
Konflux Re-org Tas-Components#340

Merged
tommyd450 merged 9 commits into main from tdalton/TasComponents
Jan 22, 2026

Conversation


@tommyd450 tommyd450 commented Jan 12, 2026

User description

Tas Components side of the Konflux Re-org. This PR is in draft whilst we repair the Snapshot automation tooling for Tas-Tools; once we have repaired it we should be able to comfortably merge this PR.


PR Type

Enhancement


Description

  • Add three new Konflux projects: rekor-monitor, segment-backup-job, tas-components

  • Define project overlays with kustomization, templates, and component patches

  • Create development streams for new projects with configurable variables

  • Exclude segment-backup-job from main stream and rekor-monitor from v1-2 stream


Diagram Walkthrough

flowchart LR
  A["Kustomization Root"] -->|adds overlays| B["rekor-monitor"]
  A -->|adds overlays| C["segment-backup-job"]
  A -->|adds overlays| D["tas-components"]
  B -->|defines| E["Project + Template"]
  C -->|defines| F["Project + Template"]
  D -->|defines| G["Project + Template + 11 Patches"]
  E -->|creates stream| H["rekor-monitor-stream"]
  F -->|creates stream| I["segment-backup-job-stream"]
  G -->|creates stream| J["tas-components-stream"]
  I -->|excluded from| K["main overlay"]
  B -->|excluded from| L["v1-2 overlay"]

File Walkthrough

Relevant files

Configuration changes (18 files)
kustomization.yaml: Register three new project overlays (+3/-0)
kustomization.yaml: Define rekor-monitor project kustomization structure (+16/-0)
project.yaml: Define rekor-monitor project metadata (+8/-0)
template.yaml: Define rekor-monitor development stream template (+33/-0)
kustomization.yaml: Define segment-backup-job project kustomization structure (+16/-0)
project.yaml: Define segment-backup-job project metadata (+8/-0)
template.yaml: Define segment-backup-job development stream template (+33/-0)
kustomization.yaml: Define tas-components project with eleven component patches (+56/-0)
project.yaml: Define tas-components project metadata (+8/-0)
template.yaml: Define tas-components development stream template (+33/-0)
kustomization.yaml: Register three new development stream resources (+4/-1)
rekor-monitor-stream.yaml: Create rekor-monitor development stream instance (+15/-0)
segment-backup-job-stream.yaml: Create segment-backup-job development stream instance (+15/-0)
tas-components-stream.yaml: Create tas-components development stream instance (+15/-0)
kustomization.yaml: Add patch to exclude segment-backup-job from main (+2/-0)
exclude-segment-backup-job.yaml: Exclude segment-backup-job stream from main overlay (+5/-0)
kustomization.yaml: Add patch to exclude rekor-monitor from v1-2 (+1/-0)
exclude-rekor-monitor.yaml: Exclude rekor-monitor stream from v1-2 overlay

Enhancement (13 files)
rekor-monitor.yaml: Add rekor-monitor component and image repository (+42/-0)
segment-backup-job.yaml: Add segment-backup-job component and image repository (+42/-0)
backfill-redis.yaml: Add backfill-redis component and image repository (+42/-0)
certificate-transparency-go.yaml: Add certificate-transparency-go component and image repository (+42/-0)
fulcio-server.yaml: Add fulcio-server component and image repository (+42/-0)
rekor-search.yaml: Add rekor-search component and image repository (+42/-0)
rekor-server.yaml: Add rekor-server component and image repository (+42/-0)
timestamp-authority.yaml: Add timestamp-authority component and image repository (+42/-0)
trillian-createtree.yaml: Add trillian createtree component and image repository (+42/-0)
trillian-database.yaml: Add trillian database component and image repository (+42/-0)
trillian-logserver.yaml: Add trillian logserver component and image repository (+42/-0)
trillian-logsigner.yaml: Add trillian logsigner component and image repository (+42/-0)
trillian-redis.yaml: Add trillian redis component and image repository (+42/-0)

Formatting (1 file)
kustomization.yaml: Remove trailing whitespace from kustomization file (+1/-2)

github-actions bot commented Jan 12, 2026

Configuration Diff

17 document(s) impacted:

+ 13 added
- 0 removed
! 4 modified
Diff
@@ spec.resources.appstudio.redhat.com/v1alpha1/ReleasePlan/promote-to-candidate-{{.application}}{{.nameSuffix}}.spec.tenantPipeline.params @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/ansible-template
! - one list entry removed:
- - name: revision
-   value: RHTAS-build-bot_candidate-images-{{.version}}
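Review bot: the removal of the `revision` param (`RHTAS-build-bot_candidate-images-{{.version}}`) from the promote-to-candidate tenantPipeline params is not mentioned in the PR description or the file walkthrough, and the same removal appears in the operator-template, tas-tools-template and tough-template hunks below. Without the param the pipeline falls back to whatever default `promote-to-candidate.yaml` declares for `revision`, so please confirm that the candidate-images branch naming is now handled inside the pipeline itself and say so in the description, since a wrong default here would promote from the wrong branch silently.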

@@ spec.resources.appstudio.redhat.com/v1alpha1/ReleasePlan/promote-to-candidate-{{.application}}{{.nameSuffix}}.spec.tenantPipeline.params @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/operator-template
! - one list entry removed:
- - name: revision
-   value: RHTAS-build-bot_candidate-images-{{.version}}

@@ spec.resources.appstudio.redhat.com/v1alpha1/ReleasePlan/promote-to-candidate-{{.application}}{{.nameSuffix}}.spec.tenantPipeline.params @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/tas-tools-template
! - one list entry removed:
- - name: revision
-   value: RHTAS-build-bot_candidate-images-{{.version}}

@@ spec.resources.appstudio.redhat.com/v1alpha1/ReleasePlan/promote-to-candidate-{{.application}}{{.nameSuffix}}.spec.tenantPipeline.params @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/tough-template
! - one list entry removed:
- - name: revision
-   value: RHTAS-build-bot_candidate-images-{{.version}}

@@ (root level) @@
# projctl.konflux.dev/v1beta1/Project/rhtas-tenant/rekor-monitor
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: Project
+   metadata:
+     name: rekor-monitor
+     namespace: rhtas-tenant
+   spec:
+     description: "Rekor transparency log monitoring"
+     displayName: "Red Hat Trusted Artifact Signer Rekor Monitor"

@@ (root level) @@
# projctl.konflux.dev/v1beta1/Project/rhtas-tenant/segment-backup-job
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: Project
+   metadata:
+     name: segment-backup-job
+     namespace: rhtas-tenant
+   spec:
+     description: |
+       Segment backup job for TAS (deprecated in 1.4+)
+       
+     displayName: "Red Hat Trusted Artifact Signer Segment Backup Job"
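Review bot: the `description: |` literal block ends in a whitespace-only line, so the rendered description carries a trailing newline plus stray spaces; `|-` or a plain quoted string, as the rekor-monitor Project uses, avoids that. The "deprecated in 1.4+" remark is useful context and could also be repeated next to the main-overlay exclusion patch, which is the only place the deprecation is actually enforced.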

@@ (root level) @@
# projctl.konflux.dev/v1beta1/Project/rhtas-tenant/tas-components
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: Project
+   metadata:
+     name: tas-components
+     namespace: rhtas-tenant
+   spec:
+     description: |
+       Dependencies of the TAS Operator
+       
+     displayName: tas-components
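Review bot: same whitespace-only trailing line in `description: |` as in the segment-backup-job Project. Also `displayName: tas-components` merely repeats the resource name while the other two projects use the "Red Hat Trusted Artifact Signer ..." form; a descriptive displayName (for example one naming the operator dependencies) would keep the console listing consistent.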

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStream/rhtas-tenant/rekor-monitor-main
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStream
+   metadata:
+     name: rekor-monitor-main
+     namespace: rhtas-tenant
+   spec:
+     project: rekor-monitor
+     template:
+       name: rekor-monitor-template
+       values:
+       - name: version
+         value: main
+       - name: branch
+         value: main
+       - name: nameSuffix
+         value:
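Review bot: `- name: nameSuffix` followed by a bare `value:` loads as YAML null, not as an empty string. If the intent is no suffix (Application named plain `rekor-monitor`), write `value: ""` explicitly; a null here may either be ignored in favour of the template default `-{{hyphenize .version}}` (giving `rekor-monitor-main`) or be rendered literally, depending on how the project controller treats nil values, and neither is what the stream name suggests. The same applies to the tas-components-main stream.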

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStream/rhtas-tenant/rekor-monitor-v1-3
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStream
+   metadata:
+     name: rekor-monitor-v1-3
+     namespace: rhtas-tenant
+   spec:
+     project: rekor-monitor
+     template:
+       name: rekor-monitor-template
+       values:
+       - name: version
+         value: v1.3
+       - name: branch
+         value: release-1.3

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStream/rhtas-tenant/segment-backup-job-v1-2
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStream
+   metadata:
+     name: segment-backup-job-v1-2
+     namespace: rhtas-tenant
+   spec:
+     project: segment-backup-job
+     template:
+       name: segment-backup-job-template
+       values:
+       - name: version
+         value: v1.2
+       - name: branch
+         value: release-1.2
+       - name: mintmakerDisabled
+         value: "true"
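Review bot: `mintmakerDisabled: "true"` is set on the v1-2 streams (here and on tas-components-v1-2) but not on the v1-3 or main streams, so automated dependency updates stay enabled for release-1.3. If that is the intent (1.2 frozen, 1.3 still maintained) a one-line comment in the stream file would save the next reader the question; if not, v1-3 needs the same value.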

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStream/rhtas-tenant/segment-backup-job-v1-3
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStream
+   metadata:
+     name: segment-backup-job-v1-3
+     namespace: rhtas-tenant
+   spec:
+     project: segment-backup-job
+     template:
+       name: segment-backup-job-template
+       values:
+       - name: version
+         value: v1.3
+       - name: branch
+         value: release-1.3

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStream/rhtas-tenant/tas-components-main
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStream
+   metadata:
+     name: tas-components-main
+     namespace: rhtas-tenant
+   spec:
+     project: tas-components
+     template:
+       name: tas-components-template
+       values:
+       - name: version
+         value: main
+       - name: branch
+         value: main
+       - name: nameSuffix
+         value:

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStream/rhtas-tenant/tas-components-v1-2
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStream
+   metadata:
+     name: tas-components-v1-2
+     namespace: rhtas-tenant
+   spec:
+     project: tas-components
+     template:
+       name: tas-components-template
+       values:
+       - name: version
+         value: v1.2
+       - name: branch
+         value: release-1.2
+       - name: mintmakerDisabled
+         value: "true"

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStream/rhtas-tenant/tas-components-v1-3
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStream
+   metadata:
+     name: tas-components-v1-3
+     namespace: rhtas-tenant
+   spec:
+     project: tas-components
+     template:
+       name: tas-components-template
+       values:
+       - name: version
+         value: v1.3
+       - name: branch
+         value: release-1.3

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/rekor-monitor-template
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStreamTemplate
+   metadata:
+     name: rekor-monitor-template
+     namespace: rhtas-tenant
+     labels:
+       build.rhtas.com/ec: registry-rhtas
+       build.rhtas.com/type: component
+   spec:
+     resources:
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: Application
+       metadata:
+         name: {{.application}}{{.nameSuffix}}
+         annotations:
+           application.thumbnail: 5
+       spec:
+         displayName: "{{.application}} ({{.version}})"
+     - apiVersion: appstudio.redhat.com/v1beta2
+       kind: IntegrationTestScenario
+       metadata:
+         name: {{.application}}{{.nameSuffix}}-enterprise-contract
+         annotations:
+           test.appstudio.openshift.io/kind: enterprise-contract
+       spec:
+         application: {{.application}}{{.nameSuffix}}
+         params:
+         - name: POLICY_CONFIGURATION
+           value: rhtap-releng-tenant/registry-rhtas
+         resolverRef:
+           params:
+           - name: url
+             value: "https://github.com/konflux-ci/build-definitions"
+           - name: revision
+             value: main
+           - name: pathInRepo
+             value: pipelines/enterprise-contract.yaml
+           resolver: git
+           resourceKind: pipeline
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: ReleasePlan
+       metadata:
+         name: promote-to-candidate-{{.application}}{{.nameSuffix}}
+         labels:
+           release.appstudio.openshift.io/auto-release: "true"
+           release.appstudio.openshift.io/standing-attribution: "true"
+       spec:
+         application: {{.application}}{{.nameSuffix}}
+         tenantPipeline:
+           params:
+           - name: git-url
+             value: "https://github.com/securesign/releases"
+           - name: code-freeze
+             value: "false"
+           - name: type
+             value: component
+           pipelineRef:
+             params:
+             - name: url
+               value: "https://github.com/securesign/pipelines"
+             - name: revision
+               value: main
+             - name: pathInRepo
+               value: pipelines/promote-to-candidate.yaml
+             resolver: git
+           serviceAccountName: rhtas-build-bot
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: Component
+       metadata:
+         name: rekor-monitor{{.nameSuffix}}
+         annotations:
+           build.appstudio.openshift.io/pipeline: "{\"name\":\"docker-build-oci-ta\",\"bundle\":\"latest\"}"
+           git-provider: github
+           git-provider-url: "https://github.com"
+           mintmaker.appstudio.redhat.com/disabled: {{.mintmakerDisabled}}
+       spec:
+         source:
+           git:
+             url: "https://github.com/securesign/rekor-monitor"
+             dockerfileUrl: Dockerfile.rekor-monitor.rh
+             revision: {{.branch}}
+         application: {{.application}}{{.nameSuffix}}
+         componentName: rekor-monitor
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: ImageRepository
+       metadata:
+         name: rekor-monitor{{.nameSuffix}}
+         annotations:
+           image-controller.appstudio.redhat.com/update-component-image: "true"
+         labels:
+           appstudio.redhat.com/application: {{.application}}{{.nameSuffix}}
+           appstudio.redhat.com/component: rekor-monitor{{.nameSuffix}}
+       spec:
+         image:
+           name: rhtas-tenant/rekor-monitor
+           visibility: public
+         notifications:
+         - config:
+             url: "https://bombino.api.redhat.com/v1/sbom/quay/push"
+           event: repo_push
+           method: webhook
+           title: SBOM-event-to-Bombino
+     project: rekor-monitor
+     variables:
+     - name: version
+       description: "A version number for a new development stream"
+     - name: branch
+       defaultValue: main
+       description: "Git branch"
+     - name: nameSuffix
+       defaultValue: "-{{hyphenize .version}}"
+       description: "A suffix which will be added to K8s resource name"
+     - name: application
+       defaultValue: rekor-monitor
+       description: "The application name"
+     - name: mintmakerDisabled
+       defaultValue: "false"
+       description: "Whether to disable mintmaker annotation on the Component"
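Review bot: three git refs in this template float. The IntegrationTestScenario resolverRef fetches `pipelines/enterprise-contract.yaml` from konflux-ci/build-definitions at `revision: main`, the ReleasePlan pipelineRef fetches `pipelines/promote-to-candidate.yaml` from securesign/pipelines at `revision: main`, and the Component builds `revision: {{.branch}}`, which defaults to `main`. The per-stream values make the component branch explicit (release-1.3), which is fine; the two pipeline definitions, however, are whatever `main` happens to be when the run starts, so pinning them to a tag or commit (or recording the decision not to) would make builds and promotions reproducible and reviewable. Separately, confirm the source quotes `{{.mintmakerDisabled}}` in the annotation as the patch files do (`"{{.mintmakerDisabled}}"`): annotation values must be strings, and an unquoted rendered `false` would be rejected by the API server.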

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/segment-backup-job-template
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStreamTemplate
+   metadata:
+     name: segment-backup-job-template
+     namespace: rhtas-tenant
+     labels:
+       build.rhtas.com/ec: registry-rhtas
+       build.rhtas.com/type: component
+   spec:
+     resources:
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: Application
+       metadata:
+         name: {{.application}}{{.nameSuffix}}
+         annotations:
+           application.thumbnail: 5
+       spec:
+         displayName: "{{.application}} ({{.version}})"
+     - apiVersion: appstudio.redhat.com/v1beta2
+       kind: IntegrationTestScenario
+       metadata:
+         name: {{.application}}{{.nameSuffix}}-enterprise-contract
+         annotations:
+           test.appstudio.openshift.io/kind: enterprise-contract
+       spec:
+         application: {{.application}}{{.nameSuffix}}
+         params:
+         - name: POLICY_CONFIGURATION
+           value: rhtap-releng-tenant/registry-rhtas
+         resolverRef:
+           params:
+           - name: url
+             value: "https://github.com/konflux-ci/build-definitions"
+           - name: revision
+             value: main
+           - name: pathInRepo
+             value: pipelines/enterprise-contract.yaml
+           resolver: git
+           resourceKind: pipeline
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: ReleasePlan
+       metadata:
+         name: promote-to-candidate-{{.application}}{{.nameSuffix}}
+         labels:
+           release.appstudio.openshift.io/auto-release: "true"
+           release.appstudio.openshift.io/standing-attribution: "true"
+       spec:
+         application: {{.application}}{{.nameSuffix}}
+         tenantPipeline:
+           params:
+           - name: git-url
+             value: "https://github.com/securesign/releases"
+           - name: code-freeze
+             value: "false"
+           - name: type
+             value: component
+           pipelineRef:
+             params:
+             - name: url
+               value: "https://github.com/securesign/pipelines"
+             - name: revision
+               value: main
+             - name: pathInRepo
+               value: pipelines/promote-to-candidate.yaml
+             resolver: git
+           serviceAccountName: rhtas-build-bot
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: Component
+       metadata:
+         name: segment-backup-job{{.nameSuffix}}
+         annotations:
+           build.appstudio.openshift.io/pipeline: "{\"name\":\"docker-build-oci-ta\",\"bundle\":\"latest\"}"
+           git-provider: github
+           git-provider-url: "https://github.com"
+           mintmaker.appstudio.redhat.com/disabled: {{.mintmakerDisabled}}
+       spec:
+         source:
+           git:
+             url: "https://github.com/securesign/segment-backup-job"
+             dockerfileUrl: Dockerfile.segment-backup-job.rh
+             revision: {{.branch}}
+         application: {{.application}}{{.nameSuffix}}
+         componentName: segment-backup-job
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: ImageRepository
+       metadata:
+         name: segment-backup-job{{.nameSuffix}}
+         annotations:
+           image-controller.appstudio.redhat.com/update-component-image: "true"
+         labels:
+           appstudio.redhat.com/application: {{.application}}{{.nameSuffix}}
+           appstudio.redhat.com/component: segment-backup-job{{.nameSuffix}}
+       spec:
+         image:
+           name: rhtas-tenant/segment-backup-job
+           visibility: public
+         notifications:
+         - config:
+             url: "https://bombino.api.redhat.com/v1/sbom/quay/push"
+           event: repo_push
+           method: webhook
+           title: SBOM-event-to-Bombino
+     project: segment-backup-job
+     variables:
+     - name: version
+       description: "A version number for a new development stream"
+     - name: branch
+       defaultValue: main
+       description: "Git branch"
+     - name: nameSuffix
+       defaultValue: "-{{hyphenize .version}}"
+       description: "A suffix which will be added to K8s resource name"
+     - name: application
+       defaultValue: segment-backup-job
+       description: "The application name"
+     - name: mintmakerDisabled
+       defaultValue: "false"
+       description: "Whether to disable mintmaker annotation on the Component"
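Review bot: this template is the rekor-monitor template with the name substituted (identical labels, IntegrationTestScenario, ReleasePlan, ImageRepository notification and variables). Since tas-components already takes the shape of a base template plus per-component patches, a shared component template with one patch for the Component/ImageRepository pair would avoid keeping three copies of the ReleasePlan and enterprise-contract definitions in sync; the points raised on the rekor-monitor template (floating `main` refs for the two pipeline definitions, quoting of the mintmaker annotation) apply here verbatim.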

@@ (root level) @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/tas-components-template
! + one document added:
+   ---
+   apiVersion: projctl.konflux.dev/v1beta1
+   kind: ProjectDevelopmentStreamTemplate
+   metadata:
+     name: tas-components-template
+     namespace: rhtas-tenant
+     labels:
+       build.rhtas.com/ec: registry-rhtas
+       build.rhtas.com/type: component
+   spec:
+     resources:
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: Application
+       metadata:
+         name: {{.application}}{{.nameSuffix}}
+         annotations:
+           application.thumbnail: 5
+       spec:
+         displayName: "{{.application}} ({{.version}})"
+     - apiVersion: appstudio.redhat.com/v1beta2
+       kind: IntegrationTestScenario
+       metadata:
+         name: {{.application}}{{.nameSuffix}}-enterprise-contract
+         annotations:
+           test.appstudio.openshift.io/kind: enterprise-contract
+       spec:
+         application: {{.application}}{{.nameSuffix}}
+         params:
+         - name: POLICY_CONFIGURATION
+           value: rhtap-releng-tenant/registry-rhtas
+         resolverRef:
+           params:
+           - name: url
+             value: "https://github.com/konflux-ci/build-definitions"
+           - name: revision
+             value: main
+           - name: pathInRepo
+             value: pipelines/enterprise-contract.yaml
+           resolver: git
+           resourceKind: pipeline
+     - apiVersion: appstudio.redhat.com/v1alpha1
+       kind: ReleasePlan
... (diff truncated, showing first 500 lines)

📦 Artifacts: base-output.yaml, head-output.yaml, dyff-output.txt

@tommyd450 tommyd450 changed the title Tdalton/tas components Konflux Re-org Tas-Components Jan 12, 2026

@osmman osmman left a comment


The konflux-configs/base/stream/overlay/ directory is orphaned and can be safely deleted. It's not referenced anywhere in the codebase (only rhtas/overlay is used via base/stream/kustomization.yaml), and its kustomization files reference non-existent resources like rhtas-operator-stream.yaml and patch/mintmaker.yaml. All active stream configuration lives in konflux-configs/base/stream/rhtas/overlay/.

@tommyd450 tommyd450 force-pushed the tdalton/TasComponents branch 2 times, most recently from 4583966 to aa1d55c, January 14, 2026 09:25
@tommyd450 tommyd450 requested a review from osmman January 15, 2026 11:03
@tommyd450 tommyd450 force-pushed the tdalton/TasComponents branch from 801062e to fc52ac5, January 15, 2026 11:12
@tommyd450 tommyd450 marked this pull request as draft January 15, 2026 11:13
@tommyd450 tommyd450 force-pushed the tdalton/TasComponents branch from fc52ac5 to f5ee492, January 20, 2026 11:28
knrc and others added 3 commits January 20, 2026 07:25
Signed-off-by: Kevin Conner <kconner@redhat.com>
feat: Add support for rekor-monitor and segment-backup-job
@tommyd450 tommyd450 marked this pull request as ready for review January 21, 2026 10:05
@tommyd450 tommyd450 requested a review from osmman January 21, 2026 10:05
qodo-code-review bot commented Jan 21, 2026

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Unpinned git revision

Description: The development stream templates allow building Components from an unpinned Git ref via
the user-controlled branch variable (defaulting to main), which can enable unintended or
malicious code to be built if a stream value is changed or the upstream branch is
compromised.
template.yaml [10-24]

Referred Code
variables:
  - name: version
    description: A version number for a new development stream
  - name: branch
    description: Git branch
    defaultValue: "main"
  - name: nameSuffix
    description: A suffix which will be added to K8s resource name
    defaultValue: "-{{hyphenize .version}}"
  - name: application
    description: The application name
    defaultValue: "tas-components"
  - name: mintmakerDisabled
    description: Whether to disable mintmaker annotation on the Component
    defaultValue: "false"
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🔴
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status:
Misleading identifier: The Component named backfill-redis{{.nameSuffix}} sets spec.componentName to
certificate-transparency-go, which is misleading and undermines self-documentation.

Referred Code
  name: "backfill-redis{{.nameSuffix}}"
spec:
  application: "{{.application}}{{.nameSuffix}}"
  componentName: "certificate-transparency-go"
  source:


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Audit scope unclear: The PR only adds Konflux project/stream configuration and does not show any runtime audit
logging coverage for the deployed components, so audit-trail compliance cannot be verified
from this diff alone.

Referred Code
- op: add
  path: /spec/resources/-
  value:
    apiVersion: appstudio.redhat.com/v1alpha1
    kind: Component
    metadata:
      annotations:
        build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"latest"}'
        git-provider: github
        git-provider-url: https://github.com
        mintmaker.appstudio.redhat.com/disabled: "{{.mintmakerDisabled}}"
      name: "backfill-redis{{.nameSuffix}}"
    spec:
      application: "{{.application}}{{.nameSuffix}}"
      componentName: "certificate-transparency-go"
      source:
        git:
          url: https://github.com/securesign/rekor
          revision: "{{.branch}}"
          dockerfileUrl: Dockerfile.backfill-redis.rh
- op: add


 ... (clipped 21 lines)


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Runtime errors unseen: The PR adds build/deployment resource definitions but contains no application/runtime code
paths where error handling and edge cases can be assessed.

Referred Code
- op: add
  path: /spec/resources/-
  value:
    apiVersion: appstudio.redhat.com/v1alpha1
    kind: Component
    metadata:
      annotations:
        build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"latest"}'
        git-provider: github
        git-provider-url: https://github.com
        mintmaker.appstudio.redhat.com/disabled: "{{.mintmakerDisabled}}"
      name: "rekor-monitor{{.nameSuffix}}"
    spec:
      application: "{{.application}}{{.nameSuffix}}"
      componentName: "rekor-monitor"
      source:
        git:
          url: https://github.com/securesign/rekor-monitor
          revision: "{{.branch}}"
          dockerfileUrl: Dockerfile.rekor-monitor.rh
- op: add


 ... (clipped 21 lines)


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
Error surface unknown: Only Konflux resource configuration is introduced, so user-facing error messages and
potential sensitive error leakage cannot be evaluated from this diff.

Referred Code
- op: add
  path: /spec/resources/-
  value:
    apiVersion: appstudio.redhat.com/v1alpha1
    kind: Component
    metadata:
      annotations:
        build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"latest"}'
        git-provider: github
        git-provider-url: https://github.com
        mintmaker.appstudio.redhat.com/disabled: "{{.mintmakerDisabled}}"
      name: "segment-backup-job{{.nameSuffix}}"
    spec:
      application: "{{.application}}{{.nameSuffix}}"
      componentName: "segment-backup-job"
      source:
        git:
          url: https://github.com/securesign/segment-backup-job
          revision: "{{.branch}}"
          dockerfileUrl: Dockerfile.segment-backup-job.rh
- op: add


 ... (clipped 21 lines)


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Logging not shown: The PR adds CI/CD resource definitions (components/image repositories) but does not
include application logging implementation, so secure logging practices cannot be
confirmed from this change alone.

Referred Code
- op: add
  path: /spec/resources/-
  value:
    apiVersion: appstudio.redhat.com/v1alpha1
    kind: Component
    metadata:
      annotations:
        build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"latest"}'
        git-provider: github
        git-provider-url: https://github.com
        mintmaker.appstudio.redhat.com/disabled: "{{.mintmakerDisabled}}"
      name: "rekor-server{{.nameSuffix}}"
    spec:
      application: "{{.application}}{{.nameSuffix}}"
      componentName: "rekor-server"
      source:
        git:
          url: https://github.com/securesign/rekor
          revision: "{{.branch}}"
          dockerfileUrl: Dockerfile.rekor-server.rh
- op: add


 ... (clipped 21 lines)


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Input handling unknown: This PR primarily introduces project/stream templates and does not include the application
code that would demonstrate validation/sanitization of external inputs.

Referred Code
apiVersion: projctl.konflux.dev/v1beta1
kind: ProjectDevelopmentStreamTemplate
metadata:
  name: tas-components-template
  labels:
    build.rhtas.com/ec: registry-rhtas
    build.rhtas.com/type: component
spec:
  project: tas-components
  variables:
    - name: version
      description: A version number for a new development stream
    - name: branch
      description: Git branch
      defaultValue: "main"
    - name: nameSuffix
      description: A suffix which will be added to K8s resource name
      defaultValue: "-{{hyphenize .version}}"
    - name: application
      description: The application name
      defaultValue: "tas-components"


 ... (clipped 12 lines)


Compliance status legend:
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
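The "Unpinned git revision" finding above concerns the Component's `branch` variable, but the rendered stream in the configuration diff carries git refs in two more places (the IntegrationTestScenario resolverRef and the ReleasePlan pipelineRef, both at `main`), and the main streams carry a bare `value:` for nameSuffix. The following Python script, an added example that is not code from the PR, from Konflux or from the qodo bot, lints rendered resources of exactly those shapes for floating refs and null stream values. The pinned-ref policy (a full 40-hex commit SHA or a vX.Y[.Z] tag) and the sample documents are this example's own assumptions and constructions, modelled on the dyff output above.

```python
"""Lint rendered Konflux resources for floating git refs and null stream values.

Added example; not code from the PR, from Konflux or from the qodo bot.
"""
import re
from typing import Dict, List, Optional, Tuple

# Policy used by this example (an assumption, not a Konflux rule): a ref is
# pinned when it is a full 40-hex commit SHA or a vMAJOR.MINOR[.PATCH] tag.
_PINNED = re.compile(r"^(?:[0-9a-f]{40}|v\d+\.\d+(?:\.\d+)?)$")


def is_pinned(ref: Optional[str]) -> bool:
    return ref is not None and bool(_PINNED.match(ref))


def _param(params: List[Dict], name: str) -> Optional[str]:
    """Value of the Tekton-style {name, value} param called `name`, if present."""
    for p in params:
        if p.get("name") == name:
            return p.get("value")
    return None


def floating_refs(resources: List[Dict]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (kind/name, field, ref) for every git ref that is not pinned."""
    findings = []
    for res in resources:
        kind, spec = res.get("kind"), res.get("spec", {})
        ident = f"{kind}/{res.get('metadata', {}).get('name', '?')}"
        if kind == "Component":
            ref = spec.get("source", {}).get("git", {}).get("revision")
            field = "spec.source.git.revision"
        elif kind == "IntegrationTestScenario":
            ref = _param(spec.get("resolverRef", {}).get("params", []), "revision")
            field = "spec.resolverRef.params[revision]"
        elif kind == "ReleasePlan":
            pref = spec.get("tenantPipeline", {}).get("pipelineRef", {})
            ref = _param(pref.get("params", []), "revision")
            field = "spec.tenantPipeline.pipelineRef.params[revision]"
        else:
            continue  # other kinds carry no git ref
        if not is_pinned(ref):
            findings.append((ident, field, ref))
    return findings


def null_stream_values(stream: Dict) -> List[str]:
    """Names of template values whose `value:` is empty (YAML null), not ""."""
    values = stream.get("spec", {}).get("template", {}).get("values", [])
    return [v["name"] for v in values if v.get("value") is None]


# Constructed sample: the rekor-monitor v1.3 stream as the dyff output shows it
# would render, plus one Component pinned to a (made-up) commit for contrast.
SAMPLE_RESOURCES = [
    {"kind": "Component", "metadata": {"name": "rekor-monitor-v1-3"},
     "spec": {"source": {"git": {"url": "https://github.com/securesign/rekor-monitor",
                                 "revision": "release-1.3"}}}},
    {"kind": "IntegrationTestScenario",
     "metadata": {"name": "rekor-monitor-v1-3-enterprise-contract"},
     "spec": {"resolverRef": {"params": [
         {"name": "url", "value": "https://github.com/konflux-ci/build-definitions"},
         {"name": "revision", "value": "main"}]}}},
    {"kind": "ReleasePlan", "metadata": {"name": "promote-to-candidate-rekor-monitor-v1-3"},
     "spec": {"tenantPipeline": {"pipelineRef": {"params": [
         {"name": "url", "value": "https://github.com/securesign/pipelines"},
         {"name": "revision", "value": "main"}]}}}},
    {"kind": "Component", "metadata": {"name": "pinned-example"},
     "spec": {"source": {"git": {"url": "https://example.invalid/repo",
                                 "revision": "0123456789abcdef0123456789abcdef01234567"}}}},
]

# Constructed copy of the rekor-monitor-main stream from the diff: a bare
# `value:` loads as None.
SAMPLE_MAIN_STREAM = {
    "kind": "ProjectDevelopmentStream", "metadata": {"name": "rekor-monitor-main"},
    "spec": {"project": "rekor-monitor",
             "template": {"name": "rekor-monitor-template",
                          "values": [{"name": "version", "value": "main"},
                                     {"name": "branch", "value": "main"},
                                     {"name": "nameSuffix", "value": None}]}},
}

if __name__ == "__main__":
    for ident, field, ref in floating_refs(SAMPLE_RESOURCES):
        print(f"floating ref: {ident} {field} = {ref!r}")
    for name in null_stream_values(SAMPLE_MAIN_STREAM):
        print(f"null value: {SAMPLE_MAIN_STREAM['metadata']['name']} values[{name}]")
```

Run against the rendered `head-output.yaml` artifact (after loading it with a YAML parser into a list of dicts) this reports the three `main`/`release-1.3` refs per stream and the null nameSuffix on each main stream; whether a release branch counts as acceptable for the Component while the pipeline definitions must be pinned is a policy decision, which is why the classification sits in one regex at the top.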

qodo-code-review bot commented Jan 21, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: High-level
Suggestion: Consolidate component definitions to reduce duplication

The tas-components project defines 11 components via 11 nearly identical patch
files, leading to high code duplication. Consolidate these into a single, more
maintainable template.

Examples:

konflux-configs/base/project/overlay/tas-components/kustomization.yaml [12-56]
patches:
  - target:
      name: tas-components-template
      kind: ProjectDevelopmentStreamTemplate
    path: patch/trillian-database.yaml
  - target:
      name: tas-components-template
      kind: ProjectDevelopmentStreamTemplate
    path: patch/backfill-redis.yaml
  - target:

 ... (clipped 35 lines)
konflux-configs/base/project/overlay/tas-components/patch/backfill-redis.yaml [1-42]
- op: add
  path: /spec/resources/-
  value:
    apiVersion: appstudio.redhat.com/v1alpha1
    kind: Component
    metadata:
      annotations:
        build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"latest"}'
        git-provider: github
        git-provider-url: https://github.com

 ... (clipped 32 lines)

Solution Walkthrough:

Before:

# konflux-configs/base/project/overlay/tas-components/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
patches:
  - target:
      name: tas-components-template
    path: patch/component-1.yaml
  - target:
      name: tas-components-template
    path: patch/component-2.yaml
  # ... 9 more similar patch definitions

# konflux-configs/base/project/overlay/tas-components/patch/component-1.yaml
- op: add
  path: /spec/resources/-
  value:
    # ... Component and ImageRepository definition for component-1

After:

# konflux-configs/base/project/overlay/tas-components/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# No patches needed for components

# konflux-configs/base/project/overlay/tas-components/template.yaml
...
spec:
  project: tas-components
  variables:
    - name: components
      defaultValue:
        - name: component-1
          repo: ...
        - name: component-2
          repo: ...
        # ... 9 more component configs
  resources:
    # {{ range .components }}
    - apiVersion: appstudio.redhat.com/v1alpha1
      kind: Component
      # ... generic component definition using range variables
    - apiVersion: appstudio.redhat.com/v1alpha1
      kind: ImageRepository
      # ... generic image repo definition using range variables
    # {{ end }}
Suggestion importance[1-10]: 9


Why: This suggestion correctly identifies significant code duplication across 11 patch files for tas-components and proposes a valid architectural improvement that would greatly enhance maintainability.

High
Possible issue
Correct component name
Suggestion Impact: Updated the componentName field to "backfill-redis" as suggested, ensuring the component is configured correctly.

code diff:

       application: "{{.application}}{{.nameSuffix}}"
-      componentName: "certificate-transparency-go"
+      componentName: "backfill-redis"

In backfill-redis.yaml, change the componentName from
certificate-transparency-go to backfill-redis to ensure the component is
configured correctly.

konflux-configs/base/project/overlay/tas-components/patch/backfill-redis.yaml [13-15]

 spec:
   application: "{{.application}}{{.nameSuffix}}"
-  componentName: "certificate-transparency-go"
+  componentName: "backfill-redis"
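Review bot: the corrected componentName should be cross-checked against the other ten patch files as well, since the consolidation suggestion above notes that all eleven are nearly identical copies; any other patch that still carries `componentName: "certificate-transparency-go"` would collide with the real certificate-transparency-go component. A quick way to confirm is to verify that every file under patch/ declares a distinct componentName.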

[Suggestion processed]

Suggestion importance[1-10]: 9


Why: This suggestion identifies a critical copy-paste error where the componentName is incorrect, which would lead to misconfiguration and functional failure of the component.

High
General
Remove inconsistent .git suffix from URL

Remove the .git suffix from the url in
konflux-configs/base/project/overlay/tas-components/patch/timestamp-authority.yaml
for consistency.

konflux-configs/base/project/overlay/tas-components/patch/timestamp-authority.yaml [16-20]

 source:
   git:
-    url: https://github.com/securesign/timestamp-authority.git
+    url: https://github.com/securesign/timestamp-authority
     revision: "{{.branch}}"
     dockerfileUrl: Dockerfile.tsa.rh
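Review bot: beyond the cosmetic `.git` suffix, this hunk shows the component source pinned to `revision: "{{.branch}}"`, and the template's `branch` variable earlier in this thread defaults to `"main"`. A branch name is a moving reference, so two builds of the same stream can pull different source; if a stream is meant to be reproducible, consider a variable that carries a tag or commit SHA, or state in the template description that tracking `main` is intentional for development streams.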
Suggestion importance[1-10]: 4


Why: The suggestion correctly points out an inconsistency in the git URL format. Removing the .git suffix improves consistency across the configuration files, which enhances maintainability.

Low
Trim trailing whitespace
Suggestion Impact: The commit removes the trailing space after the application label value, matching the suggested whitespace trim.

code diff:

-        appstudio.redhat.com/application: "{{.application}}{{.nameSuffix}}" 
+        appstudio.redhat.com/application: "{{.application}}{{.nameSuffix}}"

Remove the trailing whitespace from the appstudio.redhat.com/application label
value in trillian-logsigner.yaml.

konflux-configs/base/project/overlay/tas-components/patch/trillian-logsigner.yaml [30-32]

 labels:
-  appstudio.redhat.com/application: "{{.application}}{{.nameSuffix}}" 
+  appstudio.redhat.com/application: "{{.application}}{{.nameSuffix}}"
   appstudio.redhat.com/component: "logsigner{{.nameSuffix}}"

[Suggestion processed]

Suggestion importance[1-10]: 3


Why: The suggestion correctly identifies and removes a trailing whitespace. This is a minor style fix that improves code quality and prevents potential, though unlikely, parsing issues.

Low
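A lightweight consistency check for the overlay's patch files, added here as an illustration and not part of the PR or the project's tooling: it catches the three kinds of defect the review above raised (a componentName copied from another patch, a `.git` suffix on a git url, trailing whitespace). It runs over constructed, shortened stand-ins for three patch files and scans line by line rather than parsing YAML, so it needs only the standard library.

```python
import re

# Constructed, shortened stand-ins for three of the overlay's patch files (not the
# project's real files). backfill-redis.yaml carries the copy-paste error, and
# timestamp-authority.yaml the ".git" suffix and trailing space the review flagged.
HEADER = "- op: add\n  path: /spec/resources/-\n  value:\n    kind: Component\n    spec:\n"
SAMPLE_PATCHES = {
    "certificate-transparency-go.yaml": HEADER
    + '      componentName: "certificate-transparency-go"\n'
    + "      source:\n        git:\n"
    + "          url: https://github.com/securesign/certificate-transparency-go\n",
    "backfill-redis.yaml": HEADER
    + '      componentName: "certificate-transparency-go"\n'  # should be backfill-redis
    + "      source:\n        git:\n          url: https://github.com/securesign/rekor\n",
    "timestamp-authority.yaml": HEADER
    + '      componentName: "timestamp-authority"\n'
    + "      source:\n        git:\n"
    + "          url: https://github.com/securesign/timestamp-authority.git\n"
    + '      labels:\n        appstudio.redhat.com/application: "tas-components" \n',
}

# The two scalar keys the checks look at; quotes are optional, as in the real patches.
_KEY = re.compile(r'^\s*(componentName|url):\s*"?([^"\s]+)"?\s*$')


def lint_patches(patches: dict[str, str]) -> list[str]:
    """One finding per defect: a componentName reused across files, a git url ending
    in .git, or trailing whitespace on any line. Line-based on purpose: no YAML parser."""
    findings: list[str] = []
    seen: dict[str, str] = {}  # componentName -> file that first declared it
    for fname, text in patches.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if line != line.rstrip():
                findings.append(f"{fname}:{lineno}: trailing whitespace")
            m = _KEY.match(line)
            if not m:
                continue
            key, value = m.groups()
            if key == "componentName":
                if value in seen:
                    findings.append(f"{fname}:{lineno}: componentName {value!r} "
                                    f"already declared in {seen[value]}")
                else:
                    seen[value] = fname
            elif key == "url" and value.endswith(".git"):
                findings.append(f"{fname}:{lineno}: git url carries .git suffix: {value}")
    return findings
```

Pointing `patches` at the real `patch/*.yaml` contents (file name to text) gives the same three classes of finding for the actual overlay.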

@tommyd450 tommyd450 requested a review from osmman January 21, 2026 11:03
@tommyd450 tommyd450 merged commit bcb12f6 into main Jan 22, 2026
4 checks passed
@tommyd450 tommyd450 deleted the tdalton/TasComponents branch January 22, 2026 09:08