Certify UBI images with `preflight` binary
Summary
Red Hat has changed the way image certification is processed. It is no longer possible to trigger a scan of an image by calling an API; instead, the image must be scanned locally with the `preflight` binary that Red Hat provides. The scan results are emitted as JSON, and that JSON is then uploaded to Red Hat's certification portal.
Basic process
Each UBI image will need to be passed as an argument to the `preflight` binary and the resulting JSON captured to a file. This file is then sent to the Red Hat API using the existing token from the previous certification efforts (the token is stored in the Build vault of 1Password).
Example output of the JSON results can be viewed at https://gitlab.com/ghickey/preflight/-/blob/main/README.md.
I have a packaged `preflight` in a container at registry.gitlab.com/ghickey/preflight:1.1.0. The repo for building this image is at https://gitlab.com/ghickey/preflight/.
This has been forked to the gitlab-org/cloud-native namespace, and can be found at registry.gitlab.com/gitlab-org/cloud-native/preflight (currently at 1.2.1).
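As an added example (not part of this document, nor code from the preflight project), a small Python gate script for the certification job: it runs `preflight check container` on an image, captures the JSON report to a file, and exits non-zero if any check is listed as failed or errored, which is what lets the pipeline job fail immediately. The report field names (`image`, `passed`, and `results.passed`/`results.failed`/`results.errors` with a `name` per entry) and the assumption that preflight writes the report to stdout are our reading of preflight's output and should be checked against the README linked above; the sample report, check names and image reference are constructed. Uploading the saved file to the Red Hat API is left to the existing token-based step and is not shown.

```python
import json
import subprocess
import sys
from pathlib import Path

# Constructed sample of a preflight JSON report (assumed field layout, see lead-in).
SAMPLE_REPORT = """{
  "image": "registry.example.invalid/gitlab/example-ubi8:v0.0.0",
  "passed": false,
  "results": {
    "passed": [
      {"name": "HasLicense", "elapsed_time": 12},
      {"name": "BasedOnUbi", "elapsed_time": 3}
    ],
    "failed": [
      {"name": "RunAsNonRoot", "elapsed_time": 8}
    ],
    "errors": [
      {"name": "HasNoProhibitedPackages", "elapsed_time": 1}
    ]
  }
}"""


def run_preflight(image, output_path):
    """Run `preflight check container IMAGE`, save the JSON report to output_path
    and return the report text. Assumes the preflight binary is on PATH and that
    the JSON report goes to stdout (log lines go to stderr)."""
    proc = subprocess.run(["preflight", "check", "container", image],
                          capture_output=True, text=True, check=False)
    Path(output_path).write_text(proc.stdout)
    return proc.stdout


def summarize_text(report_text):
    """Reduce a report to the check names per outcome plus preflight's overall verdict."""
    report = json.loads(report_text)
    results = report.get("results", {})
    return {
        "image": report.get("image", "<unknown>"),
        "passed": [r["name"] for r in results.get("passed", [])],
        "failed": [r["name"] for r in results.get("failed", [])],
        "errors": [r["name"] for r in results.get("errors", [])],
        "overall": bool(report.get("passed", False)),
    }


def job_should_fail(summary):
    """Fail the job on any failed or errored check, or if preflight's own verdict is not passed.
    Errors are treated as failures so that a check that could not run is never silently accepted."""
    return bool(summary["failed"] or summary["errors"] or not summary["overall"])


def evaluate(report_text):
    """Return (should_fail, human-readable summary) for a report."""
    summary = summarize_text(report_text)
    lines = [f"{summary['image']}: overall={'PASS' if summary['overall'] else 'FAIL'}"]
    lines += [f"  FAILED  {name}" for name in summary["failed"]]
    lines += [f"  ERROR   {name}" for name in summary["errors"]]
    lines.append(f"  {len(summary['passed'])} check(s) passed")
    return job_should_fail(summary), "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage in a pipeline job: python gate.py IMAGE  (report saved next to the script)
        image = sys.argv[1]
        report_file = image.rsplit("/", 1)[-1].replace(":", "_") + ".preflight.json"
        text = run_preflight(image, report_file)
    else:
        text = SAMPLE_REPORT  # offline demonstration on the constructed report
    failed, output = evaluate(text)
    print(output)
    sys.exit(1 if failed else 0)
```

The saved `*.preflight.json` file is the artifact to upload afterwards; keeping the gate decision separate from the upload means a failed image never reaches the portal step.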
Benefits
This process fits GitLab's pipeline build model better: results are available immediately, so the certification job can be failed in the pipeline if any check fails. Previously it was necessary to manually visit the Red Hat Connect portal to inspect the results for each image tested.
In addition, this same process can be leveraged by the GitLab Operator and GitLab Runner projects.