ART-21345: Expand build-time EC/ITS verification to layered products#3112
ART-21345: Expand build-time EC/ITS verification to layered products#3112ashwindasr wants to merge 1 commit into
Conversation
Remove the is_ocp_group guard that restricted enterprise contract verification and SLSA attestation validation to OCP-only groups. EC now runs for any product with a configured policy (OADP, MTC, Logging, MTA, OCP). SLSA validation now runs for all non-OKD variants. - Add PRODUCT_EC_POLICY_MAP and PRODUCT_TEST_EC_POLICY_MAP to constants - Replace hardcoded OCP policy selection with product-aware lookup - Add --skip-ec-verify flag to build-layered-products pipeline - Update tests to reflect new policy-availability gating Co-authored-by: Cursor <cursoragent@cursor.com>
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
WalkthroughEC policy configuration in ChangesEC Policy Refactor and OKD Variant Gating
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested reviewers
Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error, 2 warnings)
✅ Passed checks (8 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@ashwindasr: This pull request references ART-21345 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@doozer/doozerlib/cli/images_konflux.py`:
- Around line 309-315: The `images_konflux` policy selection regresses `test`
assemblies to the non-test PREGA EC policy. Update the `runtime.assembly ==
"test"` branch in the policy lookup logic to derive `prega_ec_policy` from a
test-specific mapping or constant, using a unique symbol such as
`PRODUCT_TEST_PREGA_EC_POLICY_MAP` alongside `PRODUCT_TEST_EC_POLICY_MAP`, so
`test` builds keep the test PREGA value instead of falling back to
`PRODUCT_PREGA_EC_POLICY_MAP`.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: bb3b33ea-fb88-46f9-a083-26a9aea4a8da
📒 Files selected for processing (6)
doozer/doozerlib/backend/konflux_image_builder.pydoozer/doozerlib/cli/images_konflux.pydoozer/doozerlib/constants.pydoozer/tests/backend/test_konflux_ec_verification.pydoozer/tests/backend/test_konflux_image_builder.pypyartcd/pyartcd/pipelines/build_layered_products.py
| product = runtime.product | ||
| if runtime.assembly == "test": | ||
| ec_policy = constants.KONFLUX_TEST_EC_POLICY_CONFIGURATION | ||
| prega_ec_policy = constants.KONFLUX_TEST_PREGA_EC_POLICY_CONFIGURATION | ||
| ec_policy = constants.PRODUCT_TEST_EC_POLICY_MAP.get(product) | ||
| prega_ec_policy = constants.PRODUCT_PREGA_EC_POLICY_MAP.get(product, ec_policy) | ||
| else: | ||
| ec_policy = constants.KONFLUX_DEFAULT_EC_POLICY_CONFIGURATION | ||
| prega_ec_policy = constants.KONFLUX_PREGA_EC_POLICY_CONFIGURATION | ||
| ec_policy = constants.PRODUCT_EC_POLICY_MAP.get(product) | ||
| prega_ec_policy = constants.PRODUCT_PREGA_EC_POLICY_MAP.get(product, ec_policy) |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Test-assembly PREGA policy regresses to the non-test policy.
In the test branch, ec_policy is correctly drawn from PRODUCT_TEST_EC_POLICY_MAP (e.g. conforma-build-stage-test), but prega_ec_policy is looked up from PRODUCT_PREGA_EC_POLICY_MAP, which only holds the non-test prega value (ocp → conforma-build-ec-stage). So for a test assembly OCP build in the pre-release lifecycle phase, EC verification now uses the non-test prega policy rather than conforma-build-ec-stage-test as before. The fallback get(product, ec_policy) also doesn't help here because the ocp key is present.
Consider introducing a PRODUCT_TEST_PREGA_EC_POLICY_MAP (or otherwise deriving the test prega policy in the test branch) so test assemblies stay on test policies.
#!/bin/bash
# Confirm prior behavior used a test-specific prega constant and that no test prega map exists now
rg -nP 'KONFLUX_TEST_PREGA_EC_POLICY_CONFIGURATION|PREGA_EC_POLICY_MAP|TEST_EC_POLICY_MAP' doozer/doozerlib🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@doozer/doozerlib/cli/images_konflux.py` around lines 309 - 315, The
`images_konflux` policy selection regresses `test` assemblies to the non-test
PREGA EC policy. Update the `runtime.assembly == "test"` branch in the policy
lookup logic to derive `prega_ec_policy` from a test-specific mapping or
constant, using a unique symbol such as `PRODUCT_TEST_PREGA_EC_POLICY_MAP`
alongside `PRODUCT_TEST_EC_POLICY_MAP`, so `test` builds keep the test PREGA
value instead of falling back to `PRODUCT_PREGA_EC_POLICY_MAP`.
Summary
Remove the
is_ocp_groupguard that restricted enterprise contract verificationand SLSA attestation validation to OCP-only groups. EC now runs for any product
with a configured policy (OADP, MTC, Logging, MTA, OCP). SLSA validation now
runs for all non-OKD variants.
Changes
doozer/doozerlib/constants.py: AddPRODUCT_EC_POLICY_MAP,PRODUCT_TEST_EC_POLICY_MAP,and
PRODUCT_PREGA_EC_POLICY_MAPfor product-to-policy mappingdoozer/doozerlib/backend/konflux_image_builder.py: Replaceis_ocp_groupcheck withpolicy-availability check (
ec_policy_configuration is not None); expand SLSA validationto all non-OKD variants
doozer/doozerlib/cli/images_konflux.py: Use product maps for EC policy resolutioninstead of hardcoded OCP constants
pyartcd/pyartcd/pipelines/build_layered_products.py: Add--skip-ec-verifyflagDepends on
art-mtc-tenant, art-logging-tenant, art-mta-tenant)
Test plan
make unit)--skip-ec-verifyto start)Made with Cursor
Summary by CodeRabbit
New Features
Bug Fixes