Add lock file for RPMs to enable hermetic builds

This commit introduces a lock file for RPMs so that we can produce hermetic builds with Konflux, following the guidance in documentation: konflux-ci/docs#192
ComplianceAsCode · Dec 12, 2024 · c3f1d61 · c3f1d61
1 parent 9bc9fc3
commit c3f1d61
Show file tree

Hide file tree

Showing 10 changed files with 370 additions and 3 deletions.
diff --git a/.tekton/compliance-operator-must-gather-pull-request.yaml b/.tekton/compliance-operator-must-gather-pull-request.yaml
@@ -33,7 +33,7 @@ spec:
   - name: dockerfile
     value: images/must-gather/Containerfile
   - name: hermetic
-    value: "false"
+    value: "true"
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

diff --git a/.tekton/compliance-operator-must-gather-push.yaml b/.tekton/compliance-operator-must-gather-push.yaml
@@ -29,7 +29,7 @@ spec:
   - name: dockerfile
     value: images/must-gather/Containerfile
   - name: hermetic
-    value: "false"
+    value: "true"
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

diff --git a/.tekton/compliance-operator-openscap-pull-request.yaml b/.tekton/compliance-operator-openscap-pull-request.yaml
@@ -34,6 +34,8 @@ spec:
     value: images/openscap/Containerfile
   - name: path-context
     value: images/openscap
+  - name: hermetic
+    value: "true"
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

diff --git a/.tekton/compliance-operator-openscap-push.yaml b/.tekton/compliance-operator-openscap-push.yaml
@@ -30,6 +30,8 @@ spec:
     value: images/openscap/Containerfile
   - name: path-context
     value: images/openscap
+  - name: hermetic
+    value: "true"
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

diff --git a/.tekton/compliance-operator-pull-request.yaml b/.tekton/compliance-operator-pull-request.yaml
@@ -31,6 +31,8 @@ spec:
     - linux/x86_64
   - name: dockerfile
     value: images/operator/Dockerfile
+  - name: hermetic
+    value: "true"
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

diff --git a/.tekton/compliance-operator-push.yaml b/.tekton/compliance-operator-push.yaml
@@ -28,6 +28,8 @@ spec:
     - linux/x86_64
   - name: dockerfile
     value: images/operator/Dockerfile
+  - name: hermetic
+    value: "true"
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

diff --git a/images/must-gather/Containerfile b/images/must-gather/Containerfile
@@ -15,7 +15,7 @@ LABEL \
 
 # Install openshift-clients, jq, tar, and rsync, which are required for
 # must-gather.
-RUN microdnf -y install openshift-clients jq tar rsync --enablerepo="rhocp-4.16-for-rhel-9-x86_64-rpms"
+RUN microdnf -y install openshift-clients jq tar rsync
 
 WORKDIR /go/src/github.com/ComplianceAsCode/compliance-operator
 

diff --git a/redhat.repo b/redhat.repo
@@ -0,0 +1,41 @@
+[rhocp-4.16-for-rhel-9-$basearch-rpms]
+name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (RPMs)
+baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/os
+enabled = 1
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+sslverify = 1
+sslcacert = /etc/rhsm-host/ca/redhat-uep.pem
+sslclientkey = /etc/pki/entitlement-host/1063693491304658595-key.pem
+sslclientcert = /etc/pki/entitlement-host/1063693491304658595.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 0
+
+[rhel-9-for-$basearch-baseos-rpms]
+name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs)
+baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/os
+enabled = 1
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+sslverify = 1
+sslcacert = /etc/rhsm-host/ca/redhat-uep.pem
+sslclientkey = /etc/pki/entitlement-host/1063693491304658595-key.pem
+sslclientcert = /etc/pki/entitlement-host/1063693491304658595.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 1
+
+[rhel-9-for-$basearch-appstream-rpms]
+name = Red Hat Enterprise Linux 9 for $basearch - AppStream (RPMs)
+baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/os
+enabled = 1
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+sslverify = 1
+sslcacert = /etc/rhsm-host/ca/redhat-uep.pem
+sslclientkey = /etc/pki/entitlement-host/1063693491304658595-key.pem
+sslclientcert = /etc/pki/entitlement-host/1063693491304658595.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 1
diff --git a/rpms.in.yaml b/rpms.in.yaml
@@ -0,0 +1,18 @@
+contentOrigin:
+  repofiles:
+     - ./redhat.repo
+
+packages:
+  - jq
+  - openshift-clients
+  - rsync
+  - tar
+
+arches:
+  - aarch64
+  - x86_64
+  - s390x
+  - ppc64le
+
+context:
+    containerfile: images/must-gather/Containerfile