Enabling hermetic build for konflux onboarding #23

Open
beraldoleal wants to merge 2 commits into confidential-devhub:main from beraldoleal:hermetic-build

Conversation

@beraldoleal

Contributor

See individual commits for details.


@littlejawa left a comment


Looks nice. Can't wait to see what Konflux will do with it :-)

/lgtm
Thanks @beraldoleal !

@beraldoleal

Contributor Author

Thanks for the commit... Just hold on a bit, since I noticed some version mismatches. I'm trying to fix them.

@beraldoleal

Contributor Author

No mismatch, just fixing the Portuguese -> English.

@beraldoleal

beraldoleal commented Jun 17, 2026

Contributor Author

Hey @littlejawa , we might not use Konflux for the coco-tools builds in 1.13, but I'd still like to test the hermetic build in this release and include it in the release pipeline, even if we keep pushing the image to quay.io directly for now.

I've updated the PR with the following changes:

Component versions (all using stable releases now):

| Component | Version |
|---|---|
| guest-components | v0.20.0 + downstream patch |
| trustee | v0.20.0 |
| kata-containers | 3.31.0 |
| snpguest | v0.10.0 |
| snphost | v0.7.0 |
| tdx-measure | v0.1.1 |
| veritas | main (release coming soon) |

What changed:

  • Moved guest-components and trustee from main to v0.20.0, and kata from 3.25.0 to 3.31.0
  • Added a small downstream patch for guest-components to fix a csv-rs vendor collision that breaks hermetic builds (cherry-pick of upstream commit 1fcebcb, not yet in any release). The patch lives in patches/ and can be removed once v0.21.0 is out
  • Fixed genpolicy build (disabled rust-toolchain.toml to avoid rustup in hermetic mode, fixed binary path for workspace)

Veritas is still on main for now. I'm working on a release for it and should have a tagged version shortly, just waiting on an open PR to land first.

Comment thread on README-hermetic.md:

## Files

- **hermeto-input.json**: hermeto/cachi2 configuration for dependency prefetch


The hermeto configuration is part of the .tekton files you'll get when you onboard this repo to Konflux.
You will not need this hermeto-input.json file, but you'll have to configure/update the pipeline files.
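As an added example (not code from this PR or the repository): a small Python helper that reads a hermeto/cachi2 input spec of the kind the PR's hermeto-input.json holds (cargo, pip and RPM prefetch) and emits the two Konflux PipelineRun params, `hermetic` and `prefetch-input`, that carry the same configuration once the repo is onboarded. The sample input and the list of supported package types are assumptions made for the example.

```python
import json

# Package managers hermeto/cachi2 can prefetch. Assumption: this is the set
# as of hermeto releases with cargo support; check the hermeto version your
# Konflux pipeline pins before relying on "cargo".
SUPPORTED_TYPES = {"bundler", "cargo", "generic", "gomod", "npm", "pip", "rpm", "yarn"}

# Constructed sample of a hermeto-input.json in the shape the PR describes
# (cargo + pip prefetch, plus an RPM lockfile); not the repository's real file.
SAMPLE_HERMETO_INPUT = json.dumps({
    "packages": [
        {"type": "cargo", "path": "src/guest-components"},
        {"type": "pip", "path": "src/tools", "requirements_files": ["requirements.txt"]},
        {"type": "rpm"},
    ]
})


def load_packages(text):
    """Accept the spellings hermeto accepts (a single package object, a bare
    list, or {"packages": [...]}) and return a validated, normalized list."""
    spec = json.loads(text)
    if isinstance(spec, dict) and "packages" in spec:
        spec = spec["packages"]
    if isinstance(spec, dict):
        spec = [spec]
    if not isinstance(spec, list):
        raise ValueError("hermeto input must be a package object or a list")
    for pkg in spec:
        if not isinstance(pkg, dict) or pkg.get("type") not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported package entry: {pkg!r}")
    return spec


def konflux_params(text):
    """Map a hermeto input spec to the PipelineRun params Konflux uses for a
    hermetic build: hermetic=true (no network during the build) and
    prefetch-input holding the package list as one JSON string."""
    packages = load_packages(text)
    return [
        {"name": "hermetic", "value": "true"},
        {"name": "prefetch-input", "value": json.dumps(packages, separators=(",", ":"))},
    ]


if __name__ == "__main__":
    # Print the params in the YAML shape used under spec.params of a PipelineRun.
    for p in konflux_params(SAMPLE_HERMETO_INPUT):
        print(f"- name: {p['name']}\n  value: '{p['value']}'")
```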

  Add hermetic build support using cachi2/hermeto for dependency
  prefetch. Source dependencies are git submodules pointing to
  downstream (openshift/) repos.

  Submodules:
  - openshift/confidential-containers-guest-components (osc-release)
  - openshift/trustee (main)
  - openshift/kata-containers (osc-release)
  - virtee/snpguest (v0.10.0)
  - virtee/snphost (v0.7.0)
  - virtee/tdx-measure (v0.1.1)

  Build changes:
  - Rust from UBI10 RPMs (1.92.0) instead of rustup
  - RPM lockfile for reproducible builds
  - hermeto-input.json for cargo/pip dependency prefetch
  - Containerfile.ubi supports both local and hermetic modes

  The original --no-default-features flag worked with trustee v0.17.0
  which had no default features. The downstream trustee now defaults
  to default-tls, and kbs_protocol requires reqwest with TLS enabled.
  Dropping --no-default-features aligns with how openshift/trustee
  builds kbs-client (make cli-static-linux).
@beraldoleal

Contributor Author

@littlejawa let me know if that works for you ^

@beraldoleal beraldoleal requested a review from lmilleri June 19, 2026 18:26