CLID-663: Create Dockerfile.konflux for konflux release pipeline#1438
CLID-663: Create Dockerfile.konflux for konflux release pipeline#1438dorzel wants to merge 1 commit into
Conversation
|
@dorzel: This pull request references CLID-663 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughThe PR updates CLI image metadata and adds a Konflux multi-stage Dockerfile that builds and packages ChangesCLI image builds
Estimated code review effort: 2 (Simple) | ~10 minutes Sequence Diagram(s)sequenceDiagram
participant UBI8Builder
participant UBI9Builder
participant DeliveryImage
UBI8Builder->>DeliveryImage: RHEL 8 oc-mirror tarballs
UBI9Builder->>DeliveryImage: RHEL 9 oc-mirror tarballs
DeliveryImage->>DeliveryImage: Store artifacts in /releases/
Suggested reviewers: Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
images/cli/Dockerfile.konflux (1)
23-38:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAdd a HEALTHCHECK to the delivery image.
No
HEALTHCHECKis defined in the final stage (Lines 23-38), which violates the container baseline in this repository.Suggested fix
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest RUN mkdir -p /releases/ COPY --from=builder_rhel8 /output/ /releases/ COPY --from=builder_rhel9 /output/ /releases/ +HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ + CMD test -s /releases/oc-mirror-linux-$(uname -m).tar.gz || exit 1As per coding guidelines, "
**/{Dockerfile,Containerfile}*: HEALTHCHECK defined."🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/cli/Dockerfile.konflux` around lines 23 - 38, Add a HEALTHCHECK to the final stage of Dockerfile.konflux: in the final image (after COPY from builder_rhel8 and builder_rhel9 and the LABEL block) add a HEALTHCHECK instruction that periodically validates the delivered oc-mirror binary (refer to the "oc-mirror" LABEL and the files copied into /releases/) — e.g., invoke the shipped executable with a lightweight command such as a version or a minimal self-check and return non-zero on failure; include sensible options like interval and timeout so the check is not too frequent.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@images/cli/Dockerfile.konflux`:
- Line 7: Replace the unsafe "COPY . ." usages in the builder stages with
explicit COPY instructions that only add required files and directories (e.g.,
COPY package.json yarn.lock ./, COPY go.mod go.sum ./, COPY src/ ./ or COPY app/
./) to the build context used by the builder; update the builder-stage
Dockerfile steps (look for the "COPY . ." occurrences) to list the exact files
needed and add/update a .dockerignore to exclude secrets, config, and
Dockerfiles so sensitive or extraneous files are never sent to the build
context.
- Around line 23-27: Final Docker stage uses root by default; create a non-root
user, ensure ownership of /releases and any needed dirs, and set USER to that
user in the final stage. Specifically, in the final stage (the FROM
registry.access.redhat.com/ubi9/ubi-minimal:latest stage) add steps to create a
user/group (e.g. addgroup/adduser or groupadd/useradd), chown /releases to that
user, drop privileges with USER <username> before the image is finished so the
container runs non-root. Ensure files copied from builder stages remain
accessible to the non-root account.
---
Outside diff comments:
In `@images/cli/Dockerfile.konflux`:
- Around line 23-38: Add a HEALTHCHECK to the final stage of Dockerfile.konflux:
in the final image (after COPY from builder_rhel8 and builder_rhel9 and the
LABEL block) add a HEALTHCHECK instruction that periodically validates the
delivered oc-mirror binary (refer to the "oc-mirror" LABEL and the files copied
into /releases/) — e.g., invoke the shipped executable with a lightweight
command such as a version or a minimal self-check and return non-zero on
failure; include sensible options like interval and timeout so the check is not
too frequent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 41476995-2c8f-4eaa-8733-1c1167240c1a
📒 Files selected for processing (2)
images/cli/Dockerfile.artimages/cli/Dockerfile.konflux
| # Stage 1: Build and compress RHEL 8 binary | ||
| FROM registry.access.redhat.com/ubi8/go-toolset:1.24 AS builder_rhel8 | ||
| WORKDIR /go/src/github.com/openshift/oc-mirror | ||
| COPY . . |
There was a problem hiding this comment.
Avoid COPY . . in builder stages.
At Lines 7 and 16, copying the entire context increases leak risk (including accidental sensitive files) and weakens build reproducibility. Copy only required files/directories.
Suggested direction
-WORKDIR /go/src/github.com/openshift/oc-mirror
-COPY . .
+WORKDIR /go/src/github.com/openshift/oc-mirror
+COPY Makefile go.mod go.sum ./
+COPY cmd/ cmd/
+COPY internal/ internal/
+COPY pkg/ pkg/
+COPY docs/ docs/As per coding guidelines, "**/{Dockerfile,Containerfile}*: COPY specific files, not entire context."
Also applies to: 16-16
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@images/cli/Dockerfile.konflux` at line 7, Replace the unsafe "COPY . ."
usages in the builder stages with explicit COPY instructions that only add
required files and directories (e.g., COPY package.json yarn.lock ./, COPY
go.mod go.sum ./, COPY src/ ./ or COPY app/ ./) to the build context used by the
builder; update the builder-stage Dockerfile steps (look for the "COPY . ."
occurrences) to list the exact files needed and add/update a .dockerignore to
exclude secrets, config, and Dockerfiles so sensitive or extraneous files are
never sent to the build context.
Source: Coding guidelines
| # packages them as compressed tarballs in /releases/ for push-artifacts-to-cdn. | ||
|
|
||
| # Stage 1: Build and compress RHEL 8 binary | ||
| FROM registry.access.redhat.com/ubi8/go-toolset:1.24 AS builder_rhel8 |
There was a problem hiding this comment.
In the Dockerfile.art we have the following:
COPY $REMOTE_SOURCES $REMOTE_SOURCES_DIR
WORKDIR $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/app
RUN cat $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/cachito.env
RUN mkdir -p /go/src/github.com/openshift/oc-mirror
RUN ln -s $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/app /go/src/github.com/openshift/oc-mirror
WORKDIR /go/src/github.com/openshift/oc-mirror
COPY . .
RUN source $REMOTE_SOURCES_DIR/cachito-gomod-with-deps/cachito.env \
&& make build
These REMOTE_SOURCES env vars are related to the go proxy where the dependencies are stored (since we are not using vendor directory). Should we have this kind of thing also in the Dockerfile.konflux?
There was a problem hiding this comment.
I think we need to know more about the konflux environment for this. Seemingly they use cachi2 instead and may inject something automatically for this. Need to confirm.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@images/cli/Dockerfile.konflux`:
- Around line 23-27: The final image stage (the one starting with FROM
registry.access.redhat.com/ubi9/ubi-minimal:latest) is missing a HEALTHCHECK
instruction, which violates the container baseline requirements. Add a
HEALTHCHECK instruction to this final stage after the existing COPY commands to
define a health probe for the container. The HEALTHCHECK should verify that the
container is functioning properly according to its intended purpose.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 40fdc1db-bd5e-4bc9-a05d-a52c15cf5371
📒 Files selected for processing (3)
images/cli/Dockerfile.artimages/cli/Dockerfile.ciimages/cli/Dockerfile.konflux
✅ Files skipped from review due to trivial changes (1)
- images/cli/Dockerfile.ci
🚧 Files skipped from review as they are similar to previous changes (1)
- images/cli/Dockerfile.art
|
Also holding off on the recommended coderabbit changes until we can confirm what the konflux environment does automatically. |
|
/retest |
|
@dorzel should we hold this on and wait for ART? |
|
/hold |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dorzel The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@images/cli/Dockerfile.konflux`:
- Around line 23-27: Update the final ubi-minimal image stage after the release
files are copied to assign ownership of /releases/ to a non-root user, declare
that user with the Dockerfile USER instruction (for example, UID 1001), and
ensure the image runs as that user by default.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: b50db5cd-704e-4949-bb05-ba0bc88a0051
📒 Files selected for processing (3)
images/cli/Dockerfile.artimages/cli/Dockerfile.ciimages/cli/Dockerfile.konflux
🚧 Files skipped from review as they are similar to previous changes (2)
- images/cli/Dockerfile.ci
- images/cli/Dockerfile.art
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest | ||
| RUN mkdir -p /releases/ | ||
| COPY --from=builder_rhel8 /output/ /releases/ | ||
| COPY --from=builder_rhel9 /output/ /releases/ | ||
|
|
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Set a non-root user in the final image.
The final image stage uses ubi-minimal, which defaults to the root user. As per path instructions and static analysis, containers must not run as root. Define a non-root user (e.g., USER 1001) and ensure that the copied files have the appropriate ownership.
🔒 Proposed fix
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
-RUN mkdir -p /releases/
-COPY --from=builder_rhel8 /output/ /releases/
-COPY --from=builder_rhel9 /output/ /releases/
+RUN mkdir -p /releases/ && chown 1001:0 /releases/
+USER 1001
+COPY --chown=1001:0 --from=builder_rhel8 /output/ /releases/
+COPY --chown=1001:0 --from=builder_rhel9 /output/ /releases/📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest | |
| RUN mkdir -p /releases/ | |
| COPY --from=builder_rhel8 /output/ /releases/ | |
| COPY --from=builder_rhel9 /output/ /releases/ | |
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest | |
| RUN mkdir -p /releases/ && chown 1001:0 /releases/ | |
| USER 1001 | |
| COPY --chown=1001:0 --from=builder_rhel8 /output/ /releases/ | |
| COPY --chown=1001:0 --from=builder_rhel9 /output/ /releases/ |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@images/cli/Dockerfile.konflux` around lines 23 - 27, Update the final
ubi-minimal image stage after the release files are copied to assign ownership
of /releases/ to a non-root user, declare that user with the Dockerfile USER
instruction (for example, UID 1001), and ensure the image runs as that user by
default.
Sources: Path instructions, Linters/SAST tools
|
@dorzel: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Description
Creates Dockerfile.konflux for konflux release pipeline consumption as part of our transition out of the release payload. See the linked jira issue for more info.
Also removes the
operator=truefrom our .art Dockerfile.Github / Jira issue: https://redhat.atlassian.net/browse/CLID-663
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.
Expected Outcome
Please describe the outcome expected from the tests.
Summary by CodeRabbit
oc-mirror, producing artifacts aligned to both UBI8 and UBI9 environments and packaging them into a final release-ready image.