Epic
Resolution: Unresolved
Major
Goal
We support building and pushing container images using buildah. This comes with a set of challenges: running containers in containers (which is what buildah does) can be relatively tricky, and it requires additional privileges for the buildah container that are not granted to pods by default. Therefore, some clusters do not allow image builds with buildah because of the security concerns that come with it.
This epic aims to explore different approaches for building images on OpenShift through Tekton Pipelines, where users can build their project without buildah and within the security constraints that apply to all pods by default.
Acceptance Criteria
- An "Image Build" Task exists that can build an image from a JAR file and push to Quay and internal registry
- The "Image Build" Task can run using the default service account and the restricted SCC
- An assessment exists on the requirements for supporting the "Image Build" Task as part of OpenShift Pipelines product (e.g. in the downstream Tekton catalog)