
RELEASE BLOCKER (March 1, 2025): add fbc-fips-check task to FBC pipeline #1163

Closed
yashvardhannanavati wants to merge 2 commits into netobserv:release-1.8 from yashvardhannanavati:add-fbc-fips-check-release-1.8

Conversation

@yashvardhannanavati
Contributor

Who should merge this?

All products building FBC fragments in Konflux are requested to merge this change irrespective of whether the product is intended for FIPS mode or not.

Beginning March 1, 2025, the fbc-fips-task is going to be a required task in the Konflux pipeline. This means your release will be blocked if this task is not present in your pipeline run.

What if our product is not designed to operate in FIPS mode? Do we still need this task?

The answer is yes. If your product is not designed to operate in FIPS mode, the task will identify that and will automatically skip the FIPS scan. However, the task still needs to be a part of your pipeline.

What changes are included in this PR?

  • This commit adds the fbc-fips-check task to your pipeline yaml.
  • It also adds a file named images-mirror-set.yaml to your .tekton directory with an example in it. This file is an ImageDigestMirrorSet required by the task to access any unreleased bundle image in your FBC fragment. For example, say your FBC fragment contains an unreleased bundle pullspec registry.redhat.io/my-namespace/my-repo which will be unavailable at build time on the prod registry. You can specify a mirror like quay.io/my-namespace/my-public-repo from where the task can access the unreleased image. Mirrors can be specified for bundle images and their related images.

What should we do after this PR is merged?

  • Your bundle image pullspec and relatedImages pullspec are examples of pullspecs that may not be valid at build time but will only be pullable after the release. We recommend updating the .tekton/images-mirror-set.yaml file with mirrors for those pullspecs so the task can access them during build time. Please keep the .tekton/images-mirror-set.yaml file updated to avoid delays in releases.
  • Add an ImagePullSecret for registry.redhat.io to your Konflux workspace. You can do this via Konflux UI.

This commit adds the fbc-fips-check to the FBC pipeline.
It also adds a template file named images-mirror-set.yaml which is required by
the FIPS task itself and will be used by other tasks in the future.

Signed-off-by: yashvardhannanavati <22090997+yashvardhannanavati@users.noreply.github.com>
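The PR description explains the ImageDigestMirrorSet in .tekton/images-mirror-set.yaml in words but the page does not show the file or how a pullspec is rewritten through it. The following is an added illustration, not code from the netobserv repository or from the Konflux fbc-fips-check task: it embeds a constructed mirror set matching the registry.redhat.io/my-namespace/my-repo to quay.io/my-namespace/my-public-repo example above, resolves a list of constructed bundle and relatedImages pullspecs through it, and lists the ones no mirror covers (the pullspecs that are only pullable after release). The matching rules (longest `source` prefix wins, only digest references are rewritten, the original source is still tried unless `mirrorSourcePolicy: NeverContactSource` is set) are those of OpenShift's ImageDigestMirrorSet and are assumed here; the digest and the `unmirrored` helper are mine.

```python
"""Resolve FBC pullspecs through an ImageDigestMirrorSet.

Added illustration; not code from the netobserv repository or from the
Konflux fbc-fips-check task. The mirror set below is constructed to match
the example in the PR description, and the digest is made up.
"""

# Constructed stand-in for .tekton/images-mirror-set.yaml, written as the
# parsed YAML document so the example runs without a YAML library.
# Schema: config.openshift.io/v1 ImageDigestMirrorSet.
MIRROR_SET = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "ImageDigestMirrorSet",
    "metadata": {"name": "images-mirror-set"},
    "spec": {
        "imageDigestMirrors": [
            {
                # The unreleased bundle from the PR description.
                "source": "registry.redhat.io/my-namespace/my-repo",
                "mirrors": ["quay.io/my-namespace/my-public-repo"],
            },
            {
                # Namespace-wide entry covering relatedImages under it.
                "source": "registry.redhat.io/my-namespace",
                "mirrors": ["quay.io/my-namespace"],
            },
        ]
    },
}

# Constructed digest; any 64-hex sha256 value works here.
DIGEST = "sha256:" + "0123456789abcdef" * 4


def split_ref(pullspec):
    """Split 'repo@sha256:...' into (repo, digest); tag refs give (repo, None)."""
    if "@" in pullspec:
        repo, digest = pullspec.split("@", 1)
        return repo, digest
    return pullspec, None


def candidate_pullspecs(pullspec, mirror_set=MIRROR_SET):
    """Return the pullspecs to try, mirrors first, then the original source.

    Assumed semantics (those of OpenShift's ImageDigestMirrorSet): the entry
    whose ``source`` is the longest prefix of the repository wins, only
    digest references are rewritten, and the original source is still tried
    unless ``mirrorSourcePolicy: NeverContactSource`` is set. How the Konflux
    task itself consumes the file is not shown on the page.
    """
    repo, digest = split_ref(pullspec)
    if digest is None:
        # Tag references are not covered by a *Digest* mirror set.
        return [pullspec]
    best = None
    for entry in mirror_set["spec"]["imageDigestMirrors"]:
        src = entry["source"]
        if (repo == src or repo.startswith(src + "/")) and (
            best is None or len(src) > len(best["source"])
        ):
            best = entry
    if best is None:
        return [pullspec]
    suffix = repo[len(best["source"]):]
    out = [f"{m}{suffix}@{digest}" for m in best["mirrors"]]
    if best.get("mirrorSourcePolicy", "AllowContactingSource") != "NeverContactSource":
        out.append(pullspec)
    return out


def unmirrored(pullspecs, mirror_set=MIRROR_SET):
    """Pullspecs that no mirror covers, i.e. the ones that only become
    pullable after release and so stall the task until the file is updated."""
    return [p for p in pullspecs if candidate_pullspecs(p, mirror_set)[0] == p]


if __name__ == "__main__":
    fragment_refs = [  # constructed sample of bundle + relatedImages pullspecs
        f"registry.redhat.io/my-namespace/my-repo@{DIGEST}",
        f"registry.redhat.io/my-namespace/my-related-image@{DIGEST}",
        f"registry.redhat.io/other-namespace/thing@{DIGEST}",
        "registry.redhat.io/my-namespace/my-repo:v1.8",
    ]
    for ref in fragment_refs:
        print(ref, "->", candidate_pullspecs(ref))
    print("needs a mirror:", unmirrored(fragment_refs))
```

Running `unmirrored` over the bundle and relatedImages pullspecs of a fragment before pushing is a cheap way to catch the "keep the file updated to avoid delays in releases" point from the description: a tag reference or a pullspec outside every `source` prefix comes back unchanged and will be fetched from registry.redhat.io, where an unreleased image does not exist yet.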
@openshift-ci

openshift-ci bot commented Feb 17, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kalmanmeth for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci bot commented Feb 17, 2025

Hi @yashvardhannanavati. Thanks for your PR.

I'm waiting for a netobserv member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jotak
Member

jotak commented Feb 18, 2025

Thanks @yashvardhannanavati for opening this PR
I added our mirroring config as a suggestion - cc @OlivierCazade

@codecov

codecov bot commented Feb 18, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 62.46%. Comparing base (6396aaa) to head (235304c).
Report is 7 commits behind head on release-1.8.

Additional details and impacted files
@@               Coverage Diff               @@
##           release-1.8    #1163      +/-   ##
===============================================
+ Coverage        62.40%   62.46%   +0.06%     
===============================================
  Files               77       77              
  Lines            11581    11581              
===============================================
+ Hits              7227     7234       +7     
+ Misses            3896     3889       -7     
  Partials           458      458              
Flag       Coverage Δ
unittests  62.46% <ø> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown.

see 2 files with indirect coverage changes

@OlivierCazade OlivierCazade added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Feb 18, 2025
@github-actions github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Feb 18, 2025
@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Feb 18, 2025
@github-actions

New images:

  • quay.io/netobserv/network-observability-operator:2de9abb
  • quay.io/netobserv/network-observability-operator-bundle:v0.0.0-2de9abb
  • quay.io/netobserv/network-observability-operator-catalog:v0.0.0-2de9abb

They will expire after two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:2de9abb make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-2de9abb

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-2de9abb
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@jotak
Member

jotak commented Feb 20, 2025

closing, it has been merged on the main branch instead: #1166

@jotak jotak closed this Feb 20, 2025
