  1. Red Hat Fuse
  2. ENTESB-14544

Camel K and CKC requires a manifest generated by KBF tool

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

      TL;DR:

      We will take 3 approaches to manifesting

      1) MW Prod Sec manifesting (already done for Camel K TP1; I will append CKC to these results)

      2) MW KBF - need you to produce this; I am here to help with any issues or questions

      3) Container/Go manifesting with Cachito

      #2
      This is a mature tool developed by prod core but one that so far, unfortunately, hasn't seen much use. Work is ongoing to integrate it into PNC 2.0, so it will be available by default in the future; for the time being, and as a stop-gap solution, I'd ask if it's possible that this tool could be used and the files it generates be made available as part of a manual step.

      There are a number of ways to run KBF -
      https://github.com/release-engineering/koji-build-finder

      I've containerised it with minimal config for (hopefully) easier use
      ---------------------------------------------------------------------

      Pre steps (try skipping to step 4 first)

      1) Log in to
      https://registry-console-default.cloud.registry.upshift.redhat.com
      2) Scroll to the bottom of the page and copy the "Log into the registry"
      command
      3) Log in like -

      podman login -p UUUIDhunter29DeVkc -u unused docker-registry.upshift.redhat.com
      

      4) Then run it (the zip is expected under the mounted directory, /tmp/kbf/ here)

      podman run --rm -v /tmp/kbf/:/home/jboss/kbfmnt/:z -it docker-registry.upshift.redhat.com/mw-ps/koji-build-finder:latest redhat-integration-1.0.0-camel-k-maven-repository.zip
      

      This will generate a number of files -

      builds.json - All the exploded artifacts and where they were built

      checksums-md5.json - All the checksums for exploded artifacts (you can
      use kbf with -k if this is all you need; it's a lot quicker)

      output.html - A simple report of the builds.json file

      nvr.txt - The brew NVRs (unique build identifiers)

      gav.txt - The maven GAVs found in builds

      KBF was aimed at distribution zips, though it will work on maven
      repository zips. Some products no longer deliver a distribution/product
      zip and instead the java content is dropped into a container image; it is
      important we capture this information so we can be specific about which
      container distributes what.
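The two lightweight outputs above (per-artifact checksums and the GAV list) can be reproduced for a maven repository zip with a short script. The following is an added example, not KBF's own code: it walks a constructed in-memory zip in standard Maven repository layout, hashes every exploded file (md5 to match checksums-md5.json, sha256 as a stronger companion), and derives groupId:artifactId:version from the path. The sample file names, the `maven-repository/` top-level directory and the output shape are assumptions for the example; KBF's real builds.json and checksums-md5.json formats are not reproduced here.

```python
import hashlib
import io
import json
import zipfile

# Constructed sample input: a tiny Maven repository zip with two artifacts and
# one non-artifact file. Stand-in data for the example, not a real product zip.
SAMPLE_FILES = {
    "maven-repository/org/example/lib/1.0.0/lib-1.0.0.jar": b"jar-bytes-one",
    "maven-repository/org/example/lib/1.0.0/lib-1.0.0.pom": b"<project/>",
    "maven-repository/com/acme/tool/2.3.1.redhat-00001/"
    "tool-2.3.1.redhat-00001.jar": b"jar-bytes-two",
    "maven-repository/README.txt": b"not an artifact",
}

# Assumed top-level directory inside the zip (matches the constructed sample).
ROOT_PREFIX = "maven-repository/"
ARTIFACT_EXTENSIONS = (".jar", ".pom", ".war", ".ear", ".zip")


def build_sample_zip():
    """Pack SAMPLE_FILES into zip bytes so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_FILES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def gav_from_path(path):
    """Derive groupId:artifactId:version from a Maven repository layout path.

    Layout: <group/with/slashes>/<artifactId>/<version>/<artifactId>-<version>...
    Returns None for entries that do not follow the layout (README, metadata).
    """
    if path.startswith(ROOT_PREFIX):
        path = path[len(ROOT_PREFIX):]
    parts = path.split("/")
    if len(parts) < 4 or not parts[-1].endswith(ARTIFACT_EXTENSIONS):
        return None
    filename, version, artifact_id = parts[-1], parts[-2], parts[-3]
    # A real artifact file name starts with "<artifactId>-<version>".
    if not filename.startswith(f"{artifact_id}-{version}"):
        return None
    group_id = ".".join(parts[:-3])
    return f"{group_id}:{artifact_id}:{version}"


def manifest_zip(zip_bytes):
    """Return (checksums, gavs) for every file exploded from the zip.

    checksums maps entry path -> {"md5": ..., "sha256": ...};
    gavs is the sorted, de-duplicated list of Maven coordinates found.
    """
    checksums = {}
    gavs = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            checksums[info.filename] = {
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
            gav = gav_from_path(info.filename)
            if gav:
                gavs.add(gav)
    return checksums, sorted(gavs)


if __name__ == "__main__":
    sums, coords = manifest_zip(build_sample_zip())
    print(json.dumps(sums, indent=2))  # checksum map, one entry per exploded file
    print("\n".join(coords))           # GAV list, one coordinate per line
```

Run it against a real repository zip by replacing `build_sample_zip()` with the zip's bytes; the GAV derivation relies only on the standard repository layout, so it works for any Maven repository zip, while build provenance (the brew NVRs in nvr.txt) still needs the koji lookup that KBF performs.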

      I have mine aliased for easy use -

      # Runs KBF from the container, mounting the current directory as the work
      # directory and passing all arguments (e.g. the zip name, or -k) through.
      kbf ()
      {
          podman run --rm -v "$PWD":/home/jboss/kbfmnt/:z -it \
              docker-registry.upshift.redhat.com/mw-ps/koji-build-finder:latest "$@"
      }
      

      #3
      I had been giving advice to use retrodep, but this has now been deprecated in favour of Cachito, which does the same job from a ProdSec perspective: it will manifest the Go sources and make those manifests available to ProdSec via a git repo and a bot that updates whenever an image is rebuilt.

      An example OSBS config would be the teiid-operator image -

      image_build_method: imagebuilder
      remote_source:
          repo: https://github.com/teiid/teiid-operator
          ref: 8cccdea963d810cf827b7e123fd17e95d0c57710
          pkg_managers:
              - gomod


              People

              • Assignee: Unassigned
              • Reporter: jonnychristison Jonathan Christison