Using OpenShift Pipelines CI/CD and Quay for Container Certification

OpenShift Pipelines is a Kubernetes-native CI/CD solution based on Tekton, providing a CI/CD experience through tight integration with OpenShift and Red Hat developer tools. OpenShift Pipelines is designed to run each step of the CI/CD pipeline in its own container, allowing each step to scale independently to meet the demands of the pipeline. 

Red Hat Quay is a private container registry that stores, builds, and deploys container images. Quay analyzes images for security vulnerabilities, delivers geo replication and BitTorrent distribution to increase performance across distributed development sites and increase resiliency and redundancy for disaster recovery.

You may leverage OpenShift Pipelines and Red Hat Quay in tandem to rebuild and certify your container images automatically when new UBI base image updates are released. This automation will support and enhance your CI/CD container development workflows and will prevent security vulnerability concerns and outdated Red Hat certifications. 

Prerequisites:

• Register as a technology partner here [in order to complete certification] if not already a partner. 
• OpenShift Cluster [installed and hosted wherever you prefer]
• UBI container base image
• RHEL OS
• Review the container certification workflow documentation 
• Create your container certification projectwithin the Partner Connect portal

Install Red Hat Quay

You must use a private Quay image registry to store the desired base image that OpenShift Pipelines will consume and use as a source to trigger image builds. A Quay mirror registry is required and is only available using a private Quay instance. 

*Note: Quay.io cannot be used. 

Your private Quay registry is installed on an OpenShift cluster. Please ensure the OpenShift cluster has enough storage to host all available tags of the base image you rebuild.

1. As a cluster administrator, install Red Hat Quay Operator from the embedded OperatorHub
   1. Red Hat Quay Operator documentation

Image

Configure Red Hat Quay

1. Create a Quay private image repository for the application code
2. Create a 2nd Quay private image repository for mirroring the desired UBI base image
   1. Configure this repository to point to your desired UBI base image in Red Hat’s official UBI repository
      1. Mirroring an image registry

Create a Quay robot account which can read from the UBI repository and write to the application repository

1. Download the credentials for this account to be used by OpenShift Pipelines later

Install OpenShift Pipelines

1. As a cluster administrator, install the Red Hat OpenShift Pipelines Operator from the embedded OperatorHub within OpenShift

Image

Create Your Pipeline

Create a pipeline that consumes a base image (i.e. UBI) along with application code and rebuilds every time that base image is updated. 

Prerequisites:

1. Create an OpenShift project for this pipeline 
2. Create a pipeline within this new project
   1. Create a tekton task for to run the preflight certification tool
      1. Task submits results and docker config file if and when all certification checks pass
         1. See all image requirements and their related checks
         2. View the preflight certification workflow
            1. You will need your certification project ID and your pyxis API key [both obtained from within your Partner Connect account]
      2. See preflight recipes
      3. An example of a preflight tekton task within our operator certification pipeline
3. Create a secret from the Quay robot credentials created earlier
4. Add the secret to the Service Account for the pipeline

oc secrets link default <pull_secret_name> --for=pull

[The default service account is default]

5. Create a pipeline trigger, via a webhook. This trigger will initiate the pipeline to run.
   1. Learn more about OpenShift Pipelines webhooks.

Create a Quay Notification to Start the Pipeline

1. Configure Quay to push a notification via a webhook to the OpenShift Pipelines webhook URL anytime a new UBI image is pushed to the repository
   1. How to set repository notifications with Quay

Publish Image

Once your image is built, certified, and results are submitted to the Partner Connect portal, you can then manually publish your image to be listed in the Red Hat Ecosystem Catalog. This step cannot currently be automated.

1. From the Partner Connect portal, publish the newly certified image once it successfully passes vulnerability scanning.

Image

Getting Help

Any issues related specifically to the certification steps can be directed to our Technology Partner Success Desk.

If you have any questions related to this guidance and the functionality of the automated build pipeline, please reach out to epm@redhat.com to connect with our Engineering Partner Management team.