  1. Red Hat Fuse
  2. ENTESB-14544

Camel K and CKC require a manifest generated by the KBF tool


Details

    • Task
    • Resolution: Duplicate
    • Major

    Description

      TL;DR:

      We will take 3 approaches to manifesting

      1) MW Prod Sec manifesting - ( Already done for Camel K TP1, I will append CKC to these results )

      2) MW KBF - Need you to produce this, here to help with any issues or
      questions

      3) Container/Go manifesting with Cachito

      #2
      This is a mature tool developed by prod core but one that so far,
      unfortunately, hasn't seen much use; work is ongoing to integrate this
      into PNC 2.0, so this is something that will be available by default in
      the future. However, for the time being and as a stop-gap solution, I'd
      ask if it's possible this tool could be used and the files it generates
      be made available as part of a manual step?

      There are a number of ways to run KBF -
      https://github.com/release-engineering/koji-build-finder

      I've containerised it with minimal config for (hopefully) easier use
      ---------------------------------------------------------------------

      Pre steps (try skipping to step 4 first)

      1) Login to
      https://registry-console-default.cloud.registry.upshift.redhat.com
      2) Scroll to the bottom of the page and copy the "Log into the registry"
      command
      3) Login like -

      podman login -p UUUIDhunter29DeVkc -u unused docker-registry.upshift.redhat.com
      

      4) Then run it

      podman run --rm -v /tmp/kbf/:/home/jboss/kbfmnt/:z -it \
          docker-registry.upshift.redhat.com/mw-ps/koji-build-finder:latest \
          redhat-integration-1.0.0-camel-k-maven-repository.zip
      

      This will generate a number of files -

      builds.json - All the exploded artifacts and from where they were built

      checksums-md5.json - All the checksums for exploded artifacts (you can
      use kbf with -k if this is all you need, it's a lot quicker)

      output.html - A simple report of the builds.json file

      nvr.txt - The brew NVRs (unique build identifier)

      gav.txt - The maven GAVs found in builds

      The KBF was aimed at distribution zips, though it will work on maven
      repository zips. Obviously some products do not deliver a
      distribution/product zip any more and instead the java content is
      dropped into a container image; it's important we capture this
      information to be specific about what container distributes what.

      I have mine aliased for easy use -

      # Wrapper: run KBF in the container against files in the current directory
      kbf ()
      {
          podman run --rm -v "$PWD":/home/jboss/kbfmnt/:z -it \
              docker-registry.upshift.redhat.com/mw-ps/koji-build-finder:latest "$@"
      }
      

      #3
      I had been giving advice to use retrodep, but this has now been deprecated in favour of Cachito, which does the same job from a ProdSec perspective: it will manifest the Go sources and make those manifests available to ProdSec via a git repo and a bot that updates whenever an image is rebuilt.

      An example OSBS config would be the teiid-operator image -

      image_build_method: imagebuilder
      remote_source:
        repo: https://github.com/teiid/teiid-operator
        ref: 8cccdea963d810cf827b7e123fd17e95d0c57710
        pkg_managers:
          - gomod
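
Added example, not part of the original ticket and not OSBS or Cachito code: a review-time check of the `remote_source` section shown above, assuming the config has already been parsed into a dict (for instance by a YAML loader). The function name and the rules it applies are assumptions of this example; the first sample is the teiid-operator config from the ticket, the second is constructed.

```python
import re
from urllib.parse import urlparse

# A full commit SHA pins the manifested sources; branch and tag names can move.
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def check_remote_source(config):
    """Return a list of findings for the remote_source section of a parsed config."""
    rs = config.get("remote_source")
    if not isinstance(rs, dict):
        return ["remote_source section is missing"]

    findings = []
    repo = str(rs.get("repo", ""))
    url = urlparse(repo)
    if url.scheme != "https" or not url.netloc:
        findings.append(f"repo {repo!r} is not an https URL")
    if url.username or url.password:
        findings.append("repo URL embeds credentials")

    ref = str(rs.get("ref", ""))
    if not FULL_SHA.fullmatch(ref):
        findings.append(f"ref {ref!r} is not a full 40-character commit SHA")

    # Assumption: this check is applied to Go images, so gomod is expected.
    if "gomod" not in (rs.get("pkg_managers") or []):
        findings.append("pkg_managers does not include gomod")
    return findings


# Config from the ticket (teiid-operator image).
PAGE_CONFIG = {
    "image_build_method": "imagebuilder",
    "remote_source": {
        "repo": "https://github.com/teiid/teiid-operator",
        "ref": "8cccdea963d810cf827b7e123fd17e95d0c57710",
        "pkg_managers": ["gomod"],
    },
}

# Constructed sample: plain http, credentials in the URL, mutable ref, no gomod.
CONSTRUCTED_BAD = {
    "remote_source": {
        "repo": "http://user:secret@git.example.com/operator.git",
        "ref": "master",
        "pkg_managers": [],
    },
}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("constructed", CONSTRUCTED_BAD)):
        print(name, check_remote_source(cfg) or "OK")
```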
      

          People

            Unassigned Unassigned
            jochrist@redhat.com Jonathan Christison