Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NO-JIRA: RELEASE BLOCKER(March 1, 2025): add fbc-fips-check task to FBC pipeline #230

Open
wants to merge 1 commit into
base: release-1.14
Choose a base branch
from
Open

NO-JIRA: RELEASE BLOCKER(March 1, 2025): add fbc-fips-check task to FBC pipeline #230

wants to merge 1 commit into from
+34 −0

Conversation

yashvardhannanavati
Copy link

Who should merge this?

All products building FBC fragments in Konflux are requested to merge this change irrespective of whether the product is intended for FIPS mode or not.

Beginning March 1, 2025, the fbc-fips-task is going to be a required task in the Konflux
pipeline. This means, your release will be blocked if this task is not present in your pipeline run.

What if our product is not designed to operate in FIPS mode? Do we still need this task?

The answer is yes. If your product is not designed to operate in FIPS mode, the task will identify that and will
automatically skip the FIPS scan. However, the task still needs to be a part of your pipeline.

What changes are included in this PR?

  • This commit adds the fbc-fips-check task to your pipeline yaml.
  • It also adds a file named images-mirror-set.yaml to your .tekton directory with an example in it. This file is an ImageDigestMirrorSet required by the task to access any unreleased bundle image in your FBC fragment. For example, say your FBC fragment contains an unreleased bundle pullspec registry.redhat.io/my-namespace/my-repo which will be unavailable at build time on the prod registry. You can specify a mirror like quay.io/my-namespace/my-public-repo from where the task can access the unreleased image. Mirrors can be specified for bundle images and their related images.

What should we do after this PR is merged?

  • Your bundle image pullspec and relatedImages pullspec are examples of pullspecs that may not be valid at build time but will only be pullable after the release. We recommend updating the .tekton/images-mirror-set.yaml file with mirrors for those pullspecs so the task can access them during build time. Please keep the .tekton/images-mirror-set.yaml file updated to avoid delays in releases.
  • Add an ImagePullSecret for registry.redhat.io to your Konflux workspace. You can do this via Konflux UI.

@yashvardhannanavati
feat(KONFLUX-4158): add fbc-fips-check task to FBC pipeline
ca89f52 
This commit adds the fbc-fips-check to the FBC pipeline.
It also adds a template file named images-mirror-set.yaml which is required by
the FIPS task itself and will be used by other tasks in the future.

Signed-off-by: yashvardhannanavati <[email protected]>
@bharath-b-rh
Copy link
Contributor

/ok-to-test
/retitle NO-JIRA: RELEASE BLOCKER(March 1, 2025): add fbc-fips-check task to FBC pipeline
/approve
/lgtm

@openshift-ci openshift-ci bot changed the title RELEASE BLOCKER(March 1, 2025): add fbc-fips-check task to FBC pipeline NO-JIRA: RELEASE BLOCKER(March 1, 2025): add fbc-fips-check task to FBC pipeline Feb 25, 2025
@openshift-ci openshift-ci bot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Feb 25, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 25, 2025
@openshift-ci-robot
Copy link

@yashvardhannanavati: This pull request explicitly references no jira issue.

In response to this:

Who should merge this?

All products building FBC fragments in Konflux are requested to merge this change irrespective of whether the product is intended for FIPS mode or not.

Beginning March 1, 2025, the fbc-fips-task is going to be a required task in the Konflux
pipeline. This means, your release will be blocked if this task is not present in your pipeline run.

What if our product is not designed to operate in FIPS mode? Do we still need this task?

The answer is yes. If your product is not designed to operate in FIPS mode, the task will identify that and will
automatically skip the FIPS scan. However, the task still needs to be a part of your pipeline.

What changes are included in this PR?

  • This commit adds the fbc-fips-check task to your pipeline yaml.
  • It also adds a file named images-mirror-set.yaml to your .tekton directory with an example in it. This file is an ImageDigestMirrorSet required by the task to access any unreleased bundle image in your FBC fragment. For example, say your FBC fragment contains an unreleased bundle pullspec registry.redhat.io/my-namespace/my-repo which will be unavailable at build time on the prod registry. You can specify a mirror like quay.io/my-namespace/my-public-repo from where the task can access the unreleased image. Mirrors can be specified for bundle images and their related images.

What should we do after this PR is merged?

  • Your bundle image pullspec and relatedImages pullspec are examples of pullspecs that may not be valid at build time but will only be pullable after the release. We recommend updating the .tekton/images-mirror-set.yaml file with mirrors for those pullspecs so the task can access them during build time. Please keep the .tekton/images-mirror-set.yaml file updated to avoid delays in releases.
  • Add an ImagePullSecret for registry.redhat.io to your Konflux workspace. You can do this via Konflux UI.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 25, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Feb 25, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh, yashvardhannanavati

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bharath-b-rh bharath-b-rh Awaiting requested review from bharath-b-rh

@TrilokGeer TrilokGeer Awaiting requested review from TrilokGeer

Assignees

@bharath-b-rh bharath-b-rh

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@yashvardhannanavati @bharath-b-rh @openshift-ci-robot