Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Hermetic Build #55

Open
wants to merge 6 commits into
base: konflux
Choose a base branch
from
Open

Enable Hermetic Build #55

wants to merge 6 commits into from

Conversation

Vincent056
Copy link

What type of PR is this?

/kind cleanup
/

What this PR does / why we need it:

This enables the hermetic Build on Konflux.

Which issue(s) this PR fixes:

None

Does this PR have test?

N/A.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

@openshift-ci openshift-ci bot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Jan 15, 2025
@openshift-ci openshift-ci bot requested a review from saschagrunert January 15, 2025 10:14
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 20, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 20, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert, Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed lgtm Indicates that a PR is ready to be merged. labels Jan 20, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 21, 2025

New changes are detected. LGTM label has been removed.

@Vincent056
Update rpm-lock file
38f18e4 
To update rpm-lock file base on latest dockerfile
@Vincent056
Update konflux file
8e13636
rhmdnd
rhmdnd reviewed Feb 5, 2025
View reviewed changes
Copy link

@rhmdnd rhmdnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm working on an alternative approach in the Compliance Operator that doesn't rely on a script to build the manifest data, which should eliminate the need to pre-fetch golang/python dependencies.

I'll share that back here once I have it working.

bundle-hack/update_csv.go
// replaceImages updates the operator/SELinuxD images.
func replaceImages(m map[string]interface{}) error {
const (
SPO_OPERATOR_IMAGE_PULLSPEC = "quay.io/redhat-user-workloads/ocp-isc-tenant/security-profiles-operator"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these will need to point to a registry.redhat.io reference for the bundle image to be something we can ship, right?

bundle-hack/update_csv.go
SPO_OPERATOR_IMAGE_PULLSPEC = "quay.io/redhat-user-workloads/ocp-isc-tenant/security-profiles-operator"
SPO_SELINUXD_IMAGE_PULLSPEC = "quay.io/redhat-user-workloads/ocp-isc-tenant/containers-selinux"
SPO_SELINUXD_EL9_IMAGE_PULLSPEC = "quay.io/redhat-user-workloads/ocp-isc-tenant/openshift-selinuxd-rhel9-container"
SPO_RBAC_PROXY_IMAGE_PULLSPEC = "registry.redhat.io/openshift4/ose-kube-rbac-proxy:latest"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also think these need to be image digests. Have we configured Konflux to bump the image references we need to build a bundle image with the correct references?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, these need to point to specific builds referenced by image digests.
Otherwise build nudging won't work.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grab any successful build in Konflux and add them here. They should be nudged to the latest when this PR gets merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuumasato yuumasato yuumasato left review comments

@rhmdnd rhmdnd rhmdnd left review comments

@saschagrunert saschagrunert saschagrunert approved these changes

Assignees

@saschagrunert saschagrunert

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Vincent056 @saschagrunert @yuumasato @rhmdnd