HOSTEDCP-1079: RHTAP HO Containerfile

This adds a containerfile for RHTAP to build the HyperShift Operator. It is based on ubi 9 and on the 1.19 Go toolset (both rhel9) Signed-off-by: Antoni Segura Puimedon <antoni@redhat.com>
openshift · Jul 28, 2023 · 2541138 · 2541138
1 parent c5e8fa6
commit 2541138
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 3 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,5 @@
+bin/
+.github/
+.tekton/
+.ci-operator.yaml
+.ko.yaml
diff --git a/.gitignore b/.gitignore
@@ -28,7 +28,7 @@ tools/bin
 
 .kube
 /kubeconfig
-.dockerignore
+vendor/**/.dockerignore
 .docker
 
 # ignore util binaries

diff --git a/.tekton/hypershift-operator-main-pull-request.yaml b/.tekton/hypershift-operator-main-pull-request.yaml
@@ -19,7 +19,7 @@ metadata:
 spec:
   params:
   - name: dockerfile
-    value: Dockerfile
+    value: Containerfile.operator
   - name: git-url
     value: '{{repo_url}}'
   - name: image-expires-after

diff --git a/.tekton/hypershift-operator-main-push.yaml b/.tekton/hypershift-operator-main-push.yaml
@@ -18,7 +18,7 @@ metadata:
 spec:
   params:
   - name: dockerfile
-    value: Dockerfile
+    value: Containerfile.operator
   - name: git-url
     value: '{{repo_url}}'
   - name: output-image

diff --git a/Containerfile.operator b/Containerfile.operator
@@ -0,0 +1,42 @@
+FROM registry.access.redhat.com/ubi9/go-toolset:1.19 as builder
+
+COPY . .
+
+# Go toolset runs as user default(1001) with group root. To be able to build in
+# rootless mode as podman and ocp do, it is necessary to give permissions for
+# file creation to the root group, of which the user default is a member.
+#
+# Due to CVE-2022-24765, git refuses actions on .git repository it does not own
+# Since the COPY command leaves the owner as root but the build is done as the
+# default user, we need to set the global git config to consier the working
+# directory as a safe one
+RUN chmod g+w . && \
+  git config --global --add safe.directory "$PWD" && \
+  make build
+
+FROM registry.access.redhat.com/ubi9-minimal:9.2
+COPY --from=builder \
+  /opt/app-root/src/bin/hypershift \
+  /opt/app-root/src/bin/hcp \
+  /opt/app-root/src/bin/hypershift-operator \
+  /opt/app-root/src/bin/control-plane-operator \
+  /usr/bin/
+
+RUN cd /usr/bin && \
+  ln -s control-plane-operator ignition-server && \
+  ln -s control-plane-operator konnectivity-socks5-proxy && \
+  ln -s control-plane-operator availability-prober && \
+  ln -s control-plane-operator token-minter
+
+ENTRYPOINT ["/usr/bin/hypershift"]
+
+LABEL io.openshift.hypershift.control-plane-operator-subcommands=true
+LABEL io.openshift.hypershift.control-plane-operator-skips-haproxy=true
+LABEL io.openshift.hypershift.ignition-server-healthz-handler=true
+LABEL io.openshift.hypershift.control-plane-operator-manages-ignition-server=true
+LABEL io.openshift.hypershift.control-plane-operator-manages.cluster-machine-approver=true
+LABEL io.openshift.hypershift.control-plane-operator-manages.cluster-autoscaler=true
+LABEL io.openshift.hypershift.control-plane-operator-manages.decompress-decode-config=true
+LABEL io.openshift.hypershift.control-plane-operator-creates-aws-sg=true
+LABEL io.openshift.hypershift.control-plane-operator-applies-management-kas-network-policy-label=true
+LABEL io.openshift.hypershift.restricted-psa=true