Accepted
One of the supported component types within Konflux are File-based Catalogs (FBC).
These catalogs can either be used in isolation with a version of opm
packaged in the container
itself or in conjunction with other catalog configurations via a service such as
IIB Image Builder. Red Hat OpenShift Container Platform (OCP) is one example of a platform that
leverages FBCs for defining the operator graphs. In order to enable operator support to vary on a
version-by-version basis, Red Hat maintains one catalog per OpenShift version.
In order to support being able to target FBC components to specific versions of Red Hat OpenShift,
Konflux needs to be able to keep track of the specific targeted version. In addition to the concerns
around releasing FBC components to OpenShift, the version of opm
used by each version of OpenShift
may differ, so the Konflux integration process will need to ensure that tests are run using an appropriate
binary version.
All FBC components intending to be released to OCP will be built using a OCP-specific parent image containing
the target version number as a tag. This will result in a FROM
instruction like
# The base image is expected to contain
# /bin/opm (with a serve subcommand) and /bin/grpc_health_probe
FROM registry.redhat.io/openshift4/ose-operator-registry:v4.12
While the annotation “org.opencontainers.image.base.name” is populated by buildah, any additional image build
processes for the FBC components will also need to include this annotation indicating the pullspec of the base
image. The annotation will enable all components to use skopeo
to inspect the artifact to retrieve the pullspec:
$ skopeo inspect --raw docker://quay.io/hacbs-release-tests/managed-release-team-tenant/sample-fbc-application/sample-fbc-component@sha256:da4bf45ba45b72aa306dc2889572e92bbac43da08de0a0146e2421f506c5517e | jq
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:c83abcfb3af92d9b8ccea573fce6560a90919e77a8024c8269969b7799a2385c",
"size": 21327
},
"layers": [
[...]
],
"annotations": {
"org.opencontainers.image.base.digest": "sha256:e5a07eff6865b2761889ee275d9fc940237c90d05d63b00f60350841ecf42df2",
"org.opencontainers.image.base.name": "registry.redhat.io/openshift4/ose-operator-registry:v4.12"
}
}
The target Red Hat OpenShift version will then be able to be pulled from the image tag on the
“org.opencontainers.image.base.name” annotation. If a task within the Konflux pipeline needs to access
an appropriate opm
binary for performing validation, it can determine the base image and use the binary from
that container if it is trusted (for example, if it is an image from the
registry.redhat.io/openshift4/ose-operator-registry
repository), or fail if the base image isn’t trusted.
opm
version packaged in FBC components
to prevent the execution of untrusted binaries by a process in the trusted control plane.