  1. Red Hat Fuse
  2. ENTESB-14544

Camel K and CKC require a manifest generated by KBF tool


    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:



      We will take 3 approaches to manifesting

      1) MW Prod Sec manifesting - ( Already done for Camel K TP1, I will append CKC to these results )

      2) MW KBF - Need you to produce this, here to help with any issues or

      3) Container/Go manifesting with Cachito

      This is a mature tool developed by prod core but one that so far,
      unfortunately, hasn't seen much use; work is ongoing to integrate this
      into PNC 2.0, so this is something that will be available by default in
      the future, however for the time being and as a stop gap solution I'd
      ask if it's possible this tool could be used and the files it generates
      be made available as part of a manual step?

      There are a number of ways to run KBF -

      I've containerised it with minimal config for (hopefully) easier use

      Pre steps (try skipping to step 4 first)

      1) Login to
      2) Scroll to the bottom of the page and copy the "Log into the registry"
      3) Login like -

      podman login -p UUUIDhunter29DeVkc -u unused

      4) Then run it

      podman run --rm -v /tmp/kbf/:/home/jboss/kbfmnt/:z -it

      This will generate a number of files -

      builds.json - All the exploded artifacts and from where they were built

      checksums-md5.json - All the checksums for exploded artifacts (you can
      use kbf with -k if this is all you need, it's a lot quicker)

      output.html - A simple report of the builds.json file

      nvr.txt - The brew NVRs (unique build identifier)

      gav.txt - The maven GAVs found in builds

      The KBF was aimed at distribution zips, though it will work on maven
      repository zips. Obviously some products do not deliver a
      distribution/product zip any more and instead the java content is
      dropped into a container image; it's important we capture this
      information to be specific about what container distributes what.

      I have mine aliased for easy use -

      # Run koji-build-finder in a container against the current directory
      kbf () {
          podman run --rm -v "$PWD":/home/jboss/kbfmnt/:z -it \
              docker-registry.upshift.redhat.com/mw-ps/koji-build-finder:latest "$@"
      }

      I had been giving advice to use retrodep, but this has now been deprecated in favour of Cachito, which does the same job from a ProdSec perspective: it will manifest the go sources and make those manifests available to ProdSec via a git repo and a bot that updates whenever an image is rebuilt

      An example OSBS config would be the teiid-operator image -

      image_build_method: imagebuilder
      remote_source:
          repo: https://github.com/teiid/teiid-operator
          ref: 8cccdea963d810cf827b7e123fd17e95d0c57710
          pkg_managers:
              - gomod

              • Assignee:
                jonnychristison Jonathan Christison