ROX-24276: Enable release builds on Konflux with GOTAGS by tommartensen · Pull Request #13348 · stackrox/stackrox

tommartensen · 2024-11-15T12:04:05Z

Description

Enabling the release builds for Konflux builds.

User-facing documentation

CHANGELOG update is not needed
documentation PR is not needed

Testing and quality

the change is production ready: the change is GA or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

No new tests are required.

How I validated my change

#13348 (comment)

openshift-ci · 2024-11-15T12:04:09Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

rhacs-bot · 2024-11-15T12:37:26Z

Images are ready for the commit at b5a19bd.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.7.x-126-gb5a19bd2c5.

codecov · 2024-11-15T13:07:05Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 48.50%. Comparing base (be035c3) to head (b5a19bd).
Report is 73 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #13348   +/-   ##
=======================================
  Coverage   48.50%   48.50%           
=======================================
  Files        2470     2470           
  Lines      178320   178320           
=======================================
+ Hits        86487    86492    +5     
+ Misses      84900    84896    -4     
+ Partials     6933     6932    -1

Flag	Coverage Δ
go-unit-tests	`48.50% <ø> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

kylape · 2024-11-15T18:14:30Z

Looks like it worked when testing with the Konflux image locally:

$ curl -H "Authorization: Bearer $ROX_API_TOKEN" -sk https://localhost:8443/v1/metadata | jq
{
  "version": "4.7.x-126-gb5a19bd2c5-fast",
  "buildFlavor": "release",
  "releaseBuild": true,
  "licenseStatus": "VALID"
}

That said, shouldn't these changes be made on the release branch instead of master?

tommartensen · 2024-11-18T10:41:14Z

That said, shouldn't these changes be made on the release branch instead of master?

I think it should be done on both branches for ROX-24276. In the scope of stable and fast stream work, we want Konflux builds to be "release" type builds.

The code mentions ROX-20240 for when we intend to use Konflux as a daily-driver as a replacement for GHA (which we won't do now!). That issue is to set the GOTAG depending on whether this is a dev or fast or stable release build.

BradLugo · 2024-11-19T05:48:05Z

@tommartensen Would setting CI and BUILD_TAG be preferred? Since the env.mk will set GOTAGS for us:

stackrox/make/env.mk

Lines 43 to 48 in fa62c32

    
           # Use a release go -tag when CI is targetting a tag 
        
           ifdef CI 
        
           ifneq ($(BUILD_TAG),) 
        
           GOTAGS := $(RELEASE_GOTAGS) 
        
           endif 
        
           endif

tommartensen · 2024-11-19T08:08:24Z

Would setting CI and BUILD_TAG be preferred? Since the env.mk will set GOTAGS for us:

I don't know too much about that mechanism and what (value) BUILD_TAG should be set to...
@msugakov can you chime in?

image/rhel/konflux.Dockerfile

tommartensen · 2024-11-26T09:26:15Z

/test ocp-4-12-scanner-v4-tests

`MAIN_TAG_SUFFIX` became redundant the moment we start injecting `BUILD_TAG`. Two others, i.e. `COLLECTOR_TAG_SUFFIX` and `SCANNER_TAG_SUFFIX` will be used only when the image flavor is `development_build` and when it's not a release build. We know Konflux builds are release builds since #13348. We also know that Konflux builds will have `rhacs` image flavor and that one relies on the unified tagging, i.e. only `BUILD_TAG` is needed and `COLLECTOR_TAG_SUFFIX` and `SCANNER_TAG_SUFFIX` aren't. I thought it's good to be a bit aggressive removing environment variables because there's a lot of them already and dragging around unused ones is worse than leaving them for the future when we'll be onboarding non-release `development_build`-s on Konflux as a daily driver. Besides, that future might look very differently (e.g. we may want to have unified Dockerfiles).

ROX-24276: Enable release builds builds with GOTAGS

b5a19bd

openshift-ci bot added the do-not-merge/work-in-progress label Nov 15, 2024

github-actions bot added area/helm area/operator area/scanner labels Nov 15, 2024

tommartensen mentioned this pull request Nov 18, 2024

ROX-24283: enable strictfipsruntime in Konflux builds #12909

Merged

8 tasks

tommartensen added the backport-for-4.6-konflux-release https://redhat-internal.slack.com/archives/C05TS9N0S7L/p1730134914487439 label Nov 18, 2024