Merge pull request #635 from rhmdnd/enable-hermetic-builds

Add lock file for RPMs to enable hermetic builds
ComplianceAsCode · Jan 20, 2025 · d9c9b9d · d9c9b9d
2 parents 434ba48 + 3f10e79
commit d9c9b9d
Show file tree

Hide file tree

Showing 15 changed files with 1,510 additions and 8 deletions.
diff --git a/.tekton/compliance-operator-must-gather-pull-request.yaml b/.tekton/compliance-operator-must-gather-pull-request.yaml
@@ -33,7 +33,9 @@ spec:
   - name: dockerfile
     value: images/must-gather/Containerfile
   - name: hermetic
-    value: "false"
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "rpm", "path": "images/must-gather/"}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -187,6 +189,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: "true"
       runAfter:
       - clone-repository
       taskRef:

diff --git a/.tekton/compliance-operator-must-gather-push.yaml b/.tekton/compliance-operator-must-gather-push.yaml
@@ -29,7 +29,9 @@ spec:
   - name: dockerfile
     value: images/must-gather/Containerfile
   - name: hermetic
-    value: "false"
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "rpm", "path": "images/must-gather/"}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -183,6 +185,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: "true"
       runAfter:
       - clone-repository
       taskRef:

diff --git a/.tekton/compliance-operator-openscap-pull-request.yaml b/.tekton/compliance-operator-openscap-pull-request.yaml
@@ -34,6 +34,10 @@ spec:
     value: images/openscap/Containerfile
   - name: path-context
     value: images/openscap
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "rpm", "path": "images/openscap/"}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -187,6 +191,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: "true"
       runAfter:
       - clone-repository
       taskRef:

diff --git a/.tekton/compliance-operator-openscap-push.yaml b/.tekton/compliance-operator-openscap-push.yaml
@@ -30,6 +30,10 @@ spec:
     value: images/openscap/Containerfile
   - name: path-context
     value: images/openscap
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "rpm", "path": "images/openscap/"}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -183,6 +187,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: "true"
       runAfter:
       - clone-repository
       taskRef:

diff --git a/.tekton/compliance-operator-pull-request.yaml b/.tekton/compliance-operator-pull-request.yaml
@@ -31,6 +31,10 @@ spec:
     - linux/x86_64
   - name: dockerfile
     value: images/operator/Dockerfile
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "rpm", "path": "images/operator/"}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -184,6 +188,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: "true"
       runAfter:
       - clone-repository
       taskRef:

diff --git a/.tekton/compliance-operator-push.yaml b/.tekton/compliance-operator-push.yaml
@@ -28,6 +28,10 @@ spec:
     - linux/x86_64
   - name: dockerfile
     value: images/operator/Dockerfile
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "rpm", "path": "images/operator/"}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -181,6 +185,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: "true"
       runAfter:
       - clone-repository
       taskRef:

diff --git a/images/must-gather/Containerfile b/images/must-gather/Containerfile
@@ -15,7 +15,7 @@ LABEL \
 
 # Install openshift-clients, jq, tar, and rsync, which are required for
 # must-gather.
-RUN microdnf -y install openshift-clients jq tar rsync --enablerepo="rhocp-4.16-for-rhel-9-x86_64-rpms"
+RUN microdnf -y install openshift-clients jq tar rsync
 
 WORKDIR /go/src/github.com/ComplianceAsCode/compliance-operator
 

diff --git a/images/must-gather/rpms.in.yaml b/images/must-gather/rpms.in.yaml
@@ -0,0 +1,18 @@
+contentOrigin:
+  repofiles:
+     - ./redhat.repo
+
+packages:
+  - jq
+  - openshift-clients
+  - rsync
+  - tar
+
+arches:
+  - aarch64
+  - x86_64
+  - s390x
+  - ppc64le
+
+context:
+    containerfile: images/must-gather/Containerfile