feat: enable ARM/MultiArch support and update dependencies #1140

Open
khushiiagrawal wants to merge 5 commits into krkn-chaos:main from khushiiagrawal:feat/1136-arm-multiarch-support


@khushiiagrawal khushiiagrawal commented Jan 30, 2026

User description

Type of change

  • Refactor
  • New feature
  • Bug fix
  • Optimization

Description

This PR introduces support for ARM and Multi-Architecture builds for the Kraken base container image. By updating the Dockerfile.template, we now leverage Docker's TARGETARCH argument to correctly cross-compile the oc and virtctl binaries for the target platform (e.g., arm64).

Additionally, this PR updates the build-time Go dependencies (such as buildkit, containerd, docker, runc) to their latest stable versions to ensure better security and compatibility with modern environments.

Related Tickets & Documents

Documentation

  • Is documentation needed for this update?

Checklist before requesting a review

  • Ensure the changes and proposed solution have been discussed in the relevant issue and have received acknowledgment from the community or maintainers.
  • I have performed a self-review of my code by running krkn and specific scenario
  • If it is a core feature, I have added thorough unit tests with above 80% coverage

REQUIRED:
Description of combination of tests performed and output of run

Verification: Docker Build on ARM64

I verified the changes by building the Docker image on an ARM64 verification environment and checking the architecture of the resulting binaries.

# Build command
docker build -f containers/Dockerfile.template -t krkn-base:test . --build-arg TAG=main

# Architecture Verification
docker image inspect krkn-base:test --format '{{.Architecture}}'
# Output: arm64

# Binary Execution Verification
docker run --rm --entrypoint /usr/bin/oc krkn-base:test version --client
# Output: Client Version: v4.2.0-alpha.0-2568-g3a48fc2

PR Type

Enhancement


Description

  • Enable ARM/MultiArch Docker builds via TARGETARCH argument

  • Update Go dependencies to latest stable versions

  • Cross-compile oc and virtctl binaries for target platforms

  • Improve security and compatibility with modern environments


Diagram Walkthrough

flowchart LR
  A["Dockerfile.template"] -->|Add TARGETARCH| B["ARM64 Support"]
  A -->|Update Dependencies| C["Latest Go Packages"]
  B -->|GOARCH env var| D["Cross-compile oc"]
  B -->|GOARCH env var| E["Cross-compile virtctl"]
  C -->|buildkit v0.19.0| F["Enhanced Compatibility"]
  C -->|containerd v1.7.30| F
  C -->|runc v1.2.5| F

File Walkthrough

Relevant files
Enhancement
Dockerfile.template
Add ARM support and update Go dependencies                             

containers/Dockerfile.template

  • Added ARG TARGETARCH to oc-build stage for multi-architecture support
  • Updated Go module dependencies to latest stable versions (buildkit
    v0.12.5→v0.19.0, containerd v1.7.29→v1.7.30, runc v1.2.8→v1.2.5)
  • Set GOARCH=$TARGETARCH environment variable for oc and virtctl builds
    to enable cross-compilation
  • Updated various security-related dependencies (golang.org/x/crypto,
    golang.org/x/oauth2, go-git)
+14/-13 

Signed-off-by: khushiiagrawal <khushisaritaagrawal@gmail.com>

qodo-code-review bot commented Jan 30, 2026

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Build-arg command injection

Description: Using unvalidated build arg TARGETARCH directly in shell-form RUN commands (e.g.,
GOARCH=$TARGETARCH make ... / GOARCH=$TARGETARCH go build ...) could allow command
injection if a malicious or untrusted build sets TARGETARCH to include shell
metacharacters.
Dockerfile.template [24-33]

Referred Code
RUN GOARCH=$TARGETARCH make GO_REQUIRED_MIN_VERSION:= oc

# virtctl build
WORKDIR /tmp
RUN git clone https://github.com/kubevirt/kubevirt.git
WORKDIR /tmp/kubevirt
RUN go mod edit -go 1.24.9 &&\
    go work use &&\
    GOARCH=$TARGETARCH go build -o virtctl ./cmd/virtctl/
Ticket Compliance
🟡
🎫 #1136
🟢 Update containers/Dockerfile.template to properly build ARM and multi-architecture
platform versions.
Ensure Go-built dependencies/binaries in the Dockerfile are updated appropriately to
support ARM/multiarch builds.
Confirm multi-arch images build correctly across intended platforms (e.g., linux/amd64 and
linux/arm64) in CI/release pipelines and that the produced oc and virtctl binaries run
correctly on each platform.
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Unhandled empty arch: The new GOARCH=$TARGETARCH build steps do not guard against an unset/invalid TARGETARCH,
which can cause non-graceful build failures depending on the build environment.

Referred Code
ARG TARGETARCH
RUN apt-get update && apt-get install -y --no-install-recommends libkrb5-dev
WORKDIR /tmp
# oc build
RUN git clone --branch release-4.18 https://github.com/openshift/oc.git
WORKDIR /tmp/oc
RUN go mod edit -go 1.24.9 &&\
    go mod edit -require github.com/moby/buildkit@v0.19.0 &&\
    go mod edit -require github.com/containerd/containerd@v1.7.30&&\
    go mod edit -require github.com/docker/docker@v27.5.1+incompatible&&\
    go mod edit -require github.com/opencontainers/runc@v1.2.5&&\
    go mod edit -require github.com/go-git/go-git/v5@v5.13.2&&\
    go mod edit -require github.com/opencontainers/selinux@v1.11.1&&\
    go mod edit -require github.com/ulikunitz/xz@v0.5.13&&\
    go mod edit -require golang.org/x/net@v0.35.0&&\
    go mod edit -require github.com/containerd/containerd@v1.7.30&&\
    go mod edit -require golang.org/x/oauth2@v0.34.0&&\
    go mod edit -require golang.org/x/crypto@v0.47.0&&\
    go mod edit -replace github.com/containerd/containerd@v1.7.30=github.com/containerd/containerd@v1.7.30&&\
    go mod tidy && go mod vendor



 ... (clipped 10 lines)

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unvalidated build arg: The TARGETARCH build argument is consumed directly to set GOARCH without
validation/allowlisting, so a malicious or unexpected value could break builds or produce
unintended artifacts.

Referred Code
ARG TARGETARCH
RUN apt-get update && apt-get install -y --no-install-recommends libkrb5-dev
WORKDIR /tmp
# oc build
RUN git clone --branch release-4.18 https://github.com/openshift/oc.git
WORKDIR /tmp/oc
RUN go mod edit -go 1.24.9 &&\
    go mod edit -require github.com/moby/buildkit@v0.19.0 &&\
    go mod edit -require github.com/containerd/containerd@v1.7.30&&\
    go mod edit -require github.com/docker/docker@v27.5.1+incompatible&&\
    go mod edit -require github.com/opencontainers/runc@v1.2.5&&\
    go mod edit -require github.com/go-git/go-git/v5@v5.13.2&&\
    go mod edit -require github.com/opencontainers/selinux@v1.11.1&&\
    go mod edit -require github.com/ulikunitz/xz@v0.5.13&&\
    go mod edit -require golang.org/x/net@v0.35.0&&\
    go mod edit -require github.com/containerd/containerd@v1.7.30&&\
    go mod edit -require golang.org/x/oauth2@v0.34.0&&\
    go mod edit -require golang.org/x/crypto@v0.47.0&&\
    go mod edit -replace github.com/containerd/containerd@v1.7.30=github.com/containerd/containerd@v1.7.30&&\
    go mod tidy && go mod vendor



 ... (clipped 10 lines)

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
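
Added example (not part of the PR or of the bot's output): one way to do the allowlist check that the two TARGETARCH findings above ask for, written as the shell a RUN step would execute. The function names and the amd64/arm64 allowlist are assumptions, taken from the platforms the ticket mentions.

```shell
#!/bin/sh
# Added example, not code from the PR. Names and allowlist are assumptions.

# Architectures this build agrees to produce (linux/amd64 and linux/arm64).
ALLOWED_ARCHES="amd64 arm64"

# validate_goarch VALUE
# Prints VALUE and returns 0 only when it equals one allowlisted token.
# Returns 2 when VALUE is empty (builder did not populate TARGETARCH),
# 1 for any other value, including ones carrying spaces or metacharacters.
validate_goarch() {
    arch=$1
    if [ -z "$arch" ]; then
        echo "TARGETARCH is empty; refusing to guess" >&2
        return 2
    fi
    for ok in $ALLOWED_ARCHES; do
        if [ "$arch" = "$ok" ]; then
            printf '%s\n' "$arch"
            return 0
        fi
    done
    echo "TARGETARCH is not in the allowlist" >&2
    return 1
}

# build_env VALUE
# Emits the GOARCH assignment for the build step, or fails closed with
# validate_goarch's status so the RUN instruction stops the build.
build_env() {
    goarch=$(validate_goarch "$1") || return $?
    printf 'GOARCH=%s\n' "$goarch"
}

# Constructed sample values: two valid, one empty, two that must be rejected.
for sample in arm64 amd64 "" riscv64 'arm64;x'; do
    build_env "$sample" 2>/dev/null || echo "rejected (status $?): [$sample]"
done
```

In a Dockerfile the same check would sit at the top of the RUN step, with "$TARGETARCH" quoted, before any go or make command runs.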

@khushiiagrawal
Author

@pablomh Please take a look.
Thanks!

qodo-code-review bot commented Jan 30, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category    Suggestion    Impact
Security
Avoid downgrading security-sensitive dependencies

Re-evaluate the downgrading of dependencies like runc, selinux, xz, and
golang.org/x/net, as it may introduce security risks. Consider using their
latest stable versions instead.

containers/Dockerfile.template [13-21]

 -    go mod edit -require github.com/opencontainers/runc@v1.2.8&&\
 -    go mod edit -require github.com/go-git/go-git/v5@v5.13.0&&\
 -    go mod edit -require github.com/opencontainers/selinux@v1.13.0&&\
 -    go mod edit -require github.com/ulikunitz/xz@v0.5.15&&\
 -    go mod edit -require golang.org/x/net@v0.38.0&&\
 -    go mod edit -require github.com/containerd/containerd@v1.7.27&&\
 -    go mod edit -require golang.org/x/oauth2@v0.27.0&&\
 -    go mod edit -require golang.org/x/crypto@v0.35.0&&\
 -    go mod edit -replace github.com/containerd/containerd@v1.7.27=github.com/containerd/containerd@v1.7.29&&\
-+    go mod edit -require github.com/opencontainers/runc@v1.2.5&&\
++    go mod edit -require github.com/opencontainers/runc@v1.1.12&&\
 +    go mod edit -require github.com/go-git/go-git/v5@v5.13.2&&\
 +    go mod edit -require github.com/opencontainers/selinux@v1.11.1&&\
-+    go mod edit -require github.com/ulikunitz/xz@v0.5.13&&\
-+    go mod edit -require golang.org/x/net@v0.35.0&&\
++    go mod edit -require github.com/ulikunitz/xz@v0.5.11&&\
++    go mod edit -require golang.org/x/net@v0.25.0&&\
 +    go mod edit -require github.com/containerd/containerd@v1.7.30&&\
 +    go mod edit -require golang.org/x/oauth2@v0.34.0&&\
 +    go mod edit -require golang.org/x/crypto@v0.47.0&&\
 +    go mod edit -replace github.com/containerd/containerd@v1.7.30=github.com/containerd/containerd@v1.7.30&&\
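
Review bot: the replacement lines in this suggestion pin runc at v1.1.12, xz at v0.5.11 and golang.org/x/net at v0.25.0, each older than both the PR's values and the removed v1.2.8, v0.5.15 and v0.38.0, so applying it moves further from the stated goal of not downgrading. selinux is also left at v1.11.1 against the removed v1.13.0. Restore the removed-side versions for these four modules rather than applying the suggested lines.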

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 9

Why: The suggestion correctly identifies that several dependencies, including the security-sensitive runc, are being downgraded, which could reintroduce vulnerabilities and should be reviewed.

High
Possible issue
Correct containerd version replace

Correct the go mod edit -replace directive for containerd, which currently
replaces version v1.7.30 with itself.

containers/Dockerfile.template [21]

-go mod edit -replace github.com/containerd/containerd@v1.7.30=github.com/containerd/containerd@v1.7.30&&\
+go mod edit -replace github.com/containerd/containerd@v1.7.27=github.com/containerd/containerd@v1.7.30&&\
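
Review bot: the `+` line keys the replace to containerd@v1.7.27, but a versioned replace applies only to that exact version, and the require lines in this RUN step already pin v1.7.30, so the directive would not affect the selected version. Drop the replace line entirely and keep a single `-require github.com/containerd/containerd@v1.7.30`.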
Suggestion importance[1-10]: 6

Why: The suggestion correctly points out a redundant go mod edit -replace command that replaces a version with itself, which is likely a copy-paste error and should be corrected or removed.

Low
General
Set GOARCH environment globally

Set GOARCH as a global environment variable using ENV GOARCH=${TARGETARCH} after
the ARG TARGETARCH declaration to avoid repeating it in subsequent commands.

containers/Dockerfile.template [3]

 ARG TARGETARCH
+ENV GOARCH=${TARGETARCH}
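
Review bot: `ENV GOARCH=${TARGETARCH}` on the added line takes effect for every later instruction in the stage, including the `go mod edit`, `go mod tidy` and `go mod vendor` steps, not only the oc and virtctl compiles, and it carries an empty or unexpected TARGETARCH forward unchecked. If the stage-wide scope is intended, validate TARGETARCH against the supported architectures first; otherwise keep the per-command `GOARCH=$TARGETARCH` prefix.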
Suggestion importance[1-10]: 5

Why: The suggestion proposes a valid refactoring to set the GOARCH environment variable globally within the build stage, which would improve readability and maintainability by removing redundant prefixes.

Low

@paigerube14
Collaborator

@khushiiagrawal are you able to also update the docker-image.yaml workflow to pass the new arg? We'll want to push to quay an arm64 and amd64 version

Signed-off-by: khushiiagrawal <khushisaritaagrawal@gmail.com>
@khushiiagrawal
Author

@paigerube14 Please take a look.
Thanks!

@khushiiagrawal
Author

@paigerube14 why is the license compliance check failing? I have no idea about it. Appreciate your guidance.
Thanks!

@paigerube14
Collaborator

@paigerube14 why is the license compliance check failing? I have no idea about it. Appreciate your guidance. Thanks!

you can ignore it!

@khushiiagrawal
Author

@paigerube14 Please take a look.
Thanks!

@khushiiagrawal
Author

@paigerube14 a gentle ping 😊

@khushiiagrawal
Author

@paigerube14 do I have to make any changes here? Do let me know. Would be happy to help.
Thanks!

@khushiiagrawal
Author

@paigerube14 PTAL.
Thanks!

@khushiiagrawal
Author

@paigerube14 any updates here?

go mod edit -replace github.com/containerd/containerd@v1.7.27=github.com/containerd/containerd@v1.7.29&&\
go mod edit -require github.com/opencontainers/runc@v1.2.5&&\
go mod edit -require github.com/go-git/go-git/v5@v5.13.2&&\
go mod edit -require github.com/opencontainers/selinux@v1.11.1&&\
Collaborator

Is there a reason we are going backwards on some of the versions? It would be good if we could keep current versions we know don't break.

Author

I've restored runc, selinux, xz, and golang.org/x/net back to the versions currently on main.
I also cleaned up the duplicate containerd require line (it was listed twice, v1.7.29 and v1.7.27 with a replace directive). Now there's a single containerd@v1.7.30 entry, which makes the replace unnecessary, so I removed that too.

khushiiagrawal and others added 2 commits February 13, 2026 18:14
…nc, selinux, xz, and net packages

Signed-off-by: khushiiagrawal <khushisaritaagrawal@gmail.com>
@khushiiagrawal
Author

@paigerube14 PTAL. Thanks!

Development

Successfully merging this pull request may close these issues.

ARM and MultiArch Support