
MGMT-22814: day 2 sync of clair vulnerability data (import execution in tekton) #28

Merged: maorfr merged 4 commits into main from sync-clair on Mar 8, 2026

Conversation

maorfr (Collaborator) commented Mar 5, 2026

part of https://issues.redhat.com/browse/MGMT-22814

related to https://github.com/gori-project/GoRI/issues/799

keep vulnerability export in LZ as part of bootstrap. in this PR we also add this to sync, which is an activity performed prior to content update, such as mirroring.

we are also adding a tekton pipeline to perform the vulnerability data import within the management cluster instead of as part of bootstrap. this is to enable multiple executions of this operation in case of failure.

the import operation is also more fragile, and removing it from the e2e bootstrap makes the initial bootstrap more resilient.

Summary by CodeRabbit

  • New Features
    • Added an automated Clair import workflow with status reporting and a 1-hour timeout.
    • Introduced RBAC-based Clair access for disconnected environments, replacing direct in-pod execution.
  • Chores
    • Updated deployment automation to create and wire the Clair import pipeline.
    • Added a sync step to run Clair-disconnected tasks during automated deployments.

@github-actions github-actions Bot added the operators Operator installation/config label Mar 5, 2026
coderabbitai Bot commented Mar 5, 2026


Walkthrough

Adds a Tekton-based Clair import workflow (ServiceAccount, Task, Pipeline), switches Quay operator disconnected flow to RBAC (Role/RoleBinding) instead of in-pod exec, registers the pipeline via an Ansible task, and invokes the new play from sync.sh.

Changes

  • Tekton Clair import manifest (operators/openshift-pipelines-operator-rh/clair_import_pipeline.yaml): Adds ServiceAccount clair-import, a Tekton Task (clair-import) that runs clairctl via the Clair pod and writes Task results exit-code and status-report, and a Pipeline (clair-import) that executes the Task with a 1-hour timeout.
  • Ansible task registration (operators/openshift-pipelines-operator-rh/tasks.yaml): Adds Ansible task "Create Clair Import Pipeline" that includes clair_import_pipeline.yaml.
  • Quay operator RBAC changes (operators/quay-operator/clair_disconnected.yaml): Removes prior get-pod / in-pod exec steps; adds Role clair-import (pods: get/list, pods/exec: create) in quay-enterprise and a RoleBinding binding the openshift-pipelines ServiceAccount clair-import to that Role.
  • Orchestration script (sync.sh): Inserts a block to run the clair-disconnected Ansible play (ansible-playbook --tags clair-disconnected) between Quay-disconnected and ACM ClusterImageSets, logging output and timestamps.

Sequence Diagram(s)

sequenceDiagram
    participant Sync as sync.sh
    participant Ansible as Ansible Playbook
    participant RBAC as Kubernetes RBAC
    participant Tekton as Tekton API
    participant Clair as Clair Pod

    Sync->>Ansible: run playbook --tags clair-disconnected
    Ansible->>RBAC: create Role & RoleBinding (clair-import)
    Ansible->>Tekton: apply ServiceAccount, Task, Pipeline
    Tekton->>Clair: schedule Task / exec clairctl (via pods/exec)
    Clair-->>Tekton: command output & exit code
    Tekton-->>Ansible: task/pipeline results
    Ansible-->>Sync: playbook completed

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • agonzalezrh
  • eurijon
Pre-merge checks: 3 passed

  • Description Check: Passed (check skipped; CodeRabbit's high-level summary is enabled)
  • Docstring Coverage: Passed (no functions found in the changed files to evaluate docstring coverage, so the check was skipped)
  • Title check: Passed (the title accurately describes the main change: adding a day-2 sync of Clair vulnerability data with import execution moved into Tekton pipelines, matching the file additions and objectives)


coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
operators/openshift-pipelines-operator-rh/tasks.yaml (1)

18-20: Consider gating Clair pipeline creation behind a feature/disconnected flag.

This include is unconditional; adding a when: guard (for the Clair-disconnected use case) would avoid provisioning unused pipeline assets in clusters that don’t need this flow.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@operators/openshift-pipelines-operator-rh/tasks.yaml` around lines 18 - 20,
The "Create Clair Import Pipeline" task currently includes
clair_import_pipeline.yaml unconditionally; add a conditional guard so the
include only runs when the pipeline should be provisioned, e.g. add a when:
clause to that task using variables like clair_pipeline_enabled and
clair_disconnected (example logic: when: (clair_pipeline_enabled |
default(false)) and not (clair_disconnected | default(false))), referencing the
task name "Create Clair Import Pipeline" and the include_tasks file
"clair_import_pipeline.yaml" so callers can toggle provisioning via those vars.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@operators/openshift-pipelines-operator-rh/clair_import_pipeline.yaml`:
- Around line 44-50: The step captures the `oc exec` exit code to
$(results.exit-code.path) but the shell then exits with 0, masking failures;
update the inline shell block that runs `oc exec` (where `clair_pod_name` is
computed and the commands download and run `/usr/bin/clairctl`) to capture the
command exit status (e.g., rc=$?) immediately after `oc exec`, write rc to
$(results.exit-code.path) and then `exit $rc` so the step process exits with the
same status; ensure the write to $(results.status-report.path) still occurs
before exiting and that the `exit $rc` happens inside the same quoted shell
fragment so Tekton receives the proper non-zero exit code when the import fails.
- Around line 62-70: The Pipeline defines task-level "results" under the
clair-import PipelineTask, which is invalid; move those result declarations to
the Pipeline's top-level spec.results and keep the references to the task
outputs where needed (use the task output syntax
$(tasks.clair-import.results.exit-code) and
$(tasks.clair-import.results.status-report)); specifically remove the results
block from the tasks entry for name "clair-import" and add corresponding entries
under spec.results with names "exit-code" and "status-report", then update any
downstream references to use $(tasks.clair-import.results.<name>) as needed.

In `@operators/quay-operator/clair_disconnected.yaml`:
- Around line 62-74: The Role definition for clair-import grants an invalid verb
"exec" on pods; update the Role named "clair-import" so the rule targets the
pods/exec subresource (resource "pods/exec") and uses the "create" verb instead
of "exec" so oc exec is authorized (leave other fields like apiVersion/namespace
unchanged).



📥 Commits

Reviewing files that changed from the base of the PR and between 997e4ce and 7f0c6cc.

📒 Files selected for processing (4)
  • operators/openshift-pipelines-operator-rh/clair_import_pipeline.yaml
  • operators/openshift-pipelines-operator-rh/tasks.yaml
  • operators/quay-operator/clair_disconnected.yaml
  • sync.sh
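As an added example (not the PR's own step script), here is a POSIX sh version of the exit-code handling the first inline comment asks for: capture the status right after the command, write both Task results, and return that status so Tekton marks the step failed. `mock_oc_exec` is a stand-in for the real `oc exec <clair_pod_name> -- /usr/bin/clairctl ...` call and `RESULTS_DIR` stands in for Tekton's `$(results.*.path)` files; both are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical Tekton step body (not from the PR) showing how to propagate
# the import command's exit status instead of always exiting 0.
# RESULTS_DIR replaces $(results.exit-code.path) / $(results.status-report.path).
RESULTS_DIR="${RESULTS_DIR:-$(mktemp -d)}"

# Stand-in for: oc exec "$clair_pod_name" -- /usr/bin/clairctl import ...
# The first argument is the exit status the simulated import should produce.
mock_oc_exec() {
  echo "clairctl import: simulated run"
  return "$1"
}

# run_clair_import <simulated-exit-status>
# Writes the exit-code and status-report result files and returns the real
# status of the import command, so a failed import fails the Tekton step.
run_clair_import() {
  mock_oc_exec "$1"
  rc=$?                                  # capture immediately after the command
  printf '%s' "$rc" > "$RESULTS_DIR/exit-code"
  if [ "$rc" -eq 0 ]; then
    printf 'clair import succeeded' > "$RESULTS_DIR/status-report"
  else
    printf 'clair import failed with exit code %s' "$rc" > "$RESULTS_DIR/status-report"
  fi
  return "$rc"                           # never fall through to exit 0
}
```

In a real Task the body of `run_clair_import` goes inside the step `script:`, with `exit "$rc"` as its last statement so the status is reported even when the step uses `set -e`.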

coderabbitai Bot left a comment

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@operators/quay-operator/clair_disconnected.yaml`:
- Around line 89-91: The Pipeline and Task in clair_import_pipeline.yaml are
missing serviceAccountName, causing RBAC failures with the clair-import
ServiceAccount bound in the RoleBinding; update the Pipeline spec and the Task
spec to include serviceAccountName: clair-import (or alternatively ensure every
PipelineRun invoking this Pipeline sets serviceAccountName: clair-import) so the
pipeline steps run with the clair-import ServiceAccount rather than the
namespace default.


📥 Commits

Reviewing files that changed from the base of the PR and between 7f0c6cc and 5aecaf5.

📒 Files selected for processing (2)
  • operators/openshift-pipelines-operator-rh/clair_import_pipeline.yaml
  • operators/quay-operator/clair_disconnected.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • operators/openshift-pipelines-operator-rh/clair_import_pipeline.yaml

maorfr force-pushed the sync-clair branch 2 times, most recently from 0ecc679 to 5a30d30, on March 6, 2026 15:09

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
operators/quay-operator/clair_disconnected.yaml (1)

79-95: Treat this binding as privileged.

This gives openshift-pipelines/clair-import exec access into quay-enterprise. Make sure only the day-2 automation can create or modify PipelineRuns/TaskRuns that use this service account, and audit that path if you don’t already; otherwise this becomes a broader cross-namespace shell path.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@operators/quay-operator/clair_disconnected.yaml` around lines 79 - 95, The
RoleBinding granting openshift-pipelines/clair-import access to quay-enterprise
(RoleBinding name clair-import, Role clair-import, ServiceAccount
openshift-pipelines/clair-import, target namespace quay-enterprise) must be
treated as privileged: mark the resource (e.g., add a metadata annotation like
security.kubernetes.io/privileged="true"), and lock down who can create/modify
PipelineRuns/TaskRuns that reference this ServiceAccount by restricting RBAC in
the openshift-pipelines namespace to only the day-2 automation principals (or a
dedicated Role/RoleBinding), and ensure audit logging/alerts are enabled for
creation/modification of PipelineRun/TaskRun objects that reference this SA.


📥 Commits

Reviewing files that changed from the base of the PR and between 5aecaf5 and 5a30d30.

📒 Files selected for processing (4)
  • operators/openshift-pipelines-operator-rh/clair_import_pipeline.yaml
  • operators/openshift-pipelines-operator-rh/tasks.yaml
  • operators/quay-operator/clair_disconnected.yaml
  • sync.sh
🚧 Files skipped from review as they are similar to previous changes (2)
  • sync.sh
  • operators/openshift-pipelines-operator-rh/clair_import_pipeline.yaml
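As an added example (not part of the PR), the following POSIX sh check follows the "treat this binding as privileged" comment from the defender's side: it scans Kubernetes API audit records for PipelineRun/TaskRun creations that reference the clair-import ServiceAccount and reports any principal outside an allowlist. The allowlist name and the audit lines are constructed for this example; it assumes the audit policy logs these resources at level Request or RequestResponse, since only then is `requestObject` present.

```shell
#!/bin/sh
# Added example: flag who creates runs that use the privileged clair-import SA.
# Assumes audit policy level Request/RequestResponse so requestObject is logged.

# Principals allowed to trigger the privileged pipeline (assumed name).
ALLOWED_PRINCIPALS="system:serviceaccount:openshift-pipelines:day2-automation"

# Constructed sample audit records, one JSON object per line.
SAMPLE_AUDIT='{"verb":"create","user":{"username":"system:serviceaccount:openshift-pipelines:day2-automation"},"objectRef":{"resource":"pipelineruns","namespace":"openshift-pipelines"},"requestObject":{"spec":{"taskRunTemplate":{"serviceAccountName":"clair-import"}}}}
{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"taskruns","namespace":"openshift-pipelines"},"requestObject":{"spec":{"serviceAccountName":"clair-import"}}}
{"verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pipelineruns","namespace":"openshift-pipelines"},"requestObject":{"spec":{"taskRunTemplate":{"serviceAccountName":"pipeline"}}}}
{"verb":"get","user":{"username":"carol"},"objectRef":{"resource":"pipelineruns","namespace":"openshift-pipelines"},"requestObject":{"spec":{"taskRunTemplate":{"serviceAccountName":"clair-import"}}}}'

# flag_privileged_runs < audit-lines
# Prints "<username> <resource>" for every create of a PipelineRun/TaskRun
# that references serviceAccountName clair-import by a non-allowlisted user.
flag_privileged_runs() {
  grep '"verb":"create"' \
  | grep -E '"resource":"(pipelineruns|taskruns)"' \
  | grep '"serviceAccountName":"clair-import"' \
  | while IFS= read -r line; do
      user=$(printf '%s' "$line" | sed 's/.*"username":"\([^"]*\)".*/\1/')
      res=$(printf '%s' "$line" | sed 's/.*"resource":"\([^"]*\)".*/\1/')
      case " $ALLOWED_PRINCIPALS " in
        *" $user "*) ;;                         # allow-listed day-2 automation
        *) printf '%s %s\n' "$user" "$res" ;;   # unexpected principal: investigate
      esac
    done
}
```

Run it against a real log with `flag_privileged_runs < /path/to/audit.log`; anything it prints is a principal who can obtain an exec session in quay-enterprise through this binding and should be expected by the day-2 automation design.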

@maorfr maorfr changed the title day 2 sync of clair vulnerability data (import execution in tekton) MGMT-22814: day 2 sync of clair vulnerability data (import execution in tekton) Mar 8, 2026
@maorfr maorfr merged commit 1b4db73 into main Mar 8, 2026
14 checks passed
@maorfr maorfr deleted the sync-clair branch March 8, 2026 13:46