Add AIPCC-based Containerfile for Spark operator

Vedant-Deshpande · Vedant-Deshpande · commit 8fef643b134c · 2026-03-25T12:32:36.000-04:00
Multi-stage Containerfile using quay.io/aipcc/base-images/cpu as the
base image with Java 21 (copied from ubi9/openjdk-21), PySpark 4.0.1
from Red Hat's internal PyPI index, tini from EPEL, and OpenShift
arbitrary UID compatibility. Updated params.env to reference the new
image.
diff --git a/examples/openshift/Dockerfile.odh b/examples/openshift/Dockerfile.odh
@@ -0,0 +1,125 @@
+# Dockerfile.odh for Spark Operator based on AIPCC base image
+#
+# Build: docker build -f examples/openshift/Dockerfile.odh -t <image> .
+# Override base: --build-arg BASE_IMAGE=<other-image>
+
+################################################################################
+# Build Arguments
+################################################################################
+ARG GO_BUILDER_IMAGE=registry.access.redhat.com/ubi9/go-toolset:1.25.7
+ARG JDK_IMAGE=registry.redhat.io/ubi9/openjdk-21:latest
+ARG BASE_IMAGE=quay.io/aipcc/base-images/cpu:3.4.0-1773328752
+
+################################################################################
+# Stage 1: Build the Go operator binary
+################################################################################
+FROM ${GO_BUILDER_IMAGE} AS builder
+
+USER 0
+WORKDIR /workspace
+
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+    --mount=type=bind,source=go.mod,target=go.mod \
+    --mount=type=bind,source=go.sum,target=go.sum \
+    go mod download
+
+COPY . .
+
+ENV GOCACHE=/root/.cache/go-build
+ARG TARGETARCH
+
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+    --mount=type=cache,target="/root/.cache/go-build" \
+    CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on make build-operator
+
+################################################################################
+# Stage 2: JDK source (provides Java 21)
+################################################################################
+FROM ${JDK_IMAGE} AS jdk
+
+################################################################################
+# Stage 3: Runtime image
+################################################################################
+FROM ${BASE_IMAGE}
+
+LABEL name="spark-operator" \
+      summary="Spark Operator for OpenShift" \
+      description="Kubeflow Spark Operator built on AIPCC base with Java 21 and PySpark 4.0.1" \
+      io.k8s.display-name="Spark Operator" \
+      io.k8s.description="Operator for managing Apache Spark applications on OpenShift"
+
+ARG SPARK_UID=185
+ARG PYSPARK_VERSION=4.0.1
+ARG PYSPARK_INDEX_URL=https://packages.redhat.com/api/pypi/public-rhai/rhoai/3.4-EA2/cpu-ubi9/simple/
+
+USER 0
+
+# Create the spark user/group (reuse UID/GID 185).
+# The base image may already have a user at UID 185, so adjust accordingly.
+RUN if getent group 185 > /dev/null 2>&1; then \
+        EXISTING_GROUP=$(getent group 185 | cut -d: -f1); \
+        groupmod -n spark "$EXISTING_GROUP"; \
+    else \
+        groupadd -g 185 spark; \
+    fi && \
+    if getent passwd 185 > /dev/null 2>&1; then \
+        EXISTING_USER=$(getent passwd 185 | cut -d: -f1); \
+        usermod -l spark -d /home/spark "$EXISTING_USER"; \
+    else \
+        useradd -u 185 -g spark -d /home/spark -s /bin/bash spark; \
+    fi && \
+    mkdir -p /home/spark && \
+    chown spark:spark /home/spark
+
+# Copy Java 21 from the JDK stage.
+COPY --from=jdk /usr/lib/jvm/java-21-openjdk /usr/lib/jvm/java-21-openjdk
+COPY --from=jdk /usr/share/javazi-1.8 /usr/share/javazi-1.8
+COPY --from=jdk /etc/java /etc/java
+COPY --from=jdk /etc/crypto-policies /etc/crypto-policies
+COPY --from=jdk /etc/pki/java /etc/pki/java
+
+ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
+
+# Install tini from EPEL
+RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+    dnf install -y tini && \
+    dnf clean all && rm -rf /var/cache/dnf/* && \
+    java -version 2>&1 | grep "21\." && \
+    tini --version
+
+# Install PySpark from Red Hat's internal PyPI index
+RUN pip3 install --no-cache-dir \
+    --index-url ${PYSPARK_INDEX_URL} \
+    pyspark==${PYSPARK_VERSION}
+
+# Set up Spark directory structure via PySpark's installed location
+ENV SPARK_HOME=/opt/spark
+RUN PYSPARK_DIR=$(python3 -c "import pyspark; import os; print(os.path.dirname(pyspark.__file__))") && \
+    ln -s ${PYSPARK_DIR} /opt/spark && \
+    mkdir -p /opt/spark/work-dir /opt/spark/logs && \
+    chmod g+w /opt/spark/work-dir && \
+    touch /opt/spark/RELEASE && \
+    chown -R spark:spark /opt/spark/work-dir /opt/spark/RELEASE
+
+ENV PATH="${PATH}:${SPARK_HOME}/bin:${SPARK_HOME}/sbin"
+
+# Webhook certs directory (needed by the operator's webhook server)
+RUN mkdir -p /etc/k8s-webhook-server/serving-certs && \
+    chmod -R g+rw /etc/k8s-webhook-server/serving-certs && \
+    chown -R spark /etc/k8s-webhook-server/serving-certs /home/spark
+
+# OpenShift arbitrary UID compatibility (GID 0 must have write access)
+RUN chgrp -R 0 /opt/spark /etc/k8s-webhook-server && \
+    chmod -R g=u /opt/spark /etc/k8s-webhook-server && \
+    chmod -R 775 /opt/spark/work-dir /opt/spark/logs
+
+# Copy the operator binary from builder stage
+COPY --from=builder /workspace/bin/spark-operator /usr/bin/spark-operator
+
+# Copy operator entrypoint
+COPY --chmod=0755 entrypoint.sh /usr/bin/
+
+USER ${SPARK_UID}
+
+ENTRYPOINT ["/usr/bin/entrypoint.sh"]
