Add support for platform 010

[natalieparellano]

There are still some open TODOs but this is ready for detailed feedback

Summary of larger changes

• Configures the build pod for extensions when they are present in the order (note changes to the security context such as running as root and added capabilities)
• Adds new resources and reconcilers for Extensions and ClusterExtensions for parity with Buildpacks and ClusterBuildpacks
• Refactors “buildpack resolver” to reduce duplication

Unresolved

• The integration tests will fail until the lifecycle version is bumped to 0.18.0+ due to a regression in 0.17.x that broke Platform 0.10 - we should bump the lifecycle version in this PR when 0.18.0 is out (likely this or next week)
• Platforms can opt-in to using extensions by specifying them in the builder. Do we need any additional opting-in like setting “experimental = true” somewhere?
• Note that rebuilds on stack changes are disabled when extensions are used (see here) - this should be improved later but I didn’t want to do it in this PR to avoid making the changeset even larger
• See other small questions in the conversations below

[codecov-commenter]

Codecov Report

Merging #1332 (d6036e4) into main (6f4bd45) will decrease coverage by 0.17%.
Report is 2 commits behind head on main.
The diff coverage is 66.79%.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

@@            Coverage Diff             @@
##             main    #1332      +/-   ##
==========================================
- Coverage   67.34%   67.17%   -0.17%     
==========================================
  Files         133      138       +5     
  Lines        8210     8503     +293     
==========================================
+ Hits         5529     5712     +183     
- Misses       2231     2343     +112     
+ Partials      450      448       -2     

Files	Coverage Δ
pkg/apis/build/v1alpha2/build.go	28.16% <ø> (+1.14%)	⬆️
pkg/apis/build/v1alpha2/build_conversion.go	94.59% <100.00%> (ø)
pkg/apis/build/v1alpha2/build_pod.go	97.18% <100.00%> (+0.10%)	⬆️
pkg/apis/build/v1alpha2/build_types.go	100.00% <ø> (ø)
pkg/apis/build/v1alpha2/builder_conversion.go	94.59% <100.00%> (ø)
pkg/apis/build/v1alpha2/builder_types.go	22.22% <ø> (ø)
pkg/apis/build/v1alpha2/builder_validation.go	88.42% <100.00%> (+3.91%)	⬆️
pkg/apis/build/v1alpha2/buildpack_validation.go	100.00% <ø> (ø)
pkg/apis/build/v1alpha2/image_builds.go	69.48% <ø> (ø)
pkg/buildchange/buildpack_change.go	82.35% <100.00%> (ø)
... and 26 more

[natalieparellano]

Still to do:

• Add reconcilers for Extensions and ClusterExtensions
• Add end-to-end test(s)
• Actually use extensions in the build pod

Before I proceed further, I'd like to confirm that we indeed want to add these additional resources ^^ (Slack thread)

Maintainers, please opine!

[natalieparellano]

We don't have to add this... but I like it

[natalieparellano]

Is this a forgotten .Focus?

[tomkennedy513]

I suspect that it works because its the only thing in the function but it probably should not be a focus

[natalieparellano]

Perhaps we could build the sample extension and push it along with all the other images from hack/local.sh or equivalent?

[tomkennedy513]

that feels slightly odd to me since we don't do that with buildpacks. maybe we can put a sample extension in the projects ghcr repo or something

[chenbh]

I would prefer to use a properly released (read: maintained) extension, does CNB have a sample one? What about paketo or other well known buildpack authors?

[natalieparellano]

I have no idea what this is testing or why it's failing. Maintainers, please help!

[chenbh]

The tracker is a thing we use to force reconciliation of related objects. The usage is that it is first added as an event handler to a specific informer, and then during each reconcile loop we can decide to register individual things to track. Then when these things get modified (by the user or other controllers), it triggers a reconcile loop on a separate reconciler.

To give an example, the Builder reconciler sets up a tracker for all Buildpack objects. This is so that if a buildpack was changed (i.e. user updated the .spec.image field), we want to force a reconciliation of any builders that uses it:

kpack/pkg/reconciler/builder/builder.go

Lines 97 to 101 in b14fce9

	buildpackInformer.Informer().AddEventHandler(controller.HandleAll(
	controller.EnsureTypeMeta(
	c.Tracker.OnChanged,
	buildapi.SchemeGroupVersion.WithKind(buildapi.BuildpackKind)),
	))

Once the tracker is set to handle events for all Buildpacks, it can register individual objects (in this case a ClusterStore) for tracking

kpack/pkg/reconciler/builder/builder.go

Lines 175 to 184 in b14fce9

	c.Tracker.Track(reconciler.Key{
	NamespacedName: types.NamespacedName{
	Name: builder.Spec.Store.Name,
	Namespace: metav1.NamespaceAll,
	},
	GroupKind: schema.GroupKind{
	Group: "kpack.io",
	Kind: buildapi.ClusterStoreKind,
	},
	}, builder.NamespacedName())

Or track all group kind (in this case Buildpacks) in a namespace

kpack/pkg/reconciler/builder/builder.go

Lines 192 to 195 in b14fce9

	c.Tracker.TrackKind(schema.GroupKind{
	Group: "kpack.io",
	Kind: buildapi.BuildpackKind,
	}, builder.NamespacedName())

The test injects a fake tracker into the reconciler and asserts that it's setting up the expected namespaced-objects/group-version-kind to track.

[chenbh]

So you'll probably have to setup the tracker in the builder reconciler to also watch for changes to the [Cluster]Extension resource. If you don't, the builder won't be reconciled if a new extension is added, or if an existing extension changes.

[natalieparellano]

I have no idea what this is testing or why it's failing. Maintainers, please help!

[chenbh]

Same as #1332 (comment), with the only difference being that it only watches for ClusterExtensions instead of both Extension and ClusterExtension

[natalieparellano]

Without this, if extensions are used to switch the runtime base image, the image will never stop building because the reconciler always sees a stack change. Future versions of kpack should improve this by (somehow) tying the image back to a "stack" that includes the runtime base image that was switched to.

[natalieparellano]

The integration tests won't run in CI until this is merged, but here is my local output if that's helpful:

PASS | KpackE2E (651.78s)
PASS |   KpackE2E/CreateImage (547.52s)
PASS |     KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources (36.75s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/blob-image-custom-builder (74.87s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/registry-image-custom-cluster-builder-with-extensions (84.18s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/registry-image-custom-builder (85.01s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/git-image-custom-cluster-builder-with-extensions (87.26s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/registry-image-custom-cluster-builder (90.64s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/git-image-custom-builder-with-extensions (124.00s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/blob-image-custom-cluster-builder (134.21s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/blob-image-custom-builder-with-extensions (156.83s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/git-image-custom-builder (157.49s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/blob-image-custom-cluster-builder-with-extensions (170.88s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/registry-image-custom-builder-with-extensions (174.89s)
PASS |       KpackE2E/CreateImage/builds_and_rebases_git,_blob,_and_registry_images_from_unauthenticated_sources/git-image-custom-cluster-builder (193.01s)
PASS |     KpackE2E/CreateImage/builds_and_rebases_git_sources_from_authenticated_sources (22.24s)
PASS |     KpackE2E/CreateImage/can_trigger_rebuilds_with_volume_cache (136.48s)
PASS |     KpackE2E/CreateImage/can_trigger_rebuilds_with_registry_cache (159.04s)
PASS |   KpackE2E/SignBuilder (104.26s)
PASS |     KpackE2E/SignBuilder/Signs_a_Builder_image_successfully_when_the_key_is_not_password-protected (15.04s)
PASS |     KpackE2E/SignBuilder/Signs_a_Builder_image_successfully_when_the_key_is_password-protected (13.44s)
PASS |     KpackE2E/SignBuilder/Generates_more_than_one_signature_for_a_Builder_image_successfully_when_multiple_secrets_are_present (16.17s)
PASS |     KpackE2E/SignBuilder/Saves_a_failure_in_the_Builder_record_when_signing_fails (9.76s)
PASS |     KpackE2E/SignBuilder/Signs_a_ClusterBuilder_image_successfully_when_the_key_is_not_password-protected (8.60s)
PASS |     KpackE2E/SignBuilder/Signs_a_ClusterBuilder_image_successfully_when_the_key_is_password-protected (13.19s)
PASS |     KpackE2E/SignBuilder/Generates_more_than_one_signature_for_a_ClusterBuilder_image_successfully_when_multiple_secrets_are_present (17.22s)
PASS |     KpackE2E/SignBuilder/Saves_a_failure_in_the_ClusterBuilder_record_when_signing_fails (10.85s)
PASS | github.com/pivotal/kpack/test 652.960s

[natalieparellano]

Discussed in 10/31 Working Group, run as root is unnecessary if all we're doing is switching the runtime base. We should make this configurable by the end user (and default to the most secure setting).

[natalieparellano]

@tomkennedy513 @chenbh did you have a chance to go through all the changes? If so I can pick this up again