Use the AIPCC Python package index

This also adds hermetic support for Python and RPMs. Yarn is still work
in progress due to missing GitHub dependency support.

Signed-off-by: mprahl <mprahl@users.noreply.github.com>

Author: mprahl

.tekton/mlflow-pull-request.yaml

@@ -2,52 +2,70 @@ apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
   annotations:
-    build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/mlflow?rev={{revision}}
+    build.appstudio.openshift.io/repo: https://github.com/red-hat-data-services/mlflow?rev={{revision}}
     build.appstudio.redhat.com/commit_sha: '{{revision}}'
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
-    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
-    pipelinesascode.tekton.dev/cancel-in-progress: "false"
+    build.appstudio.redhat.com/pull_request_number: "{{pull_request_number}}"
     pipelinesascode.tekton.dev/max-keep-runs: "3"
-    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
-      == "master"
-  creationTimestamp: null
+    pipelinesascode.tekton.dev/on-comment: "^/build-konflux mlflow"
+    pipelinesascode.tekton.dev/on-event: "[pull_request]"
+    pipelinesascode.tekton.dev/cancel-in-progress: "true"
   labels:
-    appstudio.openshift.io/application: opendatahub-builds
-    appstudio.openshift.io/component: mlflow-ci
+    appstudio.openshift.io/application: automation
+    appstudio.openshift.io/component: pull-request-pipelines-mlflow
     pipelines.appstudio.openshift.io/type: build
   name: mlflow-on-pull-request
-  namespace: open-data-hub-tenant
+  namespace: rhoai-tenant
 spec:
   params:
   - name: git-url
     value: '{{source_url}}'
   - name: revision
     value: '{{revision}}'
+  - name: additional-tags
+    value:
+    - 'pr-{{pull_request_number}}-into-{{target_branch}}'
+  - name: additional-labels
+    value:
+    - version=on-pr-{{revision}}
+    - io.openshift.tags=mlflow
   - name: output-image
-    value: quay.io/opendatahub/mlflow:odh-pr
+    value: quay.io/rhoai/pull-request-pipelines:mlflow-{{revision}}
+  - name: rhoai-version
+    value: "3.4.0-ea.1"
   - name: dockerfile
     value: Dockerfile.konflux
   - name: path-context
     value: .
-  - name: additional-tags
-    value:
-    - 'odh-pr-{{revision}}'
-  - name: pipeline-type
-    value: pull-request
+  - name: hermetic
+    value: false
+  - name: prefetch-input
+    value: |
+      [{"type": "pip", "path": ".", "requirements_files": ["requirements/konflux-extra.txt"]}, {"type": "rpm", "path": "requirements"}]
+  - name: build-source-image
+    value: true
+  - name: build-image-index
+    value: true
   - name: build-platforms
     value:
-    - linux-extra-fast/amd64
+    - linux/x86_64
+    - linux-m2xlarge/arm64
+    - linux/ppc64le
+  - name: image-expires-after
+    value: 5d
+  - name: enable-slack-failure-notification
+    value: "false"
   pipelineRef:
     resolver: git
     params:
     - name: url
-      value: https://github.com/opendatahub-io/odh-konflux-central.git
+      value: https://github.com/red-hat-data-services/konflux-central.git
     - name: revision
-      value: main
+      value: '{{ target_branch }}'
     - name: pathInRepo
-      value: pipeline/multi-arch-container-build.yaml
+      value: pipelines/multi-arch-container-build.yaml
   taskRunTemplate:
-    serviceAccountName: build-pipeline-mlflow
+    serviceAccountName: build-pipeline-pull-request-pipelines
   workspaces:
   - name: git-auth
     secret:

.tekton/mlflow-push.yaml

@@ -2,46 +2,63 @@ apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
   annotations:
-    build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/mlflow?rev={{revision}}
+    build.appstudio.openshift.io/repo: https://github.com/red-hat-data-services/mlflow?rev={{revision}}
     build.appstudio.redhat.com/commit_sha: '{{revision}}'
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
-    pipelinesascode.tekton.dev/cancel-in-progress: "false"
     pipelinesascode.tekton.dev/max-keep-runs: "3"
-    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
-      == "master"
+    pipelinesascode.tekton.dev/on-cel-expression: |
+      event == "push"
+      && target_branch == "rhoai-3.4"
+      && ( !".tekton/**".pathChanged() || ".tekton/mlflow-push.yaml".pathChanged() )
   creationTimestamp: null
   labels:
-    appstudio.openshift.io/application: opendatahub-builds
-    appstudio.openshift.io/component: mlflow-ci
+    appstudio.openshift.io/application: rhoai-v3-4
+    appstudio.openshift.io/component: mlflow-v3-4
     pipelines.appstudio.openshift.io/type: build
-  name: mlflow-on-push
-  namespace: open-data-hub-tenant
+  name: mlflow-v3-4-on-push
+  namespace: rhoai-tenant
 spec:
   params:
   - name: git-url
     value: '{{source_url}}'
   - name: revision
     value: '{{revision}}'
+  - name: additional-tags
+    value:
+    - '{{target_branch}}-{{revision}}'
   - name: output-image
-    value: quay.io/opendatahub/mlflow:odh-stable
+    value: quay.io/rhoai/odh-mlflow-rhel9:{{target_branch}}
+  - name: rhoai-version
+    value: "3.4.0-ea.1"
   - name: dockerfile
     value: Dockerfile.konflux
   - name: path-context
     value: .
+  - name: hermetic
+    value: false
+  - name: prefetch-input
+    value: |
+      [{"type": "pip", "path": ".", "requirements_files": ["requirements/konflux-extra.txt"]}, {"type": "rpm", "path": "requirements"}]
+  - name: build-source-image
+    value: true
+  - name: build-image-index
+    value: true
   - name: build-platforms
     value:
-    - linux-extra-fast/amd64
+    - linux/x86_64
+    - linux-m2xlarge/arm64
+    - linux/ppc64le
   pipelineRef:
     resolver: git
     params:
     - name: url
-      value: https://github.com/opendatahub-io/odh-konflux-central.git
+      value: https://github.com/red-hat-data-services/konflux-central.git
     - name: revision
-      value: main
+      value: '{{ target_branch }}'
     - name: pathInRepo
-      value: pipeline/multi-arch-container-build.yaml
+      value: pipelines/multi-arch-container-build.yaml
   taskRunTemplate:
-    serviceAccountName: build-pipeline-mlflow
+    serviceAccountName: build-pipeline-mlflow-v3-4
   workspaces:
   - name: git-auth
     secret:

Dockerfile.konflux

@@ -9,26 +9,19 @@ ENV MLFLOW_ENABLE_AI_GATEWAY=false
 RUN yarn install --silent \
     && NODE_OPTIONS="--max_old_space_size=4096" yarn build
 
-FROM registry.access.redhat.com/ubi9/python-311@sha256:bb09d55bce99b839b0df565ab9e244cdc545037e612dad388569016137367cab AS python-builder
+FROM registry.access.redhat.com/ubi9/python-312:9.7@sha256:bcdbab62d80f7dd88b4c2ce69a5cf8e9e1e367ac39b2e5d7f5d3f532d936ec80 AS python-builder
 WORKDIR /src
 USER 0
-COPY --chown=1001:0 . .
-RUN set -eux; \
-    python -m pip install --no-cache-dir build; \
-    cp pyproject.release.toml pyproject.toml; \
-    python -m build --wheel --outdir /tmp/dist libs/tracing; \
-    python -m build --wheel --outdir /tmp/dist libs/skinny; \
-    python -m build --wheel --outdir /tmp/dist; \
+COPY --chown=1001:0 kubernetes-workspace-provider/ kubernetes-workspace-provider/
+# Unset Cachi2 pip overrides (auto-injected by Konflux) so we can
+# fetch from the AIPCC Python package index.
+RUN unset PIP_NO_INDEX PIP_FIND_LINKS && \
+    python -m pip install --no-cache-dir \
+        --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4-EA1/cpu-ubi9-test/simple \
+        build && \
     python -m build --wheel --outdir /tmp/dist kubernetes-workspace-provider
 
-FROM registry.access.redhat.com/ubi9/python-311@sha256:bb09d55bce99b839b0df565ab9e244cdc545037e612dad388569016137367cab
-# Build cryptography from source against the system OpenSSL for FIPS compliance.
-# The pip manylinux wheel bundles its own non-FIPS OpenSSL, so we must compile
-# from source with OPENSSL_NO_VENDOR=1 to link against the system library.
-RUN set -eux; \
-    dnf install -y --setopt=tsflags=nodocs openssl-devel cargo rust gcc python3.11-devel && \
-    OPENSSL_NO_VENDOR=1 python -m pip wheel --no-cache-dir --no-binary cryptography "cryptography>=43.0.0,<47" -w /tmp/dist && \
-    dnf clean all
+FROM registry.access.redhat.com/ubi9/python-312:9.7@sha256:bcdbab62d80f7dd88b4c2ce69a5cf8e9e1e367ac39b2e5d7f5d3f532d936ec80
 ENV PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
     MLFLOW_DISABLE_TELEMETRY=true \
@@ -39,26 +32,23 @@ WORKDIR /app
 
 USER 0
 COPY --from=python-builder /tmp/dist/ /tmp/dist/
+COPY requirements/konflux.txt /tmp/konflux.txt
+COPY requirements/konflux-extra.txt /tmp/konflux-extra.txt
+# Unset Cachi2 pip overrides (auto-injected by Konflux) so we can
+# fetch from the AIPCC Python package index first, then re-source
+# cachi2.env for the hermetically prefetched extra packages.
 RUN set -eux; \
-    dnf install -y --setopt=tsflags=nodocs postgresql-devel gcc python3.11-devel && \
-    python -m pip install --no-cache-dir /tmp/dist/mlflow*.whl && \
-    python -m pip install --no-cache-dir --force-reinstall /tmp/dist/cryptography-*.whl && \
-    python -m pip install --no-cache-dir boto3 psycopg2 prometheus-flask-exporter && \
+    dnf install -y --setopt=tsflags=nodocs postgresql-devel gcc python3.12-devel openblas-threads && \
+    unset PIP_NO_INDEX PIP_FIND_LINKS && \
+    python -m pip install --no-cache-dir \
+        --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4-EA1/cpu-ubi9-test/simple \
+        setuptools -r /tmp/konflux.txt && \
+    if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
+    python -m pip install --no-cache-dir --no-deps --no-build-isolation --require-hashes \
+        -r /tmp/konflux-extra.txt && \
+    python -m pip install --no-cache-dir --no-deps /tmp/dist/mlflow_kubernetes_workspace_provider-*.whl && \
     dnf clean all && \
-    rm -rf /tmp/dist
-
-# FIPS compliance: verify the cryptography package uses the system OpenSSL
-# rather than a bundled copy. The system OpenSSL on UBI 9 is FIPS-validated
-# and will operate in FIPS mode when the host kernel has FIPS enabled.
-RUN set -eux; \
-    sys_openssl=$(openssl version | awk '{print $1, $2, $3, $4, $5}'); \
-    py_openssl=$(python -c "from cryptography.hazmat.backends.openssl.backend import backend; print(backend.openssl_version_text())"); \
-    echo "System OpenSSL:      ${sys_openssl}"; \
-    echo "cryptography OpenSSL: ${py_openssl}"; \
-    [ "${sys_openssl}" = "${py_openssl}" ] || { \
-        echo "FIPS ERROR: cryptography is not using the system OpenSSL"; \
-        exit 1; \
-    }
+    rm -rf /tmp/dist /tmp/konflux.txt /tmp/konflux-extra.txt
 
 # Copy built UI from builder stage
 COPY --from=ui-builder /opt/app-root/src/build /tmp/mlflow-ui-build

requirements/konflux-extra.in

@@ -0,0 +1,17 @@
+# Packages NOT available on the AIPCC Python package index that are
+# needed in the Konflux (RHOAI) container build. These are prefetched
+# hermetically by Cachi2 during the Konflux pipeline.
+#
+# All transitive dependencies of these packages are already satisfied by
+# the AIPCC Python package index (requirements/konflux.txt), so only these two
+# packages themselves need to be listed here.
+#
+# To regenerate the lock file (requirements/konflux-extra.txt), run:
+#
+#   uv pip compile requirements/konflux-extra.in \
+#     --python-platform linux --python-version 3.12 \
+#     --no-deps --generate-hashes \
+#     -o requirements/konflux-extra.txt
+
+psycopg2
+prometheus-flask-exporter

requirements/konflux-extra.txt

@@ -0,0 +1,15 @@
+# This file was autogenerated by uv via the following command:
+#    uv pip compile requirements/konflux-extra.in --python-platform linux --python-version 3.12 --no-deps --generate-hashes -o requirements/konflux-extra.txt
+prometheus-flask-exporter==0.23.2 \
+    --hash=sha256:41fc9bbd7d48cc958ed8384aacf60c3621d9e903768be61c4e7f0c63872eaf1a \
+    --hash=sha256:94922a636d4c1d8b68e1ee605c30a23e9bbb0b21756df8222aa919634871784c
+    # via -r requirements/konflux-extra.in
+psycopg2==2.9.11 \
+    --hash=sha256:103e857f46bb76908768ead4e2d0ba1d1a130e7b8ed77d3ae91e8b33481813e8 \
+    --hash=sha256:210daed32e18f35e3140a1ebe059ac29209dd96468f2f7559aa59f75ee82a5cb \
+    --hash=sha256:6ecddcf573777536bddfefaea8079ce959287798c8f5804bee6933635d538924 \
+    --hash=sha256:8dc379166b5b7d5ea66dcebf433011dfc51a7bb8a5fc12367fa05668e5fc53c8 \
+    --hash=sha256:964d31caf728e217c697ff77ea69c2ba0865fa41ec20bb00f0977e62fdcc52e3 \
+    --hash=sha256:e03e4a6dbe87ff81540b434f2e5dc2bddad10296db5eea7bdc995bf5f4162938 \
+    --hash=sha256:f10a48acba5fe6e312b891f290b4d2ca595fc9a06850fe53320beac353575578
+    # via -r requirements/konflux-extra.in

requirements/konflux.in

@@ -0,0 +1,24 @@
+# Top-level requirements for the Konflux (RHOAI) container build.
+#
+# To regenerate the lock file (requirements.konflux.txt), run:
+#
+#   uv pip compile requirements/konflux.in \
+#     --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4-EA1/cpu-ubi9-test/simple \
+#     --python-platform linux --python-version 3.12 \
+#     --prerelease=allow --generate-hashes \
+#     -o requirements/konflux.txt
+#
+# Note: mlflow-kubernetes-workspace-provider is installed separately from the
+# repo (not from the package index). Its dependencies (mlflow, kubernetes,
+# graphql-core) are satisfied by the packages listed here.
+#
+# Packages not on the AIPCC Python package index (psycopg2, prometheus-flask-exporter)
+# are installed separately in the Dockerfile.
+
+mlflow==3.10.0rc0+rhai1
+boto3
+prometheus-client
+
+# Cross-arch constraints: pin packages to versions available on all target
+# architectures (aarch64, ppc64le, s390x, x86_64) on the AIPCC index.
+pyarrow<23.0.1