
+    emptyDir: {}
+  steps:
+  - name: push
+    image: registry.redhat.io/rhel9/buildah:9.6
+    env:
+    - name: STORAGE_DRIVER
+      value: vfs
+    args:
+    - "$(params.architectures[*])"
+    script: |
+      #!/bin/bash
+      set -Eeuo pipefail
+
+      # If debug is enabled, print out command that are executed
+      if [[ "${SCRIPT_DEBUG:-false}" == "true" ]]; then
+        set -x
+      fi
+
+      # Print versions of the program we use
+      echo "=== Environment ==="
+      echo "---> Buildah"
+      buildah version
+      echo
+      echo "---> bash"
+      bash --version
+      echo
+      echo "---> OS"
+      cat /etc/redhat-release
+      echo
+      echo "---> Current user"
+      id
+      echo
+
+      # Handle registry credentials
+      if [[ "$(workspaces.dockerconfig.bound)" == "true" ]]; then
+        if test -f "$(workspaces.dockerconfig.path)/config.json"; then
+          export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
+        elif test -f "$(workspaces.dockerconfig.path)/.dockerconfigjson"; then
+          cp "$(workspaces.dockerconfig.path)/.dockerconfigjson" "$HOME/.docker/config.json"
+          export DOCKER_CONFIG="$HOME/.docker"
+        else
+          echo "neither 'config.json' nor '.dockerconfigjson' found at workspace root"
+          exit 1
+        fi
+      fi
+
+      echo "=== Load container images from tar archives ==="
+      declare -a iids=()
+      for arch; do
+        echo "Loading image for architecture $arch..."
+        iid=$(buildah pull oci-archive:/srv/oci-images/$arch.tar)
+        iids+=("$iid")
+      done
+
+      echo "=== Create and push multi-arch manifest ==="
+      buildah manifest create localhost/multi-arch-image "${iids[@]}"
+      buildah manifest push --all localhost/multi-arch-image "--digestfile=$(results.image-digest.path)" docker://$(params.image-name)
+    securityContext:
+      capabilities:
+        add:
+          - SETFCAP
+    volumeMounts:
+    - name: container-storage
+      mountPath: /var/lib/containers

tekton/common/task-flightctl-update-digest.yaml

@@ -0,0 +1,83 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: flightctl-update-digest
+spec:
+  params:
+  - name: new-image-digest
+    type: string
+  - description: The label selector to identify the fleet(s) to update.
+    name: fleet-label-selector
+    type: string
+    default: ""
+  workspaces:
+  - description: An optional workspace that contains the flightctl configuration file (client.yaml).
+    name: flightctl-config
+    optional: true
+  steps:
+  - name: flightctl-update-digest
+    image: quay.io/nmasse-redhat/flightctl:latest
+    env:
+    - name: SCRIPT_DEBUG
+      value: "false"
+    - name: FLEET_LABEL_SELECTOR
+      value: "$(params.fleet-label-selector)"
+    script: |
+      #!/bin/bash
+      set -Eeuo pipefail
+
+      # If debug is enabled, print out command that are executed
+      if [[ "${SCRIPT_DEBUG:-false}" == "true" ]]; then
+        set -x
+      fi
+
+      # Check if the fleet label selector is set
+      if [ -z "${FLEET_LABEL_SELECTOR}" ]; then
+        echo "FLEET_LABEL_SELECTOR is not set. No action taken."
+        exit 0
+      fi
+
+      # Print versions of the program we use
+      echo "=== Environment ==="
+      echo "---> flightctl"
+      flightctl version
+      echo
+      echo "---> bash"
+      bash --version
+      echo
+      echo "---> OS"
+      cat /etc/redhat-release
+      echo
+      echo "---> yq"
+      yq --version
+      echo
+      echo "---> Current user"
+      id
+      echo
+      echo "---> flightctl"
+      flightctl version
+      echo
+
+      # List fleets matching the label selector and update their image to the new digest
+      flightctl --config-dir $(workspaces.flightctl-config.path) get fleets --limit 0 -l "${FLEET_LABEL_SELECTOR}" -o name | while read -r fleet; do
+        echo "Updating fleet $fleet to image digest $(params.new-image-digest)"
+
+        # Get the current fleet definition
+        flightctl --config-dir $(workspaces.flightctl-config.path) get fleet/$fleet -o yaml > /tmp/fleet.yaml
+
+        # Extract the current image from the fleet definition
+        CURRENT_IMAGE="$(yq eval '.spec.template.spec.os.image' /tmp/fleet.yaml)"
+
+        # Splits the CURRENT_IMAGE on the "@" or ":" character and takes the first part (the image name without tag or digest)
+        # Using only bash built-in features to avoid dependencies on other tools
+        IMAGE_NAME="${CURRENT_IMAGE%%[@:]*}"
+
+        # Construct the new image with the new digest
+        NEW_IMAGE="${IMAGE_NAME}@$(params.new-image-digest)"
+
+        # Update the fleet definition with the new image
+        yq eval -i ".spec.template.spec.os.image = \"$NEW_IMAGE\"" /tmp/fleet.yaml
+
+        # Apply the updated fleet definition
+        flightctl --config-dir $(workspaces.flightctl-config.path) apply -f /tmp/fleet.yaml
+      done

tekton/common/task-git.yaml

@@ -0,0 +1,251 @@
+---
+# Source: task-git/templates/task.yaml
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: git
+  labels:
+    app.kubernetes.io/version: 0.2.0
+  annotations:
+    tekton.dev/source: "https://github.com/openshift-pipelines/task-git"
+    tekton.dev/categories: Git
+    tekton.dev/displayName: git
+    tekton.dev/pipelines.minVersion: 0.41.0
+    tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
+    tekton.dev/tags: git
+spec:
+  description: |
+    This Task represents Git and is able to initialize and clone a remote repository on the informed Workspace. It's likely to become the first `step` on a Pipeline. 
+
+  workspaces:
+    - name: output
+      description: |
+        The Git repository directory, data will be placed on the root of the
+        Workspace, or on the relative path defined by the SUBDIRECTORY
+        parameter.
+    - name: ssh-directory
+      optional: true
+      description: |
+        A `.ssh` directory with private key, `known_hosts`, `config`, etc.
+        Copied to the Git user's home before cloning the repository, in order to
+        server as authentication mechanismBinding a Secret to this Workspace is
+        strongly recommended over other volume types.
+    - name: basic-auth
+      optional: true
+      description: |
+        A Workspace containing a `.gitconfig` and `.git-credentials` files.
+        These will be copied to the user's home before Git commands run. All
+        other files in this Workspace are ignored. It is strongly recommended to
+        use `ssh-directory` over `basic-auth` whenever possible, and to bind a
+        Secret to this Workspace over other volume types.
+    - name: ssl-ca-directory
+      optional: true
+      description: |
+        A Workspace containing CA certificates, this will be used by Git to
+        verify the peer with when interacting with remote repositories using
+        HTTPS.
+
+  params:
+    - name: URL
+      type: string
+      description: |
+        Git repository URL.
+    - name: REVISION
+      type: string
+      default: main
+      description: |
+        Revision to checkout, an branch, tag, sha, ref, etc...
+    - name: REFSPEC
+      default: ""
+      description: |
+        Repository `refspec` to fetch before checking out the revision.
+    - name: SUBMODULES
+      type: string
+      default: "true"
+      description: |
+        Initialize and fetch Git submodules.
+    - name: DEPTH
+      type: string
+      default: "1"
+      description: |
+        Number of commits to fetch, a "shallow clone" is a single commit.
+    - name: SSL_VERIFY
+      type: string
+      default: "true"
+      description: |
+        Sets the global `http.sslVerify` value, `false` is not advised unless
+        you trust the remote repository.
+    - name: CRT_FILENAME
+      type: string
+      default: ca-bundle.crt
+      description: |
+        Certificate Authority (CA) bundle filename on the `ssl-ca-directory`
+        Workspace.
+    - name: SUBDIRECTORY
+      type: string
+      default: ""
+      description: |
+        Relative path to the `output` Workspace where the repository will be
+        cloned.
+    - name: SPARSE_CHECKOUT_DIRECTORIES
+      type: string
+      default: ""
+      description: |
+        List of directory patterns split by comma to perform "sparse checkout".
+    - name: DELETE_EXISTING
+      type: string
+      default: "true"
+      description: |
+        Clean out the contents of the `output` Workspace before cloning the
+        repository, if data exists.
+    - name: HTTP_PROXY
+      type: string
+      default: ""
+      description: |
+        HTTP proxy server (non-TLS requests).
+    - name: HTTPS_PROXY
+      type: string
+      default: ""
+      description: |
+        HTTPS proxy server (TLS requests).
+    - name: NO_PROXY
+      type: string
+      default: ""
+      description: |
+        Opt out of proxying HTTP/HTTPS requests.
+    - name: VERBOSE
+      type: string
+      default: "false"
+      description: |
+        Log the commands executed.
+    - name: USER_HOME
+      type: string
+      default: "/home/git"
+      description: |
+        Absolute path to the Git user home directory.
+
+  results:
+    - name: COMMIT
+      description: |
+        The precise commit SHA digest cloned.
+    - name: URL
+      description: |
+        The precise repository URL.
+    - name: COMMITTER_DATE
+      description: |
+        The epoch timestamp of the commit cloned.
+
+  volumes:
+    - name: user-home
+      emptyDir: {}
+    - name: scripts-dir
+      emptyDir: {}
+
+  stepTemplate:
+    env:
+      
+      - name: PARAMS_URL
+        value: "$(params.URL)"
+      - name: PARAMS_REVISION
+        value: "$(params.REVISION)"
+      - name: PARAMS_REFSPEC
+        value: "$(params.REFSPEC)"
+      - name: PARAMS_SUBMODULES
+        value: "$(params.SUBMODULES)"
+      - name: PARAMS_DEPTH
+        value: "$(params.DEPTH)"
+      - name: PARAMS_SSL_VERIFY
+        value: "$(params.SSL_VERIFY)"
+      - name: PARAMS_CRT_FILENAME
+        value: "$(params.CRT_FILENAME)"
+      - name: PARAMS_SUBDIRECTORY
+        value: "$(params.SUBDIRECTORY)"
+      - name: PARAMS_SPARSE_CHECKOUT_DIRECTORIES
+        value: "$(params.SPARSE_CHECKOUT_DIRECTORIES)"
+      - name: PARAMS_DELETE_EXISTING
+        value: "$(params.DELETE_EXISTING)"
+      - name: PARAMS_HTTP_PROXY
+        value: "$(params.HTTP_PROXY)"
+      - name: PARAMS_HTTPS_PROXY
+        value: "$(params.HTTPS_PROXY)"
+      - name: PARAMS_NO_PROXY
+        value: "$(params.NO_PROXY)"
+      - name: PARAMS_VERBOSE
+        value: "$(params.VERBOSE)"
+      - name: PARAMS_USER_HOME
+        value: "$(params.USER_HOME)"
+      - name: WORKSPACES_OUTPUT_PATH
+        value: "$(workspaces.output.path)"
+      - name: WORKSPACES_SSH_DIRECTORY_BOUND
+        value: "$(workspaces.ssh-directory.bound)"
+      - name: WORKSPACES_SSH_DIRECTORY_PATH
+        value: "$(workspaces.ssh-directory.path)"
+      - name: WORKSPACES_BASIC_AUTH_BOUND
+        value: "$(workspaces.basic-auth.bound)"
+      - name: WORKSPACES_BASIC_AUTH_PATH
+        value: "$(workspaces.basic-auth.path)"
+      - name: WORKSPACES_SSL_CA_DIRECTORY_BOUND
+        value: "$(workspaces.ssl-ca-directory.bound)"
+      - name: WORKSPACES_SSL_CA_DIRECTORY_PATH
+        value: "$(workspaces.ssl-ca-directory.path)"
+      - name: RESULTS_COMMITTER_DATE_PATH
+        value: "$(results.COMMITTER_DATE.path)"
+      - name: RESULTS_COMMIT_PATH
+        value: "$(results.COMMIT.path)"
+      - name: RESULTS_URL_PATH
+        value: "$(results.URL.path)"
+    resources:
+      limits:
+        cpu: 100m
+        memory: 256Mi
+      requests:
+        cpu: 100m
+        memory: 256Mi
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 65532
+
+  steps:
+    - name: load-scripts
+      image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14
+      workingDir: /scripts
+      script: |
+        printf '%s' "IyEvdXNyL2Jpbi9lbnYgc2gKCmV4cG9ydCBQQVJBTVNfVVJMPSIke1BBUkFNU19VUkw6LX0iCmV4cG9ydCBQQVJBTVNfUkVWSVNJT049IiR7UEFSQU1TX1JFVklTSU9OOi19IgpleHBvcnQgUEFSQU1TX1JFRlNQRUM9IiR7UEFSQU1TX1JFRlNQRUM6LX0iCmV4cG9ydCBQQVJBTVNfU1VCTU9EVUxFUz0iJHtQQVJBTVNfU1VCTU9EVUxFUzotfSIKZXhwb3J0IFBBUkFNU19ERVBUSD0iJHtQQVJBTVNfREVQVEg6LX0iCmV4cG9ydCBQQVJBTVNfU1NMX1ZFUklGWT0iJHtQQVJBTVNfU1NMX1ZFUklGWTotfSIKZXhwb3J0IFBBUkFNU19DUlRfRklMRU5BTUU9IiR7UEFSQU1TX0NSVF9GSUxFTkFNRTotfSIKZXhwb3J0IFBBUkFNU19TVUJESVJFQ1RPUlk9IiR7UEFSQU1TX1NVQkRJUkVDVE9SWTotfSIKZXhwb3J0IFBBUkFNU19TUEFSU0VfQ0hFQ0tPVVRfRElSRUNUT1JJRVM9IiR7UEFSQU1TX1NQQVJTRV9DSEVDS09VVF9ESVJFQ1RPUklFUzotfSIKZXhwb3J0IFBBUkFNU19ERUxFVEVfRVhJU1RJTkc9IiR7UEFSQU1TX0RFTEVURV9FWElTVElORzotfSIKZXhwb3J0IFBBUkFNU19IVFRQX1BST1hZPSIke1BBUkFNU19IVFRQX1BST1hZOi19IgpleHBvcnQgUEFSQU1TX0hUVFBTX1BST1hZPSIke1BBUkFNU19IVFRQU19QUk9YWTotfSIKZXhwb3J0IFBBUkFNU19OT19QUk9YWT0iJHtQQVJBTVNfTk9fUFJPWFk6LX0iCmV4cG9ydCBQQVJBTVNfVkVSQk9TRT0iJHtQQVJBTVNfVkVSQk9TRTotfSIKZXhwb3J0IFBBUkFNU19VU0VSX0hPTUU9IiR7UEFSQU1TX1VTRVJfSE9NRTotfSIKCmV4cG9ydCBXT1JLU1BBQ0VTX09VVFBVVF9QQVRIPSIke1dPUktTUEFDRVNfT1VUUFVUX1BBVEg6LX0iCmV4cG9ydCBXT1JLU1BBQ0VTX1NTSF9ESVJFQ1RPUllfQk9VTkQ9IiR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX0JPVU5EOi19IgpleHBvcnQgV09SS1NQQUNFU19TU0hfRElSRUNUT1JZX1BBVEg9IiR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX1BBVEg6LX0iCmV4cG9ydCBXT1JLU1BBQ0VTX0JBU0lDX0FVVEhfQk9VTkQ9IiR7V09SS1NQQUNFU19CQVNJQ19BVVRIX0JPVU5EOi19IgpleHBvcnQgV09SS1NQQUNFU19CQVNJQ19BVVRIX1BBVEg9IiR7V09SS1NQQUNFU19CQVNJQ19BVVRIX1BBVEg6LX0iCmV4cG9ydCBXT1JLU1BBQ0VTX1NTTF9DQV9ESVJFQ1RPUllfQk9VTkQ9IiR7V09SS1NQQUNFU19TU0xfQ0FfRElSRUNUT1JZX0JPVU5EOi19IgpleHBvcnQgV09SS1NQQUNFU19TU0xfQ0FfRElSRUNUT1JZX1BBVEg9IiR7V09SS1NQQUNFU19TU0xfQ0FfRElSRUNUT1JZX1BBVEg6LX0iCgpleHBvcnQgUkVTVUxUU19DT01NSVRURVJfREFURV9QQVRIPSIke1JFU1VMVFNfQ09NTUlUVEVSX0RBVEVfUEFUSDotfSIKZXhwb3J0IFJFU1VMVFNfQ09NTUlUX1BBVEg9IiR7UkVTVUxUU19DT01NSVRfUEFUSDotfSIKZXhwb3J0IFJFU1VMVFNfVVJMX1BBVEg9IiR7UkVTVUxUU19VUkxfUEFUSDotfSIKCiMgZnVsbCBwYXRoIHRvIHRoZSBjaGVja291dCBkaXJlY3RvcnksIHVzaW5nIHRoZSBvdXRwdXQgd29ya3NwYWNlIGFuZCBzdWJkaXJlY3RvciBwYXJhbWV0ZXIKZXhwb3J0IGNoZWNrb3V0X2Rpcj0iJHtXT1JLU1BBQ0VTX09VVFBVVF9QQVRIfS8ke1BBUkFNU19TVUJESVJFQ1RPUll9IgoKIwojIEZ1bmN0aW9ucwojCgpmYWlsKCkgewogICAgZWNobyAiRVJST1I6ICR7QH0iIDE+JjIKICAgIGV4aXQgMQp9CgpwaGFzZSgpIHsKICAgIGVjaG8gIi0tLT4gUGhhc2U6ICR7QH0uLi4iCn0KCiMgSW5zcGVjdCB0aGUgZW52aXJvbm1lbnQgdmFyaWFibGVzIHRvIGFzc2VydCB0aGUgbWluaW11bSBjb25maWd1cmF0aW9uIGlzIGluZm9ybWVkLgphc3NlcnRfcmVxdWlyZWRfY29uZmlndXJhdGlvbl9vcl9mYWlsKCkgewogICAgW1sgLXogIiR7UEFSQU1TX1VSTH0iIF1dICYmCiAgICAgICAgZmFpbCAiUGFyYW1ldGVyIFVSTCBpcyBub3Qgc2V0ISIKCiAgICBbWyAteiAiJHtXT1JLU1BBQ0VTX09VVFBVVF9QQVRIfSIgXV0gJiYKICAgICAgICBmYWlsICJPdXRwdXQgV29ya3NwYWNlIGlzIG5vdCBzZXQhIgoKICAgIFtbICEgLWQgIiR7V09SS1NQQUNFU19PVVRQVVRfUEFUSH0iIF1dICYmCiAgICAgICAgZmFpbCAiT3V0cHV0IFdvcmtzcGFjZSBkaXJlY3RvcnkgJyR7V09SS1NQQUNFU19PVVRQVVRfUEFUSH0nIG5vdCBmb3VuZCEiCgogICAgcmV0dXJuIDAKfQoKIyBDb3B5IHRoZSBmaWxlIGludG8gdGhlIGRlc3RpbmF0aW9uLCBjaGVja2luZyBpZiB0aGUgc291cmNlIGV4aXN0cy4KY29weV9vcl9mYWlsKCkgewogICAgbG9jYWwgX21vZGU9IiR7MX0iCiAgICBsb2NhbCBfc3JjPSIkezJ9IgogICAgbG9jYWwgX2RzdD0iJHszfSIKCiAgICBpZiBbWyAhIC1mICIke19zcmN9IiAmJiAhIC1kICIke19zcmN9IiBdXTsgdGhlbgogICAgICAgIGZhaWwgIlNvdXJjZSBmaWxlL2RpcmVjdG9yeSBpcyBub3QgZm91bmQgYXQgJyR7X3NyY30nIgogICAgZmkKCiAgICBpZiBbWyAtZCAiJHtfc3JjfSIgXV07IHRoZW4KICAgICAgICBjcCAtUnYgJHtfc3JjfSAke19kc3R9CiAgICAgICAgY2htb2QgLXYgJHtfbW9kZX0gJHtfZHN0fQogICAgZWxzZQogICAgICAgIGluc3RhbGwgLS12ZXJib3NlIC0tbW9kZT0ke19tb2RlfSAke19zcmN9ICR7X2RzdH0KICAgIGZpCn0KCiMgRGVsZXRlIGFueSBleGlzdGluZyBjb250ZW50cyBvZiB0aGUgcmVwbyBkaXJlY3RvcnkgaWYgaXQgZXhpc3RzLiBXZSBkb24ndCBqdXN0ICJybSAtcmYgPGRpcj4iCiMgYmVjYXVzZSBtaWdodCBiZSAiLyIgb3IgdGhlIHJvb3Qgb2YgYSBtb3VudGVkIHZvbHVtZS4KY2xlYW5fZGlyKCkgewogICAgbG9jYWwgX2Rpcj0iJHsxfSIKCiAgICBbWyAhIC1kICIke19kaXJ9IiBdXSAmJgogICAgICAgIHJldHVybiAwCgogICAgIyBEZWxldGUgbm9uLWhpZGRlbiBmaWxlcyBhbmQgZGlyZWN0b3JpZXMKICAgIHJtIC1yZnYgJHtfZGlyOj99LyoKICAgICMgRGVsZXRlIGZpbGVzIGFuZCBkaXJlY3RvcmllcyBzdGFydGluZyB3aXRoIC4gYnV0IGV4Y2x1ZGluZyAuLgogICAgcm0gLXJmdiAke19kaXJ9Ly5bIS5dKgogICAgIyBEZWxldGUgZmlsZXMgYW5kIGRpcmVjdG9yaWVzIHN0YXJ0aW5nIHdpdGggLi4gcGx1cyBhbnkgb3RoZXIgY2hhcmFjdGVyCiAgICBybSAtcmZ2ICR7X2Rpcn0vLi4/Kgp9CgojCiMgU2V0dGluZ3MKIwoKIyB3aGVuIHRoZSBrby1hcHAgZGlyZWN0b3J5IGlzIHByZXNlbnQsIG1ha2luZyBzdXJlIGl0J3MgcGFydCBvZiB0aGUgUEFUSApbWyAtZCAiL2tvLWFwcCIgXV0gJiYgZXhwb3J0IFBBVEg9IiR7UEFUSH06L2tvLWFwcCIKCiMgbWFraW5nIHRoZSBzaGVsbCB2ZXJib3NlIHdoZW4gdGhlIHBhcmFtdGVyIGlzIHNldApbWyAiJHtQQVJBTVNfVkVSQk9TRX0iID09ICJ0cnVlIiBdXSAmJiBzZXQgLXgKCnJldHVybiAw" |base64 -d >common.sh
+        chmod +x "common.sh"
+        printf '%s' "IyEvdXNyL2Jpbi9lbnYgc2gKIwojIEV4cG9ydHMgcHJveHkgYW5kIGN1c3RvbSBTU0wgQ0EgY2VydGlmaWNhdHMgaW4gdGhlIGVudmlyb21lbnQgYW5kIHJ1bnMgdGhlIGdpdC1pbml0IHdpdGggZmxhZ3MKIyBiYXNlZCBvbiB0aGUgdGFzayBwYXJhbWV0ZXJzLgojCgpzZXQgLWV1Cgpzb3VyY2UgJChDRFBBVEg9IGNkIC0tICIkKGRpcm5hbWUgLS0gJHswfSkiICYmIHB3ZCkvY29tbW9uLnNoCgphc3NlcnRfcmVxdWlyZWRfY29uZmlndXJhdGlvbl9vcl9mYWlsCgojCiMgQ0EgKGBzc2wtY2EtZGlyZWN0b3J5YCBXb3Jrc3BhY2UpCiMKCmlmIFtbICIke1dPUktTUEFDRVNfU1NMX0NBX0RJUkVDVE9SWV9CT1VORH0iID09ICJ0cnVlIiAmJiAtbiAiJHtQQVJBTVNfQ1JUX0ZJTEVOQU1FfSIgXV07IHRoZW4KCXBoYXNlICJJbnNwZWN0aW5nICdzc2wtY2EtZGlyZWN0b3J5JyB3b3Jrc3BhY2UgbG9va2luZyBmb3IgJyR7UEFSQU1TX0NSVF9GSUxFTkFNRX0nIGZpbGUiCgljcnQ9IiR7V09SS1NQQUNFU19TU0xfQ0FfRElSRUNUT1JZX1BBVEh9LyR7UEFSQU1TX0NSVF9GSUxFTkFNRX0iCglbWyAhIC1mICIke2NydH0iIF1dICYmCgkJZmFpbCAiQ1JUIGZpbGUgKFBBUkFNU19DUlRfRklMRU5BTUUpIG5vdCBmb3VuZCBhdCAnJHtjcnR9JyIKCglwaGFzZSAiRXhwb3J0aW5nIGN1c3RvbSBDQSBjZXJ0aWZpY2F0ZSAnR0lUX1NTTF9DQUlORk89JHtjcnR9JyIKCWV4cG9ydCBHSVRfU1NMX0NBSU5GTz0ke2NydH0KZmkKCiMKIyBQcm94eSBTZXR0aW5ncwojCgpwaGFzZSAiU2V0dGluZyB1cCBIVFRQX1BST1hZPScke1BBUkFNU19IVFRQX1BST1hZfSciCltbIC1uICIke1BBUkFNU19IVFRQX1BST1hZfSIgXV0gJiYgZXhwb3J0IEhUVFBfUFJPWFk9IiR7UEFSQU1TX0hUVFBfUFJPWFl9IgoKcGhhc2UgIlNldHR0aW5nIHVwIEhUVFBTX1BST1hZPScke1BBUkFNU19IVFRQU19QUk9YWX0nIgpbWyAtbiAiJHtQQVJBTVNfSFRUUFNfUFJPWFl9IiBdXSAmJiBleHBvcnQgSFRUUFNfUFJPWFk9IiR7UEFSQU1TX0hUVFBTX1BST1hZfSIKCnBoYXNlICJTZXR0aW5nIHVwIE5PX1BST1hZPScke1BBUkFNU19OT19QUk9YWX0nIgpbWyAtbiAiJHtQQVJBTVNfTk9fUFJPWFl9IiBdXSAmJiBleHBvcnQgTk9fUFJPWFk9IiR7UEFSQU1TX05PX1BST1hZfSIKCiMKIyBHaXQgQ2xvbmUKIwoKcGhhc2UgIlNldHRpbmcgb3V0cHV0IHdvcmtzcGFjZSBhcyBzYWZlIGRpcmVjdG9yeSAoJyR7V09SS1NQQUNFU19PVVRQVVRfUEFUSH0nKSIKZ2l0IGNvbmZpZyAtLWdsb2JhbCAtLWFkZCBzYWZlLmRpcmVjdG9yeSAiJHtXT1JLU1BBQ0VTX09VVFBVVF9QQVRIfSIKCnBoYXNlICJDbG9uaW5nICcke1BBUkFNU19VUkx9JyBpbnRvICcke2NoZWNrb3V0X2Rpcn0nIgpzZXQgLXgKZXhlYyBnaXQtaW5pdCBcCgktdXJsPSIke1BBUkFNU19VUkx9IiBcCgktcmV2aXNpb249IiR7UEFSQU1TX1JFVklTSU9OfSIgXAoJLXJlZnNwZWM9IiR7UEFSQU1TX1JFRlNQRUN9IiBcCgktcGF0aD0iJHtjaGVja291dF9kaXJ9IiBcCgktc3NsVmVyaWZ5PSIke1BBUkFNU19TU0xfVkVSSUZZfSIgXAoJLXN1Ym1vZHVsZXM9IiR7UEFSQU1TX1NVQk1PRFVMRVN9IiBcCgktZGVwdGg9IiR7UEFSQU1TX0RFUFRIfSIgXAoJLXNwYXJzZUNoZWNrb3V0RGlyZWN0b3JpZXM9IiR7UEFSQU1TX1NQQVJTRV9DSEVDS09VVF9ESVJFQ1RPUklFU30iCg==" |base64 -d >git-clone.sh
+        chmod +x "git-clone.sh"
+        printf '%s' "IyEvdXNyL2Jpbi9lbnYgc2gKIwojIFNldHMgdXAgdGhlIGJhc2ljIGFuZCBTU0ggYXV0aGVudGljYXRpb24gYmFzZWQgb24gaW5mb3JtZWQgd29ya3NwYWNlcywgYXMgd2VsbCBhcyBjbGVhbmluZyB1cCB0aGUKIyBwcmV2aW91cyBnaXQtY2xvbmUgc3RhbGUgZGF0YS4KIwoKc2V0IC1ldQoKc291cmNlICQoQ0RQQVRIPSBjZCAtLSAiJChkaXJuYW1lIC0tICR7MH0pIiAmJiBwd2QpL2NvbW1vbi5zaAoKYXNzZXJ0X3JlcXVpcmVkX2NvbmZpZ3VyYXRpb25fb3JfZmFpbAoKcGhhc2UgIlByZXBhcmluZyB0aGUgZmlsZXN5c3RlbSBiZWZvcmUgY2xvbmluZyB0aGUgcmVwb3NpdG9yeSIKCmlmIFtbICIke1dPUktTUEFDRVNfQkFTSUNfQVVUSF9CT1VORH0iID09ICJ0cnVlIiBdXTsgdGhlbgoJcGhhc2UgIkNvbmZpZ3VyaW5nIEdpdCBhdXRoZW50aWNhdGlvbiB3aXRoICdiYXNpYy1hdXRoJyBXb3Jrc3BhY2UgZmlsZXMiCgoJZm9yIGYgaW4gLmdpdC1jcmVkZW50aWFscyAuZ2l0Y29uZmlnOyBkbwoJCXNyYz0iJHtXT1JLU1BBQ0VTX0JBU0lDX0FVVEhfUEFUSH0vJHtmfSIKCQlwaGFzZSAiQ29weWluZyAnJHtzcmN9JyB0byAnJHtQQVJBTVNfVVNFUl9IT01FfSciCgkJY29weV9vcl9mYWlsIDQwMCAke3NyY30gIiR7UEFSQU1TX1VTRVJfSE9NRX0vIgoJZG9uZQpmaQoKaWYgW1sgIiR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX0JPVU5EfSIgPT0gInRydWUiIF1dOyB0aGVuCglwaGFzZSAiQ29weWluZyAnLnNzaCcgZnJvbSBzc2gtZGlyZWN0b3J5IHdvcmtzcGFjZSAoJyR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX1BBVEh9JykiCgoJZG90X3NzaD0iJHtQQVJBTVNfVVNFUl9IT01FfS8uc3NoIgoJY29weV9vcl9mYWlsIDcwMCAke1dPUktTUEFDRVNfU1NIX0RJUkVDVE9SWV9QQVRIfSAke2RvdF9zc2h9CgljaG1vZCAtUnYgNDAwICR7ZG90X3NzaH0vKgpmaQoKaWYgW1sgIiR7UEFSQU1TX0RFTEVURV9FWElTVElOR30iID09ICJ0cnVlIiBdXTsgdGhlbgoJcGhhc2UgIkRlbGV0aW5nIGFsbCBjb250ZW50cyBvZiBjaGVja291dC1kaXIgJyR7Y2hlY2tvdXRfZGlyfSciCgljbGVhbl9kaXIgJHtjaGVja291dF9kaXJ9IHx8IHRydWUKZmkKCmV4aXQgMA==" |base64 -d >prepare.sh
+        chmod +x "prepare.sh"
+        printf '%s' "IyEvdXNyL2Jpbi9lbnYgc2gKIwojIFNjYW4gdGhlIGNsb25lZCByZXBvc2l0b3J5IGluIG9yZGVyIHRvIHJlcG9ydCBkZXRhaWxzIHdyaXR0aW5nIHRoZSByZXN1bHQgZmlsZXMuCiMKCnNldCAtZXUKCnNvdXJjZSAkKENEUEFUSD0gY2QgLS0gIiQoZGlybmFtZSAtLSAkezB9KSIgJiYgcHdkKS9jb21tb24uc2gKCmFzc2VydF9yZXF1aXJlZF9jb25maWd1cmF0aW9uX29yX2ZhaWwKCnBoYXNlICJDb2xsZWN0aW5nIGNsb25lZCByZXBvc2l0b3J5IGluZm9ybWF0aW9uICgnJHtjaGVja291dF9kaXJ9JykiCgpjZCAiJHtjaGVja291dF9kaXJ9IiB8fCBmYWlsICJOb3QgYWJsZSB0byBlbnRlciBjaGVja291dC1kaXIgJyR7Y2hlY2tvdXRfZGlyfSciCgpwaGFzZSAiU2V0dGluZyBvdXRwdXQgd29ya3NwYWNlIGFzIHNhZmUgZGlyZWN0b3J5ICgnJHtXT1JLU1BBQ0VTX09VVFBVVF9QQVRIfScpIgpnaXQgY29uZmlnIC0tZ2xvYmFsIC0tYWRkIHNhZmUuZGlyZWN0b3J5ICIke1dPUktTUEFDRVNfT1VUUFVUX1BBVEh9IgoKcmVzdWx0X3NoYT0iJChnaXQgcmV2LXBhcnNlIEhFQUQpIgpyZXN1bHRfY29tbWl0dGVyX2RhdGU9IiQoZ2l0IGxvZyAtMSAtLXByZXR0eT0lY3QpIgoKcGhhc2UgIlJlcG9ydGluZyBsYXN0IGNvbW1pdCBkYXRlICcke3Jlc3VsdF9jb21taXR0ZXJfZGF0ZX0nIgpwcmludGYgIiVzIiAiJHtyZXN1bHRfY29tbWl0dGVyX2RhdGV9IiA+JHtSRVNVTFRTX0NPTU1JVFRFUl9EQVRFX1BBVEh9CgpwaGFzZSAiUmVwb3J0aW5nIHBhcnNlZCByZXZpc2lvbiBTSEEgJyR7cmVzdWx0X3NoYX0nIgpwcmludGYgIiVzIiAiJHtyZXN1bHRfc2hhfSIgPiR7UkVTVUxUU19DT01NSVRfUEFUSH0KCnBoYXNlICJSZXBvcnRpbmcgcmVwb3NpdG9yeSBVUkwgJyR7UEFSQU1TX1VSTH0nIgpwcmludGYgIiVzIiAiJHtQQVJBTVNfVVJMfSIgPiR7UkVTVUxUU19VUkxfUEFUSH0KCmV4aXQgMA==" |base64 -d >report.sh
+        chmod +x "report.sh"
+      volumeMounts:
+        - name: scripts-dir
+          mountPath: /scripts
+
+    - name: prepare
+      image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14
+      command:
+        - /scripts/prepare.sh
+      volumeMounts:
+        - name: scripts-dir
+          mountPath: /scripts
+        - name: user-home
+          mountPath: $(params.USER_HOME)
+
+    - name: git-clone
+      image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14
+      command:
+        - /scripts/git-clone.sh
+      volumeMounts:
+        - name: scripts-dir
+          mountPath: /scripts
+        - name: user-home
+          mountPath: $(params.USER_HOME)
+
+    - name: report
+      image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14
+      command:
+        - /scripts/report.sh
+      volumeMounts:
+        - name: scripts-dir
+          mountPath: /scripts

tekton/flightctl-image/Containerfile

@@ -5,8 +5,10 @@ set -Eeuo pipefail
 echo "Disabling Subscription Manager..."
 echo -e "[main]\nenabled=0" > /etc/dnf/plugins/subscription-manager.conf
 echo "Installing flightctl..."
-curl -sSfL -o /etc/yum.repos.d/flightctl-copr.repo https://copr.fedorainfracloud.org/coprs/g/redhat-et/flightctl/repo/rhel-9/group_redhat-et-flightctl-rhel-9.repo
+dnf install -y https://download.copr.fedorainfracloud.org/results/%40redhat-et/flightctl/epel-9-$(arch)/09523645-flightctl/flightctl-cli-0.9.3-1.el9.$(arch).rpm
-dnf install -y flightctl
+echo "Installing yq (from EPEL)..."
+dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+dnf install -y yq
 echo "Cleaning up..."
 dnf clean all
 EOF

tekton/flightctl-image/build.sh

@@ -2,13 +2,39 @@
 
 set -euo pipefail
 
+TARGET_IMAGE="quay.io/nmasse-redhat/flightctl:latest"
+SOURCE_IMAGE="registry.access.redhat.com/ubi9/ubi:latest"
+SOURCE_REF=ubi9
+TARGET_REF=flightctl
+
 echo "Logging into quay.io..."
 podman login quay.io
 
-echo "Building and pushing the flightctl image..."
+echo "Pulling source image $SOURCE_IMAGE for x86_64..."
-podman build -t quay.io/nmasse-redhat/flightctl:latest .
+podman rmi -i "$SOURCE_IMAGE"
-podman push quay.io/nmasse-redhat/flightctl:latest
+podman pull --platform linux/amd64 "$SOURCE_IMAGE"
+podman tag "$SOURCE_IMAGE" "localhost/$SOURCE_REF-x86_64"
+podman rmi -i "$SOURCE_IMAGE"
+
+echo "Pulling source image $SOURCE_IMAGE for aarch64..."
+podman pull --platform linux/arm64/v8 "$SOURCE_IMAGE"
+podman tag "$SOURCE_IMAGE" "localhost/$SOURCE_REF-aarch64"
+podman rmi -i "$SOURCE_IMAGE"
+
+echo "Building target image $TARGET_IMAGE for x86_64 architecture..."
+buildah build --platform linux/amd64 -t localhost/$TARGET_REF-x86_64 --from "localhost/$SOURCE_REF-x86_64" .
+
+echo "Building target image $TARGET_IMAGE for aarch64 architecture..."
+buildah build --platform linux/arm64/v8 -t localhost/$TARGET_REF-aarch64 --from "localhost/$SOURCE_REF-aarch64" .
+
+echo "Creating multi-arch manifest..."
+if podman manifest exists localhost/$TARGET_REF; then
+  podman manifest rm localhost/$TARGET_REF
+fi
+podman manifest create localhost/$TARGET_REF
+podman manifest add localhost/$TARGET_REF localhost/$TARGET_REF-x86_64
+podman manifest add localhost/$TARGET_REF localhost/$TARGET_REF-aarch64
 
-echo "Build and push completed successfully."
+echo "pushing to $TARGET_IMAGE..."
-echo "Image available at: https://quay.io/repository/nmasse-redhat/flightctl?tab=tags"
+read -p "Press enter to continue "
-exit 0
+podman manifest push --all --format v2s2 localhost/$TARGET_REF "docker://$TARGET_IMAGE"

tekton/pipeline.yaml

@@ -0,0 +1,138 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: bootc
+spec:
+
+  workspaces:
+  - name: source-workspace
+    description: Workspace containing source code (from git)
+  - name: oci-images
+    description: Workspace for storing OCI images temporarily as tar files before pushing to a registry
+  - name: registry-token
+    description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json or .dockerconfigjson.
+    optional: true
+  - name: git-auth
+    description: An optional workspace that allows providing SSH keys or .gitconfig file for git authentication. The SSH keys should be placed at the root of the Workspace with names id_rsa and id_rsa.pub. The .gitconfig file should also be placed at the root of the Workspace with name .gitconfig.
+    optional: true
+  - name: flightctl-config
+    description: An optional workspace that contains the flightctl configuration file (client.yaml).
+    optional: true
+  - name: etc-pki-entitlement-x86_64
+    description: A workspace that provides access to the Red Hat entitlement certificate for pulling Red Hat UBI and RHEL container images, for x86_64 architecture.
+    optional: true
+  - name: etc-pki-entitlement-aarch64
+    description: A workspace that provides access to the Red Hat entitlement certificate for pulling Red Hat UBI and RHEL container images, for aarch64 architecture.
+    optional: true
+
+  params:
+  - name: git-url
+    type: string
+  - name: git-revision
+    type: string
+    default: main
+  - name: image-name
+    type: string
+  - name: override-from
+    description: Replaces the "FROM" instruction in the Containerfile with this value if set.
+    type: string
+    default: ""
+  - name: context-dir
+    type: string
+    default: "."
+  - name: containerfile-path
+    type: string
+    default: "Containerfile"
+  - name: fleet-label-selector
+    description: The label selector to identify the fleet(s) to update. If not provided, no fleets will be updated!
+    type: string
+    default: ""
+
+  tasks:
+
+  - name: clone-repo
+    taskRef:
+      kind: Task
+      name: git
+    params:
+    - name: URL
+      value: $(params.git-url)
+    - name: REVISION
+      value: $(params.git-revision)
+    workspaces:
+    - name: output
+      workspace: source-workspace
+    - name: basic-auth
+      workspace: git-auth
+  
+  - name: build-x86-64
+    runAfter: ["clone-repo"]
+    taskRef:
+      name: buildah-build
+    params:
+    - name: context-dir
+      value: $(params.context-dir)
+    - name: containerfile-path
+      value: $(params.containerfile-path)
+    - name: override-from
+      value: $(params.override-from)
+    workspaces:
+    - name: source-workspace
+      workspace: source-workspace
+    - name: oci-images
+      workspace: oci-images
+    - name: dockerconfig
+      workspace: registry-token
+    - name: etc-pki-entitlement
+      workspace: etc-pki-entitlement-x86_64
+
+  - name: build-aarch64
+    runAfter: ["clone-repo"]
+    taskRef:
+      name: buildah-build
+    params:
+    - name: context-dir
+      value: $(params.context-dir)
+    - name: containerfile-path
+      value: $(params.containerfile-path)
+    - name: override-from
+      value: $(params.override-from)
+    workspaces:
+    - name: source-workspace
+      workspace: source-workspace
+    - name: oci-images
+      workspace: oci-images
+    - name: dockerconfig
+      workspace: registry-token
+    - name: etc-pki-entitlement
+      workspace: etc-pki-entitlement-aarch64
+
+  - name: push-image
+    runAfter: ["build-x86-64", "build-aarch64"]
+    taskRef:
+      name: buildah-push
+    params:
+    - name: image-name
+      value: $(params.image-name)
+    - name: architectures
+      value:
+      - x86_64
+      - aarch64
+    workspaces:
+    - name: oci-images
+      workspace: oci-images
+    - name: dockerconfig
+      workspace: registry-token
+
+  - name: flightctl-update-digest
+    runAfter: ["push-image"]
+    taskRef:
+      name: flightctl-update-digest
+    params:
+    - name: new-image-digest
+      value: $(tasks.push-image.results.image-digest)
+    - name: fleet-label-selector
+      value: "$(params.fleet-label-selector)"
+    workspaces:
+    - name: flightctl-config
+      workspace: flightctl-config

tekton/pipelinerun1.yaml

@@ -0,0 +1,73 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  generateName: bootc-base-
+spec:
+  pipelineRef:
+    name: bootc
+  params:
+  - name: git-url
+    value: https://github.com/nmasse-itix/demo-edge-retail.git
+  - name: git-revision
+    value: main
+  - name: image-name
+    value: quay.io/nmasse-redhat/demo-edge-retail/base:latest
+  - name: context-dir
+    value: bootc/base
+  - name: containerfile-path
+    value: "bootc/base/Containerfile"
+  workspaces:
+  - name: oci-images
+    volumeClaimTemplate:
+      spec:
+        storageClassName: efs-csi
+        accessModes:
+        - ReadWriteMany
+        resources:
+          requests:
+            storage: 10Gi
+  - name: source-workspace
+    volumeClaimTemplate:
+      spec:
+        storageClassName: efs-csi
+        accessModes:
+        - ReadWriteMany
+        resources:
+          requests:
+            storage: 1Gi
+  - name: registry-token
+    secret:
+      secretName: quay-authentication
+  - name: git-auth
+    secret:
+      secretName: github-authentication
+  - name: flightctl-config
+    secret:
+      secretName: flightctl-config
+  - name: etc-pki-entitlement-x86_64
+    secret:
+      secretName: etc-pki-entitlement
+      items:
+      - key: x86_64.pem
+        path: x86_64.pem
+      - key: x86_64-key.pem
+        path: x86_64-key.pem
+  - name: etc-pki-entitlement-aarch64
+    secret:
+      secretName: etc-pki-entitlement
+      items:
+      - key: aarch64.pem
+        path: aarch64.pem
+      - key: aarch64-key.pem
+        path: aarch64-key.pem
+  taskRunTemplate:
+    serviceAccountName: buildbot
+  taskRunSpecs:
+  - pipelineTaskName: build-aarch64
+    podTemplate:
+      nodeSelector:
+        beta.kubernetes.io/arch: arm64
+      tolerations:
+      - key: "emea-open-demo.redhat.com/arm64-architecture"
+        operator: "Exists"
+        effect: "NoSchedule"

tekton/pipelinerun2.yaml

@@ -0,0 +1,155 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  generateName: bootc-baremetal-
+spec:
+  pipelineRef:
+    name: bootc
+  params:
+  - name: git-url
+    value: https://github.com/nmasse-itix/demo-edge-retail.git
+  - name: git-revision
+    value: main
+  - name: image-name
+    value: quay.io/nmasse-redhat/demo-edge-retail/baremetal:latest
+  - name: context-dir
+    value: bootc/baremetal
+  - name: containerfile-path
+    value: "bootc/baremetal/Containerfile"
+  - name: override-from
+    value: "quay.io/nmasse-redhat/demo-edge-retail/base:latest"
+  - name: fleet-label-selector
+    value: "fleet=store-baremetal"
+  workspaces:
+  - name: oci-images
+    volumeClaimTemplate:
+      spec:
+        storageClassName: efs-csi
+        accessModes:
+        - ReadWriteMany
+        resources:
+          requests:
+            storage: 10Gi
+  - name: source-workspace
+    volumeClaimTemplate:
+      spec:
+        storageClassName: efs-csi
+        accessModes:
+        - ReadWriteMany
+        resources:
+          requests:
+            storage: 1Gi
+  - name: registry-token
+    secret:
+      secretName: quay-authentication
+  - name: git-auth
+    secret:
+      secretName: github-authentication
+  - name: flightctl-config
+    secret:
+      secretName: flightctl-config
+  - name: etc-pki-entitlement-x86_64
+    secret:
+      secretName: etc-pki-entitlement
+      items:
+      - key: x86_64.pem
+        path: x86_64.pem
+      - key: x86_64-key.pem
+        path: x86_64-key.pem
+  - name: etc-pki-entitlement-aarch64
+    secret:
+      secretName: etc-pki-entitlement
+      items:
+      - key: aarch64.pem
+        path: aarch64.pem
+      - key: aarch64-key.pem
+        path: aarch64-key.pem
+  taskRunTemplate:
+    serviceAccountName: buildbot
+  taskRunSpecs:
+  - pipelineTaskName: build-aarch64
+    podTemplate:
+      nodeSelector:
+        beta.kubernetes.io/arch: arm64
+      tolerations:
+      - key: "emea-open-demo.redhat.com/arm64-architecture"
+        operator: "Exists"
+        effect: "NoSchedule"
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  generateName: bootc-virtualmachine-
+spec:
+  pipelineRef:
+    name: bootc
+  params:
+  - name: git-url
+    value: https://github.com/nmasse-itix/demo-edge-retail.git
+  - name: git-revision
+    value: main
+  - name: image-name
+    value: quay.io/nmasse-redhat/demo-edge-retail/virtualmachine:latest
+  - name: context-dir
+    value: bootc/virtualmachine
+  - name: containerfile-path
+    value: "bootc/virtualmachine/Containerfile"
+  - name: override-from
+    value: "quay.io/nmasse-redhat/demo-edge-retail/base:latest"
+  - name: fleet-label-selector
+    value: "fleet=store-vm-nextcloud"
+  workspaces:
+  - name: oci-images
+    volumeClaimTemplate:
+      spec:
+        storageClassName: efs-csi
+        accessModes:
+        - ReadWriteMany
+        resources:
+          requests:
+            storage: 10Gi
+  - name: source-workspace
+    volumeClaimTemplate:
+      spec:
+        storageClassName: efs-csi
+        accessModes:
+        - ReadWriteMany
+        resources:
+          requests:
+            storage: 1Gi
+  - name: registry-token
+    secret:
+      secretName: quay-authentication
+  - name: git-auth
+    secret:
+      secretName: github-authentication
+  - name: flightctl-config
+    secret:
+      secretName: flightctl-config
+  - name: etc-pki-entitlement-x86_64
+    secret:
+      secretName: etc-pki-entitlement
+      items:
+      - key: x86_64.pem
+        path: x86_64.pem
+      - key: x86_64-key.pem
+        path: x86_64-key.pem
+  - name: etc-pki-entitlement-aarch64
+    secret:
+      secretName: etc-pki-entitlement
+      items:
+      - key: aarch64.pem
+        path: aarch64.pem
+      - key: aarch64-key.pem
+        path: aarch64-key.pem
+  taskRunTemplate:
+    serviceAccountName: buildbot
+  taskRunSpecs:
+  - pipelineTaskName: build-aarch64
+    podTemplate:
+      nodeSelector:
+        beta.kubernetes.io/arch: arm64
+      tolerations:
+      - key: "emea-open-demo.redhat.com/arm64-architecture"
+        operator: "Exists"
+        effect: "NoSchedule"

tekton/taskrun.yaml

@@ -0,0 +1,16 @@
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  generateName: flightctl-update-digest-
+spec:
+  taskRef:
+    name: flightctl-update-digest
+  params:
+    - name: new-image-digest
+      value: "sha256:792784b2fd2ee28e96ed4e73a22814afbb46075cdf352f3487df34bc16e8c166" 
+    - name: fleet-label-selector
+      value: "fleet=store-baremetal"
+  workspaces:
+    - name: flightctl-config
+      secret:
+        secretName: flightctl-config