Merge pull request #251 from jordigilh/konflux/main/enable_hermetic_f…

…lag_to_avoid_konflux_failures

[Konflux] Enable hermetic builds as required by Konflux

.tekton/controller-rhel9-operator-pull-request.yaml

@@ -75,7 +75,7 @@ spec:
       description: Skip ecosystem checks against built image
       name: skip-ecosystem-checks
       type: string
-    - default: "false"
+    - default: "true"
       description: Execute the build with network isolation
       name: hermetic
       type: string
@@ -331,6 +331,23 @@ spec:
         operator: in
         values:
         - "false"
+    - name: rpms-signature-scan
+      params:
+      - name: image-digest
+        value: $(tasks.build-container.results.IMAGE_DIGEST)
+      - name: image-url
+        value: $(tasks.build-container.results.IMAGE_URL)
+      runAfter:
+      - build-container
+      taskRef:
+        params:
+        - name: name
+          value: rpms-signature-scan
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8
+        - name: kind
+          value: task
+        resolver: bundles
     - name: ecosystem-cert-preflight-checks
       params:
       - name: image-url

.tekton/controller-rhel9-operator-push.yaml

@@ -72,7 +72,7 @@ spec:
       description: Skip ecosystem checks against built image
       name: skip-ecosystem-checks
       type: string
-    - default: "false"
+    - default: "true"
       description: Execute the build with network isolation
       name: hermetic
       type: string
@@ -328,6 +328,23 @@ spec:
         operator: in
         values:
         - "false"
+    - name: rpms-signature-scan
+      params:
+      - name: image-digest
+        value: $(tasks.build-container.results.IMAGE_DIGEST)
+      - name: image-url
+        value: $(tasks.build-container.results.IMAGE_URL)
+      runAfter:
+      - build-container
+      taskRef:
+        params:
+        - name: name
+          value: rpms-signature-scan
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8
+        - name: kind
+          value: task
+        resolver: bundles
     - name: ecosystem-cert-preflight-checks
       params:
       - name: image-url

.tekton/orchestrator-operator-bundle-pull-request.yaml

@@ -75,7 +75,7 @@ spec:
       description: Skip ecosystem checks against built image
       name: skip-ecosystem-checks
       type: string
-    - default: "false"
+    - default: "true"
       description: Execute the build with network isolation
       name: hermetic
       type: string
@@ -331,6 +331,23 @@ spec:
         operator: in
         values:
         - "false"
+    - name: rpms-signature-scan
+      params:
+      - name: image-digest
+        value: $(tasks.build-container.results.IMAGE_DIGEST)
+      - name: image-url
+        value: $(tasks.build-container.results.IMAGE_URL)
+      runAfter:
+      - build-container
+      taskRef:
+        params:
+        - name: name
+          value: rpms-signature-scan
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8
+        - name: kind
+          value: task
+        resolver: bundles
     - name: ecosystem-cert-preflight-checks
       params:
       - name: image-url

.tekton/orchestrator-operator-bundle-push.yaml

@@ -72,7 +72,7 @@ spec:
       description: Skip ecosystem checks against built image
       name: skip-ecosystem-checks
       type: string
-    - default: "false"
+    - default: "true"
       description: Execute the build with network isolation
       name: hermetic
       type: string
@@ -328,6 +328,23 @@ spec:
         operator: in
         values:
         - "false"
+    - name: rpms-signature-scan
+      params:
+      - name: image-digest
+        value: $(tasks.build-container.results.IMAGE_DIGEST)
+      - name: image-url
+        value: $(tasks.build-container.results.IMAGE_URL)
+      runAfter:
+      - build-container
+      taskRef:
+        params:
+        - name: name
+          value: rpms-signature-scan
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8
+        - name: kind
+          value: task
+        resolver: bundles
     - name: ecosystem-cert-preflight-checks
       params:
       - name: image-url

bundle.konflux.Dockerfile

@@ -2,8 +2,11 @@ FROM registry.access.redhat.com/ubi9:latest as builder
 ARG IMG=registry.redhat.io/rhdh-orchestrator-dev-preview-beta/controller-rhel9-operator@sha256:9f4671e180ea94a47fcb235cd7edea0eccae0667c14f8a453642eedf492f41da
 WORKDIR /operator
 COPY . .
-RUN dnf install make -y && make bundle IMG=${IMG}
+RUN VERSION=$(grep "^VERSION ?="  Makefile | awk -F'= ' '{print $2}') && \
+	IMAGE_TAG_BASE=$(grep "^IMAGE_TAG_BASE ?=" Makefile | awk -F'= ' '{print $2}') && \
+	sed -i 's|version: .*|version: '${VERSION}'|; s|name: orchestrator-operator.v.*|name: orchestrator-operator.v.'${VERSION}'|; s|image: '${IMAGE_TAG_BASE}'|image: '$IMG'|' bundle/manifests/orchestrator-operator.clusterserviceversion.yaml
 
+# Build bundle
 FROM scratch
 
 USER 1001