diff --git a/.konflux/Dockerfile.catalog b/.konflux/Dockerfile.catalog index e5d2c83b8e..7927122b36 100644 --- a/.konflux/Dockerfile.catalog +++ b/.konflux/Dockerfile.catalog @@ -35,7 +35,7 @@ ENV REGISTRY_AUTH_FILE=$HOME/.docker/config.json RUN SKIP_SUBMODULE_SYNC=yes make konflux-generate-catalog-production && \ rm -f $HOME/.docker/config.json -# run the catalog +# Run the catalog FROM ${OPM_IMAGE} ENTRYPOINT ["/bin/opm"] diff --git a/.konflux/container_build_args.conf b/.konflux/container_build_args.conf index b1c37ae1c2..d41b1dd692 100644 --- a/.konflux/container_build_args.conf +++ b/.konflux/container_build_args.conf @@ -17,7 +17,9 @@ OPENSHIFT_CLI_IMAGE=registry.redhat.io/openshift4/ose-cli-rhel9:v4.20@sha256:5f1 # # The runtime image is used to run the binaries -RUNTIME_IMAGE=registry.redhat.io/rhel9-6-els/rhel-minimal:9.6@sha256:f62b9615bdda046bf7c10743448639ec665650502472f79d81813b194a978d35 +# This should match the varsFromImage in the rpms.in.yaml file +# Mintmaker should keep these in sync automatically when it performs updates +RUNTIME_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 # # The yq image is used at build time to manipulate yaml diff --git a/.konflux/lock-runtime/.gitignore b/.konflux/lock-runtime/.gitignore index bdeebcd829..3fec32c842 100644 --- a/.konflux/lock-runtime/.gitignore +++ b/.konflux/lock-runtime/.gitignore @@ -1,4 +1 @@ -Dockerfile -podman_script.sh -redhat.repo -rpms.out.yaml +tmp/ diff --git a/.konflux/lock-runtime/rpms.in.yaml b/.konflux/lock-runtime/rpms.in.yaml index 044f18a5d5..edbf9f6cd9 100644 --- a/.konflux/lock-runtime/rpms.in.yaml +++ b/.konflux/lock-runtime/rpms.in.yaml 
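Review bot: In the `container_build_args.conf` hunk, the new `RUNTIME_IMAGE` comment makes this reference and the `varsFromImage` copies in `rpms.in.yaml` a manual invariant. Nothing in the commit enforces it; the comment only says Mintmaker "should" keep them in sync. The same digest now appears here and six times in `.konflux/lock-runtime/rpms.in.yaml`, so a partial update would lock RPMs against a different image than the one shipped. A small CI or `make` check that fails when the values differ would turn the comment into a guarantee. The reference also carries both `:latest` and a digest, which reads as floating; a line such as `# The tag is informational only; the @sha256 digest is what is pulled` would help, assuming the builder resolves by digest.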
@@ -6,94 +6,90 @@ contentOrigin: # Repos defined in this list must exactly match the repos defined in the conforma configuration # See https://github.com/release-engineering/rhtap-ec-policy/blob/main/data/known_rpm_repositories.yml repos: - - repoid: rhel-9-for-$basearch-appstream-rpms - name: Red Hat Enterprise Linux 9 for $basearch - AppStream (RPMs) - baseurl: https://cdn.redhat.com/content/dist/rhel9/{version}/$basearch/appstream/os + - repoid: ubi-9-for-$basearch-appstream-rpms + name: Red Hat Universal Base Image 9 for $basearch - AppStream (RPMs) + baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os enabled: "1" gpgcheck: "1" gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify: "1" - sslcacert: /etc/rhsm/ca/redhat-uep.pem - sslclientkey: /etc/pki/entitlement/placeholder-key.pem - sslclientcert: /etc/pki/entitlement/placeholder.pem sslverifystatus: "1" metadata_expire: "86400" enabled_metadata: "1" - varsFromContainerfile: Dockerfile - - repoid: rhel-9-for-$basearch-appstream-eus-rpms - name: Red Hat Enterprise Linux 9 for $basearch - AppStream EUS (RPMs) - baseurl: https://cdn.redhat.com/content/eus/rhel9/{version}/$basearch/appstream/os + # This should match the RUNTIME_IMAGE in container_build_args.conf + # Mintmaker should keep these in sync automatically when it performs updates + varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 + # + - repoid: ubi-9-for-$basearch-appstream-eus-rpms + name: Red Hat Universal Base Image 9 for $basearch - AppStream EUS (RPMs) + baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os enabled: "1" gpgcheck: "1" gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify: "1" - sslcacert: /etc/rhsm/ca/redhat-uep.pem - sslclientkey: /etc/pki/entitlement/placeholder-key.pem - sslclientcert: /etc/pki/entitlement/placeholder.pem sslverifystatus: 
"1" metadata_expire: "86400" enabled_metadata: "1" - varsFromContainerfile: Dockerfile - - repoid: rhel-9-for-$basearch-baseos-rpms - name: Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs) - baseurl: https://cdn.redhat.com/content/dist/rhel9/{version}/$basearch/baseos/os + # This should match the RUNTIME_IMAGE in container_build_args.conf + # Mintmaker should keep these in sync automatically when it performs updates + varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 + # + - repoid: ubi-9-for-$basearch-baseos-rpms + name: Red Hat Universal Base Image 9 for $basearch - BaseOS (RPMs) + baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os enabled: "1" gpgcheck: "1" gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify: "1" - sslcacert: /etc/rhsm/ca/redhat-uep.pem - sslclientkey: /etc/pki/entitlement/placeholder-key.pem - sslclientcert: /etc/pki/entitlement/placeholder.pem sslverifystatus: "1" metadata_expire: "86400" enabled_metadata: "1" - varsFromContainerfile: Dockerfile - - repoid: rhel-9-for-$basearch-baseos-eus-rpms - name: Red Hat Enterprise Linux 9 for $basearch - BaseOS EUS (RPMs) - baseurl: https://cdn.redhat.com/content/eus/rhel9/{version}/$basearch/baseos/os + # This should match the RUNTIME_IMAGE in container_build_args.conf + # Mintmaker should keep these in sync automatically when it performs updates + varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 + # + - repoid: ubi-9-for-$basearch-baseos-eus-rpms + name: Red Hat Universal Base Image 9 for $basearch - BaseOS EUS (RPMs) + baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os enabled: "1" gpgcheck: "1" gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify: "1" - sslcacert: /etc/rhsm/ca/redhat-uep.pem - sslclientkey: 
/etc/pki/entitlement/placeholder-key.pem - sslclientcert: /etc/pki/entitlement/placeholder.pem sslverifystatus: "1" metadata_expire: "86400" enabled_metadata: "1" - varsFromContainerfile: Dockerfile - - repoid: codeready-builder-for-rhel-9-$basearch-rpms - name: Red Hat CodeReady Linux Builder for RHEL 9 $basearch (RPMs) - baseurl: https://cdn.redhat.com/content/dist/rhel9/{version}/$basearch/codeready-builder/os + # This should match the RUNTIME_IMAGE in container_build_args.conf + # Mintmaker should keep these in sync automatically when it performs updates + varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 + # + - repoid: codeready-builder-for-ubi-9-$basearch-rpms + name: Red Hat CodeReady Linux Builder for UBI 9 $basearch (RPMs) + baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os/ enabled: "1" gpgcheck: "1" gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify: "1" - sslcacert: /etc/rhsm/ca/redhat-uep.pem - sslclientkey: /etc/pki/entitlement/placeholder-key.pem - sslclientcert: /etc/pki/entitlement/placeholder.pem sslverifystatus: "1" metadata_expire: "86400" enabled_metadata: "1" - varsFromContainerfile: Dockerfile - - repoid: codeready-builder-for-rhel-9-$basearch-eus-rpms - name: Red Hat CodeReady Linux Builder for RHEL 9 $basearch EUS (RPMs) - baseurl: https://cdn.redhat.com/content/eus/rhel9/{version}/$basearch/codeready-builder/os + # This should match the RUNTIME_IMAGE in container_build_args.conf + # Mintmaker should keep these in sync automatically when it performs updates + varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 + # + - repoid: codeready-builder-for-ubi-9-$basearch-eus-rpms + name: Red Hat CodeReady Linux Builder for UBI 9 $basearch EUS (RPMs) + baseurl: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os/ enabled: "1" gpgcheck: "1" gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify: "1" - sslcacert: /etc/rhsm/ca/redhat-uep.pem - sslclientkey: /etc/pki/entitlement/placeholder-key.pem - sslclientcert: /etc/pki/entitlement/placeholder.pem sslverifystatus: "1" metadata_expire: "86400" enabled_metadata: "1" - varsFromContainerfile: Dockerfile -context: - containerfile: - file: Dockerfile - stageName: runtime-image + # This should match the RUNTIME_IMAGE in container_build_args.conf + # Mintmaker should keep these in sync automatically when it performs updates + varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 + # packages: - util-linux-core - rsync diff --git a/.konflux/lock-runtime/rpms.lock.yaml b/.konflux/lock-runtime/rpms.lock.yaml index 01d5b0886e..06c3bfef1d 100644 --- a/.konflux/lock-runtime/rpms.lock.yaml +++ b/.konflux/lock-runtime/rpms.lock.yaml 
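Review bot: The three `-eus-` entries (`ubi-9-for-$basearch-appstream-eus-rpms`, `ubi-9-for-$basearch-baseos-eus-rpms`, `codeready-builder-for-ubi-9-$basearch-eus-rpms`) use exactly the same `baseurl` as their non-EUS siblings. They add a second repo id for identical content rather than an EUS content set. The file header requires every repo here to match the conforma `known_rpm_repositories.yml` exactly, and these ids are not visible in this diff, so confirm they are listed there or drop the entries. If they are kept on purpose, say so on each one, e.g. `# intentionally reuses the non-EUS baseurl; id kept for policy matching`. The codeready `baseurl` values also end in `/os/` where the others end in `/os`; pick one form. Keeping `gpgcheck: "1"` and `sslverify: "1"` after removing the entitlement certificates is the right call for a public CDN.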
@@ -4,22 +4,22 @@ lockfileVendor: redhat arches: - arch: aarch64 packages: - - url: https://cdn.redhat.com/content/dist/rhel9/9.6/aarch64/baseos/os/Packages/r/rsync-3.2.5-3.el9.aarch64.rpm - repoid: rhel-9-for-aarch64-baseos-rpms + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/r/rsync-3.2.5-3.el9.aarch64.rpm + repoid: ubi-9-for-aarch64-baseos-rpms size: 416293 checksum: sha256:99235a7555f6454898ebbcdcf927ebed68e3a60599c9226b9d1d60578d292878 name: rsync evr: 3.2.5-3.el9 sourcerpm: rsync-3.2.5-3.el9.src.rpm - - url: https://cdn.redhat.com/content/dist/rhel9/9.6/aarch64/baseos/os/Packages/t/tar-1.34-7.el9.aarch64.rpm - repoid: rhel-9-for-aarch64-baseos-rpms + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/t/tar-1.34-7.el9.aarch64.rpm + repoid: ubi-9-for-aarch64-baseos-rpms size: 900197 checksum: sha256:44552dea889d350403c3074a33d7cb274b3f57553e47db998745df13f931b458 name: tar evr: 2:1.34-7.el9 sourcerpm: tar-1.34-7.el9.src.rpm - - url: https://cdn.redhat.com/content/dist/rhel9/9.6/aarch64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.aarch64.rpm - repoid: rhel-9-for-aarch64-baseos-rpms + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.aarch64.rpm + repoid: ubi-9-for-aarch64-baseos-rpms size: 476169 checksum: sha256:e1d6b36eaaa048d6cb22799d3c463c95d0aadf5dac83fdcf05e9c047eb396406 name: util-linux-core 
@@ -29,22 +29,22 @@ arches: module_metadata: [] - arch: x86_64 packages: - - url: https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os/Packages/r/rsync-3.2.5-3.el9.x86_64.rpm - repoid: rhel-9-for-x86_64-baseos-rpms + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/r/rsync-3.2.5-3.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms size: 421930 checksum: sha256:b1d90c38b613f2d66dfe0c7c3d067a3ce429f7b2ec5224e560f326fc2fd8d1e5 name: rsync evr: 3.2.5-3.el9 sourcerpm: rsync-3.2.5-3.el9.src.rpm - - url: https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os/Packages/t/tar-1.34-7.el9.x86_64.rpm - repoid: rhel-9-for-x86_64-baseos-rpms + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/t/tar-1.34-7.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms size: 910235 checksum: sha256:17f2e592a2c04c050b690afeb9042e02521a0b5ee3288dad837463f4acf542c3 name: tar evr: 2:1.34-7.el9 sourcerpm: tar-1.34-7.el9.src.rpm - - url: https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.x86_64.rpm - repoid: rhel-9-for-x86_64-baseos-rpms + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms size: 480619 checksum: sha256:36389814fcec56d9b9d4bd1a4a63efb1cefa00bc8bacab73f89ef8f8be04b1cd name: util-linux-core diff --git a/.tekton/lifecycle-agent-4-20-pull-request.yaml b/.tekton/lifecycle-agent-4-20-pull-request.yaml index 61a9960f3b..e984000695 100644 --- a/.tekton/lifecycle-agent-4-20-pull-request.yaml +++ b/.tekton/lifecycle-agent-4-20-pull-request.yaml 
@@ -63,7 +63,7 @@ spec: - name: dev-package-managers value: "true" - name: prefetch-input - value: '[{"type": "rpm", "path": ".konflux/lock-runtime"}, {"type": "gomod", "path": "."}]' + value: '[{"type": "rpm", "path": ".konflux/lock-runtime/"}, {"type": "gomod", "path": "."}]' - name: build-source-image value: "true" - name: skip-sast-coverity diff --git a/.tekton/lifecycle-agent-4-20-push.yaml b/.tekton/lifecycle-agent-4-20-push.yaml index 4b2412db1b..20e944963d 100644 --- a/.tekton/lifecycle-agent-4-20-push.yaml +++ b/.tekton/lifecycle-agent-4-20-push.yaml @@ -61,7 +61,7 @@ spec: - name: dev-package-managers value: "true" - name: prefetch-input - value: '[{"type": "rpm", "path": ".konflux/lock-runtime"}, {"type": "gomod", "path": "."}]' + value: '[{"type": "rpm", "path": ".konflux/lock-runtime/"}, {"type": "gomod", "path": "."}]' - name: build-source-image value: "true" - name: skip-sast-coverity diff --git a/.yamllint.yaml b/.yamllint.yaml index 9ab88ab7a8..be75e1e130 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml @@ -4,7 +4,7 @@ yamllint: ignore: - .konflux/catalog/catalog-template.out.yaml # This is generated for Konflux builds - .konflux/catalog/lifecycle-agent/catalog.yaml # This is generated for Konflux builds - - .konflux/lock-runtime/rpms.lock.yaml # These are generated files so linting them is problematic + - .konflux/rpms.lock.yaml # These are generated files so linting them is problematic - bin/ - bundle/ # These are generated files so linting them is problematic - config/ # These are generated files so linting them is problematic diff --git a/Dockerfile b/Dockerfile index daac572a5e..bea5fca5bc 100644 --- a/Dockerfile +++ b/Dockerfile 
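Review bot: In the `.yamllint.yaml` hunk, the ignore entry now points at `.konflux/rpms.lock.yaml`, but the lock file in this commit is still `.konflux/lock-runtime/rpms.lock.yaml`. That is the path in the diff header for the lock file and the `cp` destination in the Makefile recipe. The generated lock file will therefore be linted again and the new entry matches nothing. The scratch directory the recipe keeps on disk also holds a copied `rpms.in.yaml` and a generated lock file. I would keep `- .konflux/lock-runtime/rpms.lock.yaml` and add `- .konflux/lock-runtime/tmp/`.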
@@ -1,7 +1,6 @@ -##################################################################################################### # Build arguments ARG BUILDER_IMAGE=quay.io/projectquay/golang:1.24 -ARG RUNTIME_IMAGE=registry.access.redhat.com/ubi9-minimal:9.6-1760515502 +ARG RUNTIME_IMAGE=registry.access.redhat.com/ubi9-minimal:latest ARG OPENSHIFT_CLI_IMAGE=registry.redhat.io/openshift4/ose-cli-rhel9:latest # Build the binaries diff --git a/Makefile b/Makefile index 94c7e0a041..d34948fb23 100644 --- a/Makefile +++ b/Makefile @@ -5,14 +5,6 @@ # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) VERSION ?= 4.20.0 -# RHEL9_ACTIVATION_KEY defines the activation key to use for the rpm lock file for the runtime -# This should be set in your environment prior to running the `konflux-update-rpm-lock-runtime` target -RHEL9_ACTIVATION_KEY ?= "" - -# RHEL9_ORG_ID defines the organization to use for the rpm lock file for the runtime -# This should be set in your environment prior to running the `konflux-update-rpm-lock-runtime` target -RHEL9_ORG_ID ?= "" - # BASHATE_VERSION defines the bashate version to download from GitHub releases. BASHATE_VERSION ?= 2.1.1 
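Review bot: The `Dockerfile` default for `RUNTIME_IMAGE` moves from a dated tag to the floating `ubi9-minimal:latest`. Any build that does not pass the Konflux build args now pulls whatever base is current that day, which is not necessarily the image the RPM lock was resolved against. If the default is only meant for local developer builds, add a comment saying so, e.g. `# Default is unpinned for local builds only; Konflux overrides it from .konflux/container_build_args.conf`. Otherwise pin it to the reference used in the conf file: `ARG RUNTIME_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7`. The repository path also differs between the two files (`ubi9-minimal` here, `ubi9/ubi-minimal` in the conf); using one spelling makes automated updates easier to match.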
@@ -106,13 +98,6 @@ SHELL = /usr/bin/env GOFLAGS=$(GOFLAGS) bash -o pipefail .SHELLFLAGS = -ec -# RHEL9_RELEASE defines the RHEL9 release version to update the rpm lock file for the runtime -# This is automatically extracted from the RUNTIME_IMAGE in `.konflux/container_build_args.conf` -RHEL9_RELEASE ?= $(shell awk -F'=' '/^RUNTIME_IMAGE=/ {split($$2, parts, /[:|@]/); print parts[2]}' $(PROJECT_DIR)/.konflux/container_build_args.conf) - -# Use make's built-in substitution function to replace the dot with a dash -RHEL9_RELEASE_DASHED := $(subst .,-,$(RHEL9_RELEASE)) - # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable") # To re-generate a bundle for other specific channels without changing the standard setup, you can: 
@@ -546,32 +531,20 @@ konflux-generate-catalog-production: sync-git-submodules yq opm ## generate a re .PHONY: konflux-update-rpm-lock-runtime konflux-update-rpm-lock-runtime: sync-git-submodules ## Update the rpm lock file for the runtime + @echo "Creating lock-runtime/tmp/ directory..." + mkdir -p $(PROJECT_DIR)/.konflux/lock-runtime/tmp/ + @echo "Copying rpms.in.yaml to lock-runtime directory..." + cp $(PROJECT_DIR)/.konflux/lock-runtime/rpms.in.yaml $(PROJECT_DIR)/.konflux/lock-runtime/tmp/rpms.in.yaml + @cat $(PROJECT_DIR)/.konflux/lock-runtime/tmp/rpms.in.yaml @echo "Updating rpm lock file for the runtime..." - @echo "Creating modified Dockerfile in lock-runtime directory..." - cp $(PROJECT_DIR)/Dockerfile $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile - @echo "Updating RUNTIME_IMAGE value in copied Dockerfile..." - RUNTIME_IMAGE_VALUE=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf); \ - sed -i.bak \ - -e "s|ARG RUNTIME_IMAGE=.*|ARG RUNTIME_IMAGE=$$RUNTIME_IMAGE_VALUE|g" \ - -e "s|FROM \$${RUNTIME_IMAGE}|FROM $$RUNTIME_IMAGE_VALUE|g" \ - -e "s|FROM --platform=linux/\$${GOARCH} \$${RUNTIME_IMAGE}|FROM --platform=linux/\$${GOARCH} $$RUNTIME_IMAGE_VALUE|g" \ - $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile; \ - rm -f $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile.bak $(MAKE) -C $(PROJECT_DIR)/telco5g-konflux/scripts/rpm-lock generate-rhel9-locks \ - LOCK_SCRIPT_TARGET_DIR=$(PROJECT_DIR)/.konflux/lock-runtime \ - RHEL9_RELEASE=$(RHEL9_RELEASE) \ - RHEL9_ACTIVATION_KEY=$(RHEL9_ACTIVATION_KEY) \ - RHEL9_ORG_ID=$(RHEL9_ORG_ID) \ - RHEL9_EXECUTION_IMAGE=registry.redhat.io/rhel$(RHEL9_RELEASE_DASHED)-els/rhel:$(RHEL9_RELEASE) \ - RHEL9_IMAGE_TO_LOCK=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf); \ - result=$$?; \ - echo "Cleaning up copied Dockerfile..."; \ - rm -f $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile; \ - if [ $$result -ne 0 ]; then \ - echo "rpm lock file 
update failed."; \ - exit $$result; \ - fi - @echo "Rpm lock file updated successfully." + LOCK_SCRIPT_TARGET_DIR=$(PROJECT_DIR)/.konflux/lock-runtime/tmp/ \ + RHEL9_EXECUTION_IMAGE=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf | sed 's|ubi-minimal|ubi|g' | sed 's|@.*||') \ + RHEL9_IMAGE_TO_LOCK=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf) + @echo "Update rpms.lock.yaml with new contents..." + cp $(PROJECT_DIR)/.konflux/lock-runtime/tmp/rpms.lock.yaml $(PROJECT_DIR)/.konflux/lock-runtime/rpms.lock.yaml + # intentionally keep lock-runtime/tmp/ directory for debugging purposes + @echo "RPM lock file updated successfully." .PHONY: konflux-update-tekton-task-refs konflux-update-tekton-task-refs: sync-git-submodules ## Update task references in Tekton pipeline files
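Review bot: In the `konflux-update-rpm-lock-runtime` recipe, `RHEL9_EXECUTION_IMAGE` is derived by rewriting `ubi-minimal` to `ubi` and stripping everything after `@`. The lock file is therefore generated inside an unpinned `ubi:latest` image while the image being locked is digest-pinned. A separate digest-pinned entry in `container_build_args.conf` for the execution image would keep the tooling reproducible; the recipe would read it with the same `awk` lookup it already uses for `RUNTIME_IMAGE`. Both `$$(awk …)` substitutions are unquoted and never checked for an empty result, so a missing `RUNTIME_IMAGE=` line passes empty values to the sub-make; a guard such as `test -n "$$img" || { echo "RUNTIME_IMAGE not found"; exit 1; }` before the call would catch it. Because `tmp/` is deliberately kept between runs, a leftover `tmp/rpms.lock.yaml` could be copied over the real lock file if the generator exits successfully without writing one. Adding `rm -f $(PROJECT_DIR)/.konflux/lock-runtime/tmp/rpms.lock.yaml` before the `$(MAKE)` line removes that possibility.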