CPBR-2361: Ubi9-Micro migration of cp-enterprise-replicator and cp-enterprise-replicator-executable #132

Open
Krish Vora (KrishVora01) wants to merge 17 commits into master from micro-migration-ubi9

@KrishVora01 Krish Vora (KrishVora01) commented Feb 17, 2026

Summary

Migrates cp-enterprise-replicator and cp-enterprise-replicator-executable Docker images from the to ubi9 micro base.

More details at: https://confluentinc.atlassian.net/wiki/spaces/OAAC/pages/4381213566/Distroless+and+Ubi9+micro+estimations

Testing

Tested images: via the latest PR CI build:

Built images using the cp-server changes in confluentinc/kafka-images#454 .

Wrote tests using Claude: https://confluentinc.atlassian.net/wiki/x/SwFrNgE

Ran end-to-end Docker image validation tests for cp-enterprise-replicator and cp-enterprise-replicator-executable dev images (dev-master-258b3a8c-ubi9.arm64), comparing them against the publicly available 8.1.0 release images to verify no regressions. Tests covered image metadata (architecture, CMD, entrypoint, ports, labels), non-root user execution (UID 1000), Java 21 LTS presence, all key binaries (connect-distributed, kafka-topics, replicator, ub, etc.), replicator JAR completeness (423 JARs including connect-replicator-8.3.0-0.jar and replicator-rest-extension-8.3.0-0.jar), plugin paths, volume mount points, directory write permissions, config templates, replicator --help CLI validation, and security checks (no SUID/SGID binaries, no package manager on ubi9-micro). Docker scripts (run, configure, ensure, launch) are byte-for-byte identical between dev and public 8.1.0. Expected differences include the base image change from ubi9-minimal to ubi9-micro, version bumps for packages from 8.1.0 to 8.3.0 release train, and, as expected, a few additional JARs for new dependencies like affinity, disruptor, and confluent-k2-metadata.

Local redhat certification of cp-enterprise-replicator image and cp-enterprise-replicator-executable image:

image image

CFK e2e tests will be run post merging this PR. Ref: https://confluentinc.atlassian.net/wiki/spaces/CLUSTER/pages/4838985855/Self-Service+CFK+E2E+Testing+-+User+Manual
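
The security checks named in the testing notes above (no SUID/SGID binaries, no package manager, a non-root UID 1000 account) can be scripted against an image filesystem that has been exported to a directory. This is an added example, not code from this PR or from the project; the binary names in PKG_MANAGERS, the BIN_DIRS list and the extra UID 0 account check are assumptions.

```shell
# Added example: audit an exported image root filesystem (a plain directory).
# PKG_MANAGERS, BIN_DIRS and the extra-UID-0 check are assumptions, not from the PR.
PKG_MANAGERS="dnf microdnf yum"
BIN_DIRS="usr/bin usr/sbin usr/local/bin bin sbin"

# Print every regular file that carries the SUID or SGID bit.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print the path of each package manager binary found in the image.
find_pkg_managers() {
    for dir in $BIN_DIRS; do
        # /bin and /sbin are often symlinks into /usr; skip them to avoid duplicates.
        if [ -L "$1/$dir" ]; then continue; fi
        for pm in $PKG_MANAGERS; do
            if [ -e "$1/$dir/$pm" ] || [ -L "$1/$dir/$pm" ]; then
                echo "$1/$dir/$pm"
            fi
        done
    done
}

# Print account names other than "root" that map to UID 0.
find_extra_uid0() {
    [ -f "$1/etc/passwd" ] || return 0
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Succeed only if the image's passwd file has an entry for the given UID.
has_uid() {
    [ -f "$1/etc/passwd" ] || return 1
    awk -F: -v uid="$2" '$3 == uid { found = 1 } END { exit !found }' "$1/etc/passwd"
}

# Run every check, print findings, and return the number of failed checks.
audit_rootfs() {
    root=$1; uid=${2:-1000}; failed=0
    out=$(find_setid_files "$root")
    [ -z "$out" ] || { echo "FAIL SUID/SGID files:"; echo "$out"; failed=$((failed + 1)); }
    out=$(find_pkg_managers "$root")
    [ -z "$out" ] || { echo "FAIL package manager present:"; echo "$out"; failed=$((failed + 1)); }
    out=$(find_extra_uid0 "$root")
    [ -z "$out" ] || { echo "FAIL extra UID 0 accounts: $out"; failed=$((failed + 1)); }
    has_uid "$root" "$uid" || { echo "FAIL no passwd entry for UID $uid"; failed=$((failed + 1)); }
    return "$failed"
}

if [ "$#" -gt 0 ]; then audit_rootfs "$@"; fi  # usage: sh audit.sh <rootfs-dir> [uid]
```

The return code is the number of failed checks, so a CI step can gate on it directly.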

Rewrite replicator/Dockerfile.ubi9 as a 3-stage multi-stage build
following the proven pattern from cp-server and cp-server-connect-base:

- Stage 1 (tools): Pull package_dedupe from cp-server-connect-base
- Stage 2 (builder): Install confluent-kafka-connect-replicator into
  /microdir using dnf --installroot for clean isolation
- Stage 3 (final): Selectively copy only replicator-specific binaries
  (replicator, replicator-verifier) to avoid overwriting base image
  system files that cause RedHat certification failures

Also update replicator/pom.xml to pass UBI9_VERSION build arg to both
Maven Docker plugins, and update replicator-executable/Dockerfile.ubi9
to use ${APP_UID}:${APP_GID} instead of hardcoded appuser for
consistency with the micro pattern.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@KrishVora01 Krish Vora (KrishVora01) requested a review from a team as a code owner February 17, 2026 05:21
Copilot AI review requested due to automatic review settings February 17, 2026 05:21
Copilot AI left a comment

Pull request overview

This PR migrates the Confluent Replicator Docker images to use the UBI9 micro multi-stage build pattern. The migration addresses RedHat certification failures by selectively copying only replicator-specific binaries instead of blindly copying entire directories that could overwrite critical base image files.

Changes:

  • Rewrote replicator/Dockerfile.ubi9 as a 3-stage multi-stage build (tools → builder → final) following the established pattern from cp-server and cp-server-connect-base
  • Added UBI9_VERSION build argument configuration to both Maven Docker plugins (spotify and fabric8) in replicator/pom.xml
  • Updated both Dockerfiles to use ${APP_UID}:${APP_GID} variables instead of hardcoded appuser for consistency with the micro pattern

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| replicator/pom.xml | Adds UBI9_VERSION build arg configuration for both spotify and fabric8 Maven Docker plugins to support the new multi-stage build |
| replicator/Dockerfile.ubi9 | Complete rewrite to 3-stage multi-stage build with selective binary copying, user database file cleanup, and migration to APP_UID/APP_GID variables |
| replicator-executable/Dockerfile.ubi9 | Updates user/group management to use APP_UID/APP_GID variables instead of hardcoded appuser for consistency |

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@KrishVora01 Krish Vora (KrishVora01) marked this pull request as draft February 17, 2026 05:49
Point DOCKER_UPSTREAM_REGISTRY to dev registry and use
dev-master-f2472ac2 tag to pull micro cp-server-connect-base
from kafka-images PR #454. This is temporary until the micro
base images are promoted to prod.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…enterprise-replicator

RedHat certification check "LayerCountAcceptable" requires < 40 layers.
Use RUN --mount=type=bind,from=builder to replace 5 COPY --from=builder
and 1 RUN with a single layer, reducing final image from 44 to 38 layers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…n compatibility

The Spotify dockerfile-maven-plugin used in CI does not support BuildKit
syntax (RUN --mount). Replace with standard multi-source COPY instructions
that consolidate /usr/bin/ files into a single layer to keep image layer
counts under the Red Hat certification limit of 40 (LayerCountAcceptable).

- replicator/Dockerfile.ubi9: 2 /usr/bin/ COPYs → 1 multi-source COPY (save 1 layer)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Spotify dockerfile-maven-plugin v1.4.13 does not support variable
expansion in COPY --chown (e.g. ${APP_UID}:${APP_GID}), causing build
failure: "can't find uid for user : no such user:".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@KrishVora01 Krish Vora (KrishVora01) changed the title Migrate replicator images to UBI9 micro multi-stage build CPBR-2361: Ubi9-Micro migration of cp-enterprise-replicator and cp-enterprise-replicator-executable Feb 23, 2026
Point DOCKER_UPSTREAM_REGISTRY to dev registry and use
dev-master-7a34d9f1 tag to pull micro cp-server-connect-base
for testing. This is temporary and will be reverted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@KrishVora01 Krish Vora (KrishVora01) marked this pull request as ready for review February 26, 2026 04:59
Point DOCKER_UPSTREAM_REGISTRY to dev registry and use
dev-master-9dc282ab tag to pull micro cp-server-connect
for testing. This is temporary and will be reverted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Point DOCKER_UPSTREAM_REGISTRY to dev registry and use
dev-master-9dc282ab tag to pull micro cp-server-connect
for testing. This is temporary and will be reverted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>