October 28th, 2024 Community Meeting #251

Closed
qu1queee opened this issue Oct 28, 2024 · 4 comments

Comments

@qu1queee
Contributor

  • Please add a topic in this thread and add a link to the GitHub issue associated with the topic.
  • Please make sure you give folks enough time to review/discuss the topic offline on GitHub before coming into the meeting
  • (optional) Paste the image of an animal 😸
@SaschaSchwarze0
Member

SaschaSchwarze0 commented Oct 28, 2024

I figured out why our PR automation opens PRs with commits that are authored by the openshift merge robot. Trying to address this here: shipwright-io/build#1698

@SaschaSchwarze0
Member

SaschaSchwarze0 commented Oct 28, 2024

shipwright-io/build#1689 is a pain we need to look at. Something that I have set up at home is the following:

kubectl -n shipwright-build set env deployment/shipwright-build-controller 'IMAGE_PROCESSING_CONTAINER_TEMPLATE={"image": "ghcr.io/shipwright-io/build/image-processing:latest", "command": ["/ko-app/image-processing"], "env": [{"name": "HOME","value": "/shared-home"}], "envFrom": [{"secretRef": {"name": "trivy-user", "optional": true}}], "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"add": ["DAC_OVERRIDE"], "drop": ["ALL"]}, "runAsUser": 0, "runAsGroup": 0}}'

The relevant addition is the envFrom pointing to an optional secret trivy-user. That secret is opaque and contains the keys TRIVY_USER (GitHub username) and TRIVY_PASSWORD (GitHub token). That way, the two environment variables are available and it should authenticate for the database download, as Trivy supports it based on aquasecurity/trivy#3915 - though those flags are not documented in trivy image --help. Therefore we need to check whether they are really supported.

Other idea: in the image-processing step implementation, we can try to determine that Trivy failed to download the database based on the command output, and retry the command.

@SaschaSchwarze0
Member

Tekton v0.65 will release soon (reference: https://tektoncd.slack.com/archives/CLCCEBUMU/p1730113043463369). It will be an LTS, I think, which, based on the rules we wanted to establish, means we should cut a Shipwright release.

@SaschaSchwarze0
Member

On our Trivy scan issues:

  • Environment variables really do exist for the --username and --password flags.
  • Next step: try the solution in e2e and integration
  • Sascha to open PR with retry of trivy if it fails during database download
    -> we then have two PRs that potentially fix the problem and we can take both or just one
  • Matthias: side note, noticed that we use different Ginkgo terms for the vulnerability tests, so you must skip two things to skip them all
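The retry idea raised in the earlier comment on shipwright-io/build#1689 and again in the action item above ("retry of trivy if it fails during database download") is sketched below as an added example. It is not the project's image-processing code, just one way such a wrapper could look in Go: the command runner is abstracted so the logic can be exercised without a trivy binary, only failures whose output looks like a DB download problem are retried, and any other failure (a scan that found vulnerabilities, a bad flag) is returned on the first attempt so it is not masked by retries. The output markers and the fake trivy output are constructed for the demo and are assumptions; they should be compared against the real output seen in the failing e2e runs before being relied upon.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// Runner executes a command and returns its combined stdout/stderr. It is a
// function type so the retry logic can be driven by a fake trivy in tests.
type Runner func(ctx context.Context, name string, args ...string) (string, error)

// execRunner is the real Runner, backed by os/exec.
func execRunner(ctx context.Context, name string, args ...string) (string, error) {
	out, err := exec.CommandContext(ctx, name, args...).CombinedOutput()
	return string(out), err
}

// dbDownloadMarkers are substrings that, when present in trivy's output, are
// taken to mean the vulnerability database could not be fetched. Assumption:
// these markers are illustrative; check them against the real failing output.
var dbDownloadMarkers = []string{
	"failed to download vulnerability DB",
	"TOOMANYREQUESTS",
}

// isDBDownloadFailure reports whether the output of a failed trivy run points
// at a database download problem rather than, say, a scan that found issues.
func isDBDownloadFailure(output string) bool {
	for _, m := range dbDownloadMarkers {
		if strings.Contains(output, m) {
			return true
		}
	}
	return false
}

// runTrivyWithRetry runs trivy up to maxAttempts times. Only failures that look
// like a DB download problem are retried (with linear backoff); any other
// failure is returned immediately so real scan errors are never hidden.
// It returns the output of the last run and the number of attempts made.
func runTrivyWithRetry(ctx context.Context, run Runner, maxAttempts int, backoff time.Duration, args ...string) (string, int, error) {
	var out string
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		out, err = run(ctx, "trivy", args...)
		if err == nil {
			return out, attempt, nil
		}
		if !isDBDownloadFailure(out) {
			return out, attempt, fmt.Errorf("trivy failed for a reason other than DB download: %w", err)
		}
		if attempt == maxAttempts {
			break
		}
		select {
		case <-ctx.Done():
			return out, attempt, ctx.Err()
		case <-time.After(backoff * time.Duration(attempt)):
		}
	}
	return out, maxAttempts, fmt.Errorf("trivy DB download failed after %d attempts: %w", maxAttempts, err)
}

// flakyRunner returns a fake Runner (constructed for this example) that fails
// with a DB-download-style error for the first `failures` calls, then succeeds.
func flakyRunner(failures int) Runner {
	calls := 0
	return func(ctx context.Context, name string, args ...string) (string, error) {
		calls++
		if calls <= failures {
			// Constructed output resembling a rate-limited DB download.
			return "FATAL init error: DB error: failed to download vulnerability DB: TOOMANYREQUESTS", errors.New("exit status 1")
		}
		return "Total: 0 (HIGH: 0, CRITICAL: 0)", nil
	}
}

func main() {
	ctx := context.Background()
	// Two simulated DB download failures, then success on the third attempt.
	// Replace flakyRunner(2) with execRunner to drive the real trivy binary.
	out, attempts, err := runTrivyWithRetry(ctx, flakyRunner(2), 3, 10*time.Millisecond,
		"image", "--severity", "HIGH,CRITICAL", "example.com/app:latest")
	fmt.Printf("attempts=%d err=%v\nlast output: %s\n", attempts, err, out)
}
```

The important design choice is the negative path: a retry loop that re-runs trivy on every non-zero exit would also re-run a scan that legitimately failed because it found HIGH/CRITICAL findings, so the wrapper classifies the failure first and only retries the download case.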
