Skip to content

ART-21345: Expand build-time EC/ITS verification to layered products#3112

Draft
ashwindasr wants to merge 1 commit into
openshift-eng:mainfrom
ashwindasr:lp-build-time-its
Draft

ART-21345: Expand build-time EC/ITS verification to layered products#3112
ashwindasr wants to merge 1 commit into
openshift-eng:mainfrom
ashwindasr:lp-build-time-its

Conversation

@ashwindasr

@ashwindasr ashwindasr commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Summary

Remove the is_ocp_group guard that restricted enterprise contract verification
and SLSA attestation validation to OCP-only groups. EC now runs for any product
with a configured policy (OADP, MTC, Logging, MTA, OCP). SLSA validation now
runs for all non-OKD variants.

Changes

  • doozer/doozerlib/constants.py: Add PRODUCT_EC_POLICY_MAP, PRODUCT_TEST_EC_POLICY_MAP,
    and PRODUCT_PREGA_EC_POLICY_MAP for product-to-policy mapping
  • doozer/doozerlib/backend/konflux_image_builder.py: Replace is_ocp_group check with
    policy-availability check (ec_policy_configuration is not None); expand SLSA validation
    to all non-OKD variants
  • doozer/doozerlib/cli/images_konflux.py: Use product maps for EC policy resolution
    instead of hardcoded OCP constants
  • pyartcd/pyartcd/pipelines/build_layered_products.py: Add --skip-ec-verify flag

Depends on

  • konflux-release-data MR to create EC policies for LP tenants (art-oadp-tenant,
    art-mtc-tenant, art-logging-tenant, art-mta-tenant)

Test plan

  • Unit tests pass (make unit)
  • Validate with a test OADP build (e.g. --skip-ec-verify to start)
  • Enable EC for one product first, confirm pass/fail behavior
  • Roll out to remaining products

Made with Cursor

Summary by CodeRabbit

  • New Features

    • Added a new option to skip Enterprise Contract verification during layered product builds.
    • Build validation now uses product- and variant-aware rules, improving when checks run.
    • Updated policy selection to support product-specific configurations, including test and PREGA cases.
  • Bug Fixes

    • Fixed EC verification and attestation checks so they no longer depend on group naming alone.
    • Improved handling when no policy is configured, with clearer skipping behavior.

Remove the is_ocp_group guard that restricted enterprise contract
verification and SLSA attestation validation to OCP-only groups.
EC now runs for any product with a configured policy (OADP, MTC,
Logging, MTA, OCP). SLSA validation now runs for all non-OKD variants.

- Add PRODUCT_EC_POLICY_MAP and PRODUCT_TEST_EC_POLICY_MAP to constants
- Replace hardcoded OCP policy selection with product-aware lookup
- Add --skip-ec-verify flag to build-layered-products pipeline
- Update tests to reflect new policy-availability gating

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 29, 2026
@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ashwindasr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

EC policy configuration in KonfluxImageBuilderConfig becomes optional (defaulting to None). Three product-to-EC-policy mapping constants are added, and the CLI now uses product-based lookups instead of fixed constants. SLSA/attestation gating switches from an OpenShift group-name check to a BuildVariant.OKD variant check. A --skip-ec-verify flag is added to the build-layered-products pipeline. Tests are updated accordingly.

Changes

EC Policy Refactor and OKD Variant Gating

Layer / File(s) Summary
Product EC policy map constants
doozer/doozerlib/constants.py
Adds PRODUCT_EC_POLICY_MAP, PRODUCT_TEST_EC_POLICY_MAP, and PRODUCT_PREGA_EC_POLICY_MAP dictionaries mapping product names to Conforma/EC policy identifiers.
KonfluxImageBuilderConfig optional fields and build gating logic
doozer/doozerlib/backend/konflux_image_builder.py
Makes ec_policy_configuration and prega_ec_policy_configuration optional with None defaults; changes SLSA/attestation gating from group-name check to BuildVariant.OKD; updates should_run_ec to require non-None policy; adjusts skip-logging.
CLI product-based EC policy lookup
doozer/doozerlib/cli/images_konflux.py
Replaces fixed KONFLUX_*_EC_POLICY_CONFIGURATION constants with PRODUCT_*_EC_POLICY_MAP lookups keyed on runtime.product; prega policy falls back to base EC policy when absent in map.
skip-ec-verify flag in build-layered-products pipeline
pyartcd/pyartcd/pipelines/build_layered_products.py
Adds skip_ec_verify: bool = False to BuildLayeredProductsPipeline.__init__, conditionally appends --skip-ec-verify to the doozer build command, and exposes --skip-ec-verify as a CLI flag.
Test updates for new gating and config
doozer/tests/backend/test_konflux_ec_verification.py, doozer/tests/backend/test_konflux_image_builder.py
Updates test setup to supply explicit EC policy config values; replaces non-OCP-group skip test with a None-policy skip test; renames SLSA-validation skip test to use BuildVariant.OKD.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • openshift-eng/art-tools#3072: Directly connected — adds/uses prega_ec_policy_configuration in konflux_image_builder.py for EC verification policy selection, which this PR then makes optional and refactors.

Suggested reviewers

  • fgallott

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name Status Explanation Resolution
Container-Privileges ❌ Error Changed K8s manifests set privileged: true and runAsUser: 0 in securityContext (artcd-task.yaml, fips-scanning/pipeline-task.yaml). Remove privileged/root securityContext settings or add a clear justification if unavoidable; also check for any allowPrivilegeEscalation/host* use.
Docstring Coverage ⚠️ Warning Docstring coverage is 54.55% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Ai-Attribution ⚠️ Warning PR/commit mentions Cursor and HEAD has only Co-authored-by: Cursor; no Assisted-by or Generated-by trailer is present. Replace the AI co-author line with a proper Assisted-by: or Generated-by: trailer (or add one) and remove Co-authored-by for the AI tool.
✅ Passed checks (8 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: expanding build-time EC/ITS verification to layered products.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed Touched files only changed EC/SLSA gating and policy maps; scan found no MD5/SHA1/DES/RC4/ECB/custom crypto or secret-compare code.
No-Sensitive-Data-In-Logs ✅ Passed PASS: The patch only adds EC/SLSA gating and a skip message with group name; no new logging of secrets, tokens, PII, hostnames, or customer data.
No-Hardcoded-Secrets ✅ Passed No hardcoded secrets found in the changed files; added literals are EC policy names/URLs, not keys, tokens, passwords, or credentialed URLs.
No-Injection-Vectors ✅ Passed No direct injection vectors found: searches found no shell=True/eval/exec/pickle/yaml.load/os.system, and new commands use argv lists via cmd_assert_async.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@ashwindasr ashwindasr changed the title Expand build-time EC/ITS verification to layered products ART-21345: Expand build-time EC/ITS verification to layered products Jun 29, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 29, 2026

Copy link
Copy Markdown

@ashwindasr: This pull request references ART-21345 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Remove the is_ocp_group guard that restricted enterprise contract verification
and SLSA attestation validation to OCP-only groups. EC now runs for any product
with a configured policy (OADP, MTC, Logging, MTA, OCP). SLSA validation now
runs for all non-OKD variants.

Changes

  • doozer/doozerlib/constants.py: Add PRODUCT_EC_POLICY_MAP, PRODUCT_TEST_EC_POLICY_MAP,
    and PRODUCT_PREGA_EC_POLICY_MAP for product-to-policy mapping
  • doozer/doozerlib/backend/konflux_image_builder.py: Replace is_ocp_group check with
    policy-availability check (ec_policy_configuration is not None); expand SLSA validation
    to all non-OKD variants
  • doozer/doozerlib/cli/images_konflux.py: Use product maps for EC policy resolution
    instead of hardcoded OCP constants
  • pyartcd/pyartcd/pipelines/build_layered_products.py: Add --skip-ec-verify flag

Depends on

  • konflux-release-data MR to create EC policies for LP tenants (art-oadp-tenant,
    art-mtc-tenant, art-logging-tenant, art-mta-tenant)

Test plan

  • Unit tests pass (make unit)
  • Validate with a test OADP build (e.g. --skip-ec-verify to start)
  • Enable EC for one product first, confirm pass/fail behavior
  • Roll out to remaining products

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 29, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@doozer/doozerlib/cli/images_konflux.py`:
- Around line 309-315: The `images_konflux` policy selection regresses `test`
assemblies to the non-test PREGA EC policy. Update the `runtime.assembly ==
"test"` branch in the policy lookup logic to derive `prega_ec_policy` from a
test-specific mapping or constant, using a unique symbol such as
`PRODUCT_TEST_PREGA_EC_POLICY_MAP` alongside `PRODUCT_TEST_EC_POLICY_MAP`, so
`test` builds keep the test PREGA value instead of falling back to
`PRODUCT_PREGA_EC_POLICY_MAP`.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bb3b33ea-fb88-46f9-a083-26a9aea4a8da

📥 Commits

Reviewing files that changed from the base of the PR and between 85f57db and b89a9df.

📒 Files selected for processing (6)
  • doozer/doozerlib/backend/konflux_image_builder.py
  • doozer/doozerlib/cli/images_konflux.py
  • doozer/doozerlib/constants.py
  • doozer/tests/backend/test_konflux_ec_verification.py
  • doozer/tests/backend/test_konflux_image_builder.py
  • pyartcd/pyartcd/pipelines/build_layered_products.py

Comment on lines +309 to +315
product = runtime.product
if runtime.assembly == "test":
ec_policy = constants.KONFLUX_TEST_EC_POLICY_CONFIGURATION
prega_ec_policy = constants.KONFLUX_TEST_PREGA_EC_POLICY_CONFIGURATION
ec_policy = constants.PRODUCT_TEST_EC_POLICY_MAP.get(product)
prega_ec_policy = constants.PRODUCT_PREGA_EC_POLICY_MAP.get(product, ec_policy)
else:
ec_policy = constants.KONFLUX_DEFAULT_EC_POLICY_CONFIGURATION
prega_ec_policy = constants.KONFLUX_PREGA_EC_POLICY_CONFIGURATION
ec_policy = constants.PRODUCT_EC_POLICY_MAP.get(product)
prega_ec_policy = constants.PRODUCT_PREGA_EC_POLICY_MAP.get(product, ec_policy)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Test-assembly PREGA policy regresses to the non-test policy.

In the test branch, ec_policy is correctly drawn from PRODUCT_TEST_EC_POLICY_MAP (e.g. conforma-build-stage-test), but prega_ec_policy is looked up from PRODUCT_PREGA_EC_POLICY_MAP, which only holds the non-test prega value (ocpconforma-build-ec-stage). So for a test assembly OCP build in the pre-release lifecycle phase, EC verification now uses the non-test prega policy rather than conforma-build-ec-stage-test as before. The fallback get(product, ec_policy) also doesn't help here because the ocp key is present.

Consider introducing a PRODUCT_TEST_PREGA_EC_POLICY_MAP (or otherwise deriving the test prega policy in the test branch) so test assemblies stay on test policies.

#!/bin/bash
# Confirm prior behavior used a test-specific prega constant and that no test prega map exists now
rg -nP 'KONFLUX_TEST_PREGA_EC_POLICY_CONFIGURATION|PREGA_EC_POLICY_MAP|TEST_EC_POLICY_MAP' doozer/doozerlib
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@doozer/doozerlib/cli/images_konflux.py` around lines 309 - 315, The
`images_konflux` policy selection regresses `test` assemblies to the non-test
PREGA EC policy. Update the `runtime.assembly == "test"` branch in the policy
lookup logic to derive `prega_ec_policy` from a test-specific mapping or
constant, using a unique symbol such as `PRODUCT_TEST_PREGA_EC_POLICY_MAP`
alongside `PRODUCT_TEST_EC_POLICY_MAP`, so `test` builds keep the test PREGA
value instead of falling back to `PRODUCT_PREGA_EC_POLICY_MAP`.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants