Details
Type: Task
Resolution: Duplicate
Priority: Major
Description
TL;DR:
We will take 3 approaches to manifesting:
1) MW Prod Sec manifesting (already done for Camel K TP1; I will append CKC to these results)
2) MW KBF - need you to produce this; I'm here to help with any issues or questions
3) Container/Go manifesting with Cachito
#2
This is a mature tool developed by prod core but one that so far,
unfortunately, hasn't seen much use. Work is ongoing to integrate it
into PNC 2.0, so it will be available by default in the future;
for the time being, and as a stopgap, I'd ask whether this tool could
be used and the files it generates made available as part of a manual
step.
There are a number of ways to run KBF -
https://github.com/release-engineering/koji-build-finder
I've containerised it with minimal config for (hopefully) easier use.
---------------------------------------------------------------------
Pre steps (try skipping to step 4 first)
1) Login to
https://registry-console-default.cloud.registry.upshift.redhat.com
2) Scroll the bottom of the page and copy the "Log into the registry"
command
3) Log in like -
podman login -p UUUIDhunter29DeVkc -u unused docker-registry.upshift.redhat.com
4) Then run it
podman run --rm -v /tmp/kbf/:/home/jboss/kbfmnt/:z -it docker-registry.upshift.redhat.com/mw-ps/koji-build-finder:latest redhat-integration-1.0.0-camel-k-maven-repository.zip
This will generate a number of files -
builds.json - All the exploded artifacts and where they were built
checksums-md5.json - All the checksums for the exploded artifacts (you can
run kbf with -k if this is all you need; it's a lot quicker)
output.html - A simple report of the builds.json file
nvr.txt - The brew NVRs (unique build identifiers)
gav.txt - The maven GAVs found in the builds
KBF was aimed at distribution zips, though it will work on maven
repository zips. Obviously some products no longer deliver a
distribution/product zip and instead the Java content is dropped into a
container image; it's important we capture this information so we can be
specific about which container distributes what.
I have mine aliased for easy use -
kbf ()
{
    # Mount the current directory as the container's working directory and pass all arguments through to KBF
    podman run --rm -v "$PWD":/home/jboss/kbfmnt/:z -it \
        docker-registry.upshift.redhat.com/mw-ps/koji-build-finder:latest "$@"
}
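A wrapper around the step 4 run above, added here as an example (it is not the ticket's or koji-build-finder's own code): it copies the zip into the mounted directory, since the container only sees /home/jboss/kbfmnt/, runs the image named in step 4, and checks that all five output files came out non-empty before they are handed over. podman and the image name are assumed from the page; the function and variable names are mine.

```shell
#!/usr/bin/env bash
# Added example, not the ticket's or koji-build-finder's own code. Assumes
# podman and the mw-ps/koji-build-finder image from step 4; function names
# are mine.
set -euo pipefail

KBF_IMAGE="docker-registry.upshift.redhat.com/mw-ps/koji-build-finder:latest"
KBF_OUTPUTS="builds.json checksums-md5.json output.html nvr.txt gav.txt"

# Run KBF on a zip. The container only sees the mounted directory, so the zip
# is placed there first and KBF is given the bare file name, as in step 4.
# -it is dropped so the wrapper also works from cron/CI without a TTY.
kbf_run() {
    local zip="$1" workdir="${2:-/tmp/kbf}"
    mkdir -p "$workdir"
    [ -e "$workdir/$(basename "$zip")" ] || cp "$zip" "$workdir/"
    podman run --rm -v "$workdir:/home/jboss/kbfmnt/:z" \
        "$KBF_IMAGE" "$(basename "$zip")"
}

# Check that all five files listed above exist and are non-empty; return 1
# and name the missing ones so the manual hand-over step cannot skip one.
kbf_check_outputs() {
    local dir="$1" f missing=0
    for f in $KBF_OUTPUTS; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Count distinct brew NVRs and maven GAVs in a finished run: the figures
# ProdSec ends up tracking per product zip.
kbf_summary() {
    local dir="$1"
    printf 'nvrs=%s gavs=%s\n' \
        "$(sort -u "$dir/nvr.txt" | awk 'NF{n++} END{print n+0}')" \
        "$(sort -u "$dir/gav.txt" | awk 'NF{n++} END{print n+0}')"
}
```

Typical use is `kbf_run product.zip /tmp/kbf && kbf_check_outputs /tmp/kbf && kbf_summary /tmp/kbf`.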
#3
I had been giving advice to use retrodep, but this has now been deprecated in favour of Cachito, which does the same job from a ProdSec perspective: it will manifest the Go sources and make those manifests available to ProdSec via a git repo and a bot that updates whenever an image is rebuilt.
An example OSBS config would be the teiid-operator image -
image_build_method: imagebuilder
remote_source:
  repo: https://github.com/teiid/teiid-operator
  ref: 8cccdea963d810cf827b7e123fd17e95d0c57710
  pkg_managers:
  - gomod