Issue type: Story
Resolution: Unresolved
Priority: Major
As noted in RHIDP-7998, we need an exception to allow building the plugin images based on a centralized builder image.
The purpose of this image is to:
- reuse the same environment for all plugin exports (same nodejs version, yq, jq, etc.)
- save time & compute resources in Konflux by not having to rebuild the environment (builds now take 10-15 mins instead of >1hr)
- accelerate development by making it possible to churn out 80 builds in a few hours instead of several days with timeouts due to resource constraints / long queues
The base builder image (https://quay.io/rhdh/plugin-catalog-builder-rhel9) is created in Konflux with:
- https://gitlab.cee.redhat.com/rhidp/rhdh-plugin-catalog/-/blob/rhdh-1-rhel-9/build/containerfiles/builder.Containerfile
- https://gitlab.cee.redhat.com/rhidp/rhdh-plugin-catalog/-/blob/rhdh-1-rhel-9/.tekton/plugin-catalog-builder-1-push.yaml
I've spoken with rogue@redhat.com and rbean@redhat.com and they've agreed that since we need an exception for reg.stage usage as a base image, we can use the image in quay instead, as this saves a procedural step and is the same image anyway.
So we don't want to allow [reg.stage or quay.io] as a general-purpose source for base images, because then people can daisy-chain and copy content through to prod, bypassing Conforma indirectly.
In your case, we talked about it and it makes sense.
In the allowed_registry_prefixes rule data for your prod policy, we should allow that specific image and essentially document in-line what it's for.
------------
According to Konflux ECP violation:
✕ [Violation] base_image_registries.base_image_permitted
ImageRef: quay.io/rhdh/backstage-community-plugin-acr@sha256:53d01d4b38a2c756f93a83f17adcd870b312278809d10e571b7a3db29d0a69f5
Reason: Base image "quay.io/rhdh/plugin-catalog-builder-rhel9@sha256:8f45b4e4430f8a135813e7025fb8c2605bc9ba68d7b7518bead4629870851b50" is from a disallowed registry
Term: quay.io/rhdh/plugin-catalog-builder-rhel9
Title: Base image comes from permitted registry
Description: Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually. To exclude this rule add "base_image_registries.base_image_permitted:quay.io/rhdh/plugin-catalog-builder-rhel9" to the `exclude` section of the policy configuration.
Solution: Make sure the image used in each task comes from a trusted registry. The list of trusted registries is configurable: https://conforma.dev/docs/cli/configuration.html#_data_sources.
Therefore the new exception we need is:
- base_image_registries.base_image_permitted:quay.io/rhdh/plugin-catalog-builder-rhel9
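As an added illustration (not Conforma's own Rego and not code from the rhdh-plugin-catalog repo), the following Python models the allow-list check the violation describes, to show why the exception should be the single digest-pinned builder image rather than quay.io/ as a whole. The default prefix list and the two contrasting image refs are constructed, and treating a digest-pinned reference as a prefix assumes the base image is reported with its digest, as in the violation above.

```python
# Added illustrative model (not Conforma's Rego) of the
# base_image_registries.base_image_permitted check: a base image passes if
# its reference starts with any entry of allowed_registry_prefixes.

# Builder image digest copied from the violation quoted in the ticket.
BUILDER = ("quay.io/rhdh/plugin-catalog-builder-rhel9@sha256:"
           "8f45b4e4430f8a135813e7025fb8c2605bc9ba68d7b7518bead4629870851b50")
# Constructed refs for contrast (not from the ticket).
OTHER_QUAY = "quay.io/someone-else/unreviewed-base:latest"
UBI = "registry.access.redhat.com/ubi9/nodejs-20:latest"

# Constructed stand-in for the default allow-list (Red Hat registries only);
# check your policy's rule data for the real list.
DEFAULT_PREFIXES = ["registry.access.redhat.com/", "registry.redhat.io/"]
# Too broad: every quay.io image passes, the daisy-chain concern in the ticket.
BROAD_PREFIXES = DEFAULT_PREFIXES + ["quay.io/"]
# Narrow: only the builder image, pinned by digest, as the ticket proposes.
NARROW_PREFIXES = DEFAULT_PREFIXES + [BUILDER]

RULE = "base_image_registries.base_image_permitted"


def repo_of(ref):
    """Repository path without digest or tag; this is the 'Term' in ECP output."""
    repo = ref.split("@", 1)[0]
    colon = repo.rfind(":")
    return repo[:colon] if colon > repo.rfind("/") else repo


def permitted(ref, allowed_prefixes):
    """Model of the rule: prefix match against the full image reference."""
    return any(ref.startswith(prefix) for prefix in allowed_prefixes)


def violations(base_images, allowed_prefixes):
    """Return 'rule:term' strings (the form the ECP output says to put in the
    policy's exclude list) for every base image that is not permitted."""
    return [f"{RULE}:{repo_of(ref)}"
            for ref in base_images if not permitted(ref, allowed_prefixes)]


if __name__ == "__main__":
    images = [BUILDER, UBI, OTHER_QUAY]
    for name, prefixes in [("default", DEFAULT_PREFIXES),
                           ("broad", BROAD_PREFIXES),
                           ("narrow", NARROW_PREFIXES)]:
        print(name, violations(images, prefixes))
```

With the narrow list the builder image passes while the unreviewed quay.io image is still reported, which is the scoping the prod policy should keep.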
------------
Once this is in place, we can use the plugin-catalog-builder image as the base image when generating the pipelinerun code for the 80+ plugins: