feat(ISV-7320): add direct-sign-index-image task#2315
Conversation
|
It looks good in general, but not approving yet, until it's final. Also, a note on resources: From what I've seen, in many tasks, the memory had to be increased when switching to python. But maybe in this case it's ok - 1 GB is already a lot, so even if python adds some overhead, it shouldn't be that significant I'd say. |
|
The release service util is merged (konflux-ci/release-service-utils#823). Waiting for release-service-utils fix PR of a related task to be merged. I assume we want to reference the image that comes out of it in this task before merging, same as task #2301 that's also waiting for that image. |
New Tekton task for signing FBC index images via the container-signing pipeline. The task has similar functionality to old sign-index-image task, but it uses direct container signing instead of Radas/UMB solution. Also, it outsources all the existing core logic from bash to a new python util it invokes - direct_sign_index_image.py, passing all parameters as CLI arguments. - Passes signing params (pyxis-server, pipeline, pipeline-image, requester, batch-max-size, etc.) as CLI arguments to Python - Pyxis secret mounted at /etc/secrets, paths set via env vars - Includes Tekton integration test using Python mock pattern - Generated README from task YAML Assisted-by: Claude Opus 4.6 Signed-off-by: Jakub Durkac <jdurkac@redhat.com>
|
The release-service-utils fix PR was merged, the image was updated in the reference task #2301 and I've updated the image here to match it. Should be ready for final review / approval @mmalina. Thanks. |
REFERENCE PR ADDING A SIMILAR TASK (rh-direct-sign-image): #2301
Describe your changes
New Tekton task direct-sign-index-image for signing FBC index images via the container-signing pipeline. The task has similar functionality to old sign-index-image task, but it uses direct container signing instead of Radas/UMB solution. Also, it outsources all the existing core logic from bash to a new python util it invokes - direct_sign_index_image.py, passing all parameters as CLI arguments.
Assisted-by: Claude Opus 4.6
Relevant Jira
ISV-7320
Checklist before requesting a review
do not mergelabel if there's a dependency PRrelease-service-maintainershandle if you are unsure who to tagSigned-off-by: My name <email>.github/scripts/readme_generator.shand verified the results using.github/scripts/check_readme.shAssisted-By: Cursor