From a6f91f586a7969246fa5c21d879a3f7e7794d79a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Rop=C3=A9?=
Date: Wed, 26 Mar 2025 17:23:46 +0100
Subject: [PATCH 1/3] Dockerfile.openshift: use build args to reduce the differences with upstream
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is preliminary cleanup, meant to reduce and explain the differences betweek the upstream Dockerfile, and the downstream Dockerfile.openshift. Rather than hardcoding the values we need in the Dockerfile, use build environment variables to pass the parameters during build. Also removing some comments that make the diff bigger than it should. Variables typically don't need to be commented out when we don't use them. This reduces the differences with upstream's Dockerfile, and should ease its maintenance.
Signed-off-by: Julien Ropé
---
 .tekton/caa-build-args.env | 3 +++
 .tekton/osc-caa-pull-request.yaml | 2 ++
 .tekton/osc-caa-push.yaml | 2 ++
 src/cloud-api-adaptor/Dockerfile.openshift | 29 +++++++++++++++-------
 4 files changed, 27 insertions(+), 9 deletions(-)
 create mode 100644 .tekton/caa-build-args.env
diff --git a/.tekton/caa-build-args.env b/.tekton/caa-build-args.env
new file mode 100644
index 000000000..d58124fda
--- /dev/null
+++ b/.tekton/caa-build-args.env
@@ -0,0 +1,3 @@
+BUILD_TYPE=release
+RELEASE_BUILD=true
+YQ_VERSION=v4.35.1
diff --git a/.tekton/osc-caa-pull-request.yaml b/.tekton/osc-caa-pull-request.yaml
index 30ff2322d..a3a28a484 100644
--- a/.tekton/osc-caa-pull-request.yaml
+++ b/.tekton/osc-caa-pull-request.yaml
@@ -31,6 +31,8 @@ spec:
 value: cloud-api-adaptor/Dockerfile.openshift
 - name: path-context
 value: src
+ - name: build-args-file
+ value: '.tekton/caa-build-args.env'
 pipelineSpec:
 description: |
 This pipeline is ideal for building container images from a Containerfile while reducing network traffic.
diff --git a/.tekton/osc-caa-push.yaml b/.tekton/osc-caa-push.yaml
index b0219f707..f084210cb 100644
--- a/.tekton/osc-caa-push.yaml
+++ b/.tekton/osc-caa-push.yaml
@@ -28,6 +28,8 @@ spec:
 value: cloud-api-adaptor/Dockerfile.openshift
 - name: path-context
 value: src
+ - name: build-args-file
+ value: '.tekton/caa-build-args.env'
 pipelineSpec:
 description: |
 This pipeline is ideal for building container images from a Containerfile while reducing network traffic.
diff --git a/src/cloud-api-adaptor/Dockerfile.openshift b/src/cloud-api-adaptor/Dockerfile.openshift
index fa02399e8..03a65a9ed 100644
--- a/src/cloud-api-adaptor/Dockerfile.openshift
+++ b/src/cloud-api-adaptor/Dockerfile.openshift
@@ -1,11 +1,21 @@
 # This Dockerfile is a copy of the upstream one, customized for Openshift builds
 # We're commenting out everything not necessary for our build, so that it's
 # easy to diff and sync with upstream changes.
+# The parameters for the build comes from a separate file in the .tekton folder.
+# For a local build, use:
+# $ podman build --build-arg-file ../../.tekton/caa-build-args.env .. -f Dockerfile.openshift
+#
+# Note on base images: we can't use variables in the "FROM" line of our Dockerfiles,
+# because we need to be able to track down what is used to build our containers,
+# and the automation we use to log that can't rely on variables.
+# Also, having the URL harcoded here allows Mintmaker to make update PRs when
+# our image can be updated.
+#
 ############
-ARG BUILD_TYPE=release
-#ARG BUILDER_BASE=quay.io/confidential-containers/golang-fedora:1.22.7-40
-#ARG BASE=registry.fedoraproject.org/fedora:40
+ARG BUILD_TYPE=dev
+ARG BUILDER_BASE=quay.io/confidential-containers/golang-fedora:1.22.11-40
+ARG BASE=registry.fedoraproject.org/fedora:40
 # This dockerfile uses Go cross-compilation to build the binary,
 # we build on the host platform ($BUILDPLATFORM) and then copy the
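Review bot: `ARG BUILD_TYPE=dev` changes the fallback for a build that is not given `.tekton/caa-build-args.env`, and since this file later does `FROM builder-${BUILD_TYPE} AS builder` while no `builder-dev` stage is visible in any hunk of this series, a plain `podman build` without `--build-arg-file` would presumably fail at that FROM rather than produce a dev build; worth confirming, or keeping `release` as the default. The new `ARG BUILDER_BASE` and `ARG BASE` defaults carry pinned image references that, by the comment right above them, no FROM line in this file consumes, so they are dead values that can drift from the real builders; a marker such as `# Unused downstream (the FROM lines below are hard-coded); kept only to minimise the diff with upstream.` would make that explicit. `harcoded` in the added comment is a typo for `hardcoded`.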
@@ -13,7 +23,7 @@ ARG BUILD_TYPE=release
 # that was specified with --platform. For more details see:
 # https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
 FROM registry.access.redhat.com/ubi9/go-toolset:1.22.9-1739801907 AS builder-release
-ARG YQ_VERSION=v4.35.1
+ARG YQ_VERSION
 # "USER root" is required for podman builds
 USER root
 # the build process assumes go is under "/go", so let's make sure it works
@@ -39,7 +49,7 @@ RUN --mount=type=bind,source=activation-key,target=/activation-key \
 RUN dnf install -y libvirt-devel && dnf clean all
 FROM builder-${BUILD_TYPE} AS builder
-ARG RELEASE_BUILD=true
+ARG RELEASE_BUILD
 ARG COMMIT
 ARG VERSION
 ARG TARGETARCH
@@ -64,11 +74,12 @@ ENV PATH=/opt/app-root/src/go/bin:$PATH
 RUN CC=gcc make ARCH=$TARGETARCH COMMIT=$COMMIT VERSION=$VERSION RELEASE_BUILD=$RELEASE_BUILD cloud-api-adaptor
 # FROM builder-release AS iptables
-#
-#ARG TARGETARCH
-#
+
+ARG TARGETARCH
+
+# Downstream change: our target image (RHEL/ubi9) doesn't use iptables, but nftables.
+# We don't need all those things in our image.
 # WORKDIR /iptables
-# ENV PATH=/opt/app-root/src/go/bin:$PATH
 # RUN --mount=type=bind,target=/versions.yaml,source=cloud-api-adaptor/versions.yaml,readonly \
 # version=$(yq -r .tools.iptables-wrapper /versions.yaml) && \
 # GOARCH=$TARGETARCH go install "github.com/kubernetes-sigs/iptables-wrappers@$version" && \
From a85b445f125320a6e7855fdcd452b54833560bff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Rop=C3=A9?=
Date: Wed, 26 Mar 2025 11:06:05 +0100
Subject: [PATCH 2/3] Dockerfile.openshift: remove the activation key mount command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This was added by mistake - needed for local build, but not in the repo. It doesn't break the build as Konflux actually sets this same folder by itself, but it should not be left by default.
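Review bot: `ARG YQ_VERSION` now has no default, so a build that is not fed `.tekton/caa-build-args.env` runs `go install github.com/mikefarah/yq/v4@$YQ_VERSION` (the line just after this hunk) with an empty version and presumably fails with an unrelated-looking go error; `ARG RELEASE_BUILD` in the next hunk has the same gap, forwarding an empty `RELEASE_BUILD=` to `make`. Either restore the previous values as defaults (the env file still overrides them) or fail early with a clear message, e.g. `RUN test -n "$YQ_VERSION" || { echo "YQ_VERSION build arg is required (see .tekton/caa-build-args.env)" >&2; exit 1; }` right after the ARG.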
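Review bot: The un-commented `ARG TARGETARCH` sits under a `# FROM builder-release AS iptables` line that is still a comment, so it is not declared in an iptables stage but re-declared in the preceding `builder` stage, which already has `ARG TARGETARCH` (hunk `@@ -39,7 +49,7`); it is a no-op, but it reads as if a live stage started here. Given the new comment says the iptables stage is intentionally dropped downstream, keeping the line commented like its neighbours (`#ARG TARGETARCH`) and placing the two explanatory lines directly under `# FROM builder-release AS iptables` would make the intent clear at a glance. The commented-out stage continues past the end of this hunk.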
Signed-off-by: Julien Ropé
---
 src/cloud-api-adaptor/Dockerfile.openshift | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/cloud-api-adaptor/Dockerfile.openshift b/src/cloud-api-adaptor/Dockerfile.openshift
index 03a65a9ed..295fbc442 100644
--- a/src/cloud-api-adaptor/Dockerfile.openshift
+++ b/src/cloud-api-adaptor/Dockerfile.openshift
@@ -29,11 +29,11 @@ USER root
 # the build process assumes go is under "/go", so let's make sure it works
 RUN ln -s /opt/app-root/src/go /go
 RUN go install github.com/mikefarah/yq/v4@$YQ_VERSION
-# This registering RHEL when building on an unsubscribed system
+
+# This registers RHEL when building on an unsubscribed system
 # If you are running a UBI container on a registered and subscribed RHEL host,
 # the main RHEL Server repository is enabled inside the standard UBI container.
-RUN --mount=type=bind,source=activation-key,target=/activation-key \
- if command -v subscription-manager; then \
+RUN if command -v subscription-manager; then \
 REPO_ARCH=$(uname -m) && \
 subscription-manager register --org "$(cat /activation-key/org)" --activationkey "$(cat /activation-key/activationkey)" && \
 subscription-manager repos --enable rhel-9-for-${REPO_ARCH}-appstream-rpms --enable codeready-builder-for-rhel-9-${REPO_ARCH}-rpms; \
From e5ea2420469fe0d74f42c5dca908a1c09949d90a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Rop=C3=A9?=
Date: Tue, 25 Mar 2025 16:45:56 +0100
Subject: [PATCH 3/3] Change builder image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use golang 1.23 from openshift builder images. Had to modify the Makefile as part of this, because our new builder image has a wrapper script around "go" that doesn't like the line break in the LDFLAGS parameters as written in our Makefile. This results in a parsing error that provides go with unclosed quotes in the parameters it receives. I'm splitting the option in the Makefile so that we get something that builds.
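Review bot: With the bind mount removed, the `RUN` still reads `/activation-key/org` and `/activation-key/activationkey`, and nothing in the Dockerfile now records where that directory is expected to come from; the commit message says the Konflux build supplies it, but on any other host where `subscription-manager` exists the `$(cat …)` substitutions expand to empty strings (a failing `cat` inside `$()` does not break the `&&` chain) and `register` fails with a misleading error. A guard such as `if command -v subscription-manager && test -r /activation-key/activationkey; then \` makes the dependency explicit and lets hosts without a key skip registration, and a comment like `# /activation-key is mounted by the Konflux build, never copied into the image` documents the contract and why it must stay a mount rather than a COPY. The rest of the RUN, including any unregister step, is outside this hunk.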
Signed-off-by: Julien Ropé
---
 podvm-payload/Dockerfile | 7 +++++--
 src/cloud-api-adaptor/Dockerfile.openshift | 14 ++++++--------
 src/cloud-api-adaptor/Makefile | 9 +++++++--
 src/webhook/Dockerfile | 4 ++--
 4 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/podvm-payload/Dockerfile b/podvm-payload/Dockerfile
index bd97fe89a..5bf2739a0 100644
--- a/podvm-payload/Dockerfile
+++ b/podvm-payload/Dockerfile
@@ -1,6 +1,5 @@
 ## GOLANG ##
-FROM registry.access.redhat.com/ubi9/go-toolset:1.22.9-1739801907 as go_builder
-USER root
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.23 as go_builder
 ARG ARCH
 ENV ARCH=${ARCH}
@@ -10,6 +9,10 @@ COPY src/cloud-api-adaptor /workdir
 # binary: agent-protocol-forwarder, proccess-user-data (golang)
 WORKDIR /workdir
+# openshift-golang-builder: GOFLAGS is set to "-mod=vendor" by default in our builder image.
+# We need to disable that to keep the build running.
+# Taking this opportunity to set our downstream build options
+ENV GOFLAGS="-tags=strictfipsruntime,aws,azure,ibmcloud,vsphere,libvirt,gcp"
 RUN CGO_ENABLED=1 GOOS=linux go build \
 -ldflags=-X=github.com/openshift/cloud-api-adaptor/cmd.VERSION=${CI_CLOUD_API_ADAPTOR_UPSTREAM_VERSION} \
 -ldflags=-X=github.com/openshift/cloud-api-adaptor/cmd.COMMIT=${CI_CLOUD_API_ADAPTOR_UPSTREAM_COMMIT} \
diff --git a/src/cloud-api-adaptor/Dockerfile.openshift b/src/cloud-api-adaptor/Dockerfile.openshift
index 295fbc442..117dbf693 100644
--- a/src/cloud-api-adaptor/Dockerfile.openshift
+++ b/src/cloud-api-adaptor/Dockerfile.openshift
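Review bot: `FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.23` is a floating tag that only fixes the Go minor, whereas the `go-toolset:1.22.9-1739801907` tag it replaces named one specific build; the same swap is made in `src/cloud-api-adaptor/Dockerfile.openshift` (`@@ -22,12 +22,11`) and `src/webhook/Dockerfile` (`@@ -1,5 +1,5`). Patch 1 of this series hard-codes FROM references precisely so that what built an image can be traced and bumped by automation, which only holds if the reference is exact: pin each as `openshift-golang-builder:rhel_9_golang_1.23@sha256:<digest of the chosen build>` (placeholder) so two builds of the same commit use the same toolchain. The `ubi-micro:latest` final stage in the trailing context of the webhook Dockerfile predates this series but has the same gap.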
@@ -22,12 +22,11 @@ ARG BASE=registry.fedoraproject.org/fedora:40
 # binary into the container image of the target platform ($TARGETPLATFORM)
 # that was specified with --platform. For more details see:
 # https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
-FROM registry.access.redhat.com/ubi9/go-toolset:1.22.9-1739801907 AS builder-release
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.23 AS builder-release
+# openshift-golang-builder: GOFLAGS is set to "-mod=vendor" by default in our builder image.
+# We need to disable that to keep the build running.
+ENV GOFLAGS=""
 ARG YQ_VERSION
-# "USER root" is required for podman builds
-USER root
-# the build process assumes go is under "/go", so let's make sure it works
-RUN ln -s /opt/app-root/src/go /go
 RUN go install github.com/mikefarah/yq/v4@$YQ_VERSION
 # This registers RHEL when building on an unsubscribed system
@@ -53,7 +52,6 @@ ARG RELEASE_BUILD
 ARG COMMIT
 ARG VERSION
 ARG TARGETARCH
-USER root
 WORKDIR /work
 COPY cloud-api-adaptor/go.mod cloud-api-adaptor/go.sum ./cloud-api-adaptor/
@@ -69,8 +67,8 @@ COPY cloud-api-adaptor/proto ./proto
 # Set the desired cloud providers for our downstream build (not upsream default)
 ENV BUILTIN_CLOUD_PROVIDERS="strictfipsruntime aws azure ibmcloud vsphere libvirt gcp"
-# Make sure the PATH and GOPATH are set appropriately - our builder image being different, the upstream scripts fail otherwise
-ENV PATH=/opt/app-root/src/go/bin:$PATH
+# Make sure the PATH is set appropriately - our builder image being different, the upstream scripts fail otherwise
+ENV PATH=$GOPATH/bin:$PATH
 RUN CC=gcc make ARCH=$TARGETARCH COMMIT=$COMMIT VERSION=$VERSION RELEASE_BUILD=$RELEASE_BUILD cloud-api-adaptor
 # FROM builder-release AS iptables
diff --git a/src/cloud-api-adaptor/Makefile b/src/cloud-api-adaptor/Makefile
index 502340e7c..35a0bcb56 100644
--- a/src/cloud-api-adaptor/Makefile
+++ b/src/cloud-api-adaptor/Makefile
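Review bot: `ENV PATH=$GOPATH/bin:$PATH` is expanded at build time from the stage's environment, so it only yields a usable path if the new builder image exports `GOPATH` as an image `ENV`; if GOPATH is merely the go tool's computed default, the instruction silently becomes `PATH=/bin:$PATH` and whatever `go install` placed in the Go bin directory (the `yq` installed earlier in this file) is not on the path of the `make` on the last line of this hunk. The line it replaces was an explicit directory, so this is a new assumption — verify it with `podman run --rm brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.23 sh -c 'echo $GOPATH'` or keep an explicit path, and record the outcome in the comment, e.g. `# GOPATH is exported as an ENV by openshift-golang-builder, so $GOPATH/bin resolves at build time`.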
@@ -76,8 +76,13 @@ help: ## Display this help.
 VERSION ?= $(shell git describe --match "v[0-9]*" --tags 2> /dev/null | sed -E 's/-[0-9]+-g[0-9a-f]+$$/-dev/' || echo unknown)
 COMMIT ?= $(shell cat .git-commit)
-GOFLAGS += -ldflags="-X 'github.com/openshift/cloud-api-adaptor/src/cloud-api-adaptor/cmd.VERSION=$(VERSION)' \
- -X 'github.com/openshift/cloud-api-adaptor/src/cloud-api-adaptor/cmd.COMMIT=$(COMMIT)'"
+# Dowstream change: split the ldflags definition in two lines.
+# Our builder image has a wrapper script on "go", which parses the parameters
+# before giving them to the actual binary. This parsing has an issue with the
+# line break here, which results in invalid parameters given to the "go" binary.
+# Splitting the lines here is the easiest way to avoid the problem.
+GOFLAGS += -ldflags=-X='github.com/openshift/cloud-api-adaptor/src/cloud-api-adaptor/cmd.VERSION=$(VERSION)'
+GOFLAGS += -ldflags=-X='github.com/openshift/cloud-api-adaptor/src/cloud-api-adaptor/cmd.COMMIT=$(COMMIT)'
 # Build tags required to build cloud-api-adaptor are derived from BUILTIN_CLOUD_PROVIDERS.
 # When libvirt is specified, CGO_ENABLED is set to 1.
diff --git a/src/webhook/Dockerfile b/src/webhook/Dockerfile
index 437638d45..36189cf63 100644
--- a/src/webhook/Dockerfile
+++ b/src/webhook/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM registry.access.redhat.com/ubi9/go-toolset:1.22.9-1739801907 AS builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.23 AS builder
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -18,7 +18,7 @@ COPY pkg/ pkg/
 # Build
 ARG TARGETARCH
 ENV GOFLAGS="-tags=strictfipsruntime"
-USER root
+
 RUN CGO_ENABLED=1 GOOS=linux GOARCH=$TARGETARCH go build -mod=readonly -a -o manager main.go
 FROM registry.access.redhat.com/ubi9/ubi-micro:latest
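Review bot: Whether the single quotes in `-ldflags=-X='github.com/…/cmd.VERSION=$(VERSION)'` are stripped before `go` sees them depends on how `$(GOFLAGS)` is passed, which this hunk does not show: expanded by the shell on the `go build` command line they disappear and the flag works, but exported as the `GOFLAGS` environment variable they are kept literally (the go tool splits that variable on whitespace only, and an `-ldflags` value is quote-aware only at the start of a field), the linker then gets `-X` for a symbol named `'github.com/…/cmd.VERSION` that does not exist, and `-X` on an unknown symbol is ignored without error, leaving VERSION and COMMIT unset. `$(VERSION)` comes from `git describe` and `$(COMMIT)` from a file holding a commit id, neither of which contains whitespace, so the quotes are unnecessary and `GOFLAGS += -ldflags=-X=github.com/openshift/cloud-api-adaptor/src/cloud-api-adaptor/cmd.VERSION=$(VERSION)` (same for COMMIT) works on both paths. Checking the version the built binary reports after this change would settle it.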