INSTA-37986: Add fedramp-pipeline.yaml to handle manual build & publish for fedramp cases#273
INSTA-37986: Add fedramp-pipeline.yaml to handle manual build & publish for fedramp cases#273FredrikAtIBM wants to merge 10 commits intomainfrom
Conversation
FredrikAtIBM
force-pushed
the
INSTA-37986
branch
4 times, most recently
from
14982ff to
6f88cbd
Compare
FredrikAtIBM
changed the title
FredrikAtIBM
force-pushed
the
INSTA-37986
branch
from
6f88cbd to
a481ace
Compare
ci/fedramp-pipeline.yaml
Outdated
| type: dummy | ||
| config: | ||
| vars: &prerelease-container-registry | ||
| repository: delivery.instana.io/int-docker-agent-fedramp-prerelease-local/instana-agent-operator/fedramp-v1.0.0/instana-agent-operator |
There was a problem hiding this comment.
We can't hard code v1.0.0 here as versions will change in subsequent releases, we need instead to use the bucket version instead, like here: https://github.ibm.com/instana/autotrace-mutating-webhook/pull/560/files#diff-6f63be971f649e60f9e0bf2ff76948e553f4616d50da84311800a89f5d77014bR127-R135. Then, since image_registry resource doesn't let us use variables, pushes to artifactory would need to be manual. The webhook pipeline has an example how to do this.
ci/fedramp-pipeline.yaml
Outdated
| type: dummy | ||
| config: | ||
| vars: | ||
| repository: delivery.instana.io/int-docker-agent-fedramp-release-local/instana-agent-operator/fedramp-v1.0.0/instana-agent-operator |
There was a problem hiding this comment.
same here as above
ci/fedramp-pipeline.yaml
Outdated
| type: dummy | ||
| config: | ||
| vars: | ||
| repository: https://delivery.instana.io/artifactory/int-generic-agent-fedramp-release-local/instana-agent-operator/fedramp-v1.0.0/instana-agent-operator |
There was a problem hiding this comment.
same here as above
ci/fedramp-pipeline.yaml
Outdated
| - put: instana-agent-operator-fedramp-image-amd64 | ||
| params: | ||
| image: image-amd64/image.tar | ||
| additional_tags: image-tags/amd64 | ||
| - put: instana-agent-operator-fedramp-image-arm64 | ||
| params: | ||
| image: image-arm64/image.tar | ||
| additional_tags: image-tags/arm64 | ||
| - put: instana-agent-operator-fedramp-image-ppc64le | ||
| params: | ||
| image: image-ppc64le/image.tar | ||
| additional_tags: image-tags/ppc64le | ||
| - put: instana-agent-operator-fedramp-image-s390x | ||
| params: | ||
| image: image-s390x/image.tar | ||
| additional_tags: image-tags/s390x |
There was a problem hiding this comment.
Since fedramp version will be parametrized, we won't be able to use put with image_registry resource. Instead, you can use a similar script as we have for the webhook: ci/fedramp/deploy-image.yml
FredrikAtIBM
force-pushed
the
INSTA-37986
branch
from
74dc40b to
d35e9ec
Compare
FredrikAtIBM
force-pushed
the
INSTA-37986
branch
from
fa9bf65 to
6af040a
Compare
…sh for fedramp cases Signed-off-by: Fredrik Gundersen <fredrik.gundersen@ibm.com>
Signed-off-by: Fredrik Gundersen <fredrik.gundersen@ibm.com>
FredrikAtIBM
force-pushed
the
INSTA-37986
branch
from
6af040a to
343179f
Compare
|
Checks Summary Last run: 2025-07-23T15:20:23.401Z Code Risk Analyzer vulnerability scan found 2 vulnerabilities:
|
…ployments Signed-off-by: Fredrik Gundersen <fredrik.gundersen@ibm.com>
FredrikAtIBM
force-pushed
the
INSTA-37986
branch
from
d6b2d9d to
96ead64
Compare
cvrkota
left a comment
cvrkota
left a comment
There was a problem hiding this comment.
Looking at the artifactory, we don't push the images with the version tags, but just sha's and latest. We want to stay consistent with the old approach, where we don't just promote images with the same sha, but we push them with the real version in the release repository
Co-authored-by: Milica Cvrkota <43457560+cvrkota@users.noreply.github.com>
Signed-off-by: Fredrik Gundersen <fredrik.gundersen@ibm.com>
| echo "${PRERELEASE_CONTAINER_REPO_URL}" > variables/prerelease-container-repo-url | ||
| echo "${RELEASE_CONTAINER_REPO_URL}" > variables/release-container-repo-url | ||
| echo "${RELEASE_GENERIC_REPO}" > variables/release-generic-repo-url | ||
| echo "fedramp-release-v${FEDRAMP_VERSION}" > variables/release-branch |
There was a problem hiding this comment.
The branch should actually come from fedramp-version-default instead of the bucket as the branch won't change for every e.g. patch release. The branch changes only once every 6 months (for each new minor release)
There was a problem hiding this comment.
I don't understand this. The source of truth in what version we build is the bucket version like in the PRs that were provided to me. The default value is the initial value. Did I misunderstand something about this from previous ones?
There was a problem hiding this comment.
Yes, but the release branch won't change every time the fedramp branch changes. The branch will get changes only for new minor releases, but we will keep using fedramp-release-v1.0.0 even when bumping patch releases. Probably the branch name should've been fedramp-release-v1.0.x, but this decision was done outside of our team. So we need here two inputs:
fedramp-versionresource that should be used for artifactory paths- ((local-variables:fedramp-version-default)) which should be used for the branch resource
| file: variables/release-branch | ||
| reveal: true | ||
| # Copy the source code as now we know which version to release with the right branch | ||
| - task: clone-source-code |
There was a problem hiding this comment.
Why is the clone manual? You can just define a resource with type: git with the branch name, and then to use get for fetching the resource
There was a problem hiding this comment.
The clone is manual as it seemed that manipulating a git resource is not possible if I'm not mistaken. Dynamic branching from the bucket will pull source as get to the point of figuring out what we're pulling. That was the point of the bucket right?
There was a problem hiding this comment.
It's possible to define the git resource with the release-branch pointing to fedramp branch. Pls take a look here: https://github.ibm.com/instana/autotrace-mutating-webhook/blob/main/ci/fedramp/pipeline.yml#L23-L38
| image_resource: | ||
| <<: *e2e-test-base-image | ||
| inputs: | ||
| - name: source-code |
There was a problem hiding this comment.
| - name: source-code | |
| - name: <source-code-git-resource> |
and then you don't need the previous task
There was a problem hiding this comment.
I don't exactly understand what this is. Can you elaborate?
There was a problem hiding this comment.
This is in reference to using the git concourse resource instead of manually cloning the repo. Pls check previous comment with the example
| docker://${PRERELEASE_CONTAINER_REPO_URL}@${DIGEST} \ | ||
| docker://${RELEASE_CONTAINER_REPO_URL}:latest |
There was a problem hiding this comment.
Here we are pushing now both images at the same time. We should keep the existing approach and keep the pipelines as similar to regular releases: push to prerelease, running e2e tests with the prerelease pipeline, pushing to release only images that pass the test.
Also in the release repository, we don't need to copy images with git tag, we can only push them with the v + latest
There was a problem hiding this comment.
I'm don't understand what is exactly meant by these points. Can you elaborate?
There was a problem hiding this comment.
The skopeo command pushes both to prerelease and release paths:
docker://${PRERELEASE_CONTAINER_REPO_URL}@${DIGEST} \
docker://${RELEASE_CONTAINER_REPO_URL}:latest
We don't want to do this. The approach we want is to:
- push to prerelease
- run e2e tests with prerelease image
- promote the image to release repo
FredrikAtIBM
force-pushed
the
INSTA-37986
branch
from
f14ee89 to
0823e14
Compare
…ing scheme Signed-off-by: Fredrik Gundersen <fredrik.gundersen@ibm.com>
FredrikAtIBM
force-pushed
the
INSTA-37986
branch
from
b11d1f5 to
f8fa40d
Compare
| - | | ||
| echo "Using FedRAMP version: ${FEDRAMP_VERSION}" | ||
| # Define the updated repository paths with the correct version | ||
| PRERELEASE_CONTAINER_REPO_URL="delivery.instana.io/int-docker-agent-fedramp-prerelease-local/instana-agent-operator/fedramp-v${FEDRAMP_VERSION}/instana-agent-operator" |
There was a problem hiding this comment.
| PRERELEASE_CONTAINER_REPO_URL="delivery.instana.io/int-docker-agent-fedramp-prerelease-local/instana-agent-operator/fedramp-v${FEDRAMP_VERSION}/instana-agent-operator" | |
| PRERELEASE_CONTAINER_REPO_URL="delivery.instana.io/int-docker-agent-fedramp-prerelease-local/instana-agent-operator/fedramp-${FEDRAMP_VERSION}/instana-agent-operator" |
| echo "Using FedRAMP version: ${FEDRAMP_VERSION}" | ||
| # Define the updated repository paths with the correct version | ||
| PRERELEASE_CONTAINER_REPO_URL="delivery.instana.io/int-docker-agent-fedramp-prerelease-local/instana-agent-operator/fedramp-v${FEDRAMP_VERSION}/instana-agent-operator" | ||
| RELEASE_CONTAINER_REPO_URL="delivery.instana.io/int-docker-agent-fedramp-release-local/instana-agent-operator/fedramp-v${FEDRAMP_VERSION}/instana-agent-operator" |
There was a problem hiding this comment.
| RELEASE_CONTAINER_REPO_URL="delivery.instana.io/int-docker-agent-fedramp-release-local/instana-agent-operator/fedramp-v${FEDRAMP_VERSION}/instana-agent-operator" | |
| RELEASE_CONTAINER_REPO_URL="delivery.instana.io/int-docker-agent-fedramp-release-local/instana-agent-operator/fedramp-${FEDRAMP_VERSION}/instana-agent-operator" |
| # Define the updated repository paths with the correct version | ||
| PRERELEASE_CONTAINER_REPO_URL="delivery.instana.io/int-docker-agent-fedramp-prerelease-local/instana-agent-operator/fedramp-v${FEDRAMP_VERSION}/instana-agent-operator" | ||
| RELEASE_CONTAINER_REPO_URL="delivery.instana.io/int-docker-agent-fedramp-release-local/instana-agent-operator/fedramp-v${FEDRAMP_VERSION}/instana-agent-operator" | ||
| RELEASE_GENERIC_REPO="https://delivery.instana.io/artifactory/int-generic-agent-fedramp-release-local/instana-agent-operator/fedramp-v${FEDRAMP_VERSION}/instana-agent-operator" |
There was a problem hiding this comment.
| RELEASE_GENERIC_REPO="https://delivery.instana.io/artifactory/int-generic-agent-fedramp-release-local/instana-agent-operator/fedramp-v${FEDRAMP_VERSION}/instana-agent-operator" | |
| RELEASE_GENERIC_REPO="https://delivery.instana.io/artifactory/int-generic-agent-fedramp-release-local/instana-agent-operator/fedramp-${FEDRAMP_VERSION}/instana-agent-operator" |
| echo "${PRERELEASE_CONTAINER_REPO_URL}" > variables/prerelease-container-repo-url | ||
| echo "${RELEASE_CONTAINER_REPO_URL}" > variables/release-container-repo-url | ||
| echo "${RELEASE_GENERIC_REPO}" > variables/release-generic-repo-url | ||
| echo "fedramp-release-v${FEDRAMP_VERSION}" > variables/release-branch |
There was a problem hiding this comment.
Yes, but the release branch won't change every time the fedramp branch changes. The branch will get changes only for new minor releases, but we will keep using fedramp-release-v1.0.0 even when bumping patch releases. Probably the branch name should've been fedramp-release-v1.0.x, but this decision was done outside of our team. So we need here two inputs:
fedramp-versionresource that should be used for artifactory paths- ((local-variables:fedramp-version-default)) which should be used for the branch resource
| file: variables/release-branch | ||
| reveal: true | ||
| # Copy the source code as now we know which version to release with the right branch | ||
| - task: clone-source-code |
There was a problem hiding this comment.
It's possible to define the git resource with the release-branch pointing to fedramp branch. Pls take a look here: https://github.ibm.com/instana/autotrace-mutating-webhook/blob/main/ci/fedramp/pipeline.yml#L23-L38
| image_resource: | ||
| <<: *e2e-test-base-image | ||
| inputs: | ||
| - name: source-code |
There was a problem hiding this comment.
This is in reference to using the git concourse resource instead of manually cloning the repo. Pls check previous comment with the example
| docker://${PRERELEASE_CONTAINER_REPO_URL}@${DIGEST} \ | ||
| docker://${RELEASE_CONTAINER_REPO_URL}:latest |
There was a problem hiding this comment.
The skopeo command pushes both to prerelease and release paths:
docker://${PRERELEASE_CONTAINER_REPO_URL}@${DIGEST} \
docker://${RELEASE_CONTAINER_REPO_URL}:latest
We don't want to do this. The approach we want is to:
- push to prerelease
- run e2e tests with prerelease image
- promote the image to release repo
4 participants
Why
Needed to have a explicitly a version for fedramp-cases
What
Add fedramp-pipeline.yaml to handle manual build & publish for fedramp-cases.
References