Red Hat Advanced Cluster Management / ACM-28458

[Konflux Announce] Make sure a correct name and cpe label is set on your images


    • Epic
    • Resolution: Unresolved
    • Major
    • ACM 2.16.0
    • Release Management
    • Product / Portfolio Work
    • In Progress
    • 24% To Do, 6% In Progress, 71% Done
    • Moderate

      Epic Goal

      Change to release policy for on-prem products (tracked in KONFLUX-6210). This change is needed to make sure that clair, ACS, and third-party scanners can correctly interpret Red Hat images.

      You need to ensure that your images explicitly set correct name and cpe labels. The name label must match the destination repository name (example: rhoso/openstack-netutils-rhel9) and the cpe must match the product's CPE (Common Platform Enumeration) identifier defined in the prodsec/ directory of the release engineering repo (example: cpe:/a:redhat:openstack:18.0::el9).

      Most products already comply with this and were updated earlier last year with pull requests from the Konflux team.

      You do not need to add the org.opencontainers.image.created label yourself. Recent updates to the buildah task should do it for you (#3019).

      In the next few days, you should expect to see merge requests appear in the konflux-release-data repo for your product ReleasePlanAdmissions (RPAs) adding a new enforceContainerFirstSecurityLabels field (example: !12369). When set to true, this field will block your releases if the wrong values are set.

      How do you check if your labels are right and it is safe to merge the RPA change? Look at one of your recent release pipeline runs and find the check-labels task, which was put into production on January 8th. Its logs will indicate if your images pass the check. If they do, then you can merge the change to your RPAs.

      We won't merge these without explicit approval from your team and we're of course ready to work with you to make these changes in a way that works with your plans and schedule. Please reach out to me off thread if you expect that you won't be able to get the correct labels on your images and set your RPA to enforcing mode before the end of January, 2026. We'll work through any issues together.

      Thank you-

      -Ralph
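As an added example (not code from this issue, the announcement, or the Konflux check-labels task), the following Python check applies the two label rules above to an image before its RPA is switched to enforcing. It assumes the labels come from the dict printed by `skopeo inspect` and that the caller supplies the destination repository (or full pull spec) and the product CPE from the prodsec/ directory; it also normalises pull specs and CPE URIs with trailing empty fields, which goes slightly beyond the examples in the text.

```python
"""Pre-merge check for the `name` and `cpe` image labels described in the announcement.
Added example, not code from the Jira issue or the Konflux check-labels task. Assumed
inputs: the dict printed by `skopeo inspect`, the destination repository (or full pull
spec) and the product CPE taken from the prodsec/ directory."""
import re
# CPE 2.2 URI: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
_CPE_URI = re.compile(r"^cpe:/([aho])(?::([^:]*)){1,6}$")
_CPE_FIELDS = ("vendor", "product", "version", "update", "edition", "language")

def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.2 URI into named components; missing trailing fields become ''."""
    if not _CPE_URI.match(cpe):
        raise ValueError(f"not a CPE 2.2 URI: {cpe!r}")
    values = cpe[len("cpe:/"):].split(":")            # [part, vendor, product, ...]
    values += [""] * (1 + len(_CPE_FIELDS) - len(values))
    return {"part": values[0], **dict(zip(_CPE_FIELDS, values[1:]))}

def repo_name(ref: str) -> str:
    """Reduce a pull spec to the repository name the `name` label must carry, e.g.
    registry.redhat.io/rhoso/openstack-netutils-rhel9:18.0 -> rhoso/openstack-netutils-rhel9"""
    ref = ref.split("@", 1)[0]                                     # drop @sha256:... digest
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]                                          # drop the registry host
    parts[-1] = parts[-1].split(":", 1)[0]                         # drop the :tag
    return "/".join(parts)

def check_labels(inspect_output: dict, destination: str, product_cpe: str) -> list:
    """Problems an enforcing RPA would reject the release for; an empty list means safe to merge."""
    labels = inspect_output.get("Labels") or {}
    problems = []
    expected_name = repo_name(destination)
    if labels.get("name") != expected_name:
        problems.append(f"name label {labels.get('name')!r} != destination repository {expected_name!r}")
    try:
        if "cpe" not in labels or parse_cpe(labels["cpe"]) != parse_cpe(product_cpe):
            problems.append(f"cpe label {labels.get('cpe')!r} != product CPE {product_cpe!r}")
    except ValueError as err:                                      # malformed CPE on either side
        problems.append(str(err))
    return problems

# Constructed sample in the shape `skopeo inspect` prints, using the announcement's example values.
SAMPLE = {"Name": "registry.redhat.io/rhoso/openstack-netutils-rhel9",
          "Labels": {"name": "rhoso/openstack-netutils-rhel9", "cpe": "cpe:/a:redhat:openstack:18.0::el9"}}

if __name__ == "__main__":
    print(check_labels(SAMPLE, "registry.redhat.io/rhoso/openstack-netutils-rhel9:18.0",
                       "cpe:/a:redhat:openstack:18.0::el9") or "labels OK")
```

Run it against `skopeo inspect docker://<image>` output for each image in the release to get the same verdict the check-labels task logs would show before merging the RPA change.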

      Why is this important?

      ...

      Scenarios

      ...

      Acceptance Criteria

      ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. ...

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Doc issue opened with a completed template. Separate doc issue opened for any deprecation, removal, or any current known issue/troubleshooting removal from the doc, if applicable.
      • Considerations were made for Extended Update Support (EUS)

      Assignee: Unassigned
      Reporter: Gus Parvin (gparvin-redhat)