update kms plugin beta image to ci#80772
Walkthrough: Updates vault-kube-kms image version from 0.0.1 to 0.1.0-beta-ubi across image mirroring config and four CI operator configs, changing registry namespace from control-plane references to ci and removing digest-pinned references in favor of tagged references.
Changes: Vault KMS Image Version Bump to 0.1.0-beta-ubi
355d878 to d623fc7
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: gangwgr. The full list of commands accepted by this bot can be found here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Actionable comments posted: 1
ℹ️ Review info
📒 Files selected for processing (8)
- ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-master.yaml
- ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml
- ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main__periodics.yaml
- ci-operator/config/openshift/cluster-openshift-apiserver-operator/openshift-cluster-openshift-apiserver-operator-main.yaml
- ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml
- ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml
- ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
- core-services/image-mirroring/_config.yaml
✅ Files skipped from review due to trivial changes (1)
- ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
- ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-master.yaml
- ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml
| ci/vault-kube-kms:0.1.0-beta-ubi: | ||
| image: docker.io/hashicorp/vault-kube-kms:0.1.0-beta-ubi |
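Review bot: the `image:` source on the second line carries only the mutable tag `0.1.0-beta-ubi`, and the walkthrough states this PR also drops the previous digest-pinned references, so a CI input that was reproducible before is no longer. Pin the source as `docker.io/hashicorp/vault-kube-kms@sha256:<digest>` and keep the tag in a YAML comment beside it so later bumps stay greppable; the destination key `ci/vault-kube-kms:0.1.0-beta-ubi` can stay as the tag the ci-operator configs consume.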
Pin the mirrored vault-kube-kms source by digest, not mutable tag.
Using docker.io/hashicorp/vault-kube-kms:0.1.0-beta-ubi makes the CI input mutable; upstream retags can silently change test content and weaken provenance for encryption-kms coverage. Please switch this source to an immutable @sha256 reference and bump intentionally when needed.
38ffaf9 to 3a30308
♻️ Duplicate comments (1)
core-services/image-mirroring/_config.yaml (1)
1076-1077: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin the vault-kube-kms source image by digest for immutability.
Although the source registry has changed from docker.io/hashicorp to quay.io/redhat-isv-containers (a more controlled registry), the image reference still uses a mutable tag (0.1.0-beta-ubi) instead of an immutable digest. This allows upstream retagging to silently change CI test inputs, weakening provenance and reproducibility for encryption-kms coverage.
Replace the tag-based reference with a digest-pinned reference:
    ci/vault-kube-kms:0.1.0-beta-ubi:
      image: quay.io/redhat-isv-containers/698df066f8d1ddf179c15ef9@sha256:<digest>
You can obtain the digest with:
    skopeo inspect docker://quay.io/redhat-isv-containers/698df066f8d1ddf179c15ef9:0.1.0-beta-ubi | jq -r .Digest
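As an added example (not code from the PR or from the CodeRabbit review), a small checker for the pinning rule discussed above: it flags `image:` sources in a supplementalCIImages-style snippet that carry only a tag, and shows how a tagged reference is rewritten to a digest computed the way a registry does (sha256 over the raw manifest bytes, the value `skopeo inspect | jq -r .Digest` reports). The manifest bytes and the second mirror entry are constructed for the example; the reference parsing is a deliberately minimal version of the OCI reference grammar.

```python
import hashlib
import re

# Constructed manifest bytes standing in for what the registry would serve (not the real one).
SAMPLE_MANIFEST = b'{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json"}'
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def parse_ref(ref):
    """Split an image reference into (name, tag, digest); absent parts are None."""
    name, _, digest = ref.partition("@")
    head, sep, last = name.rpartition(":")
    # a ':' is a tag separator only after the last '/', otherwise it is a registry port
    if sep and "/" not in last:
        return head, last, digest or None
    return name, None, digest or None

def is_pinned(ref):
    """True only for an immutable @sha256 reference; a bare tag is mutable."""
    digest = parse_ref(ref)[2]
    return digest is not None and DIGEST_RE.fullmatch(digest) is not None

def manifest_digest(raw_manifest):
    """Digest as a registry (and `skopeo inspect | jq -r .Digest`) reports it:
    sha256 over the raw manifest bytes, so retagging to new content changes it."""
    return "sha256:" + hashlib.sha256(raw_manifest).hexdigest()

def pin(ref, raw_manifest):
    """Rewrite a tagged source reference as name@sha256:<digest>."""
    return f"{parse_ref(ref)[0]}@{manifest_digest(raw_manifest)}"

def find_unpinned_sources(config_text):
    """Return (line_no, ref) for every `image:` source that is not digest-pinned."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("image:"):
            ref = stripped.split(":", 1)[1].strip()
            if not is_pinned(ref):
                findings.append((n, ref))
    return findings

# Constructed mirroring snippet: the mutable source from the review beside a digest-pinned one.
SAMPLE_CONFIG = (
    "supplementalCIImages:\n"
    "  ci/vault-kube-kms:0.1.0-beta-ubi:\n"
    "    image: quay.io/redhat-isv-containers/698df066f8d1ddf179c15ef9:0.1.0-beta-ubi\n"
    "  ci/example-pinned:1.0:\n"
    "    image: " + pin("quay.io/example/pinned:1.0", SAMPLE_MANIFEST) + "\n"
)
```

Running `find_unpinned_sources(SAMPLE_CONFIG)` reports only the vault-kube-kms line, which is the finding the review raises.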
ℹ️ Review info
✅ Files skipped from review due to trivial changes (1)
- ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml
🚧 Files skipped from review as they are similar to previous changes (6)
- ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml
- ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml
- ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
- ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-master.yaml
- ci-operator/config/openshift/cluster-openshift-apiserver-operator/openshift-cluster-openshift-apiserver-operator-main.yaml
- ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main__periodics.yaml
3a30308 to 1379e38
[REHEARSALNOTIFIER]
A total of 118 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs. A full list of affected jobs can be found here.
Interacting with pj-rehearse: Once you are satisfied with the results of the rehearsals, comment:
@gangwgr: all tests passed! Full PR test history. Your PR dashboard.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
update kms plugin beta image to ci
Summary by CodeRabbit
This PR updates OpenShift CI configuration to run Vault KMS–based encryption e2e/tests against a newer Vault KMS plugin beta image (0.1.0-beta-ubi). Practically, it standardizes CI to use the tag-based image reference registry.ci.openshift.org/ci/vault-kube-kms:0.1.0-beta-ubi (replacing older 0.0.1 and/or sha256-pinned references) and aligns image mirroring so the CI registry can serve that plugin image.
What changed:
- openshift-cluster-authentication-operator-master.yaml: base_images.vault_kube_kms to namespace: ci and tag: 0.1.0-beta-ubi; VAULT_KMS_PLUGIN_IMAGE to registry.ci.openshift.org/ci/vault-kube-kms:0.1.0-beta-ubi.
- openshift-cluster-kube-apiserver-operator-main*.yaml: base_images.vault_kube_kms to namespace: ci and tag: 0.1.0-beta-ubi; VAULT_KMS_PLUGIN_IMAGE in both main and periodic encryption-KMS e2e job definitions to registry.ci.openshift.org/ci/vault-kube-kms:0.1.0-beta-ubi.
- openshift-cluster-openshift-apiserver-operator-main.yaml: vault_kube_kms base image config to namespace: ci and tag: 0.1.0-beta-ubi; the e2e-aws-operator-encryption-kms job's VAULT_KMS_PLUGIN_IMAGE to registry.ci.openshift.org/ci/vault-kube-kms:0.1.0-beta-ubi.
- core-services/image-mirroring/_config.yaml: supplementalCIImages for Vault KMS to mirror ci/vault-kube-kms:0.1.0-beta-ubi from quay.io/redhat-isv-containers/698df066f8d1ddf179c15ef9:0.1.0-beta-ubi.
- VAULT_KMS_PLUGIN_IMAGE: registry.ci.openshift.org/ci/vault-kube-kms:0.1.0-beta-ubi.
- etcd-encryption-vault-install-ref.yaml: default VAULT_KMS_PLUGIN_IMAGE to registry.ci.openshift.org/ci/vault-kube-kms:0.1.0-beta-ubi, and refreshed the documentation to reflect the updated mirroring source.
Impact:
- vault-kube-kms:0.1.0-beta-ubi plugin image via a consistent registry.ci.openshift.org/ci/... reference, with the CI image mirroring configuration updated accordingly.