Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Configure

builds for Red Hat OpenShift 1.7

Configuring Builds

Red Hat OpenShift Documentation Team

Abstract

This document provides information about configuring Builds.

Chapter 1. Configuring Builds
Copy link

As a platform engineer, you can define the source, strategy, parameters, outputs, retention rules, and volumes in a Build custom resource (CR) to configure builds. A Build CR enables consistent build pod configuration and provides a namespace-scoped method for managing build execution on the cluster.

1.1. Configurable fields in build
Copy link

Configure a Build custom resource (CR) by specifying its inputs, execution settings, outputs, and lifecycle behavior. These parameters control the configuration and behavior of a Build CR.

The following table describes the required fields in your Build CR:

Expand
Table 1.1. Required fields in the Build CR
FieldDescription

apiVersion

Specifies the API version of the resource, for example, shipwright.io/v1beta1.

kind

Specifies the type of the resource, for example, Build.

metadata

Specifies the metadata that identifies the custom resource definition instance, for example, the name of the Build resource.

spec.source

Specifies the location of the source code, for example, a Git repository or source bundle image.

spec.strategy

Specifies the name and type of the strategy used for the Build resource.

spec.output

Specifies the location where the system pushes the generated image.

spec.output.pushSecret

Specifies an existing secret to gain access to the container registry.

The following table describes the optional fields in your Build CR:

Expand
Table 1.2. Optional fields in the Build CR
FieldDescription

spec.paramValues

Specifies a name-value list to set values for parameters defined in the build strategy.

spec.timeout

Defines a custom timeout. The default value is ten minutes. You can overwrite this field value in your BuildRun resource.

spec.output.annotations

Specifies a list of key-value pairs that you can use to annotate the output image.

spec.output.labels

Specifies a list of key-value pairs that you can use to label the output image.

spec.env

Defines additional environment variables that you can pass to the build container. The available variables depend on the tool used by your build strategy.

spec.retention.ttlAfterFailed

Specifies the duration for which a failed build run can exist.

spec.retention.ttlAfterSucceeded

Specifies the duration for which a successful build run can exist.

spec.retention.failedLimit

Specifies the number of failed build runs that can exist.

spec.retention.succeededLimit

Specifies the number of successful build runs that can exist.

spec.nodeSelector

Specifies which nodes Builds should run on.

spec.tolerations

Specifies the tolerations for the Builds pod.

spec.schedulerName

Specifies the scheduler for the Builds pod

1.2. Source definition
Copy link

Configure the source code location for your build in the Build custom resource (CR).

The following source fields specify how the build accesses the Git repository and selects the source content:

  • source.git.url: The Git repository location.
  • source.git.cloneSecret: The secret containing SSH keys for private repositories.
  • source.git.revision: The specific commit, tag, or branch (defaults to the default branch).
  • source.contextDir: The subdirectory containing the source code.

The build controller does not validate the Git repository by default. To enable validation, set shipwright.io/verify.repository annotation to true in your Build CR, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-golang-build
  annotations:
    build.shipwright.io/verify.repository: "true"
spec:
  source:
    git:
      url: https://github.com/shipwright-io/sample-go
    contextDir: docker-build

The build controller validates the existence of a Git repository in the following scenarios:

  • When you use the endpoint URL with an HTTP or HTTPS protocol.
  • When you have defined an SSH protocol, such as git@, but not a referenced secret, such as source.git.cloneSecret.

The following configurations show how you can configure a build with different set of source inputs.

Configure a build with credentials

Configure a build to access a private Git repository by referencing a secret that contains the repository credentials, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-build
spec:
  source:
    git:
      url: https://github.com/sclorg/nodejs-ex
      cloneSecret: source-repository-credentials
Configure a build with a context path

Configure a build to use a specific context directory within the Git repository when the source code is not located at the repository root, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-custom-context-dockerfile
spec:
  source:
    git:
      url: https://github.com/userjohn/npm-simple
    contextDir: docker-build
Configure a build with a tag

Configure a build to use a specific Git tag, such as v0.1.0, as the source revision, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-golang-build
spec:
  source:
    git:
      url: https://github.com/shipwright-io/sample-go
      revision: v0.1.0
Configure a build with environment variables

Configure a build to pass environment variables to the build container during build execution, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-golang-build
spec:
  source:
    git:
      url: https://github.com/shipwright-io/sample-go
    contextDir: docker-build
  env:
    - name: <example_var_1>
      value: "<example_value_1>"
    - name: <example_var_2>
      value: "<example_value_2>"

1.3. Strategy definition
Copy link

The build strategy determines how source code transforms into a container image. Supported strategies include buildah, source-to-image, and buildpacks. Define the strategy in the spec.strategy field of your Build CR.

To configure a build strategy, define the spec.strategy.name and spec.strategy.kind fields in the Build CR, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-build
spec:
  strategy:
    name: buildah
    kind: ClusterBuildStrategy

1.4. Parameter values definition for a build
Copy link

You can set build strategy parameters in your Build custom resource (CR). These settings control how your build runs. For every parameter, you must provide a value. You can provide the values directly or reference keys in ConfigMaps or Secrets.

Note

You can only use ConfigMaps or Secrets if the parameter appears in a command, argument, or environment variable in the build strategy.

The following are the requirements of using parameters values definition for a build:

  • Mapping: Every spec.paramValues name must match a parameter defined in the BuildStrategy CR.
  • Reserved names: Do not use reserved names like BUILDER_IMAGE, CONTEXT_DIR, or any name starting with shp-.
  • Resources: You can only use ConfigMaps or Secrets if the parameter is used in a command, argument, or environment variable.

The following examples show how to set parameters in a build strategy. You can use a Build custom resource (CR) to give these parameters specific values. You can also assign values to array parameters.

Define parameters in a ClusterBuildStrategy CR

The following example shows a ClusterBuildStrategy CR with several parameters: 

apiVersion: shipwright.io/v1beta1
kind: ClusterBuildStrategy
metadata:
  name: buildah
spec:
  parameters:
    - name: build-args
      description: "The values for the args in the Dockerfile. Values must be in the format KEY=VALUE."
      type: array
      defaults: []
    # ...
    - name: storage-driver
      description: "The storage driver to use, such as 'overlay' or 'vfs'."
      type: string
      default: "vfs"
# ...
steps:
# ...
Assign values to parameters in a Build CR

As shown in the previous example, the ClusterBuildStrategy CR defines a storage-driver parameter. You can change its value in your Build CR like this: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: <your_build>
  namespace: <your_namespace>
spec:
  paramValues:
  - name: storage-driver
    value: "overlay"
  strategy:
    name: buildah
    kind: ClusterBuildStrategy
  output:
  # ...

where:

<your_build>
Specifies the name of the build CR.
<your_namespace>
Specifies the namespace of the build CR.
Creating a ConfigMap CR to control a parameter centrally
To use the same value for a parameter for multiple builds, use a ConfigMap. This allows you to change the value in one place and control its usage centrally. See the following example configuration: 
apiVersion: v1
kind: ConfigMap
metadata:
  name: buildah-configuration
  namespace: <your_namespace>
data:
  storage-driver: overlay

+

where:

<your_namespace>
Specifies the namespace of the ConfigMap CR.

+ You can use the created ConfigMap CR as a parameter value in your Build CR, as shown in the following example:

+ 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: <your_build>
  namespace: <your_namespace>
spec:
  paramValues:
  - name: storage-driver
    configMapValue:
      name: buildah-configuration
      key: storage-driver
  strategy:
    name: buildah
    kind: ClusterBuildStrategy
  output:
  # ...

+

where:

metadata
Specifies the metadata for your build CR.
Assign value to a parameter of the array type in a Build CR

You can also assign values to parameters of the type array. For example, use registries-search to tell the build where to look for images, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: <your_build>
  namespace: <your_namespace>
spec:
  paramValues:
  - name: storage-driver
    configMapValue:
      name: buildah-configuration
      key: storage-driver
  - name: registries-search
    values:
    - value: registry.redhat.io
  strategy:
    name: buildah
    kind: ClusterBuildStrategy
  output:
  # ...

where:

metadata
Specifies the metadata for your build CR.
Reference a secret in a Build CR

You can reference to a Secret to a parameter. The following example shows how to block specific registries using a Secret: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: <your_build>
  namespace: <your_namespace>
spec:
  paramValues:
  - name: storage-driver
    configMapValue:
      name: buildah-configuration
      key: storage-driver
  - name: registries-block
    values:
    - secretValue:
        name: registry-configuration
        key: reg-blocked
  strategy:
    name: buildah
    kind: ClusterBuildStrategy
  output:
  # ...

where:

metadata
Specifies the metadata for your build CR.
values.secretValue
Specifies the value that references a secret.

1.5. Builder or docker file definition
Copy link

Use the spec.paramValues field in your Build custom resource (CR) to specify the image or file used to build your output image.

The following example specifies a Dockerfile image in a Build CR: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-golang-build
spec:
  source:
    git:
      url: https://github.com/shipwright-io/sample-go
    contextDir: docker-build
  strategy:
    name: buildah
    kind: ClusterBuildStrategy
  paramValues:
  - name: dockerfile
    value: Dockerfile

You can also use a builder image as part of the source-to-image build strategy in your Build CR, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: s2i-nodejs-build
spec:
  source:
    git:
      url: https://github.com/shipwright-io/sample-nodejs
    contextDir: source-build/
  strategy:
    name: source-to-image
    kind: ClusterBuildStrategy
  paramValues:
  - name: builder-image
    value: docker.io/centos/nodejs-10-centos7

1.6. Output definition
Copy link

In your Build custom resource (CR), you must choose an output location. This is where the system pushes your finished image. If you use a private registry, you must also provide a secret to log in. You can also add annotations and labels to your image.

Note

If you add annotations or labels, the system pushes the image twice. The first push comes from build strategy. The second push changes the image configuration and adds the annotations and labels.

The following example defines a public registry where the image is pushed: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: s2i-nodejs-build
spec:
  source:
    git:
      url: https://github.com/shipwright-io/sample-nodejs
    contextDir: source-build/
  strategy:
    name: source-to-image
    kind: ClusterBuildStrategy
  paramValues:
  - name: builder-image
    value: docker.io/centos/nodejs-10-centos7
  output:
    image: image-registry.openshift-image-registry.svc:5000/build-examples/nodejs-ex

The following example defines a private registry where the image is pushed: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: s2i-nodejs-build
spec:
  source:
    git:
      url: https://github.com/shipwright-io/sample-nodejs
    contextDir: source-build/
  strategy:
    name: source-to-image
    kind: ClusterBuildStrategy
  paramValues:
  - name: builder-image
    value: docker.io/centos/nodejs-10-centos7
  output:
    image: us.icr.io/source-to-image-build/nodejs-ex
    pushSecret: icr-knbuild

The following example defines annotations and labels for the image: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: s2i-nodejs-build
spec:
  source:
    git:
      url: https://github.com/shipwright-io/sample-nodejs
    contextDir: source-build/
  strategy:
    name: source-to-image
    kind: ClusterBuildStrategy
  paramValues:
  - name: builder-image
    value: docker.io/centos/nodejs-10-centos7
  output:
    image: us.icr.io/source-to-image-build/nodejs-ex
    pushSecret: icr-knbuild
    annotations:
      "org.opencontainers.image.source": "https://github.com/org/repo"
      "org.opencontainers.image.url": "https://my-company.com/images"
    labels:
      "maintainer": "team@my-company.com"
      "description": "This is my cool image"

1.7. Retention parameters definition for a build
Copy link

Define retention parameters in your Build custom resource (CR). These parameters manage the lifecycle of your BuildRun instances.

You can define retention parameters for the following purposes:

  • To specify how long a completed build run can exist
  • To specify the number of succeeded or failed build runs that can exist for a build

You can set the value of the following retention parameters in your Build custom resource (CR):

  • retention.succeededLimit: The number of successful build runs that can exist for a build.
  • retention.failedLimit: The number of failed build runs that can exist for a build.
  • retention.ttlAfterFailed: The duration for which a failed build run can exist.
  • retention.ttlAfterSucceeded: The duration for which a successful build run can exist.
Note

If you change a limit, it is applied immediately. If you change a time to live (TTL), it only applies to new build runs.

The following example shows the usage of retention parameters in a Build CR: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: build-retention-ttl
spec:
  source:
    git:
      url: "https://github.com/shipwright-io/sample-go"
    contextDir: docker-build
  strategy:
    kind: ClusterBuildStrategy
    name: buildah
  output:
  # ...
  retention:
    ttlAfterFailed: 30m
    ttlAfterSucceeded: 1h
    failedLimit: 10
    succeededLimit: 20
  # ...
Note

When you change the value of the retention.failedLimit and retention.succeededLimit parameters, the new limit is applied immediately. However, when you change the value of the retention.ttlAfterFailed and retention.ttlAfterSucceeded parameters, the new retention duration is enforced only on the new build runs. Old build runs adhere to the old retention duration. If you have defined retention duration in both BuildRun and Build CRs, the BuildRun CR gets the priority.

1.8. Volumes definition for a build
Copy link

Define volumes in your Build custom resource (CR) to override the volumes specified in the BuildStrategy resource. The build run fails if a volume is not explicitly overridden.

The following example shows the usage of the volumes field in a Build CR: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: <build_name>
spec:
  source:
    git:
      url: https://github.com/example/url
  strategy:
    name: buildah
    kind: ClusterBuildStrategy
  paramValues:
  - name: dockerfile
    value: Dockerfile
  output:
    image: registry/namespace/image:latest
  volumes:
    - name: <volume_name>
      configMap:
        name: <configmap_name>

where:

<build_name>
Specifies the name of the build.
<volume_name>
Specifies the name of the volume.
<configmap_name>
Specifies the name of the ConfigMap.

1.9. Pod configuration
Copy link

Configure pod scheduling and placement for Builds by using optional BuildRun Custom Resource (CR) fields

Use the following optional Build CR fields to configure Builds pods:

  • The spec.tolerations field specifies the tolerations for the Builds pod with the following limitation:

    • Only the NoSchedule taint effect is supported.
  • The spec.nodeSelector field specifies which nodes the Builds pod should run on.
  • The spec.schedulerName field specifies the scheduler for the Builds pod.
Note

If you define these fields in the Build and BuildRun CRs, the BuildRun values take priority.

Chapter 2. Configuring build strategies
Copy link

As a platform engineer, you can define consistent build strategies by specifying parameters, system settings, resource requirements, annotations, and volumes in BuildStrategy or ClusterBuildStrategy custom resources (CR). These strategies enable controlled and reusable build execution across the cluster.

2.1. Strategy parameters definition
Copy link

Define parameters in a BuildStrategy or ClusterBuildStrategy custom resource (CR). You can then set or modify these values in your Build or BuildRun CRs.

Consider the following points before defining parameters for your strategy:

  • Define a list of parameters in the spec.parameters field of your build strategy CR. Each item includes a name, description, type, and optionally a default value (or values for array types). If no default value is set, you must define a value in the Build or BuildRun CR.
  • Define parameters of string or array type in the spec.steps field of your build strategy.

  • Specify a parameter of string type by using the $(params.your-parameter-name) syntax. You can set a value for the your-parameter-name parameter in your Build or BuildRun CR that references your strategy. You can define the following string parameters based on your needs:

    Expand
    Table 2.1. String parameters
    ParameterDescription

    image

    Use this parameter to define a custom tag, such as golang:$(params.go-version)

    args

    Use this parameter to pass data into your builder commands

    env

    Use this parameter to provide a value for an environment variable

  • Specify a parameter of array type by using the $(params.your-array-parameter-name[*]) syntax. After specifying the array, you can use it in an argument or a command. For each item in the array, an argument will be set. The following example uses an array parameter in the spec.steps field of the build strategy: 

    apiVersion: shipwright.io/v1beta1
kind: ClusterBuildStrategy
metadata:
  name: <cluster_build_strategy_name>
  # ...
spec:
  parameters:
    - name: tool-args
      description: Parameters for the tool
      type: array
  steps:
    - name: a-step
      command:
        - some-tool
      args:
        - --tool-args
        - $(params.tool-args[*])
  • Provide parameter values as simple strings or as references to keys in config maps or secrets. For a parameter, you can use a config map or secret value only if it is defined in the command, args, or env section of the spec.steps field.

2.2. System parameters definition
Copy link

Use system parameters to define the steps of a build strategy to access system information, or user-defined information in a Build or BuildRun custom resource (CR). You cannot configure or modify system parameters as they are defined at runtime by the build run controller.

You can define the following system parameters in your build strategy definition:

Expand
Table 2.2. System parameters
ParameterDescription

$(params.shp-source-root)

Specifies the absolute path to the directory that contains the source code.

$(params.shp-source-context)

Specifies the absolute path to the context directory of the source code. If you do not specify any value for spec.source.contextDir in the Build CR, this parameter uses the value of the $(params.shp-source-root) system parameter.

$(params.shp-output-image)

Specifies the URL of the image to push as defined in the spec.output.image field of your Build or BuildRun CR.

2.3. Step resources definition
Copy link

Define CPU, memory, and disk limits for each step in a build strategy. If a strategy has multiple steps, you can allocate different resource amounts to each.

As an administrator, you can provide different versions of the same strategy (for example, buildah-small and buildah-large) so users can choose the resource profile that fits their build requirements.

2.3.1. Strategies with different resources
Copy link

Define multiple variants of the same strategy to apply different resource limits for different build requirements.

The following examples use the same buildah strategy with small and medium limits defined for the resources.These examples provide a strategy administrator more control over the step resources definition.

You can define the spec.steps[].resources field with a small resource limit for the buildah strategy, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: ClusterBuildStrategy
metadata:
  name: buildah-small
spec:
  steps:
    - name: build-and-push
      image: quay.io/containers/buildah:v1.31.0
      workingDir: $(params.shp-source-root)
      securityContext:
        capabilities:
          add:
          - "SETFCAP"
      command:
        - /bin/bash
      args:
        - -c
        - |
          set -euo pipefail
          # Parse parameters
        # ...
        # That's the separator between the shell script and its args
        - --
        - --context
        - $(params.shp-source-context)
        - --dockerfile
        - $(build.dockerfile)
        - --image
        - $(params.shp-output-image)
        - --build-args
        - $(params.build-args[*])
        - --registries-block
        - $(params.registries-block[*])
        - --registries-insecure
        - $(params.registries-insecure[*])
        - --registries-search
        - $(params.registries-search[*])
      resources:
        limits:
          cpu: 250m
          memory: 65Mi
        requests:
          cpu: 250m
          memory: 65Mi
  parameters:
    - name: build-args
      description: "The values for the args in the Dockerfile. Values must be in the format KEY=VALUE."
      type: array
      defaults: []
    # ...

You can define the spec.steps[].resources field with a medium resource limit for the buildah strategy, as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: ClusterBuildStrategy
metadata:
  name: buildah-medium
spec:
  steps:
    - name: build-and-push
      image: quay.io/containers/buildah:v1.31.0
      workingDir: $(params.shp-source-root)
      securityContext:
        capabilities:
          add:
          - "SETFCAP"
      command:
        - /bin/bash
      args:
        - -c
        - |
          set -euo pipefail
          # Parse parameters
        # ...
        # That's the separator between the shell script and its args
        - --
        - --context
        - $(params.shp-source-context)
        - --dockerfile
        - $(build.dockerfile)
        - --image
        - $(params.shp-output-image)
        - --build-args
        - $(params.build-args[*])
        - --registries-block
        - $(params.registries-block[*])
        - --registries-insecure
        - $(params.registries-insecure[*])
        - --registries-search
        - $(params.registries-search[*])
      resources:
        limits:
          cpu: 500m
          memory: 1Gi
        requests:
          cpu: 500m
          memory: 1Gi
  parameters:
    - name: build-args
      description: "The values for the args in the Dockerfile. Values must be in the format KEY=VALUE."
      type: array
      defaults: []
    # ...

After configuring the resource definition for a strategy, you must reference the strategy in your Build custom resource (CR), as shown in the following example: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-medium
spec:
  source:
    git:
      url: https://github.com/shipwright-io/sample-go
    contextDir: docker-build
  strategy:
    name: buildah-medium
    kind: ClusterBuildStrategy
  # ...

2.3.2. Resource management in Tekton pipelines
Copy link

The build controller works with the Tekton pipeline controller to schedule pods that run strategy steps. At runtime, the build controller creates a Tekton TaskRun, which executes a Task and records status and results. The TaskRun creates a pod in the target namespace that runs all steps sequentially.

2.4. Annotations definition
Copy link

Define annotations for a BuildStrategy or ClusterBuildStrategy in the same way as for any Kubernetes object. The build strategy passes these annotations to the TaskRun resource. Then, Tekton passes them to the pod.

You can use annotations for the following purposes:

  • Network bandwidth: Use kubernetes.io/ingress-bandwidth or kubernetes.io/egress-bandwidth to limit the network bandwidth.
  • Security profiles: Use container.apparmor.security.beta.kubernetes.io/<container_name> to define AppArmor profiles of a container.

The following example shows the usage of annotations in a build strategy: 

apiVersion: shipwright.io/v1beta1
kind: ClusterBuildStrategy
metadata:
  name: <cluster_build_strategy_name>
  annotations:
    container.apparmor.security.beta.kubernetes.io/step-build-and-push: unconfined
    container.seccomp.security.alpha.kubernetes.io/step-build-and-push: unconfined
spec:
  # ...

The following annotations are not passed to resources:

  • kubectl.kubernetes.io/last-applied-configuration
  • clusterbuildstrategy.shipwright.io/*
  • buildstrategy.shipwright.io/*
  • build.shipwright.io/*
  • buildrun.shipwright.io/*

A strategy administrator can further restrict the usage of annotations by using policy engines.

2.5. Secure referencing of string parameters
Copy link

Use the $(params.your-parameter-name) syntax to reference string parameters in your build strategy. When the build runs, the system replaces the variable with the actual strings.

Note

You can use the $(params.your-parameter-name) syntax for system and strategy parameters.

To prevent command injection vulnerabilities when using inline scripts, use one of the following secure methods:

  • Use environment variables

  • Use arguments

    Reference a string parameter into an environment variable

    Pass the parameter into an environment variable. Then, use quotes around that variable in your script. The following example uses an environment variable inside the script to reference a string parameter: 

    apiVersion: shipwright.io/v1beta1
kind: BuildStrategy
metadata:
  name: sample-strategy
spec:
  parameters:
    - name: sample-parameter
      description: A sample parameter
      type: string
  steps:
    - name: sample-step
      env:
        - name: PARAM_SAMPLE_PARAMETER
          value: $(params.sample-parameter)
      command:
        - /bin/bash
      args:
        - -c
        - |
          set -euo pipefail

          some-tool --sample-argument "${PARAM_SAMPLE_PARAMETER}"
    Reference a string parameter into an argument

    Pass the parameter as an argument to the script. Then, use a shell variable to read it. The following example uses an argument defined within your script to reference a string parameter: 

    apiVersion: shipwright.io/v1beta1
kind: BuildStrategy
metadata:
  name: sample-strategy
spec:
  parameters:
    - name: sample-parameter
      description: A sample parameter
      type: string
  steps:
    - name: sample-step
      command:
        - /bin/bash
      args:
        - -c
        - |
          set -euo pipefail

          SAMPLE_PARAMETER="$1"

          some-tool --sample-argument "${SAMPLE_PARAMETER}"
        - --
        - $(params.sample-parameter)

2.6. System results definition
Copy link

Store the image size and digest or content hash produced by the build strategy in a set of result files. Error details for debugging can also be recorded when a BuildRun resource fails.

The following result parameters can be defined in the BuildStrategy or ClusterBuildStrategy custom resource (CR):

Expand
Table 2.3. Result parameters
ParameterDescription

$(results.shp-image-digest.path)

Specifies the path to the file that stores the digest or the content hash of the image.

$(results.shp-image-size.path)

Specifies the path to the file that stores the compressed size of the image.

$(results.shp-error-reason.path)

Specifies the path to the file that stores the error reason.

$(results.shp-error-message.path)

Specifies the path to the file that stores the error message.

The following example shows the size and digest or the content hash of the image in the .status.output field of the BuildRun CR: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
# ...
status:
 # ...
  output:
    digest: sha256:07626e3c7fdd28d5328a8d6df8d29cd3da760c7f5e2070b534f9b880ed093a53
    size: 1989004
  # ...

The following example shows the error reason and message in the .status.failureDetails field of the BuildRun CR: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
# ...
status:
  # ...
  failureDetails:
    location:
      container: step-source-default
      pod: baran-build-buildrun-gzmv5-b7wbf-pod-bbpqr
    message: The source repository does not exist, or you have insufficient permission
      to access it.
    reason: GitRemotePrivate

2.7. Volumes and volume mounts definition
Copy link

Build strategies use volumes and volume mounts to manage data during build steps. By default, you cannot override the volumes in a BuildStrategy. To allow a Build or BuildRun to use a custom volume, you must set overridable field to true in the strategy.

Note

The volume mount defined in build steps allows you to access volumes defined in a BuildStrategy, Build or BuildRun resource.

Volumes in build strategy use an overridable boolean flag, which is set to false by default. If a Build or BuildRun resource tries to override the volumes defined in a BuildStrategy resource, it will fail because the default value of the overridable flag is false.

The following example shows a BuildStrategy resource that defines the volumes and volumeMounts fields: 

apiVersion: shipwright.io/v1beta1
kind: BuildStrategy
metadata:
  name: buildah
spec:
  steps:
    - name: build
      image: quay.io/containers/buildah:v1.23.3
      # ...
      volumeMounts:
        - name: varlibcontainers
          mountPath: /var/lib/containers
  volumes:
    - name: varlibcontainers
      overridable: true
      emptyDir: {}

Chapter 3. Configuring build runs
Copy link

As a platform engineer, you can configure build runs by defining the build reference, parameters, service account, output settings, retention rules, and volumes in a BuildRun custom resource (CR). You can use a BuildRun CR to manage how individual builds execute within a namespace on the cluster.

3.1. Configurable fields in build run
Copy link

Configure a BuildRun custom resource (CR) by specifying input parameters, service account, outputs, and lifecycle settings.

The following table describes the required fields in your BuildRun custom resource (CR):

Expand
Table 3.1. Required fields in the BuildRun CR
FieldDescription

apiVersion

Specifies the API version of the resource. For example, shipwright.io/v1beta1.

kind

Specifies the type of the resource. For example, BuildRun.

metadata

Indicates the metadata that identifies the custom resource definition instance. For example, the name of the BuildRun resource.

The following table describes optional fields in your BuildRun custom resource (CR):

Expand
Table 3.2. Optional fields in the BuildRun CR
FieldDescription

spec.build.name

Specifies an existing Build resource instance to use. You cannot use this field with the spec.build.spec field.

spec.build.spec

Specifies an embedded Build resource instance to use. You cannot use this field with the spec.build.name field.

spec.serviceAccount

Indicates the service account to use when building the image.

spec.timeout

Defines a custom timeout. This field value overwrites the value of the spec.timeout field defined in your Build resource.

spec.paramValues

Indicates a name-value list to specify values for parameters defined in the build strategy. The parameter value overwrites the value of the parameter that is defined with the same name in your Build resource.

spec.output.image

Indicates a custom location where the generated image will be pushed. This field value overwrites the value of the output.image field defined in your Build resource.

spec.output.pushSecret

Indicates an existing secret to get access to the container registry. This secret will be added to the service account along with other secrets requested by the Build resource.

spec.env

Defines additional environment variables that you can pass to the build container. This field value overrides any environment variables that are specified in the Build resource. The available variables depend on the tool used by your build strategy.

spec.nodeSelector

Specifies which nodes Builds should run on.

spec.tolerations

Specifies the tolerations for the Builds pod.

spec.schedulerName

Specifies the scheduler for the Builds pod

Important

You cannot use the spec.build.name and spec.build.spec fields together in the same CR because they are mutually exclusive.

3.2. Build reference definition
Copy link

Configure the spec.build.name field in your BuildRun resource to reference a Build resource that indicates an image to build. The following example shows a BuildRun custom resource (CR) that configures the spec.build.name field: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: buildah-buildrun
spec:
  build:
    name: buildah-build

3.3. Build specification definition
Copy link

Define a complete build specification into your BuildRun resource using the spec.build.spec field. This builds an image without creating and maintaining a dedicated Build custom resource. The following example shows a BuildRun custom resource (CR) that configures the spec.build.spec field: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: standalone-buildrun
spec:
   build:
    spec:
      source:
        git:
          url: https://github.com/shipwright-io/sample-go.git
        contextDir: source-build
      strategy:
        kind: ClusterBuildStrategy
        name: buildah
      output:
        image: <path_to_image>

where

<path_to_image>
Specifies the path to the image file.
Note

You cannot use the spec.build.name and spec.build.spec fields together in the same CR because they are mutually exclusive.

3.4. Parameter values definition for a build run
Copy link

You can define values for build strategy parameters in your BuildRun custom resource (CR). Values set in the BuildRun resource override any values with the same name in the Build resource.

In the following example, the cache value in the BuildRun overrides the cache value in the Build resource: 

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: <your_build>
  namespace: <your_namespace>
spec:
  paramValues:
  - name: cache
    value: disabled
  strategy:
    name: <your_strategy>
    kind: ClusterBuildStrategy
  source:
  # ...
  output:
  # ...

where

<your_build>
Specifies the name of the Build CR.
<your_namespace>
Specifies the namespace of the Build CR.
<your_strategy>
Specifies the strategy used for the Build CR. 
apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: <your_buildrun>
  namespace: <your_namespace>
spec:
  build:
    name: <your_build>
  paramValues:
  - name: cache
    value: registry

where

<your_buildrun>
Specifies the name of the Buildrun CR.
<your_namespace>
Specifies the namespace of the Buildrun CR.
<your_build>
Specifies the name of the Build.

3.5. Service account definition
Copy link

Define a service account in your BuildRun resource to provide access to the secrets referenced by your Build resource, as shown in the following example. 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: buildah-buildrun
spec:
  build:
    name: buildah-build
  serviceAccount: pipeline

  • spec.serviceAccount:: Defines the name of the generated service account corresponding to the name of the BuildRun resource. You can also set the value to ".generate" to generate the service account during runtime.

    Note

    When you do not define the service account, the BuildRun resource uses the pipeline service account if it exists in the namespace. Otherwise, the BuildRun resource uses the default service account.

Use retention parameters in your BuildRun custom resource (CR) to automatically delete completed build runs. In your BuildRun custom resource (CR), use the following retention parameters:

  • retention.ttlAfterFailed: Duration a failed build run remains before deletion.
  • retention.ttlAfterSucceeded: Duration a successful build run remains before deletion.

The following example shows how to define retention parameters in your BuildRun CR: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: buidrun-retention-ttl
spec:
  build:
    name: build-retention-ttl
  retention:
    ttlAfterFailed: 10m
    ttlAfterSucceeded: 10m
Note

If you have defined a retention parameter in both BuildRun and Build CRs, the value defined in the BuildRun CR overrides the value of the retention parameter defined in the Build CR.

3.7. Volumes definition for a build run
Copy link

Define volumes in your BuildRun custom resource (CR) to override the volumes in the BuildStrategy resource. If a volume isn’t overridden, the build run fails. If both Build and BuildRun override the same volume, the value in BuildRun takes precedence.

The following example shows a BuildRun CR that uses the volumes field: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: <buildrun_name>
spec:
  build:
    name: <build_name>
  volumes:
    - name: <volume_name>
      configMap:
        name: <configmap_name>

where:

<build_name>
Specifies the name of the Buildrun CR.
<buildrun_name>
Specifies the name of the Build CR.
<volume_name>
Specifies the name of the volume of the Build CR.
<configmap_name>
Specifies the name of the ConfigMap of the Build CR.

3.8. Environment variables definition
Copy link

You can set environment variables in your BuildRun custom resource (CR). These variables pass information to the build container. You can use literal values or the Kubernetes downward API.

The following example shows how to define environment variables: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: buildah-buildrun
spec:
  build:
    name: buildah-build
  env:
    - name: <example_var_1>
      value: "<example_value_1>"
    - name: <example_var_2>
      value: "<example_value_2>"

where:

env.name
Defines the names of the environment variables in the BuildRun CR.
env.value
Defines the values of the environment variables in the BuildRun CR.

The following example shows a BuildRun resource that uses the Kubernetes downward API to expose a pod as an environment variable: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: buildah-buildrun
spec:
  build:
    name: buildah-build
  env:
    - name: <pod_name>
      valueFrom:
        fieldRef:
          fieldPath: metadata.name

where:

<pod_name>
Specifies the name of the pod.

The following example shows a BuildRun resource that uses the Kubernetes downward API to expose a container as an environment variable: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: buildah-buildrun
spec:
  build:
    name: buildah-build
  env:
    - name: MEMORY_LIMIT
      valueFrom:
        resourceFieldRef:
          containerName: <my_container>
          resource: limits.memory

where:

<my_container>
Specifies the name of the container.

3.9. Build run status
Copy link

Monitor the progress and completion of your image builds by checking the status of the BuildRun custom resource (CR). A BuildRun CR stores status information in the status.conditions field. This field includes the status, the reason for that status, and a descriptive message. For example, a Succeeded condition type means the build finished successfully.

The following examples show how to view the status of a specific BuildRun CR.

Unknown status
An Unknown status indicates the build is still starting or in progress. The following example shows a BuildRun with Unknown status: 
$ oc get buildrun buildah-buildrun-mp99r

Example output: 

NAME                    SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
buildah-buildrun-mp99r  Unknown     Unknown      1s
True status
A True status indicates that the build completed successfully. The following example shows a BuildRun` with True status: 
$ oc get buildrun buildah-buildrun-mp99r

Example output: 

NAME                   SUCCEEDED     REASON     STARTTIME   COMPLETIONTIME
buildah-buildrun-mp99r  True        Succeeded      29m       20m

A BuildRun CR stores the status-related information in the status.conditions field. For example, a condition with the type Succeeded indicates that resources have successfully completed their operation. The status.conditions field includes significant information like status, reason, and message for the BuildRun CR.

3.9.1. Build run statuses description
Copy link

A BuildRun custom resource (CR) can have different statuses during the image building process. Track the state of your build using the status field.

The following table covers the different statuses of a build run:

Expand
Table 3.3. Statuses of a build run
StatusCauseDescription

Unknown

Pending

The BuildRun resource waits for a pod in status Pending.

Unknown

Running

The controller validates and starts the BuildRun.

Unknown

BuildRunCanceled

The user has requested to cancel the build run. This request triggers the build run controller to make a request for canceling the related task runs. Cancellation is still under process when this status is present.

True

Succeeded

The pod for the BuildRun resource is created.

False

Failed

The BuildRun resource is failed in one of the steps.

False

BuildRunTimeout

The execution of the BuildRun` resource is timed out.

False

UnknownStrategyKind

The strategy type defined in the Kind field is unknown. You can define these strategy types: ClusterBuildStrategy and BuildStrategy.

False

ClusterBuildStrategyNotFound

The referenced cluster-scoped strategy was not found in the cluster.

False

BuildStrategyNotFound

The referenced namespace-scoped strategy was not found in the cluster.

False

SetOwnerReferenceFailed

Setting the ownerReferences field from the BuildRun resource to the related TaskRun resource failed.

False

TaskRunIsMissing

The TaskRun resource related to the BuildRun resource was not found.

False

TaskRunGenerationFailed

The generation of a TaskRun specification has failed.

False

MissingParameterValues

You have not provided any value for some parameters that are defined in the build strategy without any default. You must provide the values for those parameters in the Build or the BuildRun CR.

False

RestrictedParametersInUse

A value for a system parameter was provided, which is not allowed.

False

UndefinedParameter

A value for a parameter was provided that is not defined in the build strategy.

False

WrongParameterValueType

The system detected an incorrectly typed build strategy parameter value. For example, if the parameter is defined as an array or a string in the build strategy, you must provide a set of values or a direct value accordingly.

False

InconsistentParameterValues

A value for a parameter contained more than one of these values: value, configMapValue, and secretValue. You must provide only one of the mentioned values to maintain consistency.

False

EmptyArrayItemParameterValues

An item inside the values of an array parameter contained none of these values: value,configMapValue, and secretValue. You must provide only one of the mentioned values as null array items are not allowed.

False

IncompleteConfigMapValueParameterValues

A value for a parameter contained a configMapValue value where the name or the value field was empty. You must specify the empty field to point to an existing config map key in your namespace.

False

IncompleteSecretValueParameterValues

A value for a parameter contained a secretValue value where the name or the value field was empty. You must specify the empty field to point to an existing secret key in your namespace.

False

ServiceAccountNotFound

The referenced service account was not found in the cluster.

False

BuildRegistrationFailed

The referenced build in the BuildRun resource is in a Failed state.

False

BuildNotFound

The referenced build in the BuildRun resource was not found.

False

BuildRunCanceled

The BuildRun and related TaskRun resources were canceled successfully.

False

BuildRunNameInvalid

The defined build run name in the metadata.name field is invalid. You must provide a valid label value for the build run name in your BuildRun CR.

False

BuildRunNoRefOrSpec

The BuildRun resource does not have either the spec.build.name or spec.build.spec field defined.

False

BuildRunAmbiguousBuild

The defined BuildRun resource uses both the spec.build.name and spec.build.spec fields. Only one of the parameters is allowed at a time.

False

BuildRunBuildFieldOverrideForbidden

The defined spec.build.name field uses an override in combination with the spec.build.spec field, which is not allowed. Use the spec.build.spec field to directly specify the respective value.

False

PodEvicted

The build run pod was evicted from the node it was running on.

3.9.2. Failed build runs
Copy link

If a build fails, check the status.failureDetails field in the BuildRun custom resource (CR). This field provides the error message, the reason for the failure, and the specific container or pod where the error occurred. You can see the message and reason for failure only if it is defined in your build strategy.

The following example shows a failed build run: 

# ...
status:
  # ...
  failureDetails:
    location:
      container: step-source-default
      pod: baran-build-buildrun-gzmv5-b7wbf-pod-bbpqr
    message: The source repository does not exist, or you have insufficient permission
      to access it.
    reason: GitRemotePrivate
Note

The status.failureDetails field also provides error details for all operations related to Git.

3.9.3. Step results in build run status
Copy link

After a BuildRun custom resource (CR) completes its execution, the .status field contains the .status.taskResults result emitted from the steps generated by the build run controller. The result includes the image digest or the commit SHA of the source code that is used for building the image. In a BuildRun CR, the .status.sources field contains the result from the execution of source steps and the .status.output field contains the result from the execution of output steps.

The following example shows a BuildRun CR with step results for a Git source: 

# ...
status:
  buildSpec:
    # ...
  output:
    digest: sha256:07626e3c7fdd28d5328a8d6df8d29cd3da760c7f5e2070b534f9b880ed093a53
    size: 1989004
  sources:
  - name: default
    git:
      commitAuthor: xxx xxxxxx
      commitSha: f25822b85021d02059c9ac8a211ef3804ea8fdde
      branchName: main

The following example shows a BuildRun CR with step results for a local source code: 

# ...
status:
  buildSpec:
    # ...
  output:
    digest: sha256:07626e3c7fdd28d5328a8d6df8d29cd3da760c7f5e2070b534f9b880ed093a53
    size: 1989004
  sources:
  - name: default
    bundle:
      digest: sha256:0f5e2070b534f9b880ed093a537626e3c7fdd28d5328a8d6df8d29cd3da760c7
Note

You get to see the digest and size of the output image only if it is defined in your build strategy.

3.9.4. Build snapshot
Copy link

A build snapshot records the exact configuration used for a specific build run.

When a build run reconciles, the status.buildSpec field in the BuildRun custom resource (CR) updates. This field stores a complete copy of the original Build specification used for that specific image build. You can use this snapshot to verify the settings used during execution, even if the original Build CR changes later.

3.10. Relationship of build run with Tekton tasks
Copy link

A BuildRun uses Tekton TaskRun resources to build your image. The TaskRun follows the steps defined in your build strategy until the build finishes or fails.

When you create a BuildRun, the build controller starts a new TaskRun. The BuildRun resource assigns the task of image construction to this TaskRun. The TaskRun then runs every step defined in your build strategy.

3.11. Build run cancellation
Copy link

To stop an active BuildRun resource, set the state field of the BuildRun resource to BuildRunCanceled. Canceling a BuildRun also cancels the underlying TaskRun resource.

The following example shows a canceled build run for a BuildRun resource: 

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  name: buildah-buildrun
spec:
  # [...]
  state: "BuildRunCanceled"

3.12. Automatic build run deletion
Copy link

Automatically manage the lifecycle of build runs by defining retention and TTL parameters.

Add the following retention parameters in the build or buildrun specification to automatically delete a build run:

  • buildrun TTL parameters: Ensures that build runs only exist for a defined duration of time after completion.

    • buildrun.spec.retention.ttlAfterFailed: The build run is deleted if the specified time has passed and the build run has failed.
    • buildrun.spec.retention.ttlAfterSucceeded: The build run is deleted if the specified time has passed and the build run has succeeded.

  • build TTL parameters: Ensures that build runs for a build only exist for a defined duration of time after completion.

    • build.spec.retention.ttlAfterFailed: The build run is deleted if the specified time has passed and the build run has failed for the build.
    • build.spec.retention.ttlAfterSucceeded: The build run is deleted if the specified time has passed and the build run has succeeded for the build.

  • build limit parameters: Ensures that only a limited number of succeeded or failed build runs can exist for a build.

    • build.spec.retention.succeededLimit: Defines the number of succeeded build runs that can exist for the build.
    • build.spec.retention.failedLimit: Defines the number of failed build runs that can exist for the build.

3.13. Pod configuration
Copy link

Configure pod scheduling and placement for Builds by using optional BuildRun Custom Resource (CR) fields.

Use the following fields to configure Builds pods:

  • spec.tolerations: Specifies pod tolerations. Note: Only the NoSchedule taint effect is supported.
  • spec.nodeSelector: Specifies the nodes where the pod must run.
  • spec.schedulerName: Specifies a custom scheduler for the pod.
Note

If you define these fields in both the Build and BuildRun CRs, the BuildRun values take priority.

Legal Notice
Copy link

Copyright © Red Hat

OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).

Modified versions must remove all Red Hat trademarks.

Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.

Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of the OpenJS Foundation.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top