# Tool-provider stages. Nothing runs in them; individual files are copied out of them further
# down (oras, select-oci-auth, get-reference-base, the cosign-linux-*.gz archives, roxctl).
# The oras reference carries a digest, so its ":latest" tag is informational only; the two
# registry.redhat.io images are pinned by tag/build number without a digest.
FROM quay.io/konflux-ci/oras:latest@sha256:6cea0b9e142c2e18429f5cd30d716715d932047cbf1631334c5c31f7e47c3a19 as oras
FROM registry.redhat.io/rhtas/cosign-rhel9:1.3.3-1773309431 as cosign
FROM registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:4.10.3-1 as roxctl
# Final (unnamed) stage: UBI 10 base plus the tools and Python code installed below.
FROM registry.access.redhat.com/ubi10/ubi:10.1-1778562845
# Versions of the tools fetched from upstream release assets in the RUN steps below.
# NOTE(review): COSIGN_VERSION is not referenced anywhere in this Dockerfile (cosign v1 comes
# from the "cosign" stage, cosign3 uses COSIGN3_VERSION); confirm whether it can be dropped.
ARG COSIGN_VERSION=2.4.1
ARG COSIGN3_VERSION=3.0.4
ARG KUBECTL_VERSION=1.27.2
ARG OPM_VERSION=v1.50.0
ARG YQ_VERSION=4.34.1
ARG GLAB_VERSION=1.51.0
ARG GH_VERSION=2.82.1
ARG SYFT_VERSION=1.19.0
ARG KUBEARCHIVE_VERSION=1.17.3
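# Fetch CLI tools (yq, kubectl, opm, glab, gh, syft, kubectl-ka) from their upstream release
# assets for the build architecture, at the versions pinned by the ARGs above.
# - x86_64/aarch64 are mapped to the Go arch names used in the asset URLs; any other
#   architecture aborts the build instead of building URLs with an empty GO_ARCH.
# - curl -f turns an HTTP error into a non-zero exit instead of saving the error page as the
#   binary; pipefail makes a failed download inside the "curl | tar" pipelines fail the layer.
# NOTE(review): none of these downloads is verified against a published checksum or signature.
RUN set -o pipefail && \
    ARCH=$(uname -m) && \
    case "$ARCH" in \
        x86_64)  GO_ARCH="amd64" ;; \
        aarch64) GO_ARCH="arm64" ;; \
        *) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
    esac && \
    curl -fsSL https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_${GO_ARCH} -o /usr/bin/yq && \
    curl -fsSL https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${GO_ARCH}/kubectl -o /usr/bin/kubectl && \
    curl -fsSL https://github.com/operator-framework/operator-registry/releases/download/${OPM_VERSION}/linux-${GO_ARCH}-opm -o /usr/bin/opm && \
    curl -fsSL https://gitlab.com/gitlab-org/cli/-/releases/v${GLAB_VERSION}/downloads/glab_${GLAB_VERSION}_linux_${GO_ARCH}.tar.gz | tar -C /usr -xzf - bin/glab && \
    curl -fsSL https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${GO_ARCH}.tar.gz | tar -C /usr -xzf - --strip=1 gh_${GH_VERSION}_linux_${GO_ARCH}/bin/gh && \
    curl -fsSL https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_${GO_ARCH}.tar.gz | tar -C /usr/bin/ -xzf - syft && \
    curl -fsSL https://github.com/kubearchive/kubearchive/releases/download/v${KUBEARCHIVE_VERSION}/kubectl-ka-linux-${GO_ARCH} -o /usr/bin/kubectl-ka && \
    chmod +x /usr/bin/{yq,kubectl,opm,glab,gh,syft,kubectl-ka}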
# Add the EPEL 10 release package (repo definitions) directly from its download URL.
# NOTE(review): a package installed from a URL is not covered by the per-repository gpgcheck
# that applies to repo-installed packages, and "latest" is not a pinned release; confirm how
# this package is verified and whether a later dnf step actually needs EPEL.
RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
# oras plus two helper scripts from the Konflux oras image.
COPY --from=oras /usr/bin/oras /usr/bin/oras
COPY --from=oras /usr/local/bin/select-oci-auth /usr/local/bin/select-oci-auth
COPY --from=oras /usr/local/bin/get-reference-base /usr/local/bin/get-reference-base
# Stage the per-architecture cosign archives; the matching one is unpacked in the next RUN.
# Note that this COPY is its own layer, so the "rm -f" below does not shrink the image.
COPY --from=cosign /usr/local/bin/cosign-linux-*.gz /tmp/
# Unpack the cosign binary matching the build architecture from the archives staged in /tmp.
# Supported: x86_64, aarch64, ppc64le, s390x; any other architecture aborts the build.
RUN ARCH=$(uname -m) && \
    case "$ARCH" in \
        x86_64)  COSIGN_ARCH="amd64" ;; \
        aarch64) COSIGN_ARCH="arm64" ;; \
        ppc64le) COSIGN_ARCH="ppc64le" ;; \
        s390x)   COSIGN_ARCH="s390x" ;; \
        *) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
    esac && \
    gunzip -c /tmp/cosign-linux-${COSIGN_ARCH}.gz > /usr/local/bin/cosign && \
    chmod +x /usr/local/bin/cosign && \
    rm -f /tmp/cosign-linux-*.gz
# Install cosign v3 alongside the v1 binary, as /usr/local/bin/cosign3, from the upstream
# GitHub release at COSIGN3_VERSION. x86_64/aarch64 are renamed to the upstream asset names;
# other values of uname -m are used as-is.
# NOTE(review): the download is not verified against a published checksum or signature.
RUN ARCH=$(uname -m) && \
    case "$ARCH" in \
        x86_64)  ARCH=amd64 ;; \
        aarch64) ARCH=arm64 ;; \
    esac && \
    curl -LsSf https://github.com/sigstore/cosign/releases/download/v${COSIGN3_VERSION}/cosign-linux-${ARCH} -o /usr/local/bin/cosign3 && \
    chmod +x /usr/local/bin/cosign3
# roxctl (RHACS CLI) from the Red Hat roxctl image.
COPY --from=roxctl /usr/bin/roxctl /usr/bin/roxctl
# Install uv via curl
# NOTE(review): this executes an unpinned remote installer script at build time with no
# version pin or checksum, so the uv version in the image changes between builds.
RUN curl -LsSf https://astral.sh/uv/install.sh | sh && \
mv /root/.local/bin/uv /usr/local/bin/uv
# Enable the CodeReady Builder repo for this architecture; it supplies the -devel packages
# installed in the next step.
RUN dnf install -y 'dnf-command(config-manager)' && \
dnf config-manager --set-enabled codeready-builder-for-ubi-10-$(arch)-rpms
# OS packages for the runtime and for building the Python dependencies below.
# gcc, python3-devel and krb5-devel are build-time only (gssapi compiles against them);
# gcc is removed later, the -devel packages are not.
# NOTE(review): no package versions are pinned, so the package set varies with repo contents.
RUN dnf -y --setopt=tsflags=nodocs install \
git \
git-lfs \
jq \
python3-devel \
diffutils \
python3-pip \
python3-requests \
python3-rpm \
rpm-build \
skopeo \
krb5-libs \
krb5-devel \
krb5-workstation \
openssl \
rsync \
gcc \
python3-qpid-proton \
zip \
&& dnf clean all
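# Install exodus-rsync as /usr/local/bin/rsync so it is found ahead of the rsync installed from
# dnf above (same command-line contract, different backend). Written straight to its destination
# instead of via the build's working directory. curl -f makes an HTTP error fail the layer
# rather than leaving an error page installed as "rsync".
# NOTE(review): "releases/latest" is not a pinned version and the download is not checksum-verified.
RUN curl -fsSL https://github.com/release-engineering/exodus-rsync/releases/latest/download/exodus-rsync \
        -o /usr/local/bin/rsync && \
    chmod +x /usr/local/bin/rsync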
# Copy utils before installation
COPY utils /home/utils
# Install Python dependencies using uv
COPY README.md pyproject.toml uv.lock /home/
RUN uv pip install -r /home/pyproject.toml --system && \
uv --directory /home/ pip install . --system && \
# Remove PyPI's python-qpid-proton so the system RPM (python3-qpid-proton) takes precedence.
# The PyPI wheel bundles its own OpenSSL which doesn't use the system CA trust store.
# The system RPM is properly linked to the distro's OpenSSL and respects /etc/pki/ca-trust.
pip uninstall -y python-qpid-proton
# remove gcc, required only for compiling gssapi indirect dependency of pubtools-pulp via pushsource
# NOTE(review): removing in a separate layer drops gcc from the runtime filesystem but does not
# reclaim the space of the install layer above; python3-devel and krb5-devel stay installed.
RUN dnf -y remove gcc
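# Add the internal IT root CAs to the system trust store and rebuild the bundle, so that TLS
# clients in the image (and REQUESTS_CA_BUNDLE below) trust services issued under them.
# COPY rather than ADD: these are plain local PEM files, and ADD's extra behaviors
# (archive auto-extraction, remote URLs) are neither needed nor wanted here.
COPY data/certs/2015-IT-Root-CA.pem data/certs/2022-IT-Root-CA.pem /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust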
# Application code. These directories are added to PATH / PYTHONPATH at the end of the file,
# so they are the image's executable surface; they are copied after the dependency install
# so that source-only changes reuse the layers above.
COPY pyxis /home/pyxis
COPY integration-tests /home/integration-tests
COPY scripts /home/scripts
COPY templates /home/templates
COPY kafka /home/kafka
COPY pubtools-pulp-wrapper /home/pubtools-pulp-wrapper
COPY pubtools-marketplacesvm-wrapper /home/pubtools-marketplacesvm-wrapper
COPY developer-portal-wrapper /home/developer-portal-wrapper
COPY publish-to-cgw-wrapper /home/publish-to-cgw-wrapper
# It is mandatory to set these labels
# (Red Hat / OpenShift image metadata; purely descriptive, no runtime effect)
LABEL name="Konflux Release Service Utils"
LABEL description="Konflux Release Service Utils"
LABEL io.k8s.description="Konflux Release Service Utils"
LABEL io.k8s.display-name="release-service-utils"
LABEL io.openshift.tags="konflux"
LABEL summary="Konflux Release Service Utils"
LABEL com.redhat.component="release-service-utils"
# Configure non-root user (UID 1001) for security and compatibility.
# Note: release-service-catalog unit tests with user 1001 can't write to "/var/workdir" and "/tekton/*" directories
# And openShift may assign a random UID/GID at runtime.
# So, below part also sets directory ownership and permissions to ensure write access for unit tests and runtime.
# NOTE(review): "chmod -R g+rwX /home" makes the application code (on PATH and PYTHONPATH below)
# writable by anyone in GID 0, which is the group an OpenShift-assigned UID runs with. That is
# the trade-off the comments above accept; it means the runtime process can modify its own
# scripts and modules, so do not rely on the image contents being read-only at runtime.
RUN groupadd -g 1001 group1 && \
# useradd -m already creates /tekton/home; the mkdir -p below is a harmless no-op for it.
useradd -m -u 1001 -g 1001 -d /tekton/home user1 && \
# Change ownership on directories to ensure write permissions for unit tests
mkdir -p /var/workdir && \
mkdir -p /tekton/home && \
mkdir -p /tekton/results && \
chown -R 1001:1001 /var/workdir && \
chown -R 1001:1001 /tekton/home /tekton/results && \
# Make all files group-owned by root to allow OpenShift's random UID to work
chgrp -R 0 /home /tekton && \
chmod -R g+rwX /var/workdir /tekton /home && \
# Ensure group permissions are inherited by new subdirectories
find /var/workdir /home /tekton -type d -exec chmod g+s {} +
# Switch to a non-root user
USER 1001
# Set HOME variable to something else than `/` to avoid 'permission denied' problems when writing files.
ENV HOME=/tekton/home
WORKDIR $HOME
# Append the application directories so their scripts are callable by name.
# These are the group-writable /home/* directories set up in the previous RUN.
ENV PATH="$PATH:/home/pyxis"
ENV PATH="$PATH:/home/utils"
ENV PATH="$PATH:/home/pubtools-pulp-wrapper"
ENV PATH="$PATH:/home/pubtools-marketplacesvm-wrapper"
ENV PATH="$PATH:/home/developer-portal-wrapper"
ENV PATH="$PATH:/home/publish-to-cgw-wrapper"
# Flat imports: helpers and task scripts must be importable.
# Tests use the same layout via pyproject [tool.pytest.ini_options] pythonpath.
# Keep /home for other modules (e.g. pyxis, sbom) that expect it.
ENV PYTHONPATH="/home:/home/utils:/home/scripts/python/helpers:/home/scripts/python/tasks/internal:/home/scripts/python/tasks/managed"
# uv installs newer requests and certifi which don't use the system CA like the one installed via
# dnf. So we need to point requests to the system CA bundle explicitly.
# This is the bundle rebuilt by update-ca-trust above, so it includes the added IT root CAs.
ENV REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt