Chapter 5. Promoting a build
The OpenShift GitOps Operator uses Argo CD to enable continuous deployment by using your git repository as a single source of truth for infrastructure configurations. When you update your git repository, Argo CD deploys the application update across development, staging, and production environments.
The promotion procedures provide an example deployment workflow. Customize it to fit your organization’s requirements.
Promote a build by updating your git repository.
Procedure
- In Red Hat Developer Hub (RHDH), select Catalog.
- From the Kind drop-down list, select Resource, and then select a git repository.
- Open the Overview tab and select View Source to access the repository.
(Optional) Alternatively, select Catalog, open the Overview tab, and select View TechDocs.
- In the Home > Repository section, select the git repository.
- Clone your git repository.
  Note: Ensure that the local clone is up-to-date.
- Create a new branch.
- Navigate to the component/<app_name>/overlays directory, which contains subdirectories for development, stage, and prod. Follow these steps to promote the application:
  To move your application from the development to the stage environment:
  - Open the development/deployment-patch.yaml file and copy the container image URL (for example, quay.io/<username>/imageName:imageHash).
  - Open the stage/deployment-patch.yaml file and replace the container image URL with the one you copied.
  Note: To include additional configuration changes (for example, replicas), copy them from the development/deployment-patch.yaml file to the stage/deployment-patch.yaml file.
  To move your application from the stage to the production environment:
  - Open the stage/deployment-patch.yaml file and copy the container image URL (for example, quay.io/<username>/imageName:imageHash).
  - Open the prod/deployment-patch.yaml file and replace the container image URL with the one you copied.
  Note: To include additional configuration changes (for example, replicas), copy them from the stage/deployment-patch.yaml file to the prod/deployment-patch.yaml file.
- Commit and push your updates.
- Create a pull request (PR) to start a promotion pipeline. The pipeline validates the changes against Conforma policies.
- Check the pipeline run in the CI tab of RHDH.
- Merge the PR to trigger Argo CD, which applies the changes and promotes the build to the next environment.
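The promotion steps above (copy the image reference from one overlay's deployment-patch.yaml into the next) can be scripted so that the PR only ever changes the image line. The following helper is an added example, not code from Red Hat Developer Hub or the Advanced Developer Suite templates. It takes the component/<app_name>/overlays/{development,stage,prod} layout and the deployment-patch.yaml file name from this page; the patch contents are constructed samples, and the digest-pinning check is an added safeguard that assumes your build publishes images by digest rather than by a mutable tag.

```python
"""Promote a container image between kustomize overlays (development -> stage -> prod).

Added example that automates the manual steps in the procedure above. It is not
part of Red Hat Developer Hub or the Advanced Developer Suite templates. The
layout component/<app_name>/overlays/{development,stage,prod} and the file name
deployment-patch.yaml come from the page; the patch contents below are
constructed samples, and the digest-pinning check is an added safeguard
(assumption: your build publishes images by digest, not by mutable tag).
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

PROMOTION_ORDER = ["development", "stage", "prod"]

# One "image: <ref>" line, with or without a leading "- ", in a deployment patch.
IMAGE_LINE = re.compile(
    r"^(?P<prefix>[ \t]*(?:-[ \t]+)?)image:[ \t]*(?P<ref>\S+)[ \t]*$", re.MULTILINE
)
# An immutable reference: registry/repo@sha256:<64 hex digits>.
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def extract_images(patch_text: str) -> list[str]:
    """Return the container image references in a patch (what gather-deploy-images collects)."""
    return [m.group("ref") for m in IMAGE_LINE.finditer(patch_text)]


def is_digest_pinned(ref: str) -> bool:
    """True when the reference is pinned by digest rather than a mutable tag."""
    return DIGEST_REF.match(ref) is not None


def promote(overlays: Path, source: str, target: str, require_digest: bool = True) -> str:
    """Copy the image reference from source/deployment-patch.yaml into target/deployment-patch.yaml.

    Only the image line is rewritten; the target keeps its own replicas and other settings,
    which the page says to carry over by hand when needed. Returns the promoted reference.
    """
    if PROMOTION_ORDER.index(target) != PROMOTION_ORDER.index(source) + 1:
        raise ValueError(f"{source} does not promote to {target}")
    src_images = extract_images((overlays / source / "deployment-patch.yaml").read_text())
    if len(src_images) != 1:
        raise ValueError(f"expected exactly one image in {source}, found {src_images}")
    image = src_images[0]
    if require_digest and not is_digest_pinned(image):
        raise ValueError(f"refusing to promote a mutable reference: {image}")
    target_file = overlays / target / "deployment-patch.yaml"
    text = target_file.read_text()
    if len(extract_images(text)) != 1:
        raise ValueError(f"expected exactly one image in {target}")
    text = IMAGE_LINE.sub(lambda m: f"{m.group('prefix')}image: {image}", text, count=1)
    target_file.write_text(text)
    return image


def sample_patch(replicas: int, digest: str) -> str:
    """Constructed deployment-patch.yaml content for the example."""
    return (
        "apiVersion: apps/v1\n"
        "kind: Deployment\n"
        "metadata:\n"
        "  name: my-app\n"
        "spec:\n"
        f"  replicas: {replicas}\n"
        "  template:\n"
        "    spec:\n"
        "      containers:\n"
        "        - name: my-app\n"
        f"          image: quay.io/example-user/my-app@sha256:{digest}\n"
    )


NEW_DIGEST = "a" * 64  # constructed: the image just built into development
OLD_DIGEST = "b" * 64  # constructed: what stage and prod currently run


def demo() -> dict:
    """Build the constructed overlay tree in a temp dir and promote development -> stage -> prod."""
    with tempfile.TemporaryDirectory() as tmp:
        overlays = Path(tmp) / "component" / "my-app" / "overlays"
        for env, patch in {
            "development": sample_patch(1, NEW_DIGEST),
            "stage": sample_patch(2, OLD_DIGEST),
            "prod": sample_patch(3, OLD_DIGEST),
        }.items():
            (overlays / env).mkdir(parents=True)
            (overlays / env / "deployment-patch.yaml").write_text(patch)
        stage_image = promote(overlays, "development", "stage")
        prod_image = promote(overlays, "stage", "prod")
        return {
            "stage": stage_image,
            "prod": prod_image,
            "prod_patch": (overlays / "prod" / "deployment-patch.yaml").read_text(),
        }


if __name__ == "__main__":
    result = demo()
    print(f"stage now runs {result['stage']}")
    print(f"prod now runs  {result['prod']}")
```

Run it against a real clone by pointing `promote()` at the overlays directory instead of the temp tree, then commit and open the PR as the procedure describes. Rewriting only the image line keeps the PR diff small enough to review at a glance, and refusing mutable tags means the reference that Conforma verifies in the pipeline is exactly the one Argo CD will deploy.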
Verification
- Use the Topology tab in RHDH to confirm the application distribution across namespaces.
- Use the CD tab to view deployment details, including the status, updates, commit message (for example, "Promote stage to prod"), and container image changes.
5.1. About Conforma compliance
Conforma is a suite of tools designed to maintain software supply chain security. It helps maintain the integrity of container images by verifying that they meet defined requirements before promoting them to production. If an image does not comply with the set policies, Conforma generates a report identifying the issues that must be resolved.
The promotion pipeline includes several tasks to ensure secure and compliant deployments:
- git-clone: Clones the repository into the workspace using the git-clone task.
- gather-deploy-images: Extracts the container images from deployment YAML files for validation.
- verify-enterprise-contract: Validates the container images using Conforma policies and Sigstore’s cosign tool.
- deploy-images: Deploys images to the target environment.
- download-sbom-from-url-in-attestations: Retrieves software bills of materials (SBOMs) for images by downloading OCI blobs referenced in image attestations.
- upload-sbom-to-trustification: Uploads SBOMs to Trustification using the BOMbastic API.
The Red Hat Advanced Developer Suite - software supply chain build process generates a signed in-toto attestation of the build pipeline, which cryptographically verifies the build’s integrity. Conforma then evaluates the build against defined policies, ensuring it complies with the organizational security standards.
The insights from Conforma compliance reports help prioritize security and compliance tasks:
- Review policy compliance: Confirm that your application meets standards such as Supply Chain Levels for Software Artifacts (SLSA). Address any compliance gaps based on the recommendations in the report.
- Streamline review: Use filters in the reports to focus on critical issues, enabling a faster and more efficient review process.
Conforma compliance reports provide detailed insights into application security and adherence to policies:
- Policy compliance overview: Displays the checks performed, their status (success, warning, or failure), and messages explaining warnings or failures.
- Details provided: Policy reports include:
- Successful checks: Lists the policies that passed validation.
- Warnings and failures: Highlights policies that triggered warnings or failed checks, with explanations.
- Rule compliance: Shows how the application adheres to individual policy rules, such as source code references or attestation validations.
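To show how such a report can be triaged the way the text describes (counting successes, warnings and failures, filtering down to the critical issues, and deciding whether the promotion may proceed), here is an added example that is not part of Conforma, Red Hat Developer Hub or the promotion pipeline. The report it works on is a constructed sample: its shape (a top-level "success" flag plus per-component "violations", "warnings" and "successes" lists, each entry carrying a "msg" and a rule code) is an assumption made for this example, and the rule codes are placeholders, so check both against the report your pipeline actually emits.

```python
"""Triage a Conforma-style compliance report before deciding whether a promotion may proceed.

Added example, not part of Conforma, Red Hat Developer Hub or the promotion
pipeline. SAMPLE_REPORT is constructed; its shape and rule codes are
assumptions for this example, not Conforma's documented schema.
"""
from __future__ import annotations

SEVERITY = {"failure": 2, "warning": 1, "success": 0}

# Constructed sample report for one component (not real Conforma output).
SAMPLE_REPORT = {
    "success": False,
    "components": [
        {
            "name": "my-app",
            "containerImage": "quay.io/example-user/my-app@sha256:" + "a" * 64,
            "success": False,
            "violations": [
                {"msg": "image is not signed with the configured key",
                 "metadata": {"code": "example.image.signature"}},
            ],
            "warnings": [
                {"msg": "attestation references an unpinned task bundle",
                 "metadata": {"code": "example.attestation.task_bundle"}},
            ],
            "successes": [
                {"msg": "source code reference matches the build attestation",
                 "metadata": {"code": "example.source.reference"}},
                {"msg": "SLSA provenance attestation found",
                 "metadata": {"code": "example.attestation.present"}},
            ],
        }
    ],
}


def flatten(report: dict) -> list[dict]:
    """Turn the nested report into one row per check: component, status, rule, message."""
    rows = []
    for comp in report.get("components", []):
        for status, key in (("failure", "violations"), ("warning", "warnings"), ("success", "successes")):
            for entry in comp.get(key, []):
                rows.append({
                    "component": comp.get("name", "?"),
                    "status": status,
                    "rule": entry.get("metadata", {}).get("code", "unknown"),
                    "msg": entry.get("msg", ""),
                })
    return rows


def filter_rows(rows: list[dict], min_status: str = "warning") -> list[dict]:
    """Keep only checks at or above the given severity (the 'focus on critical issues' filter)."""
    threshold = SEVERITY[min_status]
    return [r for r in rows if SEVERITY[r["status"]] >= threshold]


def counts(rows: list[dict]) -> dict:
    """Number of checks per status, the figures shown in the overview."""
    c = {"failure": 0, "warning": 0, "success": 0}
    for r in rows:
        c[r["status"]] += 1
    return c


def gate(report: dict, fail_on_warnings: bool = False) -> bool:
    """Return True when the build may be promoted: no violations (and no warnings, if strict)."""
    c = counts(flatten(report))
    if c["failure"]:
        return False
    if fail_on_warnings and c["warning"]:
        return False
    return True


def render(rows: list[dict]) -> str:
    """One line per check, in the order the rows were produced."""
    return "\n".join(f"[{r['status'].upper():7}] {r['component']} {r['rule']}: {r['msg']}" for r in rows)


if __name__ == "__main__":
    rows = flatten(SAMPLE_REPORT)
    print(counts(rows))
    print(render(filter_rows(rows, "warning")))
    print("promotion allowed:", gate(SAMPLE_REPORT))
```

The strict mode of `gate()` is the useful knob for the production step: tolerate warnings on the way into stage, but require a warning-free report before anything reaches prod.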
5.2. Viewing Conforma compliance reports
The Pipeline Runs section, located under the CI tab in Red Hat Developer Hub, displays detailed compliance reports in a structured pop-up interface.
Procedure
Follow the steps that correspond to your CI provider:
CI provider: Tekton (default CI provider)
Steps:
- Select Catalog and select the component you want to review.
- Select the CI tab, and in the Actions column, select the View output icon.
Report display: The report displays in a structured pop-up interface.
CI provider: Other CI providers (for example, Jenkins or GitLab)
Steps:
- Navigate to the application’s build logs.
- Search for the text Step: verify-enterprise-contract.
Report display: The report is displayed in the build logs.
Figure 5.1. The Conforma report (Tekton example)
Revised on 2026-02-04 23:24:05 UTC