@davdhacs

Description

A detailed explanation of the changes in your PR.

Feel free to remove this section if it is overkill for your PR, and the title of your PR is sufficiently descriptive.

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

TODO(replace-me)
Use this space to explain how you tested your PR, or, if you didn't test it, why you did not do so. (Valid reasons include "CI is sufficient" or "No testable changes")
In addition to reviewing your code, reviewers must also review your testing instructions, and make sure they are sufficient.

For more details, ref the Confluence page about this section.

Update Konflux build configuration to use UBI9 and RHEL 9:

- Update builder base image: ubi8/ubi -> ubi9/ubi
  Pinned to sha256:22e95731596d661ff08daabaa5ef751b20ac42d0a58492dac5efa7373f471389
- Update runtime base image: ubi8/ubi-minimal -> ubi9/ubi-minimal
  Pinned to sha256:90bd85dcd061d1ad6dbda70a867c41958c04a86462d05c631f8205e8870f28f8
- Add Cachi2 environment sourcing for hermetic RPM builds
- Update image label: rhacs-collector-rhel8 -> rhacs-collector-rhel9
- Update Tekton CPE label: el8 -> el9

This aligns collector Konflux builds with the UBI9 migration already
completed for GitHub CI builds.

Configure hermetic builds with RHEL 9 package dependencies:

- Update rpms.in.yaml:
  * Change context from bare:true to UBI9 image
  * Update clang version: clang-19.1.7 -> clang-20.1.8

- Add rpms.rhel.repo with RHEL 9 repository configurations
  * Updated from RHEL 8 to RHEL 9 base URLs
  * Includes all required repos for 4 architectures

- Add rpms.lock.yaml with locked package versions
  * Generated for aarch64, ppc64le, s390x, x86_64
  * Enables hermetic builds with reproducible dependencies
  * Required for RHEL-only packages (elfutils-libelf-devel,
    tbb-devel, c-ares-devel) not in public UBI repos

Hermetic builds ensure reproducible container images by prefetching
all RPM dependencies before the build starts.

@davdhacs davdhacs force-pushed the konflux-ubi9-migration branch from 2334d7b to 23cacca Compare January 23, 2026 04:26
@davdhacs
Author

"This branch has conflicts that must be resolved" because the konflux base image sha's are updated in master. Until we decide to merge this branch, it is not necessary to "resolve" these conflicts because we are ignoring the updates to the UBI8 images for this change.

@davdhacs davdhacs requested a review from tommartensen January 23, 2026 04:52
@davdhacs
Author

@tommartensen does this include all of the Konflux-built collector images? I think this does what is needed: base image update, pinned to latest image shas, and updated rpm lockfiles. Is there anything missing?

io.openshift.tags="rhacs,collector,stackrox" \
maintainer="Red Hat, Inc." \
name="advanced-cluster-security/rhacs-collector-rhel8" \
name="advanced-cluster-security/rhacs-collector-rhel9" \
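
Review bot: the `name` label on the last line keeps the RHEL major version as a suffix (`rhacs-collector-rhel9`), so the image name changes again on every future base-image move and anything that selects the image by this label has to change with it. Consider a value without the version suffix, or confirm that every consumer of the old `rhacs-collector-rhel8` name is updated in the same change.
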
Contributor

I think this should map to the repo name, which is yet to be decided. The proposal is to not include the RHEL version number in the name.

Author

I'll update it to remove the "9" for now

- wget
- unzip
- clang-19.1.7
- clang-20.1.8
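
Review bot: the last line moves an exact-version compiler pin across a major release (`clang-19.1.7` to `clang-20.1.8`). Because the pin is exact, the RPM lockfile has to be regenerated from this list for every architecture in the same change so the locked clang matches the pin; please confirm that, and that the test suite ran against the new toolchain.
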
Contributor

Please check with @stackrox/collector-team if this clang version is compatible.

Contributor

The kind of issues we get with incompatible versions of clang are usually detected pretty well by integration tests. Making sure that all the tests pass should be enough.

I think that clang-20 is already what is used for upstream.

Author

ty. This is the latest stable clang I found for ubi9. @ovalenti would it be better to un-pin clang for ubi9?

@ovalenti
Contributor

> "This branch has conflicts that must be resolved" because the konflux base image sha's are updated in master. Until we decide to merge this branch, it is not necessary to "resolve" these conflicts because we are ignoring the updates to the UBI8 images for this change.

Unfortunately, github will refuse to run its pipelines unless those conflicts are resolved, it seems.

@davdhacs
Author

> > "This branch has conflicts that must be resolved" because the konflux base image sha's are updated in master. Until we decide to merge this branch, it is not necessary to "resolve" these conflicts because we are ignoring the updates to the UBI8 images for this change.
>
> Unfortunately, github will refuse to run its pipelines unless those conflicts are resolved, it seems.

Thank you. I'll update and fix the conflicts then.

davdhacs and others added 4 commits January 23, 2026 09:01
konflux sources the env file for every RUN already

Co-authored-by: Tom Martensen <tmartens@redhat.com>

Analysis showed that bare: true and image: with SHA produce identical
lockfiles (4,668 lines, 167 packages). Both correctly exclude base image
packages, with only 2 packages overlapping (openssl/openssl-libs as
dependencies of openssl-devel).

Using bare: true is clearer for our use case since collector has two
different base images (ubi9/ubi for builder, ubi9/ubi-minimal for runtime).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Source RPMs are required for build-source-image task in Konflux and GPL
compliance.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

@davdhacs davdhacs requested a review from tommartensen January 24, 2026 18:44
@codecov-commenter

codecov-commenter commented Jan 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.38%. Comparing base (24f41bd) to head (e01bd2b).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2815   +/-   ##
=======================================
  Coverage   27.38%   27.38%           
=======================================
  Files          95       95           
  Lines        5427     5427           
  Branches     2548     2548           
=======================================
  Hits         1486     1486           
  Misses       3214     3214           
  Partials      727      727           
Flag Coverage Δ
collector-unit-tests 27.38% <ø> (ø)


rpms.rhel.repo Outdated
name = Red Hat Enterprise Linux 8 for $basearch - AppStream (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel8/8/$basearch/appstream/os
[rhel-9-for-$basearch-appstream-rpms]
name = Red Hat Enterprise Linux 9 for ARM 64 - AppStream (RPMs)
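
Review bot: the new `name` on the last line hardcodes "ARM 64" under a section id that still uses `$basearch`, whereas the `name` line it replaces used `$basearch`. Restore the variable, e.g. `name = Red Hat Enterprise Linux 9 for $basearch - AppStream (RPMs)`, and check that the replacement for the `baseurl` line (not visible here) keeps `$basearch` too.
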
Contributor

Hm I wonder why this is hardcoded to ARM 64 now...

Author

Thank you for catching this. I should have reviewed this file for errors like that. 💣
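
A lint for the class of error caught in this thread (a literal architecture inside a `$basearch` section of a `.repo` file), as an added example that is not part of the PR or the collector repository. It goes slightly beyond the thread by also flagging a `baseurl` whose RHEL major version disagrees with the section id; the sample repo text, including its RHEL 9 URL, is constructed for illustration.

```python
import configparser
import re

# Arch ids are the four named in the PR description; "ARM 64" is the display
# name from the review thread. Other display names are not covered here.
ARCH_RE = re.compile(r"\b(aarch64|ARM ?64|ppc64le|s390x|x86[_ ]64)\b", re.I)
SECTION_MAJOR_RE = re.compile(r"^rhel-(\d+)-for-")
URL_MAJOR_RE = re.compile(r"/rhel(\d+)/")

# Constructed sample: section 1 reproduces the "ARM 64" name from the thread,
# section 2 has a leftover RHEL 8 URL. Neither is copied from the PR's file.
SAMPLE = """\
[rhel-9-for-$basearch-appstream-rpms]
name = Red Hat Enterprise Linux 9 for ARM 64 - AppStream (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel9/9/$basearch/appstream/os

[rhel-9-for-$basearch-baseos-rpms]
name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel8/8/$basearch/baseos/os
"""


def lint_repo(text):
    """Return (section, key, problem) tuples for a yum .repo file body."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if "$basearch" not in section:
            continue  # single-arch section: a literal arch is legitimate
        major = SECTION_MAJOR_RE.match(section)
        for key in ("name", "baseurl"):
            value = parser[section].get(key, fallback="")
            hit = ARCH_RE.search(value)
            if hit:
                findings.append((section, key, f"hardcoded arch {hit.group(0)!r}"))
            elif key == "baseurl" and "$basearch" not in value:
                findings.append((section, key, "no $basearch in URL"))
        url_major = URL_MAJOR_RE.search(parser[section].get("baseurl", fallback=""))
        if major and url_major and major.group(1) != url_major.group(1):
            findings.append((section, "baseurl",
                             f"RHEL {url_major.group(1)} URL in RHEL {major.group(1)} section"))
    return findings


if __name__ == "__main__":
    for finding in lint_repo(SAMPLE):
        print(finding)
```

Running it as a CI step against the checked-in repo file turns this kind of copy error into a failed check rather than something a reviewer has to spot by eye.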
