chore: release resources

.github/workflows/test-e2e.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ "main" ]
 
+env:
+  MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:3c870f9fe54b8c1ad625f7bc54420c8af2d877045d327598bea32e33edd9ee11
+
 permissions:
   contents: read
 
@@ -34,6 +37,9 @@ jobs:
           kubectl wait --for=condition=Ready --namespace=kube-system pod --all --timeout=300s
           echo "Cluster is ready"
 
+      - name: Swap to dev images
+        run: make dev-images
+
       - name: Run E2E tests
         run: |
-          make test-e2e-ci
+          make test-e2e-ci MODEL_TRANSPARENCY_IMG=${{ env.MODEL_TRANSPARENCY_IMG }}

.tekton/model-validation-operator-bundle-pull-request.yaml

@@ -28,20 +28,26 @@ spec:
     value: 5d
   - name: dockerfile
     value: bundle.Dockerfile.model-validation.rh
+  - name: path-context
+    value: .
   - name: hermetic
     value: "true"
   - name: prefetch-input
     value: '{"type": "generic", "path": "."}'
   - name: build-source-image
     value: "true"
+  - name: manager-pipelinerun-selector
+    value: appstudio.openshift.io/application=model-validation-operator,appstudio.openshift.io/component=model-validation-operator,pipelinesascode.tekton.dev/sha={{revision}},pipelinesascode.tekton.dev/event-type=pull_request
+  - name: manager-registry-url
+    value: registry.redhat.io/rhtas/model-validation-rhel9-operator
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/bundle-build-oci-ta.yaml
     resolver: git
   taskRunTemplate:
     serviceAccountName: build-pipeline-model-validation-operator-bundle

.tekton/model-validation-operator-bundle-push.yaml

@@ -31,14 +31,18 @@ spec:
     value: '{"type": "generic", "path": "."}'
   - name: build-source-image
     value: "true"
+  - name: manager-pipelinerun-selector
+    value: appstudio.openshift.io/application=model-validation-operator,appstudio.openshift.io/component=model-validation-operator,pipelinesascode.tekton.dev/sha={{revision}},pipelinesascode.tekton.dev/event-type=push
+  - name: manager-registry-url
+    value: registry.redhat.io/rhtas/model-validation-rhel9-operator
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/bundle-build-oci-ta.yaml
     resolver: git
   taskRunTemplate:
     serviceAccountName: build-pipeline-model-validation-operator-bundle

.tekton/model-validation-operator-pull-request.yaml

@@ -28,6 +28,11 @@ spec:
     value: 5d
   - name: dockerfile
     value: Dockerfile
+  - name: path-context
+    value: .
+  - name: build-platforms
+    value:
+    - linux/x86_64
   - name: hermetic
     value: "true"
   - name: build-source-image
@@ -41,7 +46,7 @@ spec:
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunTemplate:
     serviceAccountName: build-pipeline-model-validation-operator

.tekton/model-validation-operator-push.yaml

@@ -25,6 +25,11 @@ spec:
     value: quay.io/securesign/model-validation-operator:{{revision}}
   - name: dockerfile
     value: Dockerfile
+  - name: path-context
+    value: .
+  - name: build-platforms
+    value:
+    - linux/x86_64
   - name: hermetic
     value: "true"
   - name: build-source-image
@@ -38,7 +43,7 @@ spec:
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunTemplate:
     serviceAccountName: build-pipeline-model-validation-operator

Makefile

@@ -99,6 +99,12 @@ help: ## Display this help.
 
 ##@ Development
 
+# Switch images from `registry.redhat.io` images to the dev images
+.PHONY: dev-images
+dev-images:
+	sed -E -i 's#registry.redhat.io/rhtas/model-transparency-rhel9#quay.io/securesign/model-transparency#g' \
+		internal/constants/images.go
+
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
@@ -453,9 +459,9 @@ e2e-sign-test-model: e2e-generate-test-keys
 	$(CONTAINER_TOOL) run --rm \
 		-v $(PWD)/testdata/tensorflow_saved_model:/model \
 		-v $(PWD)/testdata/docker/test_private_key.priv:/test_private_key.priv \
-		--entrypoint="" \
-		ghcr.io/sigstore/model-transparency-cli:v1.0.1 \
-		/usr/local/bin/model_signing sign key /model \
+		--entrypoint "" \
+		$(MODEL_TRANSPARENCY_IMG) \
+		model_signing sign key /model \
 		--private_key /test_private_key.priv \
 		--signature /model/model.sig
 
@@ -490,8 +496,6 @@ e2e-load-images: e2e-build-image e2e-build-test-model
 	$(CONTAINER_TOOL) pull $(MODEL_TRANSPARENCY_IMG)
 	@echo "Loading manager image into Kind cluster..."
 	$(KIND) load docker-image -n $(KIND_CLUSTER) $(IMG)
-	@echo "Loading model-transparency-cli image into Kind cluster..."  
-	$(KIND) load docker-image -n $(KIND_CLUSTER) $(MODEL_TRANSPARENCY_IMG)
 	@echo "Loading test model image into Kind cluster..."
 	$(KIND) load docker-image -n $(KIND_CLUSTER) $(E2E_TEST_MODEL)
 

config/manifests/bases/model-validation-operator.clusterserviceversion.yaml

@@ -4,13 +4,27 @@ metadata:
   annotations:
     alm-examples: '[]'
     capabilities: Basic Install
-  name: model-validation-operator.v0.0.0
+    containerImage: placeholder
+    features.operators.openshift.io/cnf: "false"
+    features.operators.openshift.io/cni: "false"
+    features.operators.openshift.io/csi: "false"
+    features.operators.openshift.io/disconnected: "false"
+    features.operators.openshift.io/fips-compliant: "false"
+    features.operators.openshift.io/proxy-aware: "false"
+    features.operators.openshift.io/tls-profiles: "false"
+    features.operators.openshift.io/token-auth-aws: "false"
+    features.operators.openshift.io/token-auth-azure: "false"
+    features.operators.openshift.io/token-auth-gcp: "false"
+    operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
+    repository: https://github.com/securesign/model-validation-operator
+    support: Red Hat
+  name: model-validation-operator.v0.0.1
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
     owned:
-    - description: ModelValidation is the Schema for the modelvalidations API
+    - description: ModelValidation is the Schema for the modelvalidations API.
       displayName: Model Validation
       kind: ModelValidation
       name: modelvalidations.ml.sigstore.dev
@@ -47,8 +61,12 @@ spec:
     name: Rachel Yordan
   - email: ifont@redhat.com
     name: Ivan Font
-  maturity: alpha
+  - email: asiek@redhat.com
+    name: Aleksy Siek
+  - email: kconner@redhat.com
+    name: Kevin Conner
+  maturity: tech-preview
   minKubeVersion: 1.24.0
   provider:
-    name: Sigstore
-  version: 0.0.0
+    name: Red Hat
+  version: 0.0.1-techpreview

internal/constants/images.go

@@ -23,5 +23,6 @@ const (
 var (
 	// ModelTransparencyCliImage is the default image for the model transparency CLI
 	// used as an init container to validate model signatures
-	ModelTransparencyCliImage = "ghcr.io/sigstore/model-transparency-cli:v1.0.1"
+	ModelTransparencyCliImage = "registry.redhat.io/rhtas/model-transparency-rhel9@" +
+		"sha256:3c870f9fe54b8c1ad625f7bc54420c8af2d877045d327598bea32e33edd9ee11"
 )

internal/webhooks/pod_webhook.go

@@ -121,7 +121,7 @@ func (p *podInterceptor) Handle(ctx context.Context, req admission.Request) admi
 		Name:            constants.ModelValidationInitContainerName,
 		ImagePullPolicy: corev1.PullAlways,
 		Image:           constants.ModelTransparencyCliImage,
-		Command:         []string{"/usr/local/bin/model_signing"},
+		Command:         []string{"model_signing"},
 		Args:            args,
 		VolumeMounts:    vm,
 	})

test/e2e/testdata/model-data-daemonset.yaml

@@ -26,6 +26,8 @@ spec:
           mkdir -p /host-data /host-keys
           cp -r /data/* /host-data/
           cp -r /keys/* /host-keys/
+          find /host-data /host-keys -type d -exec chmod 755 {} + 
+          find /host-data /host-keys -type f -exec chmod 644 {} +
           echo "Model data setup complete on node $NODE_NAME"
           # Keep running so DaemonSet stays active
           sleep infinity
@@ -53,4 +55,4 @@ spec:
           type: DirectoryOrCreate
       tolerations:
       - operator: Exists
-        effect: NoSchedule
+        effect: NoSchedule