
fix(ci): retarget Konflux deploy-tag to fleet-apps on GitLab#780

Merged
aredenba-rh merged 1 commit into main from fix/ci-fleet-apps-deploy-tag on Jun 30, 2026

Conversation

@aredenba-rh

Collaborator

Summary

  • Point the push pipeline's finally deploy-tag task at fleet-apps (GitLab), which is what ArgoCD deploys for stage — not hp-fleet-gitops on GitHub
  • Use secret kartograph-fleet-apps-auth with GitLab PAT (see .tekton/kartograph-fleet-apps-auth.secret.example.yaml)
  • Open deploy MRs via git push -o merge_request.create instead of GitHub PR API
  • Deprecate kartograph-hp-fleet-gitops-auth.secret.example.yaml (GitHub hp-fleet-gitops)

Fixes Konflux "Build failed" when kartograph-agent-runtime-build (and other build tasks) succeed but update-deploy-tag fails with 403.

Prerequisites

kartograph-fleet-apps-auth must exist in Konflux namespace kartograph-tenant (Konflux UI → Secrets → Key/value secret with .gitconfig, .git-credentials, .netrc).

Test plan

  • Merge PR
  • Retrigger one component push pipeline (e.g. kartograph-api)
  • Confirm update-deploy-tag opens MR on fleet-apps GitLab
  • Confirm PipelineRun status is Succeeded (not Failed)

Made with Cursor

ArgoCD stage reads fleet-apps, not hp-fleet-gitops. The finally task
was failing with 403 when pushing to openshift-online/hp-fleet-gitops,
marking successful image builds as Failed.

Use kartograph-fleet-apps-auth (GitLab PAT) and git push merge_request
options to open MRs against hybrid-platforms-gitops/tenant-apps/fleet-apps.

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Contributor
📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Deployment updates now use a GitLab-based workflow that automatically creates merge requests for changes.
  • Bug Fixes

    • Updated authentication handling for deployment updates to use the new shared credentials setup.
    • Improved error messages when required credentials are missing.
  • Documentation

    • Added a new example for the updated credentials format and marked the previous example as deprecated.

Walkthrough

Four Tekton PipelineRun definitions (agent-runtime, api, dev-ui, openshell-gateway pushes) had their update-deploy-tag finally-task workspace secret bindings repointed from hp-fleet-gitops-auth to fleet-apps-auth. Clone source switched from GitHub hp-fleet-gitops to GitLab fleet-apps.git. Push logic switched from plain branch push (plus prior PR-creation step) to GitLab merge-request creation via push options. A new kartograph-fleet-apps-auth secret example manifest was added; the old hp-fleet-gitops-auth example was annotated as deprecated.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

CWE-798 (Use of Hard-coded Credentials): kartograph-fleet-apps-auth.secret.example.yaml templates .git-credentials/.netrc with REPLACE_WITH_GITLAB_PAT placeholders — confirm no real PAT is ever committed and that .gitattributes/.gitignore exclude any populated copies from version control.

CWE-295/CWE-300 (Improper Certificate/Channel Validation, MITM): verify the new GitLab clone URL (gitlab.cee.redhat.com/.../fleet-apps.git) and merge-request push options are not vulnerable to credential leakage over the CI network — confirm TLS verification is enforced for the GitLab endpoint, unlike potential insecure flags sometimes added during repo migrations.

CWE-862 (Missing Authorization): the merge-request creation push options (merge_request.create, target, title, description) execute with whatever scope the PAT in fleet-apps-auth carries — confirm PAT scope is least-privilege (no api/admin scope beyond what's needed to open MRs) since these YAMLs are CI/CD config and direct supply-chain attack surface.

CWE-668 (Exposure of Resource to Wrong Sphere): removal of the old create-pull-request step / /tekton/run metadata in agent-runtime and openshell-gateway pipelines — confirm no residual references to the removed GitHub PR flow remain elsewhere, and that kartograph-hp-fleet-gitops-auth secret is fully decommissioned (not just deprecated in comments) to avoid dangling credential exposure.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly names the CI deploy-tag retargeting to fleet-apps on GitLab.
Description check ✅ Passed The description matches the changeset and explains the repo, secret, and MR flow updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed No non-test/non-example log calls interpolate tokens/passwords/credentials/secrets; Tekton only has static missing-secret notices. CWE-532 not triggered.
No Hardcoded Secrets ✅ Passed Only placeholder PATs appear in .example secret fixtures; non-example Tekton YAMLs show no literal creds, tokens, passwords, or embedded-auth URLs. No CWE-798/CWE-259.
No Weak Cryptography ✅ Passed Touched Tekton YAMLs only; no banned crypto primitives, ECB mode, or secret/token compares found (CWE-327/CWE-208).
No Injection Vectors ✅ Passed No CWE-78/89/79/502 patterns: the changed Tekton scripts use constants plus hex-validated COMMIT_SHA, and scans found no exec.Command, template.HTML, yaml.Unmarshal, or query concatenation.
No Privileged Containers ✅ Passed No privileged, host*, allowPrivilegeEscalation, runAsUser: 0, SYS_ADMIN, or USER root found in changed manifests/Dockerfiles; no CWE-250.
No Pii Or Sensitive Data In Logs ✅ Passed No CWE-532 exposure: logs only print COMMIT_SHA, repo/secret names, and skip/MR status; no PII, session IDs, raw bodies, or credential-bearing hostnames.
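The three keys the prerequisites call for (.gitconfig, .git-credentials, .netrc), laid out as an added illustrative manifest; this is not the repo's kartograph-fleet-apps-auth.secret.example.yaml, whose exact contents are not on this page. The secret name and namespace come from the PR text and the host from the review comment above; the `oauth2` username, the bot identity and the CA path are assumptions. It addresses two of the reviewer's points directly: the committed copy carries only the REPLACE_WITH_GITLAB_PAT placeholder, and the [http] section states TLS verification explicitly so an `sslVerify = false` cannot slip in unnoticed during a migration.

```yaml
# Illustrative example (not the repository's own example manifest).
# Populate a copy outside version control, or create the secret through the
# Konflux UI as a key/value secret with these three keys.
apiVersion: v1
kind: Secret
metadata:
  name: kartograph-fleet-apps-auth
  namespace: kartograph-tenant
type: Opaque
stringData:
  # GitLab accepts a PAT over HTTPS with any username; "oauth2" is the
  # conventional one (assumption). Keep the placeholder in the committed file.
  .git-credentials: |
    https://oauth2:REPLACE_WITH_GITLAB_PAT@gitlab.cee.redhat.com
  .netrc: |
    machine gitlab.cee.redhat.com
    login oauth2
    password REPLACE_WITH_GITLAB_PAT
  .gitconfig: |
    [credential]
        helper = store
    [http]
        # Explicit so a review catches any change to "false".
        sslVerify = true
        # If the GitLab endpoint uses a private CA, trust that CA instead of
        # disabling verification (path is an assumption):
        # sslCAInfo = /etc/pki/tls/certs/ca-bundle.crt
    [user]
        name = Konflux deploy bot
        email = konflux@example.invalid
```

Before binding the secret, `git config --file .gitconfig --get http.sslVerify` on the populated copy should print `true` or nothing; `false` is the migration-era flag the reviewer warns about. For scope, a token limited to `write_repository` is sufficient for the push and for the `merge_request.*` push options, since MR creation by push option happens server-side on the push itself; `api` scope is only needed if merge requests are opened through the REST API instead.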

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/kartograph-agent-runtime-push.yaml:
- Around line 712-718: The deploy push in the branch creation step is not
idempotent, because a retry can fail when the same deterministic branch already
exists on origin. Update the push logic around the git push invocation in the
deploy/MR creation flow so it first checks whether $BRANCH already exists
remotely and skips or safely reuses it on retries, while keeping the existing
merge request creation behavior in the same script section. Ensure the guard is
tied to the branch-handling logic near the git push command so repeated
PipelineRun executions for the same commit do not fail.

In @.tekton/kartograph-api-push.yaml:
- Around line 704-710: The deploy push in the push step is not retry-safe
because it always reuses the same deterministic branch name and can fail if that
branch already exists. Update the push flow around the git push invocation and
branch creation logic so retries become idempotent: before pushing, detect
whether the deploy branch already exists for the same commit and reuse or
refresh it instead of blindly creating a conflicting branch. Keep the fix
localized to the deploy push step that uses BRANCH/SHORT_SHA/COMMIT_SHA and the
merge_request options.

In @.tekton/kartograph-dev-ui-push.yaml:
- Around line 704-710: The deploy push in the git push block is not retry-safe
because the deterministic branch name can already exist on reruns. Update the
push logic around the existing git push command to make it idempotent for the
same commit, using the branch name and commit SHA to detect an already-created
deploy branch/MR and skip or safely reuse it instead of failing. Keep the change
local to this deploy push step so retries in the pipeline complete successfully.
📥 Commits

Reviewing files that changed from the base of the PR and between 6e902ab and 4c5cc8a.

📒 Files selected for processing (6)
  • .tekton/kartograph-agent-runtime-push.yaml
  • .tekton/kartograph-api-push.yaml
  • .tekton/kartograph-dev-ui-push.yaml
  • .tekton/kartograph-fleet-apps-auth.secret.example.yaml
  • .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml
  • .tekton/kartograph-openshell-gateway-push.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment on lines +712 to 718
git push -u origin "$BRANCH" \
-o merge_request.create \
-o merge_request.target=main \
-o "merge_request.title=chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}" \
-o "merge_request.description=Auto-generated by Konflux push pipeline. Updates newTag for ${IMAGE_SELECTOR} to ${COMMIT_SHA}."
echo "Merge request created for branch ${BRANCH}"
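Review bot: the closing `echo "Merge request created for branch ${BRANCH}"` reports something the preceding `git push` never verified. The exit status of `git push` covers only the ref update; whether `-o merge_request.create` actually opened an MR comes back as remote messages from GitLab, so a push that succeeds but opens nothing (an MR already open for the branch, or a token that may push but not open MRs) still logs "created" and the PipelineRun goes green. Suggest capturing the push output (`git push ... 2>&1 | tee push.log`) and checking it for the MR URL GitLab prints, or otherwise confirming the MR exists, before claiming success; at minimum reword the message to say the push with merge-request options completed. Also note that `${DEPLOY_COMPONENT}` and `${IMAGE_SELECTOR}` are interpolated into the title and description push options with no validation, unlike the hex-checked `${COMMIT_SHA}`; they are pipeline parameters today, but worth a comment stating that assumption.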

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Make the deploy push idempotent on retries.

Line 712 pushes a deterministic branch name. If this PipelineRun is retried for the same commit while the prior deploy branch still exists, git push can fail and mark the build failed again. CWE/CVE: N/A.

Proposed retry-safe guard
+                if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
+                  echo "Deploy branch ${BRANCH} already exists; assuming merge request was already created"
+                  exit 0
+                fi
+
                 git checkout -b "$BRANCH"
                 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
                 git push -u origin "$BRANCH" \
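Review bot: the guard's `exit 0` treats an existing remote branch as proof that the merge request exists, and the echo it adds even says "assuming"; if an earlier run pushed the branch but GitLab did not open the MR, the retry now exits 0 with no MR and the stage tag is never updated, which is the silent version of the failure this PR set out to fix. Suggest checking for the MR itself (GitLab API, or the MR URL the earlier push logged) before treating the retry as a no-op, or at least logging this branch as a warning rather than plain success. Note too that `exit 0` terminates the whole step script, so anything placed after the push in that script would be skipped on the retry path.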

Comment on lines +704 to 710
git push -u origin "$BRANCH" \
-o merge_request.create \
-o merge_request.target=main \
-o "merge_request.title=chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}" \
-o "merge_request.description=Auto-generated by Konflux push pipeline. Updates newTag for ${IMAGE_SELECTOR} to ${COMMIT_SHA}."
echo "Merge request created for branch ${BRANCH}"
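Review bot: same point as on kartograph-agent-runtime-push.yaml above; the `echo "Merge request created ..."` after `git push` asserts an outcome the push exit status does not establish, so verify the MR (from the push output or the API) before logging success.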


🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Make the deploy push idempotent on retries.

Line 704 pushes a deterministic branch name. A rerun for the same commit can collide with an existing deploy branch and fail the final task. CWE/CVE: N/A.

Proposed retry-safe guard
+                if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
+                  echo "Deploy branch ${BRANCH} already exists; assuming merge request was already created"
+                  exit 0
+                fi
+
                 git checkout -b "$BRANCH"
                 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
                 git push -u origin "$BRANCH" \

Comment on lines +704 to 710
git push -u origin "$BRANCH" \
-o merge_request.create \
-o merge_request.target=main \
-o "merge_request.title=chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}" \
-o "merge_request.description=Auto-generated by Konflux push pipeline. Updates newTag for ${IMAGE_SELECTOR} to ${COMMIT_SHA}."
echo "Merge request created for branch ${BRANCH}"
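Review bot: same point as on kartograph-agent-runtime-push.yaml above; the `echo "Merge request created ..."` after `git push` asserts an outcome the push exit status does not establish, so verify the MR (from the push output or the API) before logging success.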


🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Make the deploy push idempotent on retries.

Line 704 pushes a deterministic branch name. A rerun for the same commit can collide with an existing deploy branch and fail the final task. CWE/CVE: N/A.

Proposed retry-safe guard
+                if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
+                  echo "Deploy branch ${BRANCH} already exists; assuming merge request was already created"
+                  exit 0
+                fi
+
                 git checkout -b "$BRANCH"
                 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
                 git push -u origin "$BRANCH" \

@aredenba-rh aredenba-rh merged commit 2d76a14 into main Jun 30, 2026
9 checks passed
@aredenba-rh aredenba-rh deleted the fix/ci-fleet-apps-deploy-tag branch June 30, 2026 20:17