rh-ecosystem-edge · openshift-merge-bot · Apr 3, 2025 · Mar 20, 2025 · Mar 20, 2025 · Mar 20, 2025
diff --git a/.konflux/Dockerfile b/.konflux/Dockerfile
@@ -1,35 +1,22 @@
+# See README.Konflux.md before editing this Dockerfile
+
 # build stage
 FROM registry.redhat.io/rhel9-4-els/rhel:9.4-1044 AS build-image
 WORKDIR app
 COPY . .
 
-RUN subscription-manager register --org $(cat "/activation-key/org") --activationkey $(cat "/activation-key/activationkey") \
-    && subscription-manager refresh \
-    && subscription-manager repos --disable=* \
-    --enable=rhel-9-for-x86_64-baseos-rpms \
-    --enable=rhel-9-for-x86_64-appstream-rpms \
-    --enable=codeready-builder-for-rhel-9-x86_64-rpms
-
 RUN PKGS="rust-toolset protobuf-compiler" \
     && dnf install -y $PKGS \
-    && dnf clean all \
-    && subscription-manager unregister
+    && dnf clean all
 
 RUN cargo build --release --bin recert
 
 # runtime stage
 FROM registry.redhat.io/rhel9-4-els/rhel-minimal:9.4-149 AS runtime-image
 
-RUN microdnf install -y 'subscription-manager' \
-    && subscription-manager register --org $(cat "/activation-key/org") --activationkey $(cat "/activation-key/activationkey") \
-    && subscription-manager refresh \
-    && subscription-manager repos --disable=* \
-    --enable=rhel-9-for-x86_64-baseos-rpms
-
 RUN PKGS="openssh-clients" \
     && microdnf install -y $PKGS \
-    && microdnf clean all \
-    && subscription-manager unregister
+    && microdnf clean all
 
 WORKDIR app
 COPY --from=build-image /app/target/release/recert /usr/local/bin

diff --git a/.konflux/README.Konflux.md b/.konflux/README.Konflux.md
@@ -0,0 +1,49 @@
+# RPM lock files in Konflux
+
+## Overview
+When installing external software via RPMs in Konflux builds, we need to integrate a RPM lock file management in our workflow: the primary goal is to ensure that hermetic builds ,required by Konflux Conforma, can pre-fetch RPM dependencies before building the Docker image. A hermetic build without lock files, relying on dynamic downloads exclusively, would fail due to no internet access otherwise.
+
+More information about the hermetic builds in the [Konflux Hermetic Builds FAQ](https://konflux.pages.redhat.com/docs/users/faq/hermetic.html)
+
+## RPM lock file management
+
+### Generate a rpm lock file
+
+We will be using a generator named `rpm-lock-file-prototype` according to the directions provided by that project in the [rpm-lockfile-prototype README](https://github.com/konflux-ci/rpm-lockfile-prototype?tab=readme-ov-file#installation) to generate the `rpms.lock.yaml`.
+
+The recert image has a build stage and final runtime stage which requires different rpms to be installed.To that end, we have encapsulated the `rpms.in.yaml` and the resolved `rpms.lock.yaml` under two specific dirs which correspond to the specific stage: `lock-build` and `lock-runtime`.
+
+The `rpms.lock.yaml` has been generated from the input provided by `rpms.in.yaml`: this file must be manually created from scratch by Konflux developers with the following fields:
+
+1. `repofiles`: the .repo file extracted from the runtime base image for recert (a `redhat.repo` file from rhel9 so far)
+2. `packages`: the rpms we depend on
+3. `arches`: the supported architectures for building
+4. `Containerfile`: the Containerfile used to build the recert image.
+
+### Introduce rpms based on new subscriptions
+
+A subscription-manager/activation-key config has been carried out to fetch RPMs.See how to activate subscriptions in the   [Konflux activation key doc](https://konflux.pages.redhat.com/docs/users/how-tos/configuring/activation-keys-subscription.html#_configuring_an_rpm_lockfile_for_hermetic_builds).
+
+### Configure the .tekton yaml files
+
+The push/pull tekton yaml files in `.tekton` have been configured to setup a hermetic build workflow according to the [Konflux prefetch doc](https://konflux.pages.redhat.com/docs/users/how-tos/configuring/prefetching-dependencies.html#_procedure)
+
+1. Enable hermetic builds
+```yaml
+   - name: hermetic
+     value: "true"
+```
+2. Enable rpm pre-fetch per stage, configuring two directories 
+```yaml
+   - name: prefetch-input
+     value: '[{"type": "rpm", "path": ".konflux/lock-build"}, {"type": "rpm", "path": ".konflux/lock-runtime"}]'
+```
+
+3. Enable dev package managers
+```yaml
+   - name: dev-package-managers
+     value: "true"
+```
+
+### Update  rpms
+Konflux provides a mechanism (Mintmaker) to automatically file PRs to update RPM versions and generate the updated lockfile. At time of writing, this is limited to a `rpm.locks.yaml` file present in the project root.