Missing Jobs/SAST-IaC.latest.gitlab-ci.yml Job Failed #1750575921

Job #1750575921 failed for e490ffee:

added main-jh broken label

assigned to @memorycancel

By Zhu Shung on 2021-11-05T01:14:28 (imported from GitLab)

mentioned in merge request !165 (closed)

By Zhu Shung on 2021-11-05T01:26:17 (imported from GitLab)

assigned to @prajnamas and unassigned @memorycancel

By Zhu Shung on 2021-11-05T02:45:15 (imported from GitLab)

@godfat-gitlab @hfyngvason Here we encountered a problem.

In this MR we introduced

module Ci
  module TemplateHelpers
    def secure_analyzers_prefix
      'registry.gitlab.com/gitlab-org/security-products/analyzers'
    end
  end
end

Ci::TemplateHelpers.prepend_mod

so that in upstream the prefix is registry.gitlab.com/gitlab-org/security-products/analyzers,while in jihu it will be gitlab-jh-public.tencentcloudcr.com/security-products/analyzers.

But here I noticed that for cluster-image-scanning image it's actually uploaded to gitlab.com/security-products so the previous trick doesn't work.

I'm wondering if this is the trend of moving all production artifacts to gitlab.com/security-products? Shall we introduce another prefix in the Ci::TemplateHelper?

Thanks, Fu

By Fu Zhang on 2021-11-08T00:27:36 (imported from GitLab)

cc @kwiebers This is currently a blocking issue which causes JH repo pipeline failed.

By Qian Zhang on 2021-11-08T00:27:25 (imported from GitLab)

But here I noticed that for cluster-image-scanning image it's actually uploaded to gitlab.com/security-products so the previous trick doesn't work.

How did you tell this?

I'm wondering if this is the trend of moving all production artifacts to gitlab.com/security-products?

Why do you think so?

I am not familiar with security-products and don't know how this works. Please help me understand the context better.

By Lin Jen-Shin on 2021-11-08T12:42:02 (imported from GitLab)

Thanks for raising this issue. It looks like https://gitlab.com/gitlab-org/gitlab/-/issues/338300 did move the image from registry.gitlab.com/gitlab-org/security-products/analyzers/ to registry.gitlab.com/security-products/cluster-image-scanning.

@godfat-gitlab - I think @prajnamas is correct that there may be more movement into gitlab.com/security-products based on https://gitlab.com/gitlab-org/gitlab/-/issues/297525 which is a confidential issue. I asked for clarification on the timeframe at https://gitlab.com/gitlab-org/gitlab/-/issues/297525#note_727161656

@qianzhangxa @prajnamas - Can you create logic to manage the override for specific templates to gitlab.com/security-products as they are migrated over like Jobs/SAST-IaC.latest.gitlab-ci.yml?

By Kyle Wiebers on 2021-11-08T19:21:01 (imported from GitLab)

@qianzhangxa @kwiebers Yes, the images are being moved. Apologies for missing the potential impact on JiHu when reviewing https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72940/

That being said, it is not the cause of the failing spec. The failing spec seems to be caused by a newly introduced template not getting resolved in JiHu. I see that a fix MR for that was already opened https://gitlab.com/gitlab-jh/gitlab/-/merge_requests/165

I don't think the helper needs immediate action, as the failing spec does not refer to it or make assertions on the image used.

By Hordur Freyr Yngvason on 2021-11-08T19:29:14 (imported from GitLab)

Thanks for your replies.

@hfyngvason Actually I did try to fix cluster-image-scanning in the 165 MR, but soon I realized it has a brand new address so it's been reverted.

As @kwiebers said, if there will be more movements for security-products, do you think that we should introduce another prefix in Ci::TemplateHelper? At least for now, cluster-image-scanning needs such a prefix.

By Fu Zhang on 2021-11-09T13:14:40 (imported from GitLab)

@godfat-gitlab @kwiebers I think we should discuss a long-term plan for CI templates/images, now all of they are being handled manually.

By Fu Zhang on 2021-11-09T12:31:16 (imported from GitLab)

if there will be more movements for security-products, do you think that we should introduce another prefix in Ci::TemplateHelper? At least for now, cluster-image-scanning needs such a prefix

@prajnamas This prefix is a test helper, and as far as I could tell, the tests for the new template did not make assertions on the prefix.

But I do see that there are a couple of instances of the registry hardcoded in the tests (for other templates), which should probably be extracted into a test helper:

./ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb:80:              CIS_ANALYZER_IMAGE: 'registry.gitlab.com/security-products/cluster-image-scanning:0'
./ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb:55:          image = 'registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'

Did these not fail for JiHu?

By Hordur Freyr Yngvason on 2021-11-09T20:06:25 (imported from GitLab)

I think we should discuss a long-term plan for CI templates/images, now all of they are being handled manually.

I added a question and suggestion at https://gitlab.com/gitlab-jh/gitlab/-/issues/347#note_728789673

I think my main question is what do we need to manually change for now, beside the image URL?

By Lin Jen-Shin on 2021-11-09T23:56:41 (imported from GitLab)

I found the merge request resolving the URL change: https://gitlab.com/gitlab-jh/gitlab/-/merge_requests/154

By Lin Jen-Shin on 2021-11-10T00:59:09 (imported from GitLab)

@hfyngvason

Did these not fail for JiHu?

It doesn't fail because for now JiHu template is the same as upstream CI template, both of them are registry.gitlab.com

I did try to change it to gitlab-jh.tencentcloudcr.com, but it's been reverted. You can check the MR commits.

By Fu Zhang on 2021-11-10T02:20:28 (imported from GitLab)

added priority1 label

mentioned in issue #347 (closed)

By Lin Jen-Shin on 2021-11-10T00:07:18 (imported from GitLab)

@prajnamas It looks like this issue is actually resolved by https://gitlab.com/gitlab-jh/gitlab/-/merge_requests/168 because it also contains:

• jh/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
• jh/lib/gitlab/ci/templates/Security/SAST-IaC.latest.gitlab-ci.yml

Is this correct? If so, what about closing this issue and move further discussions over https://gitlab.com/gitlab-jh/gitlab/-/issues/347 ?

By Lin Jen-Shin on 2021-11-10T02:21:55 (imported from GitLab)

Yes, I think we can close this issue and move to #347 (closed)

By Fu Zhang on 2021-11-10T02:21:55 (imported from GitLab)