RELEASE BLOCKER(March 1, 2025): add fbc-fips-check task to FBC pipeline #51
Who should merge this?
All products building FBC fragments in Konflux are requested to merge this change irrespective of whether the product is intended for FIPS mode or not.
Beginning March 1, 2025, the fbc-fips-task is going to be a required task in the Konflux pipeline. This means your release will be blocked if this task is not present in your pipeline run.
What if our product is not designed to operate in FIPS mode? Do we still need this task?
The answer is yes. If your product is not designed to operate in FIPS mode, the task will identify that and will
automatically skip the FIPS scan. However, the task still needs to be a part of your pipeline.
What changes are included in this PR?
images-mirror-set.yaml to your .tekton directory with an example in it. This file is an ImageDigestMirrorSet required by the task to access any unreleased bundle image in your FBC fragment. For example, say your FBC fragment contains an unreleased bundle pullspec registry.redhat.io/my-namespace/my-repo which will be unavailable at build time on the prod registry. You can specify a mirror like quay.io/my-namespace/my-public-repo from where the task can access the unreleased image. Mirrors can be specified for bundle images and their related images.
What should we do after this PR is merged?
.tekton/images-mirror-set.yaml file with mirrors for those pullspecs so the task can access them during build time. Please keep the .tekton/images-mirror-set.yaml file updated to avoid delays in releases.
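
Added example, not code from this PR or from the Konflux task: a pre-merge check that lists which bundle and related-image pullspecs in an FBC fragment have no mirror in the ImageDigestMirrorSet. The function names, digests and the my-operand repository are constructed for illustration, and it assumes the usual ImageDigestMirrorSet matching (source repository prefix, digest references only); how the task itself applies the file is not shown on this page.

```python
# Added example: not part of the PR. MIRROR_SET stands for the parsed content of
# .tekton/images-mirror-set.yaml; FBC_BLOBS is a constructed FBC fragment.
# All digests below are constructed placeholders.
MIRROR_SET = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "ImageDigestMirrorSet",
    "spec": {"imageDigestMirrors": [
        {"source": "registry.redhat.io/my-namespace/my-repo",
         "mirrors": ["quay.io/my-namespace/my-public-repo"]},
    ]},
}
D1 = "sha256:" + "a" * 64
D2 = "sha256:" + "b" * 64
FBC_BLOBS = [
    {"schema": "olm.package", "name": "my-operator"},
    {"schema": "olm.bundle", "name": "my-operator.v1.0.0",
     "image": f"registry.redhat.io/my-namespace/my-repo@{D1}",
     "relatedImages": [
         {"name": "operand", "image": f"registry.redhat.io/my-namespace/my-operand@{D2}"},
         {"name": "tagged", "image": "registry.redhat.io/my-namespace/my-repo:v1"},
     ]},
]

def bundle_pullspecs(blobs):
    """Collect bundle images and their related images from olm.bundle blobs."""
    specs = []
    for blob in blobs:
        if blob.get("schema") != "olm.bundle":
            continue
        specs.append(blob["image"])
        specs.extend(r["image"] for r in blob.get("relatedImages", []) if r.get("image"))
    return list(dict.fromkeys(specs))  # de-duplicate, keep first-seen order

def mirror_candidates(pullspec, mirror_set):
    """Return the mirror pullspecs that apply to a digest reference, or []."""
    repo, sep, digest = pullspec.partition("@")
    if not sep:  # tag reference: digest mirrors never apply
        return []
    out = []
    for entry in mirror_set["spec"]["imageDigestMirrors"]:
        src = entry["source"]
        if repo == src or repo.startswith(src + "/"):  # match on a path boundary
            out += [m + repo[len(src):] + "@" + digest for m in entry.get("mirrors", [])]
    return out

def unmirrored(blobs, mirror_set):
    """Pullspecs in the fragment that no mirror entry covers."""
    return [p for p in bundle_pullspecs(blobs) if not mirror_candidates(p, mirror_set)]
```

With the constructed data, the operand image and the tag-based reference are reported as unmirrored; a pullspec on that list still resolves only if it is already available on the source registry.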