add build expiry

api/v1alpha1/imagebuild_types.go

@@ -93,6 +93,13 @@ type ImageBuildSpec struct {
 	// OperatorConfig at request time to prevent TOCTOU races.
 	// +optional
 	TaskBundleRef string `json:"taskBundleRef,omitempty"`
+
+	// TTL is the time-to-live for this build. The build is automatically deleted
+	// after this duration past its completion (or creation if still in progress).
+	// Uses Go duration format (e.g. "24h", "72h", "168h").
+	// Empty uses the OperatorConfig default. Set to "0" to disable expiry.
+	// +optional
+	TTL string `json:"ttl,omitempty"`
 }
 
 // FlashSpec defines configuration for flashing images to hardware via Jumpstarter
@@ -256,6 +263,11 @@ type ImageBuildStatus struct {
 	// LeaseID is the Jumpstarter lease ID acquired during flash
 	// +optional
 	LeaseID string `json:"leaseId,omitempty"`
+
+	// ExpiresAt is when this build will be automatically deleted.
+	// Nil if expiry is disabled (TTL "0" or no-expire annotation).
+	// +optional
+	ExpiresAt *metav1.Time `json:"expiresAt,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -511,3 +523,8 @@ func (s *ImageBuildSpec) GetFlashLeaseName() string {
 	}
 	return ""
 }
+
+// GetTTL returns the per-build TTL string, or empty if not set
+func (s *ImageBuildSpec) GetTTL() string {
+	return s.TTL
+}

api/v1alpha1/operatorconfig_types.go

@@ -60,6 +60,12 @@ const (
 	// DefaultAutoPauseTimeoutMinutes is the default idle timeout in minutes before a workspace is auto-paused
 	DefaultAutoPauseTimeoutMinutes int32 = 30
 
+	// DefaultBuildTTL is the default time-to-live for builds (all phases, including in-progress).
+	DefaultBuildTTL = "24h"
+
+	// NoExpireAnnotation prevents automatic expiry when set to "true" on an ImageBuild
+	NoExpireAnnotation = "automotive.sdv.cloud.redhat.com/no-expire"
+
 	// BuildServiceAccountName is the dedicated SA used by build pods and token minting.
 	// Using a dedicated SA avoids collisions with the shared "pipeline" SA.
 	BuildServiceAccountName = "ado-build"
@@ -543,6 +549,19 @@ type OSBuildsConfig struct {
 	// Example: "quay.io/rh-sdv-cloud/automotive-dev-tekton-tasks:v0.1.0@sha256:abc123..."
 	// +optional
 	TaskBundleRef string `json:"taskBundleRef,omitempty"`
+
+	// DefaultBuildTTL is the default time-to-live for builds (all phases, including in-progress).
+	// Builds are automatically deleted after this duration. Uses Go duration format (e.g. "24h", "72h").
+	// Set to "0" to disable expiry by default.
+	// Default: "24h"
+	// +optional
+	DefaultBuildTTL string `json:"defaultBuildTTL,omitempty"`
+
+	// MaxBuildTTL is the maximum TTL that users can request for individual builds.
+	// Build requests specifying a TTL greater than this value are rejected.
+	// Set to "0" for no maximum. Uses Go duration format (e.g. "168h" for 1 week).
+	// +optional
+	MaxBuildTTL string `json:"maxBuildTTL,omitempty"`
 }
 
 // CertificateSourceRef references a Secret or ConfigMap that contains trusted CA certificates.
@@ -578,6 +597,22 @@ func (c *OSBuildsConfig) GetFlashTimeoutMinutes() int32 {
 	return DefaultFlashTimeoutMinutes
 }
 
+// GetDefaultBuildTTL returns the default build TTL string, falling back to the hardcoded default
+func (c *OSBuildsConfig) GetDefaultBuildTTL() string {
+	if c != nil && c.DefaultBuildTTL != "" {
+		return c.DefaultBuildTTL
+	}
+	return DefaultBuildTTL
+}
+
+// GetMaxBuildTTL returns the max build TTL string, or empty if no max is set
+func (c *OSBuildsConfig) GetMaxBuildTTL() string {
+	if c != nil {
+		return c.MaxBuildTTL
+	}
+	return ""
+}
+
 // GetUsePVCScratchVolumes returns whether to use PVC-backed scratch volumes (default: true)
 func (c *OSBuildsConfig) GetUsePVCScratchVolumes() bool {
 	if c.UsePVCScratchVolumes != nil {

cmd/caib/buildcmd/build.go

@@ -75,6 +75,7 @@ type Options struct {
 	InternalRegistryTag       *string
 
 	SecureBuild *bool
+	TTL         *string
 
 	InsecureSkipTLS *bool
 
@@ -451,6 +452,7 @@ func (h *Handler) RunBuild(cmd *cobra.Command, args []string) {
 		BuilderImage:           *h.opts.BuilderImage,
 		RebuildBuilder:         *h.opts.RebuildBuilder,
 		SecureBuild:            *h.opts.SecureBuild,
+		TTL:                    *h.opts.TTL,
 	}
 
 	if err := h.applyRegistryCredentialsToRequest(&req); err != nil {
@@ -563,6 +565,7 @@ func (h *Handler) RunDisk(cmd *cobra.Command, args []string) {
 		Compression:            *h.opts.CompressionAlgo,
 		ExportOCI:              *h.opts.ExportOCI,
 		SecureBuild:            *h.opts.SecureBuild,
+		TTL:                    *h.opts.TTL,
 	}
 
 	if err := h.applyRegistryCredentialsToRequest(&req); err != nil {
@@ -692,6 +695,7 @@ func (h *Handler) RunBuildDev(cmd *cobra.Command, args []string) {
 		Compression:            *h.opts.CompressionAlgo,
 		ExportOCI:              *h.opts.ExportOCI,
 		SecureBuild:            *h.opts.SecureBuild,
+		TTL:                    *h.opts.TTL,
 	}
 
 	if err := h.applyRegistryCredentialsToRequest(&req); err != nil {

cmd/caib/buildcmd/build_disk_test.go

@@ -46,6 +46,7 @@ func newTestDiskOpts() Options {
 		internalRegImageName string
 		internalRegTag       string
 		secureBuild          bool
+		buildTTL             string
 		insecureSkipTLS      bool
 	)
 	return Options{
@@ -83,6 +84,7 @@ func newTestDiskOpts() Options {
 		InternalRegistryImageName: &internalRegImageName,
 		InternalRegistryTag:       &internalRegTag,
 		SecureBuild:               &secureBuild,
+		TTL:                       &buildTTL,
 		InsecureSkipTLS:           &insecureSkipTLS,
 	}
 }

cmd/caib/image/image.go

@@ -70,6 +70,7 @@ type Options struct {
 	InternalRegistryTag       *string
 
 	SecureBuild *bool
+	TTL         *string
 
 	SealedBuilderImage      *string
 	SealedArchitecture      *string
@@ -160,6 +161,7 @@ func NewImageCmd(opts Options) *cobra.Command {
 	buildCmd.Flags().StringVar(opts.ExporterSelector, "exporter", "", "direct exporter selector for flash (alternative to --target lookup)")
 	// Secure build
 	buildCmd.Flags().BoolVar(opts.SecureBuild, "secure", false, "resolve tasks from signed Tekton Bundle (requires OperatorConfig taskBundleRef)")
+	buildCmd.Flags().StringVar(opts.TTL, "ttl", "", "time-to-live for the build (e.g. 24h, 72h, 168h); empty=server default, 0=no expiry")
 	// Internal registry options
 	buildCmd.Flags().BoolVar(opts.UseInternalRegistry, "internal-registry", false, "push to OpenShift internal registry")
 	buildCmd.Flags().StringVar(opts.InternalRegistryImageName, "image-name", "", "override image name for internal registry (default: build name)")
@@ -217,6 +219,7 @@ func NewImageCmd(opts Options) *cobra.Command {
 	diskCmd.Flags().StringVar(opts.ExporterSelector, "exporter", "", "direct exporter selector for flash (alternative to --target lookup)")
 	// Secure build
 	diskCmd.Flags().BoolVar(opts.SecureBuild, "secure", false, "resolve tasks from signed Tekton Bundle (requires OperatorConfig taskBundleRef)")
+	diskCmd.Flags().StringVar(opts.TTL, "ttl", "", "time-to-live for the build (e.g. 24h, 72h, 168h); empty=server default, 0=no expiry")
 	// Internal registry options
 	diskCmd.Flags().BoolVar(opts.UseInternalRegistry, "internal-registry", false, "push to OpenShift internal registry")
 	diskCmd.Flags().StringVar(opts.InternalRegistryImageName, "image-name", "", "override image name for internal registry (default: build name)")
@@ -261,6 +264,7 @@ func NewImageCmd(opts Options) *cobra.Command {
 	buildDevCmd.Flags().StringVar(opts.ExporterSelector, "exporter", "", "direct exporter selector for flash (alternative to --target lookup)")
 	// Secure build
 	buildDevCmd.Flags().BoolVar(opts.SecureBuild, "secure", false, "resolve tasks from signed Tekton Bundle (requires OperatorConfig taskBundleRef)")
+	buildDevCmd.Flags().StringVar(opts.TTL, "ttl", "", "time-to-live for the build (e.g. 24h, 72h, 168h); empty=server default, 0=no expiry")
 	// Internal registry options
 	buildDevCmd.Flags().BoolVar(opts.UseInternalRegistry, "internal-registry", false, "push to OpenShift internal registry")
 	buildDevCmd.Flags().StringVar(opts.InternalRegistryImageName, "image-name", "", "override image name for internal registry (default: build name)")

cmd/caib/main.go

@@ -62,6 +62,9 @@ var (
 	// Secure build
 	secureBuild bool
 
+	// Build TTL
+	buildTTL string
+
 	// TLS options
 	insecureSkipTLS bool
 

cmd/caib/runtime_wiring.go

@@ -55,6 +55,7 @@ type runtimeState struct {
 	InternalRegistryTag       *string
 
 	SecureBuild *bool
+	TTL         *string
 
 	InsecureSkipTLS *bool
 
@@ -115,6 +116,7 @@ func newRuntimeState() runtimeState {
 		InternalRegistryTag:       &internalRegistryTag,
 
 		SecureBuild: &secureBuild,
+		TTL:         &buildTTL,
 
 		InsecureSkipTLS: &insecureSkipTLS,
 
@@ -180,6 +182,7 @@ func (s runtimeState) newHandlers() handlerSet {
 			InternalRegistryImageName: s.InternalRegistryImageName,
 			InternalRegistryTag:       s.InternalRegistryTag,
 			SecureBuild:               s.SecureBuild,
+			TTL:                       s.TTL,
 			InsecureSkipTLS:           s.InsecureSkipTLS,
 			HandleError:               handleError,
 		}),
@@ -302,6 +305,7 @@ func (s runtimeState) imageOptions(h handlerSet) image.Options {
 		InternalRegistryTag:       s.InternalRegistryTag,
 
 		SecureBuild: s.SecureBuild,
+		TTL:         s.TTL,
 
 		SealedBuilderImage:      s.SealedBuilderImage,
 		SealedArchitecture:      s.SealedArchitecture,

config/crd/bases/automotive.sdv.cloud.redhat.com_imagebuilds.yaml

@@ -215,6 +215,13 @@ spec:
                   used for this build. Set automatically by the Build API from the
                   OperatorConfig at request time to prevent TOCTOU races.
                 type: string
+              ttl:
+                description: |-
+                  TTL is the time-to-live for this build. The build is automatically deleted
+                  after this duration past its completion (or creation if still in progress).
+                  Uses Go duration format (e.g. "24h", "72h", "168h").
+                  Empty uses the OperatorConfig default. Set to "0" to disable expiry.
+                type: string
               workspace:
                 description: |-
                   Workspace is the name of the Workspace CR this build belongs to.
@@ -296,6 +303,12 @@ spec:
                   - type
                   type: object
                 type: array
+              expiresAt:
+                description: |-
+                  ExpiresAt is when this build will be automatically deleted.
+                  Nil if expiry is disabled (TTL "0" or no-expire annotation).
+                format: date-time
+                type: string
               flashTaskRunName:
                 description: FlashTaskRunName is the name of the TaskRun for flashing
                   to hardware

config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml

@@ -722,6 +722,13 @@ spec:
                       Required for bootc builds to allow nested containers to pull builder images
                       Example: "default-route-openshift-image-registry.apps.mycluster.example.com"
                     type: string
+                  defaultBuildTTL:
+                    description: |-
+                      DefaultBuildTTL is the default time-to-live for builds (all phases, including in-progress).
+                      Builds are automatically deleted after this duration. Uses Go duration format (e.g. "24h", "72h").
+                      Set to "0" to disable expiry by default.
+                      Default: "24h"
+                    type: string
                   enabled:
                     default: true
                     description: Enabled determines if Tekton tasks for OS builds
@@ -733,6 +740,12 @@ spec:
                       Default: 240 (4 hours)
                     format: int32
                     type: integer
+                  maxBuildTTL:
+                    description: |-
+                      MaxBuildTTL is the maximum TTL that users can request for individual builds.
+                      Build requests specifying a TTL greater than this value are rejected.
+                      Set to "0" for no maximum. Uses Go duration format (e.g. "168h" for 1 week).
+                    type: string
                   memoryVolumeSize:
                     description: |-
                       MemoryVolumeSize specifies the size limit for memory-backed volumes

docs/openapi.yaml

@@ -170,6 +170,9 @@ components:
           type: array
           items:
             type: string
+        ttl:
+          type: string
+          description: 'Time-to-live for the build (e.g. "24h", "72h"). Empty uses server default, "0" disables expiry.'
     BuildResponse:
       type: object
       properties:
@@ -179,6 +182,10 @@ components:
           type: string
         message:
           type: string
+        expiresAt:
+          type: string
+          format: date-time
+          description: When the build will be automatically deleted (RFC 3339)
     BuildListItem:
       type: object
       properties:

internal/buildapi/openapi.yaml

@@ -218,6 +218,9 @@ components:
         internalRegistryTag:
           type: string
           description: Tag for internal registry image (default is build name)
+        ttl:
+          type: string
+          description: 'Time-to-live for the build (e.g. "24h", "72h"). Empty uses server default, "0" disables expiry.'
     BuildResponse:
       type: object
       properties:
@@ -230,6 +233,10 @@ components:
         requestedBy:
           type: string
           nullable: true
+        expiresAt:
+          type: string
+          format: date-time
+          description: When the build will be automatically deleted (RFC 3339)
     BuildListItem:
       type: object
       properties: