feat: introduce content manifest with content sets #1771

Merged (6 commits), Dec 20, 2024

Conversation

ralphbean
Member

@ralphbean ralphbean commented Dec 19, 2024

For backwards compatibility with image scanners that still expect https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json

Looking forward, clair and other scanners are going to adapt to start reading the content sets from the dnf database and later from our sboms - but they're not ready for that yet. Add this file to support them while they migrate.

See also containerbuildsystem/atomic-reactor#2140

https://issues.redhat.com/browse/KONFLUX-6200

@ralphbean ralphbean requested a review from a team as a code owner December 19, 2024 21:46
@ralphbean ralphbean force-pushed the content_sets_json branch 6 times, most recently from fac3ea4 to b837471, December 19, 2024 23:12
@ralphbean
Member Author

ralphbean commented Dec 19, 2024

I thought this change would be simple at first, but the complexity is growing.

  • We still need to transform ubi repo ids into rhel repo ids, because ubi is intentionally absent from the repository to cpe mapping.
    • Ok, discussed with Rogue, we're going to start adding those ubi repos to the repository-to-cpe mapping so that third party scanners don't need a translation.
  • Consider if we want to try to apply an archful translation for archless repo ids.
    • This doesn't seem to be necessary.
  • Get the task size back down. The current state of this change made the task larger than the limit that tekton can handle.
    • I think I got it! In any case, the bug is fixed in upstream tekton and should be available in our environments soon.

ralphbean added a commit to konflux-ci/build-tasks-dockerfiles that referenced this pull request Dec 20, 2024
For backwards compatibility with scanners that still expect to find this
file.

Related: konflux-ci/build-definitions#1771
@ralphbean ralphbean force-pushed the content_sets_json branch 3 times, most recently from c74316d to 3f304e5, December 20, 2024 15:37
Contributor

@brianwcook brianwcook left a comment


This all looks good to me 👍 with the exception that it is referencing an image in your personal quay repo.

@ralphbean
Member Author

Thanks, the image is now updated with quay.io/konflux-ci/icm-injection-scripts

arewm previously approved these changes Dec 20, 2024
@ralphbean ralphbean enabled auto-merge December 20, 2024 18:47
@ralphbean
Member Author

There was an e2e test failure here, but it looks unrelated.

[e2e-tests : e2e-test]   [FAIL] [build-service-suite Build templates E2E test] HACBS pipelines [It] should eventually finish successfully for component with Git source URL https://github.com/konflux-qe-bd/fbc-sample-repo and Pipeline fbc-builder [build, build-templates, HACBS, pipeline, build-templates-e2e, source-build-e2e]

That's a failure in the fbc pipeline which doesn't use the buildah task(s) being changed here.

@arewm
Member

arewm commented Dec 20, 2024

The FBC pipeline issue could be legitimate. Its e2e tests now utilize the local operating mode for the buildah-remote-oci-ta task.

@arewm
Member

arewm commented Dec 20, 2024

/konflux-e2e/tests/build/build_templates.go:337
  PipelineRun test-comp-owtz-on-pull-request-ff55p reason: CouldntGetTask
  attempt 1/3: PipelineRun "test-comp-owtz-on-pull-request-ff55p" failed:   [FAILED] in [It] - /konflux-e2e/tests/build/build_templates.go:341 @ 12/20/24 18:51:02.014
• [FAILED] [1.554 seconds]
[build-service-suite Build templates E2E test] HACBS pipelines [It] should eventually finish successfully for component with Git source URL https://github.com/konflux-qe-bd/fbc-sample-repo and Pipeline fbc-builder [build, build-templates, HACBS, pipeline, build-templates-e2e, source-build-e2e]
/konflux-e2e/tests/build/build_templates.go:337

  [FAILED] Expected success, but got an error:
      <*errors.errorString | 0xc000f021b0>: 
      failed to delete PipelineRun "test-comp-owtz-on-pull-request-ff55p" from "build-templates-e2e" namespace with error: pipelineruns.tekton.dev "test-comp-owtz-on-pull-request-ff55p" not found
      {
          s: "failed to delete PipelineRun \"test-comp-owtz-on-pull-request-ff55p\" from \"build-templates-e2e\" namespace with error: pipelineruns.tekton.dev \"test-comp-owtz-on-pull-request-ff55p\" not found",
      }
  In [It] at: /konflux-e2e/tests/build/build_templates.go:341 @ 12/20/24 18:51:02.014

That maps to https://github.com/konflux-qe-bd/fbc-sample-repo/pull/2792/checks?check_run_id=34724758501 which is a failure case of tektoncd/pipeline#8388

We need to deploy a new version of Tekton to resolve this issue. I think that that is planned on Monday with redhat-appstudio/infra-deployments#5201.

@ralphbean
Member Author

Good catch, thank you!

@ralphbean ralphbean added this pull request to the merge queue Dec 20, 2024
Merged via the queue into main with commit ba97465 Dec 20, 2024
16 checks passed
@ralphbean ralphbean deleted the content_sets_json branch December 20, 2024 20:37
@@ -487,16 +492,19 @@ spec:
mountPath: /mnt/trusted-ca
readOnly: true
workingDir: $(workspaces.source.path)

- name: icm
image: quay.io/konflux-ci/icm-injection-scripts:latest@sha256:462980e94ba689b5f56c3d5dfb3358cd8c685300daf65a71532f11898935e7f1
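Review bot: the new `icm` step pins its image by sha256 digest, so the `:latest` tag is only decorative and the digest is what actually gets pulled; since the image itself carries no label pointing at its own sources (the `org.opencontainers.image.url` it exposes is inherited from the Fedora 40 base, per the discussion below), a short comment in the task naming the repository that builds `quay.io/konflux-ci/icm-injection-scripts` would let a reviewer verify what that digest corresponds to when it is bumped.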
Contributor


Two questions:

  • Where is the source code to this thing?
  • Why is the container image missing standard metadata to describe its sources? (Its "org.opencontainers.image.url": "https://fedoraproject.org/" is apparently inherited from Fedora 40)

Contributor


Answering the first part of my own question by searching GitHub: looks like it's in https://github.com/konflux-ci/build-tasks-dockerfiles/tree/main/icm-injection-scripts

Member


The answer to the second part is that the labels are not overwritten in the Containerfile: https://github.com/konflux-ci/build-tasks-dockerfiles/blob/main/icm-injection-scripts/Containerfile#L7

The fact that they persisted to this image means that they were also not overwritten in the parent images, i.e. https://github.com/konflux-ci/buildah-container/blob/main/Containerfile.task and https://github.com/konflux-ci/buildah-container/blob/main/Containerfile.buildah
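The inheritance problem described in this comment (a leaf image that still advertises its base image's `org.opencontainers.image.url` because no Containerfile in the chain overwrote it) can be checked mechanically. The following is an added example, not code from build-definitions or build-tasks-dockerfiles; the image configs and their label values are constructed stand-ins.

```python
"""Flag OCI labels that an image only inherited from its parent.

Labels set in a base image survive into every descendant unless a child
Containerfile overwrites them, so a leaf image can end up describing its
ancestor's sources. Given the label sets of a parent chain, report which
org.opencontainers.image.* labels each child merely carried over, and which
source-identifying labels the leaf image is therefore missing.
"""

OCI_PREFIX = "org.opencontainers.image."
# Labels that should identify where *this* image comes from.
SOURCE_LABELS = (OCI_PREFIX + "source", OCI_PREFIX + "url", OCI_PREFIX + "title")

# Constructed chain base -> task image -> leaf; values are placeholders.
CHAIN = [
    {"name": "base", "labels": {
        OCI_PREFIX + "url": "https://example.invalid/base",
        OCI_PREFIX + "vendor": "Base Vendor"}},
    {"name": "buildah-task", "labels": {
        OCI_PREFIX + "url": "https://example.invalid/base",
        OCI_PREFIX + "vendor": "Base Vendor"}},
    {"name": "icm-injection-scripts", "labels": {
        OCI_PREFIX + "url": "https://example.invalid/base",
        OCI_PREFIX + "vendor": "Base Vendor",
        OCI_PREFIX + "version": "1.0"}},
]


def inherited_labels(chain):
    """Return {child_name: {label: value}} for OCI labels whose value is
    identical to the immediate parent's, i.e. not (re)set by that child.
    Heuristic: a child that deliberately repeats the parent's value is
    flagged too, so treat hits as items to review, not proof of neglect."""
    report = {}
    for parent, child in zip(chain, chain[1:]):
        same = {k: v for k, v in child["labels"].items()
                if k.startswith(OCI_PREFIX) and parent["labels"].get(k) == v}
        report[child["name"]] = same
    return report


def missing_source_labels(chain):
    """Source labels the leaf image lacks or only inherited, sorted by name."""
    leaf = chain[-1]
    inherited = inherited_labels(chain).get(leaf["name"], {})
    return sorted(l for l in SOURCE_LABELS
                  if l not in leaf["labels"] or l in inherited)


if __name__ == "__main__":
    print(inherited_labels(CHAIN))
    print("leaf is missing:", missing_source_labels(CHAIN))
```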

5 participants