CLID-663: Create Dockerfile.konflux for konflux release pipeline#1438
CLID-663: Create Dockerfile.konflux for konflux release pipeline#1438dorzel wants to merge 1 commit into
Conversation
|
@dorzel: This pull request references CLID-663 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughThe PR updates Docker build configurations for the oc-mirror CLI images. The existing OpenShift Dockerfile's metadata labels are adjusted by removing the ChangesDocker Build Configuration Updates
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dorzel The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
images/cli/Dockerfile.konflux (1)
23-38:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAdd a HEALTHCHECK to the delivery image.
No
HEALTHCHECKis defined in the final stage (Lines 23-38), which violates the container baseline in this repository.Suggested fix
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest RUN mkdir -p /releases/ COPY --from=builder_rhel8 /output/ /releases/ COPY --from=builder_rhel9 /output/ /releases/ +HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ + CMD test -s /releases/oc-mirror-linux-$(uname -m).tar.gz || exit 1As per coding guidelines, "
**/{Dockerfile,Containerfile}*: HEALTHCHECK defined."🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/cli/Dockerfile.konflux` around lines 23 - 38, Add a HEALTHCHECK to the final stage of Dockerfile.konflux: in the final image (after COPY from builder_rhel8 and builder_rhel9 and the LABEL block) add a HEALTHCHECK instruction that periodically validates the delivered oc-mirror binary (refer to the "oc-mirror" LABEL and the files copied into /releases/) — e.g., invoke the shipped executable with a lightweight command such as a version or a minimal self-check and return non-zero on failure; include sensible options like interval and timeout so the check is not too frequent.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@images/cli/Dockerfile.konflux`:
- Line 7: Replace the unsafe "COPY . ." usages in the builder stages with
explicit COPY instructions that only add required files and directories (e.g.,
COPY package.json yarn.lock ./, COPY go.mod go.sum ./, COPY src/ ./ or COPY app/
./) to the build context used by the builder; update the builder-stage
Dockerfile steps (look for the "COPY . ." occurrences) to list the exact files
needed and add/update a .dockerignore to exclude secrets, config, and
Dockerfiles so sensitive or extraneous files are never sent to the build
context.
- Around line 23-27: Final Docker stage uses root by default; create a non-root
user, ensure ownership of /releases and any needed dirs, and set USER to that
user in the final stage. Specifically, in the final stage (the FROM
registry.access.redhat.com/ubi9/ubi-minimal:latest stage) add steps to create a
user/group (e.g. addgroup/adduser or groupadd/useradd), chown /releases to that
user, drop privileges with USER <username> before the image is finished so the
container runs non-root. Ensure files copied from builder stages remain
accessible to the non-root account.
---
Outside diff comments:
In `@images/cli/Dockerfile.konflux`:
- Around line 23-38: Add a HEALTHCHECK to the final stage of Dockerfile.konflux:
in the final image (after COPY from builder_rhel8 and builder_rhel9 and the
LABEL block) add a HEALTHCHECK instruction that periodically validates the
delivered oc-mirror binary (refer to the "oc-mirror" LABEL and the files copied
into /releases/) — e.g., invoke the shipped executable with a lightweight
command such as a version or a minimal self-check and return non-zero on
failure; include sensible options like interval and timeout so the check is not
too frequent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 41476995-2c8f-4eaa-8733-1c1167240c1a
📒 Files selected for processing (2)
images/cli/Dockerfile.artimages/cli/Dockerfile.konflux
| # Stage 1: Build and compress RHEL 8 binary | ||
| FROM registry.access.redhat.com/ubi8/go-toolset:1.24 AS builder_rhel8 | ||
| WORKDIR /go/src/github.com/openshift/oc-mirror | ||
| COPY . . |
There was a problem hiding this comment.
Avoid COPY . . in builder stages.
At Lines 7 and 16, copying the entire context increases leak risk (including accidental sensitive files) and weakens build reproducibility. Copy only required files/directories.
Suggested direction
-WORKDIR /go/src/github.com/openshift/oc-mirror
-COPY . .
+WORKDIR /go/src/github.com/openshift/oc-mirror
+COPY Makefile go.mod go.sum ./
+COPY cmd/ cmd/
+COPY internal/ internal/
+COPY pkg/ pkg/
+COPY docs/ docs/As per coding guidelines, "**/{Dockerfile,Containerfile}*: COPY specific files, not entire context."
Also applies to: 16-16
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@images/cli/Dockerfile.konflux` at line 7, Replace the unsafe "COPY . ."
usages in the builder stages with explicit COPY instructions that only add
required files and directories (e.g., COPY package.json yarn.lock ./, COPY
go.mod go.sum ./, COPY src/ ./ or COPY app/ ./) to the build context used by the
builder; update the builder-stage Dockerfile steps (look for the "COPY . ."
occurrences) to list the exact files needed and add/update a .dockerignore to
exclude secrets, config, and Dockerfiles so sensitive or extraneous files are
never sent to the build context.
Source: Coding guidelines
| # packages them as compressed tarballs in /releases/ for push-artifacts-to-cdn. | ||
|
|
||
| # Stage 1: Build and compress RHEL 8 binary | ||
| FROM registry.access.redhat.com/ubi8/go-toolset:1.24 AS builder_rhel8 |
There was a problem hiding this comment.
In the Dockerfile.art we have the following:
COPY $REMOTE_SOURCES $REMOTE_SOURCES_DIR
WORKDIR $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/app
RUN cat $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/cachito.env
RUN mkdir -p /go/src/github.com/openshift/oc-mirror
RUN ln -s $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/app /go/src/github.com/openshift/oc-mirror
WORKDIR /go/src/github.com/openshift/oc-mirror
COPY . .
RUN source $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/cachito.env \
&& make build
These REMOTE_SOURCES env vars are related to the go proxy where the dependencies are stored (since we are not using vendor directory). Should we have this kind of thing also in the Dockerfile.konflux?
There was a problem hiding this comment.
I think we need to know more about the konflux environment for this. Seemingly they use cachi2 instead and may inject something automatically for this. Need to confirm.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@images/cli/Dockerfile.konflux`:
- Around line 23-27: The final image stage (the one starting with FROM
registry.access.redhat.com/ubi9/ubi-minimal:latest) is missing a HEALTHCHECK
instruction, which violates the container baseline requirements. Add a
HEALTHCHECK instruction to this final stage after the existing COPY commands to
define a health probe for the container. The HEALTHCHECK should verify that the
container is functioning properly according to its intended purpose.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 40fdc1db-bd5e-4bc9-a05d-a52c15cf5371
📒 Files selected for processing (3)
images/cli/Dockerfile.artimages/cli/Dockerfile.ciimages/cli/Dockerfile.konflux
✅ Files skipped from review due to trivial changes (1)
- images/cli/Dockerfile.ci
🚧 Files skipped from review as they are similar to previous changes (1)
- images/cli/Dockerfile.art
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest | ||
| RUN mkdir -p /releases/ | ||
| COPY --from=builder_rhel8 /output/ /releases/ | ||
| COPY --from=builder_rhel9 /output/ /releases/ | ||
|
|
There was a problem hiding this comment.
Add a HEALTHCHECK to the final image.
The final stage publishes artifacts but defines no health probe, which violates the container baseline.
Suggested patch
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
RUN mkdir -p /releases/
COPY --from=builder_rhel8 /output/ /releases/
COPY --from=builder_rhel9 /output/ /releases/
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+ CMD test -n "$(find /releases -maxdepth 1 -name 'oc-mirror-*.tar.gz' -print -quit)" || exit 1As per coding guidelines, "**/{Dockerfile,Containerfile}*: HEALTHCHECK defined."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@images/cli/Dockerfile.konflux` around lines 23 - 27, The final image stage
(the one starting with FROM registry.access.redhat.com/ubi9/ubi-minimal:latest)
is missing a HEALTHCHECK instruction, which violates the container baseline
requirements. Add a HEALTHCHECK instruction to this final stage after the
existing COPY commands to define a health probe for the container. The
HEALTHCHECK should verify that the container is functioning properly according
to its intended purpose.
Source: Coding guidelines
|
Also holding off on the recommended coderabbit changes until we can confirm what the konflux environment does automatically. |
|
/retest |
|
@dorzel: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@dorzel should we hold this on and wait for ART? |
|
/hold |
Description
Creates Dockerfile.konflux for konflux release pipeline consumption as part of our transition out of the release payload. See the linked jira issue for more info.
Also removes the
operator=truefrom our .art Dockerfile.Github / Jira issue: https://redhat.atlassian.net/browse/CLID-663
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.
Expected Outcome
Please describe the outcome expected from the tests.
Summary by CodeRabbit
oc-mirrorartifacts for both UBI8 and UBI9 environments and assembling them into a final release-ready image.