Red Hat Konflux kflux-prd-rh02 update kartograph-openshell-gateway #775

Closed

red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into main from konflux-kartograph-openshell-gateway

Conversation

@red-hat-konflux-kflux-prd-rh02 (Contributor)

Pipelines as Code configuration proposal

To start the PipelineRun, add a new comment with content /ok-to-test

For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation Running the PipelineRun

To customize the proposed PipelineRuns after merge, please refer to Build Pipeline customization

Please follow the block sequence indentation style introduced by the proposed PipelineRun YAMLs, or keep using a consistent indentation level throughout your customized PipelineRuns. When different levels are mixed, it will be changed to the proposed style.

Signed-off-by: red-hat-konflux-kflux-prd-rh02 <konflux@no-reply.konflux-ci.dev>
@coderabbitai (Bot) commented Jun 22, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Introduced automated build and verification pipelines for the OpenShell gateway component, including container image building, security scanning, compliance checks, and artifact publishing triggered on pull requests and push events.

Walkthrough

Two new Tekton PipelineRun manifests are added under .tekton/ for the kartograph-openshell-gateway component: one triggered on pull request events targeting main and one on push events. Both embed an identical pipelineSpec defining a buildah-based container image build pipeline. The task chain is: init → clone-repository (OCI storage) → prefetch-dependencies → build-container → build-image-index → conditional build-source-image. Post-build, a suite of security/compliance tasks (deprecated base image check, Clair scan, ecosystem cert preflight, SAST/Snyk, ClamAV, shell/unicode SAST, RPM signature scan) runs conditionally on skip-checks=false. apply-tags and push-dockerfile finalize publishing. Both runs use a dedicated service account and bind git-auth to a templated Kubernetes secret.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes


Security notes (no praise, direct findings):

  • CWE-20 / supply chain: {{ git_auth_secret }} is a raw template variable injected into a Kubernetes secretName field. If the templating engine is not tightly scoped, an attacker controlling the PAC event payload could influence secret resolution. Verify the PaC controller sanitizes this before rendering.
  • CWE-693 / skip-checks bypass: skip-checks is a user-supplied pipeline parameter with no enforcement mechanism in the manifest itself. A caller can trivially set skip-checks: "true" to suppress all Clair, Snyk, ClamAV, RPMS, and SAST tasks. This is a CI/CD security gate bypass surface — enforce the default at the PaC policy layer, not just the param default.
  • CWE-829 / uncontrolled OCI artifact expiry: artifact-expiration and oci-artifact-expires-after are also user-supplied params with defaults. Premature expiry of OCI artifacts used in downstream scan tasks could silently skip scans without triggering a failure.
  • Supply chain / service account scope: build-pipeline-kartograph-openshell-gateway service account RBAC scope is not visible here. Confirm it does not have cluster-wide secret read or image push permissions beyond the target registry.
  • The PR and push manifests are nearly identical — any drift between them (e.g., a scan task present in one but not the other) is a security gap. Diff the two files explicitly during review.
🚥 Pre-merge checks | ✅ 9 | ❌ 2

❌ Failed checks (2 inconclusive)

  • Title check: ❓ Inconclusive. Title is vague and generic, using the pattern 'Vendor platform identifier update component-name' without specifying what was actually changed or added. Resolution: Clarify the title to reflect the main change, e.g., 'Add Pipelines as Code configuration for kartograph-openshell-gateway' or 'Configure kartograph-openshell-gateway pull request and push PipelineRuns'.
  • Description check: ❓ Inconclusive. Description discusses PipelineRun execution and YAML formatting conventions but does not explain the actual content or purpose of the configuration files being added. Resolution: Add context describing what the PipelineRun configurations do, which build stages they execute, and why these specific pipeline files are needed for the kartograph-openshell-gateway component.

✅ Passed checks (9 passed)

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Sec-02: Secrets In Log Output: ✅ Passed. PR contains only YAML Tekton pipeline manifests with no logging statements. No Go code present. No secrets/credentials found in any log output context.
  • No Hardcoded Secrets: ✅ Passed. No hardcoded secrets detected. All sensitive references use Tekton template variables ({{ }}). SHA256 digests, image URIs, and placeholder variables are legitimate.
  • No Weak Cryptography: ✅ Passed. No weak cryptographic primitives (MD5, DES, RC4, SHA1 for security) or unsafe patterns found. PR contains only Tekton YAML pipeline configs with external task references, no inline crypto code.
  • No Injection Vectors: ✅ Passed. No injection vectors found. PR adds only Tekton YAML pipeline configs with no SQL (CWE-89), exec (CWE-78), template.HTML (CWE-79), or yaml.Unmarshal (CWE-502) patterns. Template variables are frame...
  • No Privileged Containers: ✅ Passed. Tekton PipelineRun manifests contain no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or runAsUser: 0 settings. CI/CD manifests (.tekton/) are excluded from...
  • No Pii Or Sensitive Data In Logs: ✅ Passed. PR adds Tekton PipelineRun YAML files with no logging statements, inline scripts, or exposed PII. All tasks reference external bundles; credentials use templated Kubernetes secret references.

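The two security notes above (the skip-checks gate bypass and the PR/push drift) are the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not code from this PR or from Konflux: it takes the parsed form of the pull-request and push manifests (the dict `yaml.safe_load` would return for each file) and reports a skip-checks default other than "false", a spec-level override of skip-checks, a scan task whose `when` guard does not key on skip-checks, and task drift between the two files. The manifests embedded below are constructed and trimmed to the fields the check reads; the scan task names are assumptions taken from the walkthrough summary, not copied from the PR, and the "push" manifest is deliberately broken to show the findings.

```python
"""Policy audit for a pair of Konflux/Pipelines-as-Code PipelineRun manifests.

Added example, not the project's code. Input is the yaml.safe_load form of each
manifest; the two below are constructed, with task names assumed from the review.
"""
from __future__ import annotations
from typing import Any

# Scan/compliance tasks expected to run only when skip-checks == "false" (assumed names).
SCAN_TASKS = {
    "deprecated-base-image-check", "clair-scan", "ecosystem-cert-preflight-checks",
    "sast-snyk-check", "clamav-scan", "sast-shell-check", "sast-unicode-check",
    "rpms-signature-scan",
}
# The Tekton `when` clause that gates a task on skip-checks=false.
SKIP_GUARD = {"input": "$(params.skip-checks)", "operator": "in", "values": ["false"]}


def _task(name: str, gated: bool = True) -> dict[str, Any]:
    """Minimal pipelineSpec task entry, optionally gated on skip-checks."""
    task: dict[str, Any] = {"name": name, "taskRef": {"resolver": "bundles"}}
    if gated:
        task["when"] = [dict(SKIP_GUARD)]
    return task


def _manifest(skip_default: str, tasks: list[dict[str, Any]],
              overrides: list[dict[str, Any]] | None = None) -> dict[str, Any]:
    """Constructed PipelineRun containing only the fields the audit reads."""
    return {
        "apiVersion": "tekton.dev/v1",
        "kind": "PipelineRun",
        "spec": {
            "params": overrides or [],  # spec.params win over pipelineSpec defaults
            "pipelineSpec": {
                "params": [{"name": "skip-checks", "default": skip_default, "type": "string"}],
                "tasks": tasks,
            },
        },
    }


BUILD_TASKS = [_task(n, gated=False) for n in
               ("init", "clone-repository", "prefetch-dependencies", "build-container", "build-image-index")]
# Good manifest: default "false", every scan task present and guarded.
PULL_REQUEST = _manifest("false", BUILD_TASKS + [_task(n) for n in sorted(SCAN_TASKS)])
# Deliberately bad manifest: default flipped, clamav-scan dropped, Snyk check unguarded.
PUSH = _manifest("true", BUILD_TASKS
                 + [_task(n) for n in sorted(SCAN_TASKS - {"clamav-scan", "sast-snyk-check"})]
                 + [_task("sast-snyk-check", gated=False)])


def skip_checks_default(m: dict[str, Any]) -> str | None:
    for p in m["spec"]["pipelineSpec"].get("params", []):
        if p.get("name") == "skip-checks":
            return str(p.get("default"))
    return None


def skip_checks_override(m: dict[str, Any]) -> str | None:
    """Value set in spec.params, which overrides the pipelineSpec default at run time."""
    for p in m["spec"].get("params", []):
        if p.get("name") == "skip-checks":
            return str(p.get("value"))
    return None


def tasks_by_name(m: dict[str, Any]) -> dict[str, dict[str, Any]]:
    return {t["name"]: t for t in m["spec"]["pipelineSpec"].get("tasks", [])}


def gated_on_skip_checks(task: dict[str, Any]) -> bool:
    return any(w == SKIP_GUARD for w in task.get("when", []))


def audit(name: str, m: dict[str, Any]) -> list[str]:
    """Findings for one manifest; an empty list means it passes."""
    findings: list[str] = []
    default = skip_checks_default(m)
    if default != "false":
        findings.append(f"{name}: skip-checks default is {default!r}, expected 'false'")
    override = skip_checks_override(m)
    if override is not None and override != "false":
        findings.append(f"{name}: spec.params overrides skip-checks to {override!r}")
    tasks = tasks_by_name(m)
    for scan in sorted(SCAN_TASKS):
        if scan not in tasks:
            findings.append(f"{name}: scan task {scan} missing")
        elif not gated_on_skip_checks(tasks[scan]):
            findings.append(f"{name}: {scan} is not guarded by skip-checks=false")
    return findings


def drift(a_name: str, a: dict[str, Any], b_name: str, b: dict[str, Any]) -> list[str]:
    """Tasks present in one manifest but not the other (the PR/push drift check)."""
    ta, tb = set(tasks_by_name(a)), set(tasks_by_name(b))
    return (sorted(f"task {t} only in {a_name}" for t in ta - tb)
            + sorted(f"task {t} only in {b_name}" for t in tb - ta))


if __name__ == "__main__":
    for line in (audit("pull-request", PULL_REQUEST) + audit("push", PUSH)
                 + drift("pull-request", PULL_REQUEST, "push", PUSH)):
        print(line)
```

Run against real files, each manifest would be read with `yaml.safe_load(open(path))` and passed to `audit`; the drift check is intentionally name-based so that a scan task quietly dropped from one of the two files shows up even when the remaining tasks are identical. Note that this only enforces the manifest defaults; as the review says, a caller who can set pipeline params still needs the gate enforced at the Pipelines as Code policy layer.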

@coderabbitai (Bot) left a review comment

🧹 Nitpick comments (2)
.tekton/kartograph-openshell-gateway-push.yaml (1)

88-93: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Same missing type: string as pull-request manifest.

Apply consistent fix here.

     - default: "false"
       description: Enable cache proxy configuration
       name: enable-cache-proxy
+      type: string
     - default: "true"
       description: Use the package registry proxy when prefetching dependencies
       name: enable-package-registry-proxy
+      type: string
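Review bot: the two added `type: string` lines are declarative only. Tekton already treats a param without `type` as a string, and the annotation does not constrain the value, so `enable-cache-proxy` and `enable-package-registry-proxy` still accept any string, not just the `"false"`/`"true"` shown as defaults. The change is fine for consistency with the pull-request manifest, but anything that consumes these flags as booleans (a `when` guard, a task param) should compare against the literal strings rather than rely on the type.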
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/kartograph-openshell-gateway-push.yaml around lines 88 - 93, The
parameter definitions for enable-cache-proxy and enable-package-registry-proxy
are missing the type field specification. Add type: string to both parameter
definitions in the Tekton manifest to maintain consistency with the pull-request
manifest and ensure proper type validation for these parameters.
.tekton/kartograph-openshell-gateway-pull-request.yaml (1)

91-96: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Missing type: string on two parameters.

enable-cache-proxy and enable-package-registry-proxy lack explicit type declarations while all other string params in this block declare type: string. Tekton defaults to string, so runtime behavior is correct, but inconsistency may confuse future maintainers.

     - default: "false"
       description: Enable cache proxy configuration
       name: enable-cache-proxy
+      type: string
     - default: "true"
       description: Use the package registry proxy when prefetching dependencies
       name: enable-package-registry-proxy
+      type: string
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/kartograph-openshell-gateway-pull-request.yaml around lines 91 - 96,
Two parameters in the Tekton configuration are missing explicit type
declarations. Add `type: string` to both the enable-cache-proxy parameter and
the enable-package-registry-proxy parameter to maintain consistency with other
string parameters defined in the same block. This ensures explicit type clarity
and prevents confusion for future maintainers, even though Tekton defaults to
string type.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 36afb5d8-1507-479b-b89a-4a9a7f5bd2bd

📥 Commits

Reviewing files that changed from the base of the PR and between a632b6e and da7fbe5.

📒 Files selected for processing (2)
  • .tekton/kartograph-openshell-gateway-pull-request.yaml
  • .tekton/kartograph-openshell-gateway-push.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

@aredenba-rh (Collaborator)

Closing as superseded by #737, which merged the Konflux pipeline configuration for kartograph-openshell-gateway to main (including customized push/PR pipelines with hp-fleet-gitops deploy-tag automation).

No need to merge this Konflux bootstrap PR — the .tekton/kartograph-openshell-gateway-*.yaml files are already on main.
