- Date 2023-06-08
Accepted
One of the supported component types within Konflux are File-based Catalogs (FBC).
These catalogs can either be used in isolation with a version of opm packaged in the container
itself or in conjunction with other catalog configurations via a service such as
IIB Image Builder. Red Hat OpenShift Container Platform (OCP) is one example of a platform that
leverages FBCs for defining the operator graphs. In order to enable operator support to vary on a
version-by-version basis, Red Hat maintains one catalog per OpenShift version.
In order to support being able to target FBC components to specific versions of Red Hat OpenShift,
Konflux needs to be able to keep track of the specific targeted version. In addition to the concerns
around releasing FBC components to OpenShift, the version of opm used by each version of OpenShift
may differ, so the Konflux integration process will need to ensure that tests are run using an appropriate
binary version.
All FBC components intending to be released to OCP will be built using a OCP-specific parent image containing
the target version number as a tag. This will result in a FROM instruction like
# The base image is expected to contain
# /bin/opm (with a serve subcommand) and /bin/grpc_health_probe
FROM registry.redhat.io/openshift4/ose-operator-registry:v4.12
While the annotation "org.opencontainers.image.base.name" is populated by buildah, any additional image build
processes for the FBC components will also need to include this annotation indicating the pullspec of the base
image. The annotation will enable all components to use skopeo to inspect the artifact to retrieve the pullspec:
$ skopeo inspect --raw docker://quay.io/hacbs-release-tests/managed-release-team-tenant/sample-fbc-application/sample-fbc-component@sha256:da4bf45ba45b72aa306dc2889572e92bbac43da08de0a0146e2421f506c5517e | jq
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:c83abcfb3af92d9b8ccea573fce6560a90919e77a8024c8269969b7799a2385c",
"size": 21327
},
"layers": [
[...]
],
"annotations": {
"org.opencontainers.image.base.digest": "sha256:e5a07eff6865b2761889ee275d9fc940237c90d05d63b00f60350841ecf42df2",
"org.opencontainers.image.base.name": "registry.redhat.io/openshift4/ose-operator-registry:v4.12"
}
}The target Red Hat OpenShift version will then be able to be pulled from the image tag on the
"org.opencontainers.image.base.name" annotation. If a task within the Konflux pipeline needs to access
an appropriate opm binary for performing validation, it can determine the base image and use the binary from
that container if it is trusted (for example, if it is an image from the
registry.redhat.io/openshift4/ose-operator-registry repository), or fail if the base image isn't trusted.
- Konflux services should be able to avoid directly using the
opmversion packaged in FBC components to prevent the execution of untrusted binaries by a process in the trusted control plane. - No additional kubernetes objects need to be created to track the target OCP versions
- There is a desire to use FBC templates within Konflux in the future. The current decision can be re-evaluated if and when that functionality is introduced.