Red Hat Workload Availability / RHWA-182

RHWA non-FBC Components Private Visibility


    • Task
    • Resolution: Unresolved
    • rhwa

      Konflux has an ImageRepository object for each component/container, and this object has a visibility which is currently set to public:

      What does it mean?

      All images from build and push events are stored under the quay.io/redhat-user-workloads/rhwa-tenant repository, e.g., quay.io/redhat-user-workloads/rhwa-tenant/fence-agents-remediation/far-bundle-0-5 for FAR 0-5 build and push events. By making the ImageRepository private, we won't be able to pull the build and push images (without a secret from the cluster) or access them via the Quay UI.

      Right now, all the component repositories are public, so we and anyone can interact with them. We are not bound to make them private (for the non-FBC), but it eases the process of development with the small risk of someone being able to access these intermediate images. The image names are not well-known to the public.

      The ImageRepository must be public for the FBC components/containers; the reason is given in internal.slack.com/archives/C04PZ7H0VA8/p1748245855342979

      How to do that?

      Please do something similar to https://gitlab.cee.redhat.com/releng/konflux-release-data/-/merge_requests/6911 in case we add value by making the non-FBC components available

      Follow up

      If we want to manage our own access, we can change to push our images to our own quay org instead of the redhat-user-workloads org. If we do this, we will need to share a pull robot token with release engineers so that the release pipelines are able to publish your images.
      Without that functionality, some teams have chosen to release to the stage registry to enable common access to images.
      We can also create tenant release pipelines that can mirror content to your own organization if we would prefer that approach. https://konflux.pages.redhat.com/docs/users/releasing/tenant-release-pipelines.html
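
An added example, not part of the ticket or of Konflux itself: a small audit that checks ImageRepository objects against the policy discussed above (FBC components public, non-FBC components private). It assumes the visibility lives at `spec.image.visibility`, that the objects are in a namespace named `rhwa-tenant`, and that FBC components have `fbc` as a dash-separated part of their name; every component name other than `far-bundle-0-5` is constructed.

```python
import json

# Constructed sample, shaped like the output of
#   kubectl get imagerepository -n rhwa-tenant -o json
# (namespace name is an assumption). Only far-bundle-0-5 comes from the ticket.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "far-bundle-0-5"},
     "spec": {"image": {"visibility": "public"}}},
    {"metadata": {"name": "example-operator-0-5"},
     "spec": {"image": {"visibility": "private"}}},
    {"metadata": {"name": "example-fbc-4-18"},
     "spec": {"image": {"visibility": "private"}}},
    {"metadata": {"name": "example-must-gather"},
     "spec": {"image": {}}},
]})


def is_fbc(name):
    # Hypothetical naming convention: "fbc" is one dash-separated token.
    return "fbc" in name.lower().split("-")


def audit(raw):
    """Return (name, actual, expected) for every object that breaks the policy."""
    findings = []
    for item in json.loads(raw).get("items", []):
        name = item["metadata"]["name"]
        actual = item.get("spec", {}).get("image", {}).get("visibility")
        expected = "public" if is_fbc(name) else "private"
        if actual is None:
            # Do not guess the controller default; flag for manual review.
            findings.append((name, "unset", expected))
        elif actual != expected:
            findings.append((name, actual, expected))
    return findings


if __name__ == "__main__":
    for name, actual, expected in audit(SAMPLE):
        print(f"{name}: visibility={actual}, expected {expected}")
```

A private FBC repository is reported as well, since the ticket states that FBC ImageRepositories must stay public.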

              Unassigned
              Or Raz (oraz@redhat.com)