Seed new trusted task data #218
| # Konflux task catalogs for tasks not maintained in build-definitions | ||
| - pattern: oci://quay.io/konflux-ci/integration-service-catalog/task-* | ||
| - pattern: oci://quay.io/konflux-ci/konflux-vanguard/* |
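Review bot: The second pattern, `oci://quay.io/konflux-ci/konflux-vanguard/*`, ends in a bare wildcard, so it trusts every repository under that path, while the line above it limits matches to the `task-*` prefix. Consider narrowing it to the same kind of prefix, or listing the specific task repositories, so that anything else pushed under konflux-vanguard is not trusted by default.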
I don't think we should allow these, the intent is for all Konflux tasks to be in konflux-ci/tekton-catalog
I believe the integration and vanguard teams have corrected their release configuration.
> I believe the integration and vanguard teams have corrected their release configuration.

@dirgim @yftacherzog could you confirm?
Okay cool, if everything is in one place, I think it's a good thing.
Leaving this in draft until we can confirm all the tasks are now in the one tekton catalog.
Vanguard external task is under quay.io/konflux-ci/tekton-catalog.
Seems like the integration-service-catalog tasks are also consolidated into tekton-catalog also. I'll go ahead and simplify so we have just one tekton-catalog.
(This might impact users who are still using the other catalogs, so we should give some extra time for people to prepare.)
| # Found in quay.io/konflux-ci/ose-osc-tenant/data-acceptable-bundles | ||
| # (Probably should be moved out of here and placed in the appropriate | ||
| # ECP since I assume it's for one specific team.) | ||
| - oci://quay.io/konflux-ci/ose-osc-tenant/build-dm-verity-image-task |
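Review bot: The entry `oci://quay.io/konflux-ci/ose-osc-tenant/build-dm-verity-image-task` places a tenant-owned repository in shared trusted task data, and the comment directly above it already says it probably belongs in that team's ECP. Rather than landing it with a "probably should be moved" comment, drop it from this file and add it to the specific ECP, or replace the comment with a tracking reference for the move.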
> (Probably should be moved out of here and placed in the appropriate ECP since I assume it's for one specific team.)

+1
Cool, I'll take this out in next revision.
Found a bug in the policy code for matching git resolvers - conforma/policy#1743
We're still in the conforma/trusted-task-bundle branch for testing purposes only. This commit should not be in main branch ever. Should be thrown away eventually.
See also this announcement.

After some discussion today: We'd prefer it if this could be merged without it immediately cutting over to the new trusted task mechanism. Also this would make it easier to prepare the custom trusted task data needed for the teams who already have their own custom trusted tasks. conforma/policy#1758 is designed to enable that. Once that policy change is merged and deployed to production, it is safe to merge this PR ahead of the announced changeover schedule.
Add two new rule data files `data/trusted_task_rules.yaml` with an allow rule that trusts all tasks from the known Konflux task catalogs. Also add a `data/trusted_task_rules_deprecated.yaml` for some additional deprecated tasks that we want to allow for a little while longer.

The bash script was used to generate the deny rule data. It's not useful from here on, but I'm checking it so we can see how this data was generated. Also it might be adapted later into a script that can handle the ongoing maintenance of this file.

Ref: https://issues.redhat.com/browse/EC-1539

Assisted-by: Claude Code <noreply@anthropic.com>
We can merge this after 7/6
Note that merging this will immediately cause the new trusted task mechanism to go live for everyone. There will be an announcement email sent to let people know about the change. At this stage the plan is to merge it on ~~June 30~~ July 7, but we'll coordinate with @joejstuart for the final go ahead.

Update: Actually once conforma/policy#1758 reaches RH Konflux production, this can be merged more safely, but it will take some time for that change to be merged and promoted all the way to production via konflux-ci/release-service-catalog#2313, hence this remains in draft for a while longer.
To test this right now, do something like this in your ECP:
Ref: https://redhat.atlassian.net/browse/EC-1542