
CLID-663: Create Dockerfile.konflux for konflux release pipeline #1438

Open

dorzel wants to merge 1 commit into openshift:main from dorzel:CLID-663

Conversation


@dorzel dorzel commented Jun 11, 2026

Member

Description

Creates Dockerfile.konflux for konflux release pipeline consumption as part of our transition out of the release payload. See the linked jira issue for more info.

Also removes the operator=true from our .art Dockerfile.

Github / Jira issue: https://redhat.atlassian.net/browse/CLID-663

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Code Improvements (Refactoring, Performance, CI upgrades, etc)
  • Internal repo assets (diagrams / docs on github repo)
  • This change requires a documentation update on openshift docs

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Expected Outcome

Please describe the outcome expected from the tests.

Summary by CodeRabbit

  • Chores
    • Updated container image metadata labels to improve compatibility and standardize formatting.
    • Added a new containerized build configuration for the Konflux CDN pipeline, producing oc-mirror artifacts for both UBI8 and UBI9 environments and assembling them into a final release-ready image.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 11, 2026

openshift-ci-robot commented Jun 11, 2026


@dorzel: This pull request references CLID-663 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

Description

Creates Dockerfile.konflux for konflux release pipeline consumption as part of our transition out of the release payload. See the linked jira issue for more info.

Also removes the operator=true from our .art Dockerfile.

Github / Jira issue: https://redhat.atlassian.net/browse/CLID-663

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Code Improvements (Refactoring, Performance, CI upgrades, etc)
  • Internal repo assets (diagrams / docs on github repo)
  • This change requires a documentation update on openshift docs

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Expected Outcome

Please describe the outcome expected from the tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 11, 2026

coderabbitai Bot commented Jun 11, 2026


Walkthrough

The PR updates Docker build configurations for the oc-mirror CLI images. The existing OpenShift Dockerfile's metadata labels are adjusted by removing the io.openshift.release.operator=true label and reformatting the tags label. A new Konflux CDN release pipeline Dockerfile is added to build and package oc-mirror binaries for multiple Red Hat UBI versions with different Go toolsets.

Changes

Docker Build Configuration Updates

Layer / File(s) Summary
Label cleanup in OpenShift Dockerfiles
images/cli/Dockerfile.art, images/cli/Dockerfile.ci
Both Dockerfiles remove the io.openshift.release.operator=true label from their LABEL blocks. Dockerfile.art additionally reformats io.openshift.tags="openshift,cli,mirror" with updated line continuation.
Konflux CDN release pipeline multi-stage build
images/cli/Dockerfile.konflux
A new multi-stage Dockerfile builds oc-mirror binaries on UBI8 (Go 1.24) and UBI9 (Go 1.26), compresses each into tarballs, copies both artifacts into /releases/ in a minimal final image, and defines required Kubernetes/EC container metadata labels.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly addresses the main change: creation of a new Dockerfile.konflux for the konflux release pipeline, which is the primary feature introduced in this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The custom check for Ginkgo test name stability is not applicable to this PR, which only modifies Docker container image definitions. No test files or Ginkgo test patterns are present in the changes.
Test Structure And Quality ✅ Passed This PR contains only Docker configuration file changes (Dockerfiles for .art, .ci, and .konflux). The custom check for Ginkgo test structure is not applicable as there are no test files in this PR.
Microshift Test Compatibility ✅ Passed This PR only modifies Dockerfile files (Dockerfile.art, Dockerfile.ci, Dockerfile.konflux) and does not add any Ginkgo e2e tests. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR contains only Dockerfile changes and does not add any Ginkgo e2e tests. The custom check is inapplicable since it specifically targets "new Ginkgo e2e tests" and this PR has no test code mo...
Topology-Aware Scheduling Compatibility ✅ Passed Check is not applicable: PR only modifies Dockerfiles (container build specs), not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract ✅ Passed This PR modifies only Docker image configuration files (Dockerfile metadata labels). The OTE Binary Stdout Contract check applies to Go logging behavior in OTE binaries. The included test extension...
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR contains only Dockerfile changes (labels, multi-stage builds), not Ginkgo e2e tests. The check for IPv6/disconnected network compatibility is not applicable.
No-Weak-Crypto ✅ Passed No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) or insecure crypto practices detected in Dockerfile changes.
Container-Privileges ✅ Passed PR contains only Dockerfile modifications with no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation settings; no K8s manifests added.
No-Sensitive-Data-In-Logs ✅ Passed PR changes do not introduce logging that exposes sensitive data. Changes remove labels, modify Dockerfile.art/ci (pre-existing cat commands unchanged), and add new Dockerfile.konflux with no secret...


@openshift-ci openshift-ci Bot requested review from aguidirh and r4f4 June 11, 2026 15:24

openshift-ci Bot commented Jun 11, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dorzel
Once this PR has been reviewed and has the lgtm label, please assign aguidirh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
images/cli/Dockerfile.konflux (1)

23-38: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a HEALTHCHECK to the delivery image.

No HEALTHCHECK is defined in the final stage (Lines 23-38), which violates the container baseline in this repository.

Suggested fix
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 RUN mkdir -p /releases/
 COPY --from=builder_rhel8 /output/ /releases/
 COPY --from=builder_rhel9 /output/ /releases/
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD test -s /releases/oc-mirror-linux-$(uname -m).tar.gz || exit 1
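Review bot: the tarball name `oc-mirror-linux-$(uname -m).tar.gz` used in the CMD is not established anywhere in this thread; the walkthrough only says each binary is compressed into a tarball, and the later suggestion probes the glob `oc-mirror-*.tar.gz` instead. Since both an RHEL 8 and an RHEL 9 archive are copied into `/releases/`, confirm the actual file names the builder stages produce before adopting a fixed-name probe, otherwise the HEALTHCHECK reports unhealthy on a correctly built image.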

As per coding guidelines, "**/{Dockerfile,Containerfile}*: HEALTHCHECK defined."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/cli/Dockerfile.konflux` around lines 23 - 38, Add a HEALTHCHECK to the
final stage of Dockerfile.konflux: in the final image (after COPY from
builder_rhel8 and builder_rhel9 and the LABEL block) add a HEALTHCHECK
instruction that periodically validates the delivered oc-mirror binary (refer to
the "oc-mirror" LABEL and the files copied into /releases/) — e.g., invoke the
shipped executable with a lightweight command such as a version or a minimal
self-check and return non-zero on failure; include sensible options like
interval and timeout so the check is not too frequent.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/cli/Dockerfile.konflux`:
- Line 7: Replace the unsafe "COPY . ." usages in the builder stages with
explicit COPY instructions that only add required files and directories (e.g.,
COPY package.json yarn.lock ./, COPY go.mod go.sum ./, COPY src/ ./ or COPY app/
./) to the build context used by the builder; update the builder-stage
Dockerfile steps (look for the "COPY . ." occurrences) to list the exact files
needed and add/update a .dockerignore to exclude secrets, config, and
Dockerfiles so sensitive or extraneous files are never sent to the build
context.
- Around line 23-27: Final Docker stage uses root by default; create a non-root
user, ensure ownership of /releases and any needed dirs, and set USER to that
user in the final stage. Specifically, in the final stage (the FROM
registry.access.redhat.com/ubi9/ubi-minimal:latest stage) add steps to create a
user/group (e.g. addgroup/adduser or groupadd/useradd), chown /releases to that
user, drop privileges with USER <username> before the image is finished so the
container runs non-root. Ensure files copied from builder stages remain
accessible to the non-root account.

---

Outside diff comments:
In `@images/cli/Dockerfile.konflux`:
- Around line 23-38: Add a HEALTHCHECK to the final stage of Dockerfile.konflux:
in the final image (after COPY from builder_rhel8 and builder_rhel9 and the
LABEL block) add a HEALTHCHECK instruction that periodically validates the
delivered oc-mirror binary (refer to the "oc-mirror" LABEL and the files copied
into /releases/) — e.g., invoke the shipped executable with a lightweight
command such as a version or a minimal self-check and return non-zero on
failure; include sensible options like interval and timeout so the check is not
too frequent.


📥 Commits

Reviewing files that changed from the base of the PR and between ceb66d9 and c1d9346.

📒 Files selected for processing (2)
  • images/cli/Dockerfile.art
  • images/cli/Dockerfile.konflux

# Stage 1: Build and compress RHEL 8 binary
FROM registry.access.redhat.com/ubi8/go-toolset:1.24 AS builder_rhel8
WORKDIR /go/src/github.com/openshift/oc-mirror
COPY . .



⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Avoid COPY . . in builder stages.

At Lines 7 and 16, copying the entire context increases leak risk (including accidental sensitive files) and weakens build reproducibility. Copy only required files/directories.

Suggested direction
-WORKDIR /go/src/github.com/openshift/oc-mirror
-COPY . .
+WORKDIR /go/src/github.com/openshift/oc-mirror
+COPY Makefile go.mod go.sum ./
+COPY cmd/ cmd/
+COPY internal/ internal/
+COPY pkg/ pkg/
+COPY docs/ docs/
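Review bot: the directories in the replacement COPY list (`cmd/`, `internal/`, `pkg/`, `docs/`) are a guess at the repository layout rather than derived from what `make build` reads, and a directory the Makefile needs but the list omits only surfaces as a failure at image-build time; check the list against the build targets before adopting it. A `.dockerignore` beside this Dockerfile is the smaller first step, since it keeps `.git` and local files out of the context without having to enumerate every source directory.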

As per coding guidelines, "**/{Dockerfile,Containerfile}*: COPY specific files, not entire context."

Also applies to: 16-16

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/cli/Dockerfile.konflux` at line 7, Replace the unsafe "COPY . ."
usages in the builder stages with explicit COPY instructions that only add
required files and directories (e.g., COPY package.json yarn.lock ./, COPY
go.mod go.sum ./, COPY src/ ./ or COPY app/ ./) to the build context used by the
builder; update the builder-stage Dockerfile steps (look for the "COPY . ."
occurrences) to list the exact files needed and add/update a .dockerignore to
exclude secrets, config, and Dockerfiles so sensitive or extraneous files are
never sent to the build context.

Source: Coding guidelines
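The baseline rules CodeRabbit is applying in this thread (copy specific files rather than the whole context, define a HEALTHCHECK, run the final stage as a non-root user) can be checked locally before a push. The script below is an added example and is not part of oc-mirror or this PR: a POSIX shell linter, `lint_dockerfile`, that runs those checks plus a check for floating `:latest` base tags, over two constructed Dockerfiles written by `write_samples`. The first mirrors the stages quoted in the review; the second applies the suggested fixes with a placeholder digest and illustrative source directory names that are assumptions, not the repository's layout. The linter treats everything after the last FROM line as the final stage, which is a simplification.

```shell
#!/bin/sh
# Added example (not oc-mirror code): a small baseline linter for multi-stage
# Dockerfiles that flags the findings raised in this review:
#   - COPY . . anywhere (whole build context copied into the builder)
#   - no HEALTHCHECK in the final stage
#   - final stage never sets USER, or sets it to root
#   - a FROM line with a floating :latest tag (reproducibility)
# The final stage is taken to be everything after the last FROM line.

# lint_dockerfile FILE: print one finding per line; return the number of findings
lint_dockerfile() {
  f="$1"
  n=0

  # Stage-independent checks
  if grep -Eq '^[[:space:]]*COPY[[:space:]]+\.[[:space:]]+\.[[:space:]]*$' "$f"; then
    echo "COPY . . copies the whole build context; copy only the files the build needs"
    n=$((n + 1))
  fi
  if grep -Eq '^[[:space:]]*FROM[[:space:]]+[^[:space:]]+:latest([[:space:]]|$)' "$f"; then
    echo "FROM uses a floating :latest tag; pin a version tag or a digest"
    n=$((n + 1))
  fi

  # Final-stage checks: isolate the text from the last FROM line onwards
  last_from=$(grep -En '^[[:space:]]*FROM[[:space:]]' "$f" | tail -n 1 | cut -d: -f1)
  final=$(tail -n +"${last_from:-1}" "$f")
  if ! printf '%s\n' "$final" | grep -Eq '^[[:space:]]*HEALTHCHECK[[:space:]]'; then
    echo "final stage defines no HEALTHCHECK"
    n=$((n + 1))
  fi
  if ! printf '%s\n' "$final" | grep -Eq '^[[:space:]]*USER[[:space:]]+'; then
    echo "final stage never sets USER; the container runs as root"
    n=$((n + 1))
  elif printf '%s\n' "$final" | grep -Eq '^[[:space:]]*USER[[:space:]]+(root|0)[[:space:]]*$'; then
    echo "final stage sets USER root explicitly"
    n=$((n + 1))
  fi
  return "$n"
}

# write_samples DIR: write two constructed Dockerfiles into DIR.
# Dockerfile.reviewed mirrors the shape of the stages quoted in the review;
# Dockerfile.hardened applies the suggested fixes. The digest and the source
# directory names in the hardened file are placeholders, not repository facts.
write_samples() {
  cat > "$1/Dockerfile.reviewed" <<'EOF'
# Stage 1: Build and compress RHEL 8 binary
FROM registry.access.redhat.com/ubi8/go-toolset:1.24 AS builder_rhel8
WORKDIR /go/src/github.com/openshift/oc-mirror
COPY . .
RUN make build

FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
RUN mkdir -p /releases/
COPY --from=builder_rhel8 /output/ /releases/
EOF
  cat > "$1/Dockerfile.hardened" <<'EOF'
FROM registry.access.redhat.com/ubi8/go-toolset:1.24 AS builder_rhel8
WORKDIR /go/src/github.com/openshift/oc-mirror
# directory names below are illustrative placeholders
COPY Makefile go.mod go.sum ./
COPY cmd/ cmd/
COPY pkg/ pkg/
RUN make build

# PLACEHOLDER digest: replace with the real pinned digest of the base image
FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:PLACEHOLDER_DIGEST
RUN mkdir -p /releases/
COPY --from=builder_rhel8 --chown=1001:0 /output/ /releases/
USER 1001
HEALTHCHECK --interval=30s --timeout=5s CMD test -d /releases
EOF
}

# Demo: lint both constructed files (the unhardened one reports 4 findings)
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in reviewed hardened; do
  echo "== Dockerfile.$name =="
  lint_dockerfile "$demo_dir/Dockerfile.$name" && echo "(no findings)"
done
rm -rf "$demo_dir"
```

The function returns the number of findings, so it can gate a pre-commit hook or a CI step. It does not know what USER a base image already sets, so a base that drops privileges itself would still be flagged, and it does not follow `FROM ... AS` names, so a final stage that is not the last FROM in the file is not handled.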

@dorzel dorzel changed the title [WIP] CLID-663: Create Dockerfile.konflux for konflux release pipeline CLID-663: Create Dockerfile.konflux for konflux release pipeline Jun 17, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 17, 2026

@aguidirh aguidirh left a comment

Contributor


Thanks for the PR @dorzel, I added a few comments, please let me know if you have questions about them.

Comment thread images/cli/Dockerfile.art
# packages them as compressed tarballs in /releases/ for push-artifacts-to-cdn.

# Stage 1: Build and compress RHEL 8 binary
FROM registry.access.redhat.com/ubi8/go-toolset:1.24 AS builder_rhel8

Contributor


In the Dockerfile.art we have the following:

COPY $REMOTE_SOURCES $REMOTE_SOURCES_DIR
WORKDIR $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/app
RUN cat $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/cachito.env
RUN mkdir -p /go/src/github.com/openshift/oc-mirror
RUN ln -s $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/app /go/src/github.com/openshift/oc-mirror
WORKDIR /go/src/github.com/openshift/oc-mirror
COPY . .
RUN source $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/cachito.env \
    && make build

These REMOTE_SOURCES env vars are related to the go proxy where the dependencies are stored (since we are not using vendor directory). Should we have this kind of thing also in the Dockerfile.konflux?

Member Author


I think we need to know more about the konflux environment for this. Seemingly they use cachi2 instead and may inject something automatically for this. Need to confirm.

Comment thread images/cli/Dockerfile.konflux Outdated

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/cli/Dockerfile.konflux`:
- Around line 23-27: The final image stage (the one starting with FROM
registry.access.redhat.com/ubi9/ubi-minimal:latest) is missing a HEALTHCHECK
instruction, which violates the container baseline requirements. Add a
HEALTHCHECK instruction to this final stage after the existing COPY commands to
define a health probe for the container. The HEALTHCHECK should verify that the
container is functioning properly according to its intended purpose.


📥 Commits

Reviewing files that changed from the base of the PR and between c1d9346 and ecd43c5.

📒 Files selected for processing (3)
  • images/cli/Dockerfile.art
  • images/cli/Dockerfile.ci
  • images/cli/Dockerfile.konflux
✅ Files skipped from review due to trivial changes (1)
  • images/cli/Dockerfile.ci
🚧 Files skipped from review as they are similar to previous changes (1)
  • images/cli/Dockerfile.art

Comment on lines +23 to +27
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
RUN mkdir -p /releases/
COPY --from=builder_rhel8 /output/ /releases/
COPY --from=builder_rhel9 /output/ /releases/
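Review bot: the final stage is based on `registry.access.redhat.com/ubi9/ubi-minimal:latest`, a floating tag, so two builds of the same commit can end up with different base layers; for a release pipeline pin the base to a version tag or a digest so the image is reproducible and the base content is known at review time.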



⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a HEALTHCHECK to the final image.

The final stage publishes artifacts but defines no health probe, which violates the container baseline.

Suggested patch
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 RUN mkdir -p /releases/
 COPY --from=builder_rhel8 /output/ /releases/
 COPY --from=builder_rhel9 /output/ /releases/
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD test -n "$(find /releases -maxdepth 1 -name 'oc-mirror-*.tar.gz' -print -quit)" || exit 1
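Review bot: the trailing `|| exit 1` is redundant, since `test -n` already exits non-zero when the string is empty, so the CMD can be just the `test` expression. More importantly, the probe only confirms that a file copied in by the COPY lines above is still present, a condition that cannot change while the container runs, so it satisfies the baseline rule without giving the runtime any real health signal for this artifact-only image.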

As per coding guidelines, "**/{Dockerfile,Containerfile}*: HEALTHCHECK defined."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/cli/Dockerfile.konflux` around lines 23 - 27, The final image stage
(the one starting with FROM registry.access.redhat.com/ubi9/ubi-minimal:latest)
is missing a HEALTHCHECK instruction, which violates the container baseline
requirements. Add a HEALTHCHECK instruction to this final stage after the
existing COPY commands to define a health probe for the container. The
HEALTHCHECK should verify that the container is functioning properly according
to its intended purpose.

Source: Coding guidelines


dorzel commented Jun 22, 2026

Member Author

Also holding off on the recommended coderabbit changes until we can confirm what the konflux environment does automatically.


dorzel commented Jun 23, 2026

Member Author

/retest


openshift-ci Bot commented Jun 23, 2026


@dorzel: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@aguidirh

Contributor

@dorzel should we hold this and wait for ART?


dorzel commented Jun 30, 2026

Member Author

/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 30, 2026