build under konflux (first approach)

[rauhersu]

Summary by CodeRabbit

• New Features
  • Introduced a containerized build and runtime setup that streamlines deployment and enhances performance for container-based environments.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rauhersu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rauhersu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

This pull request adds a new Dockerfile at .konflux/Dockerfile that defines a multi-stage build for a Rust application named recert. The build stage uses a RHEL base image to set up the required environment, register the system with subscription details from provided files, install the Rust toolset and protobuf compiler, and compile the application in release mode. The runtime stage uses a minimal RHEL image, installs the openssh-clients package, transfers the recert binary from the build stage, and sets it as the container's entry point.

Changes

File Path	Change Summary
.konflux/Dockerfile	Introduces a multi-stage Docker build. In the build stage, it registers with Red Hat subscription, installs Rust and protobuf, and compiles recert. In the runtime stage, it sets up a minimal RHEL image, installs openssh-clients, copies the compiled binary, and sets the entry point to recert.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Build as Build Stage (RHEL)
    participant Runtime as Runtime Stage (Minimal RHEL)
    
    Dev->>Build: Initiate Docker build process
    Build->>Build: Set working directory and copy source files
    Build->>Build: Register system (subscription via org and key files)
    Build->>Build: Install Rust toolset and protobuf compiler
    Build->>Build: Compile `recert` in release mode
    Build->>Runtime: Transfer the compiled `recert` binary
    Runtime->>Runtime: Install openssh-clients package
    Runtime->>Runtime: Set working directory and place `recert` at /usr/local/bin
    Runtime->>Dev: Set container entrypoint to `recert` binary

Loading

Suggested labels

lgtm

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.konflux/Dockerfile.konflux (2)

3-3: Absolute WORKDIR Path for Build Stage

The WORKDIR app directive should specify an absolute path to ensure clarity and consistency with Docker best practices (as noted by Hadolint DL3000). Consider updating it to:

- WORKDIR app
+ WORKDIR /app

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 3-3: Use absolute WORKDIR

(DL3000)

---

19-19: Absolute WORKDIR Path for Runtime Stage

Similar to the build stage, the WORKDIR app in the runtime stage should be an absolute path for clarity and to adhere to Docker best practices. Update it to:

- WORKDIR app
+ WORKDIR /app

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 19-19: Use absolute WORKDIR

(DL3000)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0587575 and 11bf409.

📒 Files selected for processing (1)

• .konflux/Dockerfile.konflux (1 hunks)

🧰 Additional context used

🪛 Hadolint (2.12.0)

.konflux/Dockerfile.konflux

[error] 3-3: Use absolute WORKDIR

(DL3000)

---

[error] 19-19: Use absolute WORKDIR

(DL3000)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build

🔇 Additional comments (4)

.konflux/Dockerfile.konflux (4)

6-7: Verify Subscription Manager Usage

The commands for registering the system and disabling repositories are structured correctly. Ensure that the key files (/activation-key/org and /activation-key/activationkey) exist at runtime in the build context to prevent registration failures.

---

8-10: Efficient Package Installation

The approach to define the PKGS variable and install the Rust toolset and protobuf compiler in one RUN statement is efficient. The subsequent clean-up of the package cache is also appropriate to minimize the image size.

---

11-11: Proper Build Command for Rust Application

The command cargo build --release --bin recert follows best practices for building a release binary. This ensures that the final binary is optimized for production.

---

20-21: Correct Binary Placement and Entry Point

The binary is correctly copied from the build stage to /usr/local/bin and the ENTRYPOINT is properly set to execute the recert binary.

[rauhersu]

/assign @fontivan

For lgtm

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.konflux/Dockerfile (3)

3-3: Use an Absolute WORKDIR in the Build Stage

Hadolint [DL3000] recommends using an absolute path for WORKDIR. Update this line from:

- WORKDIR app
+ WORKDIR /app

This change improves clarity and aligns with Docker best practices.

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 3-3: Use absolute WORKDIR

(DL3000)

---

6-7: Secure Subscription Registration Handling

The RUN command that registers the system using output from files (/activation-key/org and /activation-key/activationkey) could expose sensitive details if not managed securely. Please verify that these files are secured and consider using Docker build secrets if appropriate.

---

19-19: Use an Absolute WORKDIR in the Runtime Stage

Hadolint again flags the relative WORKDIR usage. Please change:

- WORKDIR app
+ WORKDIR /app

This ensures consistency and clarity in the container’s filesystem layout.

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 19-19: Use absolute WORKDIR

(DL3000)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 11bf409 and 4efdaf6.

📒 Files selected for processing (1)

• .konflux/Dockerfile (1 hunks)

🧰 Additional context used

🪛 Hadolint (2.12.0)

.konflux/Dockerfile

[error] 3-3: Use absolute WORKDIR

(DL3000)

---

[error] 19-19: Use absolute WORKDIR

(DL3000)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build

🔇 Additional comments (4)

.konflux/Dockerfile (4)

8-10: Verify Package Installation Requirements

The commands installing rust-toolset and protobuf-compiler look correct. Just ensure that the package versions meet your security and compatibility requirements. If specific versions are needed, consider pinning them.

---

11-11: Cargo Build Command Validation

The cargo build command is straightforward and correctly builds the recert binary. Confirm that any necessary build flags or environment variables (if needed) are configured elsewhere.

---

14-17: Runtime Stage Setup is Solid

The runtime stage appropriately uses a minimal RHEL image and installs openssh-clients via microdnf. This setup is efficient for production use. Ensure that the OpenSSH client configuration aligns with your security guidelines.

---

20-21: Binary Placement and Entrypoint Configuration

Copying the compiled recert binary to /usr/local/bin and setting it as the entry point is a best practice for containerized applications. No changes are necessary here.

[rauhersu]

/retest-required

[mresvanis]

/override ci/prow/e2e-aws-ovn-single-node-recert-parallel ci/prow/e2e-aws-ovn-single-node-recert-serial

[openshift-ci]

@mresvanis: Overrode contexts on behalf of mresvanis: ci/prow/e2e-aws-ovn-single-node-recert-parallel, ci/prow/e2e-aws-ovn-single-node-recert-serial

Details

In response to this:

/override ci/prow/e2e-aws-ovn-single-node-recert-parallel ci/prow/e2e-aws-ovn-single-node-recert-serial

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[fontivan]

/lgtm