@mzazrivec
Contributor

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR fixes pipeline failures:

```
✕ [Violation] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-api-provider-aws-mce-210@sha256:dfa6ece0d3c74305bbaba741cc9f9b96a4a46ef0aa12bf85e200b5ceffa104b4
  Reason: Required task "deprecated-image-check" is required and present but not from a trusted task
  Term: deprecated-image-check
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks. To exclude this rule add
  "tasks.required_untrusted_task_found:deprecated-image-check" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-api-provider-aws-mce-210@sha256:dfa6ece0d3c74305bbaba741cc9f9b96a4a46ef0aa12bf85e200b5ceffa104b4
  Reason: Untrusted version of PipelineTask "deprecated-base-image-check" (Task "deprecated-image-check") was included in build
  chain comprised of: deprecated-base-image-check. Please upgrade the task version to:
  sha256:f59175d9a0a60411738228dfe568af4684af4aa5e7e05c832927cb917801d489
  Term: deprecated-image-check
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The
  first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in
  creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a
  fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude
  this rule add "trusted_task.trusted:deprecated-image-check" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is
  trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks
  when newer versions are made available.
```

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

  • squashed commits
  • includes documentation
  • includes emoji in title
  • adds unit tests
  • adds or updates e2e tests

Release note:


mzazrivec and others added 30 commits September 10, 2025 16:14
Bumps the dependencies group in /hack/tools with 2 updates: [github.com/mikefarah/yq/v4](https://github.com/mikefarah/yq) and [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery).

Updates `github.com/mikefarah/yq/v4` from 4.47.1 to 4.47.2
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.47.1...v4.47.2)

Updates `k8s.io/apimachinery` from 0.34.0 to 0.34.1
- [Commits](kubernetes/apimachinery@v0.34.0...v0.34.1)

This commit adds support for AMD SEV-SNP instances, so users can
utilize confidential computing technology on cluster nodes.

Signed-off-by: Fangge Jin <[email protected]>

In AWS SDKv1, each service exports a constant EndpointsID to look up the
custom service endpoint, for example, see ref [0]. In AWS SDKv2, these
constants are no longer available.

Thus, for backwards compatibility, we copy those constants from the
SDKv1 and map them to the corresponding ServiceID in SDK v2.

Additionally, in AWS SDKv1, elb and elbv2 use the same identifier (i.e.
same EndpointsID), thus the same custom endpoint [1][2]. For backwards
compatibility, if elbv2 endpoint is undefined, elbv2 endpoint resolver
should fall back to elb endpoint if any.

This also fixes the bug where CAPA does not recognize services that define
their serviceID with more than 1 word due to the incorrect assumption [3].

References:

[0] https://github.com/aws/aws-sdk-go/blob/070853e88d22854d2355c2543d0958a5f76ad407/service/resourcegroupstaggingapi/service.go#L33-L34
[1] https://github.com/aws/aws-sdk-go/blob/070853e88d22854d2355c2543d0958a5f76ad407/service/elbv2/service.go#L32-L33
[2] https://github.com/aws/aws-sdk-go/blob/070853e88d22854d2355c2543d0958a5f76ad407/service/elb/service.go#L32-L33
[3] https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/88cb4b92b1a76591623e9d5ef347bfdc22010622/pkg/cloud/endpoints/endpoints.go#L90-L94
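
The ID mapping and elbv2 fallback described in the commit message above, as an added Go example that is not CAPA's code. `Resolver`, `NewResolver`, `Lookup`, the three-entry sample table and the `example.internal` URL are assumptions made for illustration.

```go
package main

import "fmt"

const elbID = "Elastic Load Balancing"      // SDK v2 ServiceID for elb
const elbv2ID = "Elastic Load Balancing v2" // SDK v2 ServiceID for elbv2

// Sample table for this example: SDK v1 EndpointsID -> SDK v2 ServiceID.
// In SDK v1, elb and elbv2 shared the EndpointsID "elasticloadbalancing".
var v1ToV2 = map[string]string{
	"ec2":                  "EC2",
	"elasticloadbalancing": elbID,
	"tagging":              "Resource Groups Tagging API",
}

// Resolver stores custom endpoint URLs keyed by SDK v2 ServiceID.
type Resolver struct{ urls map[string]string }

// NewResolver accepts v1 EndpointsIDs (plus the v2 elbv2 ServiceID) as keys
// and rejects anything else, so a mistyped identifier is not silently ignored.
func NewResolver(custom map[string]string) (*Resolver, error) {
	r := &Resolver{urls: map[string]string{}}
	for key, url := range custom {
		id, ok := v1ToV2[key]
		if key == elbv2ID {
			id, ok = elbv2ID, true
		}
		if !ok {
			return nil, fmt.Errorf("unknown service identifier %q", key)
		}
		r.urls[id] = url
	}
	return r, nil
}

// Lookup returns the endpoint for a v2 ServiceID; elbv2 falls back to the
// elb endpoint when it has none of its own.
func (r *Resolver) Lookup(serviceID string) (string, bool) {
	url, ok := r.urls[serviceID]
	if !ok && serviceID == elbv2ID {
		url, ok = r.urls[elbID]
	}
	return url, ok
}

func main() {
	r, _ := NewResolver(map[string]string{"elasticloadbalancing": "https://elb.example.internal"})
	fmt.Println(r.Lookup(elbv2ID))
}
```
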
…o-backplane-2.10

[backplane-2.10] 🌱 Sync upstream main branch
…s-mce-210

✨ Red Hat Konflux update cluster-api-provider-aws-mce-210
Signed-off-by: serngawy <[email protected]>
* Add RosaRoleConfig API and CRD.

* Enable partial reconcile of Rosa Operator Roles

* Review fixes

* Add integration tests

* Add more tests

* Fix comments

Signed-off-by: serngawy <[email protected]>

---------

Signed-off-by: serngawy <[email protected]>
Co-authored-by: rknaur <[email protected]>

The overall job timeout in prow is 5h, let's use all of the available
time.

* feat: support setting EKS AuthenticationMode

* feat: support setting EKS AuthenticationMode

* Update controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go

Co-authored-by: Damiano Donati <[email protected]>

* add EOF to new files

---------

Co-authored-by: Adam Malcontenti-Wilson <[email protected]>
Co-authored-by: Damiano Donati <[email protected]>
Signed-off-by: serngawy <[email protected]>
serngawy and others added 2 commits October 2, 2025 20:42
…-to-backplane-2.10

[backplane-2.10] ✨ Rebase main to upstream main branch
@k8s-ci-robot
Contributor

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot added the kind/bug (categorizes issue or PR as related to a bug), do-not-merge/release-note-label-needed (indicates that a PR should not merge because it's missing one of the release note labels) and do-not-merge/contains-merge-commits labels Oct 7, 2025
@k8s-ci-robot
Contributor

Adding label do-not-merge/contains-merge-commits because PR contains merge commits, which are not allowed in this repository.
Use git rebase to reapply your commits on top of the target branch. Detailed instructions for doing so can be found here.


@linux-foundation-easycla

CLA Missing ID CLA Not Signed

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ankitasw for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot added the cncf-cla: no (indicates the PR's author has not signed the CNCF CLA), size/XXL (denotes a PR that changes 1000+ lines, ignoring generated files) and needs-ok-to-test (indicates a PR that requires an org member to verify it is safe to test) labels Oct 7, 2025
@k8s-ci-robot
Contributor

Hi @mzazrivec. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


@k8s-ci-robot added the do-not-merge/invalid-owners-file (indicates that a PR should not merge because it has an invalid OWNERS file in it) label Oct 7, 2025
@k8s-ci-robot
Contributor

The following users are mentioned in OWNERS file(s) but are untrusted for the following reasons. One way to make the user trusted is to add them as members of the kubernetes-sigs org. You can then trigger verification by writing /verify-owners in a comment.

  • marek-veber
    • User is not a member of the org. Satisfy at least one of these conditions to make the user trusted.
  • mzazrivec
    • User is not a member of the org. Satisfy at least one of these conditions to make the user trusted.
  • capi-admins
    • User is not a member of the org. Satisfy at least one of these conditions to make the user trusted.
    • OWNERS

@mzazrivec closed this Oct 7, 2025