For a part of the build pipeline, at least. Since November 14th, we have been importing the container built by Konflux into our Jenkins pipeline rather than rebuilding it, in our rawhide stream.
This worked well with the Containerfile change, as we could simply onboard that container build onto Konflux.
We now have Konflux building a container for every PR and running some preliminary compliance tests. These container images are published to a devel namespace for now: quay.io/coreos-devel/fedora-coreos.
From there they are imported into our Jenkins pipeline, which builds the disk images, runs tests, then signs the container image and republishes it to its definitive place under the quay.io/fedora org. Right now, only the containers are published to the final registry, without the attestations and SBOMs. See below for more details.
This switch has been in the making for a long time, and while it’s only a small part of the pipeline it’s the baseline artefact that gets reused for everything else. It was also a good opportunity to question how we’ve been doing things until now, learn about Konflux, and also let newer members of the CoreOS team learn about our pipeline. We now have a foot in the door, and we will continue working to migrate more steps from Jenkins to Konflux.
So what are the next steps?
We will let the rawhide stream bake a little to weed out any inconsistencies with the Jenkins build. Once we are confident things are stable enough we will roll it out to testing-devel, our dev stream, and then to the production streams. There is no defined timeline for this yet.
We are looking at how we can execute our kola test suite in Testing Farm. Right now we would like to enable it for our CI, as this would allow us to run CI on the 4 architectures we support rather than only x86 as we do now. If that works well we will enable it as a Konflux Integration test as well. While we ultimately want to run our own set of tests, we also want to gain experience with TMT so we can work towards a base of common shared tests with bootc.
We would also like to enable hermetic builds (we're almost there!), in order to leverage Konflux's ability to provide a complete SBOM for our builds. This is an essential part of supply-chain trust, and one of the primary reasons we are migrating to Konflux. Unfortunately, right now we can't make use of the generated SBOMs and provenance attestations because the Konflux signatures are not distributed by Fedora yet. Hopefully they will land at https://fedoraproject.org/security soon.
Another thing we want to explore is building our disk images in Konflux, leveraging bootc-image-builder.
You can follow the next steps of our journey in the issue tracker: https://github.com/coreos/fedora-coreos-tracker/issues/2031
We would like to thank all the Konflux developers and infra folks managing Fedora's Konflux instance for their help when we encountered difficulties (and we will encounter some more, for sure!).