Enabling build pipelines

Before users can create an application in Konflux, you must enable build pipelines in your instance of Konflux. At the time of publication, this process includes configuring a smee channel that listens for users' pull requests, and creating a GitHub App so that Konflux can access those PRs.

Prerequisites:
  • Install Konflux

  • Read/write access to your Konflux instance’s repository

Procedure:
  1. Start a new smee channel.

  2. In the repository for your instance of Konflux, edit the file /smee/smee-client.yaml. Replace <smee-channel> with the webhook proxy URL from the previous step.

  3. Create a GitHub App according to these Pipelines as Code instructions. For the Webhook URL field, use the webhook proxy URL for your smee channel.

Verification
The PipelineRun will run only for submitters who have permission to run PipelineRuns or who receive an /ok-to-test comment from an authorized user.
For further details on PipelineRun permissions, refer to the Pipelines as Code documentation.

Enabling component creation with the UI

Creating components from the Konflux UI requires that an additional controller is deployed to manage the automatic creation of image repositories in quay.io. This controller creates image repositories scoped to individual components and simplifies their lifecycle management. Documentation for deploying it can be found in the installation docs.

Customizing the available build pipelines

The build service uses a ConfigMap to determine which Tekton pipelines can be configured when onboarding components. By default, two pipelines are available. To update the pipelines to more recent versions, or to add additional pipelines, update the build-pipeline-config resource.

This ConfigMap can reference any Tekton pipeline bundle. Additional pipelines can be created, pushed to an image repository with tkn bundle push, and then added to the ConfigMap.

Build pipelines available in quay.io/konflux-ci

In order to support different use cases within Konflux, multiple Tekton pipeline bundles are available in the quay.io/konflux-ci organization.

The tasks included in the pipeline definitions can be discovered using yq or jq. For example,
$ tkn bundle list -o yaml quay.io/konflux-ci/tekton-catalog/pipeline-docker-build:devel pipeline docker-build 2>/dev/null | yq ".spec.tasks.[].name"
init
clone-repository
prefetch-dependencies
build-container
build-image-index
build-source-image
deprecated-base-image-check
clair-scan
ecosystem-cert-preflight-checks
sast-snyk-check
clamav-scan
apply-tags
push-dockerfile
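The same task discovery can be scripted over the JSON form of the listing (tkn bundle list -o json), which is handy when auditing which scanning tasks a pipeline actually runs and whether every task bundle is referenced by digest rather than a mutable tag. The following is an added example, not part of the Konflux docs or tooling: the embedded pipeline JSON is a constructed, trimmed-down sample with placeholder digests, and the digest check is a simple practitioner's check, not the policy evaluation EC performs for trusted_task.trusted.

```python
import json

# Constructed sample: a trimmed `tkn bundle list -o json <bundle> pipeline docker-build`
# result with three tasks. Bundle digests are placeholders, not real values.
SAMPLE_PIPELINE_JSON = """
{
  "apiVersion": "tekton.dev/v1",
  "kind": "Pipeline",
  "metadata": {"name": "docker-build"},
  "spec": {"tasks": [
    {"name": "clone-repository", "taskRef": {"resolver": "bundles", "params": [
      {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0000000000000000000000000000000000000000000000000000000000000001"},
      {"name": "name", "value": "git-clone"}, {"name": "kind", "value": "task"}]}},
    {"name": "build-container", "taskRef": {"resolver": "bundles", "params": [
      {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.1@sha256:0000000000000000000000000000000000000000000000000000000000000002"},
      {"name": "name", "value": "buildah"}, {"name": "kind", "value": "task"}]}},
    {"name": "clair-scan", "taskRef": {"resolver": "bundles", "params": [
      {"name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.1"},
      {"name": "name", "value": "clair-scan"}, {"name": "kind", "value": "task"}]}}
  ]}
}
"""

# The scanning tasks present in the docker-build listing above.
SECURITY_TASKS = ["clair-scan", "sast-snyk-check", "clamav-scan"]

def load_pipeline(text):
    """Parse the JSON output of `tkn bundle list -o json ... pipeline <name>`."""
    return json.loads(text)

def task_names(pipeline):
    """Equivalent of `yq ".spec.tasks.[].name"`: task names in pipeline order."""
    return [t["name"] for t in pipeline["spec"]["tasks"]]

def bundle_ref(task):
    """Bundle reference a task resolves from, or None if it uses another resolver."""
    ref = task.get("taskRef", {})
    if ref.get("resolver") != "bundles":
        return None
    return next((p["value"] for p in ref.get("params", []) if p["name"] == "bundle"), None)

def unpinned_tasks(pipeline):
    """Tasks whose bundle is referenced by tag only (no @sha256: digest), so the
    task content behind the reference can change without the pipeline changing."""
    return [t["name"] for t in pipeline["spec"]["tasks"]
            if bundle_ref(t) is not None and "@sha256:" not in bundle_ref(t)]

def missing_tasks(pipeline, required):
    """Required task names (for example the scanners) that the pipeline lacks."""
    return sorted(set(required) - set(task_names(pipeline)))

if __name__ == "__main__":
    p = load_pipeline(SAMPLE_PIPELINE_JSON)
    print(task_names(p), unpinned_tasks(p), missing_tasks(p, SECURITY_TASKS))
```

To run it against a real pipeline, pass the saved tkn output to load_pipeline instead of the constructed sample.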

pipeline-docker-build

This pipeline is ideal for building container images from a Containerfile while reducing network traffic.

It uses buildah to create a container image. It also optionally creates a source image and runs some build-time tests. EC will flag a violation for trusted_task.trusted if any tasks are added to the pipeline. (quay.io link, parameter documentation)

pipeline-docker-build-oci-ta

This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.

It uses buildah to create a container image using trusted artifacts. It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the trusted_task.trusted policy as long as all data used to build the artifact is generated from trusted tasks. (quay.io link, parameter documentation)

pipeline-docker-build-multi-platform-oci-ta

This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

It uses buildah to create a multi-platform container image using trusted artifacts. It also optionally creates a source image and runs some build-time tests. This pipeline requires that the multi-platform controller is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the trusted_task.trusted policy as long as all data used to build the artifact is generated from trusted tasks. (quay.io link, parameter documentation)

pipeline-fbc-builder

This pipeline is ideal for building and verifying file-based catalogs.

It uses buildah to create a container image. Its build-time tests are limited to verifying the included catalog; they do not scan the image itself. (quay.io link, parameter documentation)