ROX-24283: enable strictfipsruntime in Konflux builds #12909
Skipping CI for Draft Pull Request.

Images are ready for the commit at 5bb384c. To use with deploy scripts, first

Images are ready for the commit at f786eec. To use with deploy scripts, first

Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #12909 +/- ##
=======================================
Coverage 48.88% 48.88%
=======================================
Files 2496 2496
Lines 180746 180746
=======================================
+ Hits 88355 88359 +4
+ Misses 85374 85370 -4
Partials 7017 7017

/ok-to-test
It doesn't need this, I was adding it as an unneeded ack or approval for testing this.

/test ?

@davdhacs: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use

/test ocp-4-17-fips-qa-e2e-tests

/test ocp-4-17-fips-qa-e2e-tests

/test ocp-4-17-fips-qa-e2e-tests ocp-4-17-qa-e2e-tests

f786eec to 5137c9e

tommartensen left a comment
Added the konflux-build label and an empty commit to trigger Konflux pipelines.
I am Requesting Changes to avoid this PR being merged without green Konflux builds.

porridge left a comment
No issues from myself apart from missing . at the end of sentences in comments.

Sorry @porridge, I just misclicked and re-requested a review from you instead of Misha

116ad4f to 0bb5541

Hi y'all! Apologies for the delay. Could you give another round of reviews? I'm also not entirely sure what's going on with Konflux. Any pointers on how to resolve those errors?

msugakov left a comment
Please don't forget the label #12909 (comment)
+1 It is not required to have this on 4.6.x, but it will be nice to have it so that we get an alternative/preview of the konflux fips check (although it looks like the konflux fips check is not available yet: tasks like the operator check are added but not visible in the catalog afaict: konflux-ci/build-definitions#1681)

davdhacs left a comment
+1
I did not find konflux built images for this (to verify the tags on the binaries), but when the konflux builds work I expect this to apply like it did before.
I am going to leave the validation of the Konflux images up to you.
ty for the ref. I'll try it. And np, I want to finish making a github-action so we can run and share the results easily (#13765 -- I veered into having it check across multiple versions in that PR. I intend to restore a simple action we can run ad-hoc on an image).

A run of check-payload directly on the main image passes (and shows no warning that the strictfipsruntime tag is missing): https://github.com/stackrox/stackrox/actions/runs/12939946035/job/36093214095#step:11:1

0bb5541 to 5bb384c

Rebasing + resolving conflicts. Enabled auto-merge.

Description
Enables the strictfipsruntime build flag for Konflux builds.
For more info about the strictfipsruntime flag, see this doc (there might be a better resource but this is the one David and I found), and for our general research regarding the linked ticket, see this doc.
Related scanner v2 PR: stackrox/scanner#1709
User-facing documentation
Testing and quality
How I validated my change
Verified the build works via Konflux CI and verified the check-payload results of the following images:
quay.io/rhacs-eng/main:4.7.x-121-gfd7fbe926b-fast
quay.io/rhacs-eng/scanner-v4:4.7.x-121-gfd7fbe926b-fast
quay.io/rhacs-eng/roxctl:4.7.x-121-gfd7fbe926b-fast
quay.io/rhacs-eng/stackrox-operator:4.7.0-121-gfd7fbe926b-fast
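
The review thread above mentions verifying the tags on the built binaries; one way to do that is to read the build settings Go embeds in each binary. This is an added example, not code from this PR, the stackrox repository or check-payload. It assumes the flag is recorded under the "-tags" or "GOEXPERIMENT" build setting; the function names and sample values are hypothetical and constructed.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// Constructed build settings, shaped like the "build" lines of `go version -m`.
var (
	sampleTagged   = []debug.BuildSetting{{Key: "-tags", Value: "netgo,strictfipsruntime"}, {Key: "CGO_ENABLED", Value: "1"}}
	sampleUntagged = []debug.BuildSetting{{Key: "-tags", Value: "netgo"}, {Key: "CGO_ENABLED", Value: "1"}}
)

// hasBuildFlag reports whether name is a whole comma-separated entry of the
// "-tags" or "GOEXPERIMENT" setting (assumed location of the flag).
func hasBuildFlag(settings []debug.BuildSetting, name string) bool {
	for _, s := range settings {
		if s.Key != "-tags" && s.Key != "GOEXPERIMENT" {
			continue
		}
		for _, v := range strings.Split(s.Value, ",") {
			if strings.TrimSpace(v) == name {
				return true
			}
		}
	}
	return false
}

// checkBinary reads the build info embedded in the Go binary at path.
func checkBinary(path, name string) (bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return false, fmt.Errorf("%s: %w", path, err)
	}
	return hasBuildFlag(info.Settings, name), nil
}

func main() {
	fmt.Println("constructed tagged sample:", hasBuildFlag(sampleTagged, "strictfipsruntime"))
	fmt.Println("constructed untagged sample:", hasBuildFlag(sampleUntagged, "strictfipsruntime"))
	for _, path := range os.Args[1:] { // binaries extracted from an image
		ok, err := checkBinary(path, "strictfipsruntime")
		fmt.Printf("%s: flag=%v err=%v\n", path, ok, err)
	}
}
```

Pass the paths of binaries copied out of an image as arguments; a file that is not a Go binary is reported as an error rather than as a missing flag.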