
first pass at konflux.dockerfile#67

Open
weshayutin wants to merge 1 commit into migtools:oadp-dev from weshayutin:konfluxdockerfile16

Conversation

@weshayutin
Collaborator

@weshayutin weshayutin commented Mar 17, 2026

whayutin@fedora:~/OPENSHIFT/git/OADP/oadp-vm-file-restore$ podman build -f konflux.Dockerfile 
[1/2] STEP 1/12: FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
[1/2] STEP 2/12: COPY . .
--> 8bab5a95fae9
[1/2] STEP 3/12: WORKDIR $APP_ROOT/app/
--> 4ee3398914b0
[1/2] STEP 4/12: COPY go.mod go.mod
--> fa5cd7a22eef
[1/2] STEP 5/12: COPY go.sum go.sum
--> b9c9066dd4a1
[1/2] STEP 6/12: RUN go mod download
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: assessment: CGO_ENABLED=1
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: assessment: dynamic linking
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: skipping forced compliance due to broad exemption
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: EXEMPT: 1


Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: final command line arguments: "mod" "download" 

Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: invoking real go binary
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: Exited with: 0
--> 53bc2a7d7991
[1/2] STEP 7/12: COPY cmd/main.go cmd/main.go
--> 6dd805feb5d0
[1/2] STEP 8/12: COPY api/ api/
--> be12b598fe00
[1/2] STEP 9/12: COPY internal/ internal/
--> fb79d61d57e6
[1/2] STEP 10/12: ENV BUILDTAGS strictfipsruntime
--> defc70acbc53
[1/2] STEP 11/12: ENV GOEXPERIMENT strictfipsruntime
--> 705f2e566f13
[1/2] STEP 12/12: RUN CGO_ENABLED=1 GOOS=linux go build -tags "$BUILDTAGS" -mod=mod -a -o manager cmd/main.go
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: assessment: CGO_ENABLED=1
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: assessment: dynamic linking
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: skipping forced compliance due to broad exemption
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: EXEMPT: 1


Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: final command line arguments: "build" "-tags" "strictfipsruntime" "-mod=mod" "-a" "-o" "manager" "cmd/main.go" 

Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: invoking real go binary
Go compliance shim [1] [rhel-9-golang-1.25][openshift-golang-builder]: Exited with: 0
--> 454c4b557df9
[2/2] STEP 1/9: FROM registry.redhat.io/ubi9/ubi:latest
[2/2] STEP 2/9: COPY --from=builder $APP_ROOT/app/manager /manager
--> d2de065141da
[2/2] STEP 3/9: USER 65532:65532
--> 00bfe5249626
[2/2] STEP 4/9: ENTRYPOINT ["/manager"]
--> dc17eb40d452
[2/2] STEP 5/9: LABEL description="oadp-vmdp"
--> 6719ed0b2268
[2/2] STEP 6/9: LABEL io.k8s.description="oadp-vmdp"
--> 3c6a406cadd7
[2/2] STEP 7/9: LABEL io.k8s.display-name="oadp-vmdp"
--> 14d73575bd25
[2/2] STEP 8/9: LABEL io.openshift.tags="migration"
--> f6af8f0612ba
[2/2] STEP 9/9: LABEL summary="oadp-vmdp"
[2/2] COMMIT
--> 690716460a11
690716460a11b28f281007093feebd1da40121ae2b47563d68debf87020c408d

Summary by CodeRabbit

  • Chores
    • Added optimized containerized build configuration with multi-stage compilation pattern and non-root user execution for enhanced deployment efficiency and security.

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
@openshift-ci

openshift-ci bot commented Mar 17, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai bot commented Mar 17, 2026

📝 Walkthrough

Walkthrough

A new multi-stage Dockerfile (konflux.Dockerfile) is introduced for building and containerizing a Go application. The build stage compiles the "manager" binary using Red Hat's OpenShift Golang builder image with CGO enabled and FIPS-strict runtime flags, while the runtime stage packages the binary into a minimal Red Hat UBI container running as user 65532:65532.

Changes

Cohort / File(s) Summary
Dockerfile Configuration
konflux.Dockerfile
New multi-stage Dockerfile with Go builder image (first stage) and Red Hat UBI runtime (second stage). Includes BUILDTAGS and GOEXPERIMENT (strictfipsruntime) configuration, user/port settings, and LABEL metadata for image description and Kubernetes/OpenShift descriptors.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

approved, lgtm

Suggested reviewers

  • kaovilai
  • shubham-pampattiwar

Poem

🐰 A new Dockerfile hops onto the stage,
Multi-stage builds from a builder's page,
Go binary compiled with strictness and care,
UBI runtime, lightweight and fair! 🎉

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'first pass at konflux.dockerfile' accurately describes the main change—introducing a new Dockerfile for Konflux builds—and reflects the developer's perspective on this initial implementation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@weshayutin
Collaborator Author

oops cp to oadp-1.6 :)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
konflux.Dockerfile (1)

2-9: Reorder copy steps to recover build cache efficiency.

Line 2 copies the full context too early, then Lines 4-9 copy files again. This invalidates go mod download caching on most source changes and adds unnecessary layer churn.

♻️ Suggested Dockerfile refactor
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
-COPY . .
 WORKDIR $APP_ROOT/app/
-COPY go.mod go.mod
-COPY go.sum go.sum
+COPY go.mod go.sum ./
 RUN go mod download
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY internal/ internal/
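Review bot: With the early `COPY . .` gone, the explicit COPY list (go.mod, go.sum, cmd/main.go, api/, internal/) becomes the only source the builder stage sees, so before merging this refactor confirm that `go build -tags "$BUILDTAGS" -mod=mod -a -o manager cmd/main.go` imports nothing outside api/ and internal/; otherwise the build that succeeded in the log above will fail with a missing package once the whole-context copy is removed. Merging the two module-file copies into `COPY go.mod go.sum ./` is correct only because WORKDIR now precedes it; in the original order `COPY . .` ran before WORKDIR and landed the whole repository in the builder image's default directory. Since the builder stage is not what ships, this is a cache and hygiene fix rather than a runtime exposure, but the narrower allowlist also keeps unreviewed files in the build context out of the compile step.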
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@konflux.Dockerfile` around lines 2 - 9, The Dockerfile copies the entire
context too early (COPY . .) which invalidates caching for the go mod download
layer; reorder steps to first set WORKDIR ($APP_ROOT/app/), copy only go.mod and
go.sum, run RUN go mod download, then copy the application source (COPY
cmd/main.go, COPY api/, COPY internal/, or a single COPY ./ ./) so that
dependency downloading is cached across most source changes and layer churn is
reduced; ensure APP_ROOT is used consistently and keep the dependency download
step immediately after copying only go.mod/go.sum and before copying project
sources.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@konflux.Dockerfile`:
- Line 14: Replace the mutable tag in the Dockerfile FROM line (currently "FROM
registry.redhat.io/ubi9/ubi:latest") with an immutable image digest (sha256) to
ensure reproducible builds; obtain the correct digest for the desired UBI9 image
from the registry (or via docker pull + inspect) and update the FROM instruction
to use the pinned form "registry.redhat.io/ubi9/ubi@sha256:<digest>" so the
build always uses the exact same image.

---

Nitpick comments:
In `@konflux.Dockerfile`:
- Around line 2-9: The Dockerfile copies the entire context too early (COPY . .)
which invalidates caching for the go mod download layer; reorder steps to first
set WORKDIR ($APP_ROOT/app/), copy only go.mod and go.sum, run RUN go mod
download, then copy the application source (COPY cmd/main.go, COPY api/, COPY
internal/, or a single COPY ./ ./) so that dependency downloading is cached
across most source changes and layer churn is reduced; ensure APP_ROOT is used
consistently and keep the dependency download step immediately after copying
only go.mod/go.sum and before copying project sources.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1aed1a05-b452-46e9-a7a2-91a3e1266d15

📥 Commits

Reviewing files that changed from the base of the PR and between ec97945 and 0448643.

📒 Files selected for processing (1)
  • konflux.Dockerfile

ENV GOEXPERIMENT strictfipsruntime
RUN CGO_ENABLED=1 GOOS=linux go build -tags "$BUILDTAGS" -mod=mod -a -o manager cmd/main.go

FROM registry.redhat.io/ubi9/ubi:latest


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is Red Hat’s recommended production practice for pinning registry.redhat.io/ubi9/ubi(mutable tags vs immutable digest), and which current UBI9 digest should be used instead of:latest?

💡 Result:

Recommended production practice (mutable tags vs. immutable digest)

  • Don’t pin production builds/deployments to mutable tags like :latest (or even :9.7, etc.) if you need repeatability—tags can be reassigned to newer image builds over time. Red Hat’s guidance is to use immutable digests when you need full control/reproducibility in production. [1]
  • Red Hat also recommends using fully-qualified image references (registry/namespace/name, plus an explicit tag or digest) rather than relying on defaults like :latest. [3]

Current UBI9 digest to use instead of registry.redhat.io/ubi9/ubi:latest

Use:

registry.redhat.io/ubi9/ubi@sha256:20f695d2a91352d4eaa25107535126727b5945bff38ed36a3e59590f495046f0  [2]

Example:

FROM registry.redhat.io/ubi9/ubi@sha256:20f695d2a91352d4eaa25107535126727b5945bff38ed36a3e59590f495046f0

Sources: Red Hat Developer guidance on tags vs digests and production use [1]; Red Hat documentation example listing this UBI9 digest [2].

[1] (developers.redhat.com)
[2] (docs.redhat.com)
[3] (docs.redhat.com)


Replace mutable :latest tag with immutable digest for reproducible builds.

Using a mutable tag like :latest makes builds non-reproducible and can introduce unreviewed runtime changes. Red Hat's production guidance recommends pinning to an immutable digest instead.

🔒 Suggested hardening
-FROM registry.redhat.io/ubi9/ubi:latest
+FROM registry.redhat.io/ubi9/ubi@sha256:20f695d2a91352d4eaa25107535126727b5945bff38ed36a3e59590f495046f0
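Review bot: The digest on the `+` line comes from the web-query result above rather than from the registry, so resolve it yourself before committing (the prompt's own "docker pull + inspect", or `skopeo inspect` on `docker://registry.redhat.io/ubi9/ubi:latest`, and compare the reported digest) and note in the commit which UBI9 build it corresponds to; a digest pin also freezes the CVE fixes Red Hat ships under the moving tag, so it needs an automated bump process to stay current. The same mutable-tag concern applies to the builder stage, `brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25`, which this suggestion leaves unpinned even though it determines the Go toolchain and the FIPS-related build flags.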
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@konflux.Dockerfile` at line 14, Replace the mutable tag in the Dockerfile
FROM line (currently "FROM registry.redhat.io/ubi9/ubi:latest") with an
immutable image digest (sha256) to ensure reproducible builds; obtain the
correct digest for the desired UBI9 image from the registry (or via docker pull
+ inspect) and update the FROM instruction to use the pinned form
"registry.redhat.io/ubi9/ubi@sha256:<digest>" so the build always uses the exact
same image.
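A small static check for the two findings raised in this review (base images not pinned to a digest, and a whole-context COPY placed ahead of `go mod download`), added here as an example and not part of the PR or of CodeRabbit's output. The sample Dockerfile text is constructed from the build steps visible in the PR's podman log; the "fixed" variant and its all-zero sha256 digest are placeholders for illustration, not a real image reference.

```shell
#!/bin/sh
# Added example (not the project's code): static checks for the two review findings.

# Constructed sample reproducing the builder/runtime steps shown in the PR's build log.
SAMPLE_DOCKERFILE='FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
COPY . .
WORKDIR $APP_ROOT/app/
COPY go.mod go.mod
COPY go.sum go.sum
RUN go mod download
COPY cmd/main.go cmd/main.go
COPY api/ api/
COPY internal/ internal/
FROM registry.redhat.io/ubi9/ubi:latest
COPY --from=builder $APP_ROOT/app/manager /manager
USER 65532:65532'

# Constructed "fixed" variant: digest-pinned base (placeholder all-zero digest, not a
# real image) and the dependency download placed before the whole-context COPY.
FIXED_DOCKERFILE='FROM registry.redhat.io/ubi9/ubi@sha256:0000000000000000000000000000000000000000000000000000000000000000
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .'

# lint_from_lines FILE
# Prints one finding per FROM whose image reference carries no @sha256: digest.
# Bare names (a previous stage alias such as "builder") are not base images and are skipped.
# Returns 0 when every base image is pinned, 1 otherwise.
lint_from_lines() {
  rc=0
  while IFS= read -r line; do
    ref=$(printf '%s\n' "$line" | awk 'toupper($1) == "FROM" { print $2 }')
    [ -n "$ref" ] || continue
    case "$ref" in
      *@sha256:*) ;;                                            # pinned to an immutable digest
      */*|*:*)    printf 'unpinned base image: %s\n' "$ref"; rc=1 ;;
      *)          ;;                                            # stage alias, not a registry image
    esac
  done < "$1"
  return $rc
}

# lint_copy_order FILE
# Reports a whole-context COPY ("COPY . ." or "COPY ./ ./") that appears before the first
# "RUN ... go mod download", which invalidates the module-download layer on any source change.
# Returns 1 if such a COPY is found, 0 otherwise.
lint_copy_order() {
  awk '
    toupper($1) == "COPY" && NF == 3 && $2 ~ /^\.\/?$/ && $3 ~ /^\.\/?$/ && !seen_download {
      print "whole-context COPY before go mod download at line " NR; bad = 1
    }
    toupper($1) == "RUN" && /go mod download/ { seen_download = 1 }
    END { if (bad) exit 1; exit 0 }
  ' "$1"
}

# Stand-alone demo: lint the constructed sample, then the constructed fixed variant.
demo() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_DOCKERFILE" > "$f"
  echo "== as submitted =="
  lint_from_lines "$f" || :
  lint_copy_order "$f" || :
  printf '%s\n' "$FIXED_DOCKERFILE" > "$f"
  echo "== after pinning and reordering =="
  lint_from_lines "$f" && lint_copy_order "$f" && echo "no findings"
  rm -f "$f"
}
demo
```

The checks are deliberately offline: they never contact a registry, so resolving a tag to its actual digest (the `docker pull` plus inspect step the review prompt describes) stays a separate, manual or CI-side action. Run against the sample, the first lint flags both the builder image and the UBI9 runtime image, and the second flags line 2; against the reordered variant a trailing `COPY . .` after the download step is accepted, which is the "single COPY ./ ./" option the review prompt allows.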

@openshift-ci

openshift-ci bot commented Mar 17, 2026

@weshayutin: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images 0448643 link true /test images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
