OpenShift Virtualization / CNV-79217

Reduce JCasC script approvals by using trusted shared library


    • Quality / Stability / Reliability
    • 0.42

      Description:
      We want to stop growing the Script Approval list in JCasC and keep casc.yaml.in maintainable. The current approvals list exists mainly because pipelines load the shared library via legacySCM (the job's own SCM), which Jenkins treats as untrusted code: it runs in the Groovy sandbox, and every non-whitelisted method call needs its own approval entry.

      Background:
      We still need the ability to test unmerged changes in contra/cnv (shared library changes) from Jenkins. That testing should happen using a trusted global library with an explicit branch override or a dedicated trusted dev library, instead of legacySCM.

      Plan (contra/cnv repo changes):
      1) Update global library config in casc.yaml.in to allow version overrides (allowVersionOverride: true) OR add a second trusted library entry for dev testing (e.g. cnv-qe-shared-lib-dev-lbednar pointing to fork/branch).
      2) Update Jenkinsfiles/Job DSL to use the global trusted library (e.g. @Library('cnv-qe-shared-lib@<branch>') _ or the dev library), and remove legacySCM(scm) usage.
      3) After migration, clear or minimize security.scriptApproval.approvedSignatures in casc.yaml.in, then verify that pipelines no longer request new approvals.
      4) Document the testing flow (how to point to a dev branch and revert to master).

      Steps to reproduce:
      1) Run a deployment pipeline that loads shared library via legacySCM (example: Jenkinsfile-cnv-4.21).
      2) Observe new entries added to Script Approval in Jenkins and reflected in casc.yaml.in.

      Expected result:
      Pipelines load the trusted shared library and generate no new script approvals; the approval list in casc.yaml.in stops growing.

      Actual result:
      Script approvals keep growing because library code is executed in the sandbox when loaded via legacySCM.

      Proposed docs/HowToTestChanges.md update (new testing flow):

      • Replace legacySCM-based testing with trusted global library testing.
      • Keep the local job generation workflow (tox -e jobdsl, create-dev-job.sh) to create a dev job that points to your fork/branch; this is still valid for testing Jenkinsfile/Job DSL changes.
      • For shared library changes:
        1) Ensure JCasC has a trusted global library with version override enabled or a dedicated dev library entry.
        2) In your testing branch, update Jenkinsfiles to load the trusted library (example: @Library('cnv-qe-shared-lib@<branch>') _ or @Library('cnv-qe-shared-lib-dev-<user>@<branch>') _).
        3) Run the dev job; no script approvals should be generated.
      • After testing, revert the Jenkinsfile library reference to master or the standard library name.
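      As an added example (not the ticket's own casc.yaml.in), the JCasC fragment that steps 1) and 3) of the plan and the testing flow above describe: a trusted global library with version override, the alternative dev library entry, and the emptied approvals list. Library names are taken from this ticket; repository URLs, credential ids and the fork's default branch are placeholders.

```yaml
# Added example, not the ticket's casc.yaml.in. Library names come from the
# ticket; remote URLs, credentialsId values and the fork branch are placeholders.
unclassified:
  globalLibraries:
    libraries:
      # Trusted global library: its code runs outside the Groovy sandbox, so
      # calls into Jenkins/JDK APIs need no scriptApproval entries.
      - name: "cnv-qe-shared-lib"
        defaultVersion: "master"
        # Lets a Jenkinsfile pick a branch: @Library('cnv-qe-shared-lib@<branch>') _
        # Every branch of this repo then runs as trusted code, so who can push
        # to contra/cnv is what actually bounds the trust.
        allowVersionOverride: true
        implicit: false
        includeInChangesets: false
        retriever:
          modernSCM:
            scm:
              git:
                remote: "https://PLACEHOLDER.example/contra/cnv.git"   # placeholder
                credentialsId: "PLACEHOLDER-git-credentials"            # placeholder
      # Alternative from step 1): a dedicated trusted dev entry pointing at a
      # fork. Anyone with push access to that fork runs trusted pipeline code.
      - name: "cnv-qe-shared-lib-dev-lbednar"
        defaultVersion: "main"   # placeholder branch on the fork
        allowVersionOverride: true
        implicit: false
        retriever:
          modernSCM:
            scm:
              git:
                remote: "https://PLACEHOLDER.example/lbednar/cnv.git"  # placeholder fork URL
                credentialsId: "PLACEHOLDER-git-credentials"            # placeholder

security:
  scriptApproval:
    # Step 3): once no Jenkinsfile loads the library via legacySCM(scm)
    # (sandboxed, untrusted), this list can be emptied. If it grows again,
    # some job still uses the legacySCM path.
    approvedSignatures: []
```

      A Jenkinsfile that still contains legacySCM(scm) will keep adding signatures here, which makes a non-empty approvedSignatures list after migration a useful check that the migration is incomplete.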

              dkeler@redhat.com Daniel Keler
              lbednar@redhat.com Lukas Bednar
              Daniel Keler Daniel Keler