
Migration to Konflux for a Secure FCOS Release Supply Chain - Phase 1 #2031

@joelcapitao

Description

  • Phase 1 - build the container image with Konflux, run the tests with Jenkins, release with Jenkins
  • Phase 2 - build all artifacts (i.e. the container image and the disk images) with Konflux, run the tests with Jenkins, release with Jenkins
  • Phase 3 - build all artifacts with Konflux, run the tests with Jenkins, release with Konflux
  • Phase 4 - build all artifacts with Konflux, run the tests with Konflux, release with Konflux

The primary goal is to ensure we can produce the same artifacts while leveraging the security and compliance benefits of Konflux. This build system adheres to the SLSA framework, which helps to ensure the integrity and security of artifacts by creating detailed, immutable records (i.e. build provenance) of every build step. Konflux also integrates automated security checks for dependencies and source code, providing real-time vulnerability scanning and policy enforcement. This proactive approach ensures a more secure software supply chain from the very beginning of the build process.

Community value

  • Trust and transparency: by providing a verifiable, end-to-end record of how FCOS is built and where its components come from, the build provenance will help end users mitigate supply chain risks and build trust and confidence in the integrity of their OS. This embodies the "trust but verify" philosophy.
  • Enhanced security with automated vulnerability scanning: by performing automated vulnerability scanning on FCOS artifacts, Konflux will proactively identify and address vulnerabilities. This proactive security measure ensures a safer experience for the end user by helping to prevent potential
  • Enhanced security with policy-as-code enforcement: by providing a verifiable and auditable record of the entire build process and using the policy checker Conforma, Konflux will provide a safeguard against releasing FCOS builds that fail to meet compliance requirements. End users will have the ability to run the artifacts against their own policy and decide whether to accept them or not.

Acceptance criteria of phase 1 (proposal)

  • Jenkins successfully releases a final artifact of the rawhide stream using a Konflux container image as build input. It won't push artifacts initially, but will do so later once the pipeline is stable.
  • A verifiable, signed build provenance record is generated for the container image, capturing all build steps and dependencies.
  • The Red Hat Conforma policy is executed and passes without critical failures.
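The two acceptance criteria above (a signed provenance record for the image, and a policy that gates on it) and the "run the artifacts against their own policy" point under Community value both come down to the same consumer-side step: decode the attestation and evaluate it against rules you choose. The following is an added example, not code from the FCOS project, Konflux or Conforma. It assumes the DSSE envelope has already been signature-verified (for instance by cosign), and it uses a constructed SLSA v1 statement with made-up digests, a placeholder builder id and `example.invalid` URLs rather than real Konflux values.

```python
"""Consumer-side policy check over a SLSA v1 provenance attestation.

Added example for this issue; it is not code from the FCOS project, Konflux or
Conforma. It assumes the DSSE envelope has already been signature-verified
(for example by cosign) and shows what "run the artifact against your own
policy" can look like once the statement is decoded.
"""
import base64
import json
from dataclasses import dataclass

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


@dataclass
class Policy:
    expected_sha256: str        # digest of the image the consumer is about to run
    trusted_builders: set[str]  # builder ids the consumer accepts
    pinned_deps: bool = True    # require every resolved dependency to carry a digest


def decode_envelope(envelope: dict) -> dict:
    """Unwrap a DSSE envelope (the shape cosign verify-attestation prints) to its statement."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def evaluate(statement: dict, policy: Policy) -> list[str]:
    """Return the list of policy failures; an empty list means the statement passes."""
    failures = []
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        failures.append(f"not an in-toto v1 statement: {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        failures.append(f"not SLSA v1 provenance: {statement.get('predicateType')!r}")

    # The subject is what the provenance vouches for; it must be the exact image we hold.
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if policy.expected_sha256 not in subjects:
        failures.append("subject digest does not match the image being consumed")

    predicate = statement.get("predicate", {})
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in policy.trusted_builders:
        failures.append(f"untrusted builder id {builder_id!r}")

    # Every recorded build input should carry a digest; an unpinned input cannot be audited later.
    if policy.pinned_deps:
        for dep in predicate.get("buildDefinition", {}).get("resolvedDependencies", []):
            if not dep.get("digest"):
                failures.append(f"unpinned dependency {dep.get('uri')!r}")
    return failures


# Constructed sample: a SLSA v1 statement wrapped in a DSSE envelope. Digests,
# URLs and the builder id are placeholders, not values from any real build.
_IMAGE_SHA = "a" * 64
_STATEMENT = {
    "_type": INTOTO_STATEMENT_V1,
    "subject": [{"name": "quay.io/example/fedora-coreos", "digest": {"sha256": _IMAGE_SHA}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/tekton-pipeline/v1",
            "externalParameters": {"git": {"url": "https://example.invalid/fcos-config", "ref": "rawhide"}},
            "resolvedDependencies": [
                {"uri": "git+https://example.invalid/fcos-config", "digest": {"gitCommit": "b" * 40}},
                {"uri": "pkg:rpm/fedora/kernel", "digest": {}},  # left unpinned on purpose
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/konflux-builder"}},
    },
}
SAMPLE_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<verified before this step>"}],
}
POLICY = Policy(expected_sha256=_IMAGE_SHA, trusted_builders={"https://example.invalid/konflux-builder"})


def check_sample() -> list[str]:
    """Evaluate the constructed envelope against POLICY."""
    return evaluate(decode_envelope(SAMPLE_ENVELOPE), POLICY)


if __name__ == "__main__":
    for failure in check_sample():
        print("FAIL:", failure)
```

With the constructed input the only finding is the unpinned `pkg:rpm/fedora/kernel` dependency; swapping `expected_sha256` for a different digest makes the subject check fail, which is the case that matters most to a consumer (a valid provenance for some other image proves nothing about the one you are about to run). A real Conforma policy expresses these rules in Rego over the same decoded statement, but the mechanics are the same.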

Status of the next steps

Make Konflux drive the release pipeline

Build hermetically

Tag the images with the version

Misc

xref: https://issues.redhat.com/browse/COS-3535
