ROX-20750: Onboard scanner-db-slim to Konflux

[tommartensen]

How are scanner-db-slim pipelines different from scanner-db?

-> scanner-db includes SQL definitions, scanner-db-slim ships without
-> TARGET_STAGE points to the respective stage in the Dockerfile

Multi-stage Docker build:

We have a scanner-db-common stage.
The final scanner-db-slim is just this plus updated labels and ROX_SLIM_MODE env var.
The full scanner-db, in addition to scanner-common stage, copies the SQL definitions to the container image (and has slightly different labels).

Validation

Looking at the images and confirming that slim does not have SQL definitions.

• docker run -it --entrypoint /bin/sh quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:on-pr-679696d44285c6dc3d20c72ebdd79ddabffacf99
• docker run -it --entrypoint /bin/sh quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db:on-pr-679696d44285c6dc3d20c72ebdd79ddabffacf99

Do the new pipelines match?

$ diff .tekton/scanner-db-slim-push.yaml .tekton/scanner-db-slim-pull-request.yaml 
7a8
>     build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
10c11,12
<     pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master"
---
>     # TODO(ROX-21073): re-enable for all PR branches
>     pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && (source_branch.contains("konflux") || source_branch.contains("rhtap"))
16c18
<   name: scanner-db-slim-on-push
---
>   name: scanner-db-slim-on-pull-request
29c31
<       value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:{{revision}}
---
>       value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:on-pr-{{revision}}

Do the slim and full pipelines match?

$ diff .tekton/scanner-db-slim-push.yaml .tekton/scanner-db-push.yaml
14c14
<     appstudio.openshift.io/component: scanner-db-slim
---
>     appstudio.openshift.io/component: scanner-db
16c16
<   name: scanner-db-slim-on-push
---
>   name: scanner-db-on-push
29c29
<       value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:{{revision}}
---
>       value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db:{{revision}}
39c39
<     # No language dependencies are required for scanner-db-slim image.
---
>     # No language dependencies are required for scanner-db image.
195c195
<           # A shallow repo clone is sufficient for scanner-db-slim build.
---
>           # A shallow repo clone is sufficient for scanner-db build.
239a240,255
>       - name: fetch-sql-definitions
>         runAfter:
>           - clone-repository
>         taskSpec:
>           steps:
>             - name: fetch-sql-definitions
>               image: registry.access.redhat.com/ubi8/ubi-minimal:latest
>               script: |
>                 "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \
>                     "$(workspaces.source.path)/source" \
>                     pg-definitions.sql.gz
>               timeout: '10m'
>         workspaces:
>           - name: source
>             workspace: workspace
> 
257c273
<             value: scanner-db-slim
---
>             value: scanner-db
259a276
>           - fetch-sql-definitions

TODO:

• this PR is based on tm/scanner-slim-konflux-onboarding, after ROX-20752: scanner-slim konflux onboarding #1429 is merged should be rebased.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[tommartensen]

Note that /docker-entrypoint-initdb.d/definitions.sql.gz is now owned by 70:70 (postgres:postgres), the user that executes the container.
It was owned root before, read allowed for all users.

[tommartensen]

Konflux EC fails because of scanner-v4, unrelated to the changes in this PR.

[msugakov]

LGTM. Just a few cosmetic notes

[msugakov]

Well, you can keep root ownership by doing this:

Suggested change

	COPY blob-pg-definitions.sql.gz \
	/docker-entrypoint-initdb.d/definitions.sql.gz
	USER 0:0
	COPY blob-pg-definitions.sql.gz \
	/docker-entrypoint-initdb.d/definitions.sql.gz
	USER 70:70

[tommartensen]

Is it necessary though or was root ownership just an artifact of the midstream Dockerfile?

[msugakov]

Technically, this isn't necessary since Dockerfile will be built until the final stage by default. Although I'm happy if you keep this for explicitness.

[msugakov]

After diffing normal and slim pipelines, a thought crossed my mind. It feels a bit wrong that this essential setting which actually differentiates slim and non-slim builds is hidden somewhere in a middle of the file.

How would you feel about introducing a top-level param (under spec.params) for this value?

[tommartensen]

7792257