25 changes: 25 additions & 0 deletions konflux.Dockerfile
@@ -0,0 +1,25 @@
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
COPY . .
WORKDIR $APP_ROOT/app/
COPY go.mod go.mod
COPY go.sum go.sum
RUN go mod download
COPY cmd/main.go cmd/main.go
COPY api/ api/
COPY internal/ internal/
ENV BUILDTAGS strictfipsruntime
ENV GOEXPERIMENT strictfipsruntime
RUN CGO_ENABLED=1 GOOS=linux go build -tags "$BUILDTAGS" -mod=mod -a -o manager cmd/main.go

FROM registry.redhat.io/ubi9/ubi:latest

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is Red Hat’s recommended immutable reference format for registry.redhat.io/ubi9/ubi in Dockerfiles (tag vs digest), and what is the current supported digest to pin for reproducible builds?

💡 Result:

Recommended immutable reference format (tag vs digest)

Red Hat recommends pinning images by digest (not just a tag) for reproducible builds, ideally using the “Manifest List Digest (Recommended)” so the correct architecture is selected automatically. In a Dockerfile that looks like:

FROM registry.redhat.io/ubi9/ubi@sha256:<manifest-list-digest>
# (optionally) FROM registry.redhat.io/ubi9/ubi:9.7@sha256:<manifest-list-digest>  # tag for readability

Tags (including latest) are mutable, while digest references are immutable and make builds reproducible. [1][2]

Current digest to pin (for reproducible builds)

If you are building linux/amd64, the current digest corresponding to the current 9.7 / latest UBI 9 image is:

sha256:f09be5a4b3eed653eb88eb4d9f936823522d89947baab4aca6fadd543d857abb

(That is the digest shown for redhat/ubi9:9.7 / redhat/ubi9:latest on Docker Hub, which tracks the same UBI 9 content stream.) [3]

To pin the multi-arch manifest list digest specifically (Red Hat’s preferred “Manifest List Digest (Recommended)”), copy it from the UBI 9 entry in the Red Hat Ecosystem Catalog under Image identifiers → Manifest List Digest (Recommended). [2]

Sources:
[1] Red Hat Developer – How to name, version, and reference container images (digest vs tag mutability/reproducibility)
[2] Red Hat Ecosystem Catalog – UBI 9 image page (recommends “Manifest List Digest (Recommended)”)
[3] Docker Hub – redhat/ubi9:9.7 layer details page (digest value in the image reference)


Pin runtime base image to an immutable reference.

Line 14 uses ubi:latest, which is mutable and makes builds non-reproducible, potentially introducing unreviewed runtime changes. Use a digest-based pinning strategy instead.

Obtain the Manifest List Digest (Recommended) from the Red Hat Ecosystem Catalog entry for UBI 9, then update to:

-FROM registry.redhat.io/ubi9/ubi:latest
+FROM registry.redhat.io/ubi9/ubi@sha256:<manifest-list-digest>

Optionally include the tag for readability: FROM registry.redhat.io/ubi9/ubi:9.7@sha256:<manifest-list-digest>

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@konflux.Dockerfile` at line 14, Replace the mutable base image reference
"FROM registry.redhat.io/ubi9/ubi:latest" with a digest-pinned immutable
reference; obtain the Manifest List Digest for UBI 9 from the Red Hat Ecosystem
Catalog and update the FROM line to use the digest form (e.g. "FROM
registry.redhat.io/ubi9/ubi:9.7@sha256:<manifest-list-digest>" or at minimum
"FROM registry.redhat.io/ubi9/ubi@sha256:<manifest-list-digest>") so builds are
reproducible.
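The tag-versus-digest check the comment asks for can be automated in CI. What follows is an added example in POSIX shell, not code from the PR or from migtools/oadp-non-admin: `unpinned_from` reports every FROM line whose reference carries no `@sha256:` digest (references to stage aliases declared with AS are skipped), and `pin_from` rewrites one reference into its digest-pinned form after validating the digest's shape. The sample Dockerfile and the placeholder digest are constructed for the example; a real manifest-list digest comes from the Red Hat Ecosystem Catalog entry the comment points to, or from `skopeo inspect --raw docker://<ref> | sha256sum` run against the registry.

```shell
#!/bin/sh
# Added example (not from the PR or the oadp-non-admin project): lint a
# Dockerfile for FROM lines that are not pinned by digest, and rewrite one
# reference into the tag@digest form. Samples below are constructed.

# Print "file:line: FROM ..." for each FROM whose image reference has no
# @sha256:<64 hex> digest. "FROM --platform=..." flags are skipped, stage
# aliases (FROM x AS name, later FROM name) are ignored, and "FROM $BASE"
# style references are reported because they cannot be checked statically.
unpinned_from() {
  awk '
    function pinned(r,   p, h) {
      p = index(r, "@sha256:")
      if (p == 0) return 0
      h = substr(r, p + 8)            # "@sha256:" is 8 characters long
      return (length(h) == 64 && h ~ /^[0-9a-f]+$/)
    }
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++      # skip --platform and similar
      ref = $i
      if (toupper($(i + 1)) == "AS") aliases[$(i + 2)] = 1
      if (ref in aliases) next               # FROM <stage-alias>
      if (!pinned(ref)) print FILENAME ":" NR ": " $0
    }
  ' "$1"
}

# pin_from DOCKERFILE OLD_REF NEW_REF
# Replace OLD_REF with NEW_REF on FROM lines, refusing a NEW_REF that does
# not end in a well-formed @sha256 digest. Output goes to stdout; the
# edited line is rebuilt by awk with single spaces between its fields.
pin_from() {
  dockerfile="$1"; old="$2"; new="$3"
  if ! printf '%s\n' "$new" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
    echo "pin_from: refusing reference without a full sha256 digest: $new" >&2
    return 1
  fi
  awk -v old="$old" -v new="$new" '
    toupper($1) == "FROM" {
      for (i = 2; i <= NF; i++) if ($i == old) { $i = new; break }
    }
    { print }
  ' "$dockerfile"
}

# --- demonstration on a constructed sample modelled on the diff ------------
# Placeholder digest of the right shape; NOT a real UBI digest.
PLACEHOLDER=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE=$(mktemp)
PINNED=$(mktemp)
cat >"$SAMPLE" <<'EOF'
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
WORKDIR /opt/app-root/app/
RUN go build -o manager cmd/main.go

FROM registry.redhat.io/ubi9/ubi:latest
COPY --from=builder /opt/app-root/app/manager /manager
USER 65532:65532
ENTRYPOINT ["/manager"]
EOF

echo "== unpinned before =="
unpinned_from "$SAMPLE"          # both FROM lines are reported
pin_from "$SAMPLE" 'registry.redhat.io/ubi9/ubi:latest' \
  "registry.redhat.io/ubi9/ubi:9.7@$PLACEHOLDER" >"$PINNED"
echo "== unpinned after pinning the runtime base =="
unpinned_from "$PINNED"          # only the builder tag is left
rm -f "$SAMPLE" "$PINNED"
```

Running `unpinned_from` over every Dockerfile in a repository as a CI gate catches regressions when someone later edits a FROM line back to a bare tag; the builder image in the sample stays on the list on purpose, since its `rhel_9_golang_1.25` tag is just as mutable as `latest`.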

COPY --from=builder $APP_ROOT/app/manager /manager

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Verify APP_ROOT usage/definition around stage boundaries.
rg -n -C2 '^(FROM|ARG APP_ROOT|ENV APP_ROOT|WORKDIR|COPY --from=builder .*APP_ROOT)' konflux.Dockerfile

Repository: migtools/oadp-non-admin

Length of output: 461


🏁 Script executed:

rg -i 'APP_ROOT' --type docker --type sh --type makefile --type yaml

Repository: migtools/oadp-non-admin

Length of output: 99


🏁 Script executed:

fd -type f -name "Dockerfile*" -o -name "*.dockerfile" | head -20

Repository: migtools/oadp-non-admin

Length of output: 237


🏁 Script executed:

rg 'APP_ROOT' .

Repository: migtools/oadp-non-admin

Length of output: 182


🏁 Script executed:

fd -name '*[Dd]ockerfile*'

Repository: migtools/oadp-non-admin

Length of output: 297


🏁 Script executed:

fd 'Dockerfile'

Repository: migtools/oadp-non-admin

Length of output: 96


🏁 Script executed:

find . -type f \( -name "*.yml" -o -name "*.yaml" \) | head -20

Repository: migtools/oadp-non-admin

Length of output: 926


🏁 Script executed:

cat -n konflux.Dockerfile

Repository: migtools/oadp-non-admin

Length of output: 1067


🏁 Script executed:

cat -n Dockerfile | head -40

Repository: migtools/oadp-non-admin

Length of output: 1604


🏁 Script executed:

rg 'build' .github/workflows/ci.yml -A 3 -B 3

Repository: migtools/oadp-non-admin

Length of output: 251


Declare APP_ROOT as an ARG in both stages to avoid undefined variable expansion.

Lines 3 and 15 reference $APP_ROOT without declaring it anywhere in the Dockerfile. The builder image may define this internally, but it won't be available in child stages unless explicitly declared with ARG. This can lead to broken paths during build.

Proposed fix
+ARG APP_ROOT=/opt/app-root
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
-COPY . .
-WORKDIR $APP_ROOT/app/
+WORKDIR ${APP_ROOT}/app/
 COPY go.mod go.mod
 COPY go.sum go.sum
 RUN go mod download
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY internal/ internal/
 ENV BUILDTAGS strictfipsruntime
 ENV GOEXPERIMENT strictfipsruntime
 RUN CGO_ENABLED=1 GOOS=linux go build -tags "$BUILDTAGS" -mod=mod -a -o manager cmd/main.go
 
 FROM registry.redhat.io/ubi9/ubi:latest
+ARG APP_ROOT=/opt/app-root
-COPY --from=builder $APP_ROOT/app/manager /manager
+COPY --from=builder ${APP_ROOT}/app/manager /manager
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@konflux.Dockerfile` at line 15, The Dockerfile uses the build-time variable
APP_ROOT in multiple stages (e.g., COPY --from=builder $APP_ROOT/app/manager
/manager) but never declares it as an ARG; declare ARG APP_ROOT in both the
builder stage and the final stage (before referencing it and before any FROM
that needs it) so the variable is available during multi-stage builds, ensuring
the COPY lines like COPY --from=builder $APP_ROOT/app/manager /manager resolve
correctly.
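A check for the undeclared-variable problem the comment describes, as an added example in POSIX shell that is not part of the PR or of migtools/oadp-non-admin: `undeclared_vars` walks the stages of a Dockerfile and reports `$VAR` and `${VAR}` references that neither a global ARG (before the first FROM) nor an ARG/ENV in the same stage declares. Such a reference resolves only if the stage's base image happens to export the variable as ENV, which is the silent dependency the comment points at. The sample Dockerfile is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the PR or the oadp-non-admin project): report
# variable references in a Dockerfile that no ARG/ENV in scope declares.
# Scope rules applied: ARG before the first FROM is global; ARG and ENV
# inside a stage apply to that stage only; a new FROM starts a new stage.
# Limitations: "\$" escapes are not recognised, and variables that a base
# image sets as ENV are reported on purpose (that is the dependency to
# make explicit).
undeclared_vars() {
  awk '
    function declare(name,   k) { k = stage "\t" name; declared[k] = 1 }
    function is_declared(name,   g, s) {
      g = "0\t" name; s = stage "\t" name
      return (g in declared) || (s in declared)
    }
    BEGIN { stage = 0 }
    toupper($1) == "FROM" { stage++ }
    toupper($1) == "ARG" || toupper($1) == "ENV" {
      # ARG NAME[=default]   ENV NAME=value [NAME=value ...]   ENV NAME value
      for (i = 2; i <= NF; i++) {
        if (toupper($1) == "ENV" && i > 2 && index($2, "=") == 0) break
        split($i, kv, "=")
        declare(kv[1])
      }
      next
    }
    {
      line = $0
      while (match(line, /[$][{]?[A-Za-z_][A-Za-z0-9_]*/)) {
        name = substr(line, RSTART + 1, RLENGTH - 1)   # drop the "$"
        sub(/^\{/, "", name)                            # drop a leading "{"
        if (!is_declared(name))
          print FILENAME ":" NR ": $" name " not declared in stage " stage
        line = substr(line, RSTART + RLENGTH)
      }
    }
  ' "$1"
}

# --- demonstration on a constructed sample modelled on the diff ------------
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
WORKDIR $APP_ROOT/app/
ENV BUILDTAGS strictfipsruntime
RUN CGO_ENABLED=1 go build -tags "$BUILDTAGS" -o manager cmd/main.go

FROM registry.redhat.io/ubi9/ubi:latest
COPY --from=builder $APP_ROOT/app/manager /manager
EOF

echo "== before: APP_ROOT is reported in both stages =="
undeclared_vars "$SAMPLE"

# Same file with a global ARG pulled into each stage, as the comment proposes.
FIXED=$(mktemp)
{ echo 'ARG APP_ROOT=/opt/app-root'
  awk 'toupper($1) == "FROM" { print; print "ARG APP_ROOT"; next } { print }' "$SAMPLE"
} >"$FIXED"
echo "== after: nothing reported =="
undeclared_vars "$FIXED"
rm -f "$SAMPLE" "$FIXED"
```

One caveat worth keeping in mind when applying the ARG fix: if the builder image already sets APP_ROOT as ENV, an ARG of the same name inside that stage is shadowed by the ENV value (ENV always takes precedence over an ARG of the same name), so the ARG there documents the dependency rather than overriding the image's path; in the ubi9 runtime stage, where no such ENV exists, the ARG is what makes `COPY --from=builder ${APP_ROOT}/app/manager` resolve.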


USER 65532:65532

ENTRYPOINT ["/manager"]

LABEL description="OpenShift API for Data Protection - Non-Admin"
LABEL io.k8s.description="OpenShift API for Data Protection - Non-Admin"
LABEL io.k8s.display-name="OADP Non-Admin"
LABEL io.openshift.tags="migration"
LABEL summary="OpenShift API for Data Protection - Non-Admin"
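Review bot: `COPY . .` on the line right after the builder `FROM` copies the whole build context into the builder's default working directory before `WORKDIR $APP_ROOT/app/` switches directories, so the selective `COPY go.mod`, `COPY go.sum`, `COPY cmd/main.go`, `COPY api/`, `COPY internal/` lines that follow copy everything a second time, and the `RUN go mod download` layer is invalidated by any change anywhere in the repository rather than only by go.mod/go.sum changes; drop `COPY . .` and add a `.dockerignore` so `.git` and local artifacts never enter the context. On the `go build` line, `-mod=mod` lets the build update go.mod and go.sum on the fly, so a dependency that drifts from the committed go.sum is resolved silently instead of failing the build; prefer the default `-mod=readonly` (or `-mod=vendor`). Because `CGO_ENABLED=1` together with `GOEXPERIMENT=strictfipsruntime` produces a binary dynamically linked against the system crypto library, it is worth checking (for example `ldd /manager` in the final image) that the runtime base ships those shared libraries, which becomes important if `ubi9/ubi` is later swapped for a slimmer UBI variant. Finally, the builder reference `openshift-golang-builder:rhel_9_golang_1.25` is a mutable tag just like the runtime `ubi:latest`, so pin it by digest as well.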