ROX-33561: Migrate roxctl to ubi8-micro #19379
Codecov Report: all modified and coverable lines are covered by tests.

Coverage diff, master vs. #19379:

              master     #19379    +/-
Coverage      49.36%     49.37%
Files         2713       2713
Lines         204977     204977
Hits          101194     101204    +10
Misses        96250      96243     -7
Partials      7533       7530      -3
Images are ready for the commit at 56b0348. To use with deploy scripts, first
Migrate roxctl images from ubi8-minimal to ubi8-micro following the same best practices used for operator migration.

Changes to image/roxctl/Dockerfile:
- Change cert source from ubi8-minimal to ubi8-micro
- This is a simple change since it uses FROM scratch as final base

Changes to image/roxctl/konflux.Dockerfile:
- Add ubi-micro-base stage for reference and final image
- Add package_installer stage using ubi8/ubi with dnf (not ubi-minimal)
- CRITICAL: Preserve ubi-micro rpmdb by copying base to /out/ first
- Use dnf --installroot pattern for Konflux hermetic builds
- Install only ca-certificates (minimal runtime dependency)
- Consolidate all COPY commands to reduce layers (3→1)
- Remove manual rpm -e package cleanup (no longer needed)

This follows the migration guide recommendation (Step 1.2) to use ubi8/ubi (not ubi-minimal) as package_installer, which provides dnf without requiring workarounds.

Expected benefits:
- 65% smaller konflux image (~100 MB → ~35 MB)
- 33% fewer packages (~90 → ~60)
- Reduced attack surface
- Single-layer final image

Updated rpms.in.yaml with ca-certificates for Konflux prefetch (shared with operator migration).

User request: Migrate roxctl to ubi-micro (same as operator)

Code partially generated by AI (Claude)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
The ubi8-micro base image doesn't include extracted CA certificates at /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. This path exists in ubi8-minimal but not in ubi8-micro.

Solution: Use the same pattern as konflux.Dockerfile - add a package_installer stage that installs ca-certificates to /out/ using dnf --installroot. This generates the extracted CA bundle which is then copied to the final scratch image.

Build pattern:
1. ubi-micro-base: Reference ubi8-micro for rpmdb preservation
2. package_installer: Install ca-certificates to /out/
3. final (scratch): Copy roxctl + CA bundle

Tested locally - build succeeds and roxctl works correctly.

The ca-certificates package is already in rpms.in.yaml for Konflux builds.

Fixes build error: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem": not found

Related: https://issues.redhat.com/browse/ROX-33561

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
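The three-stage pattern the two commit messages above describe (a ubi-micro reference stage, a dnf --installroot install into /out/, a final image from scratch), written out as an added example. This is not the PR's own image/roxctl/konflux.Dockerfile or image/roxctl/Dockerfile. It assumes the registry.access.redhat.com/ubi8/ubi-micro and registry.access.redhat.com/ubi8/ubi image references with :latest tags, that the roxctl binary has already been built into image/bin/roxctl in the build context (the go-build step quoted later in this thread copies it there), and /usr/bin/roxctl as an illustrative install path. It also adds the build-time checks a reviewer would want for the two things the commits call out: the extracted CA bundle must exist, and the ubi-micro rpmdb must survive into /out/.

```dockerfile
# Added example, not the PR's Dockerfile. Assumed: the image references and
# :latest tags below, image/bin/roxctl present in the build context, and
# /usr/bin/roxctl as the install path.

# Stage 1: ubi8-micro is referenced only so that its filesystem, including the
# rpmdb under /var/lib/rpm, can be copied. Nothing runs in this stage; ubi-micro
# ships no package manager.
FROM registry.access.redhat.com/ubi8/ubi-micro:latest AS ubi-micro-base

# Stage 2: a full ubi8/ubi image provides dnf. The micro image is copied to
# /out/ BEFORE anything is installed, so dnf extends the existing rpmdb instead
# of creating a fresh one and image scanners still see the base packages.
FROM registry.access.redhat.com/ubi8/ubi:latest AS package_installer
COPY --from=ubi-micro-base / /out/

# With --installroot, dnf reads repo files from /out/etc/yum.repos.d by default,
# i.e. the ubi-micro repos that point at cdn-ubi.redhat.com. reposdir is forced
# to the builder's own /etc/yum.repos.d: locally that is the public UBI repo of
# ubi8/ubi, in a hermetic Konflux build it is where the RPM prefetch (cachi2)
# writes repo files pointing at its local cache. --releasever is explicit so it
# never has to be guessed from the install root.
RUN dnf -y --installroot=/out --releasever=8 \
        --setopt=install_weak_deps=False \
        --setopt=reposdir=/etc/yum.repos.d \
        --nodocs \
        install ca-certificates \
    && dnf -y --installroot=/out clean all \
    && rm -rf /out/var/cache/dnf /out/var/log/dnf*

# Build-time checks. The first is the exact file the original build failed on,
# so a package that installed without producing the bundle fails here instead
# of as a TLS error at runtime. The second proves the copied rpmdb survived and
# now records the new package (glibc is one of the packages ubi-micro ships).
RUN test -s /out/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
    && rpm --root /out -q ca-certificates \
    && rpm --root /out -q glibc

# The binary is placed into /out/ here so the final stage needs a single COPY,
# which is what keeps the final image to one layer.
COPY image/bin/roxctl /out/usr/bin/roxctl

# Stage 3: scratch base; everything comes from the prepared /out/ tree, so the
# final image carries the CA bundle, the rpmdb and the binary and nothing else.
FROM scratch
COPY --from=package_installer /out/ /
ENTRYPOINT ["/usr/bin/roxctl"]
```

Go's default root-certificate lookup on Linux includes /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, which is why a Go binary on a scratch base needs nothing beyond that file to verify TLS. Any further runtime package, such as the openssl the review asks for, goes on the same dnf install line and into rpms.in.yaml, followed by regenerating rpms.lock.yaml; otherwise the hermetic build fails in the way the lockfile commit describes.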
The rpms.in.yaml was updated to include ca-certificates for the roxctl konflux build, but rpms.lock.yaml was not regenerated. This caused Konflux builds to fail because cachi2 couldn't find the prefetched ca-certificates package and its dependencies.

Changes:
- Regenerated lockfile for all architectures (aarch64, ppc64le, s390x, x86_64)
- Updated package versions to latest available (security updates):
  - postgresql: 15.15 → 15.17
  - python3.12: 3.12.12-1 → 3.12.12-2
  - curl: 7.61.1-34.el8_10.9 → 7.61.1-34.el8_10.10
  - brotli: 1.0.6-3 → 1.0.6-4
  - And other dependency updates

Generated using: ../collector/regenerate-rpms-lockfile.sh

This fixes the Konflux build error: "Unable to read consumer identity" when trying to install ca-certificates

Related: https://issues.redhat.com/browse/ROX-33561

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Signed-off-by: Tomasz Janiszewski <[email protected]>
The root cause of the 'Could not resolve host: cdn-ubi.redhat.com' error was that
roxctl's Konflux build was missing RPM prefetch configuration. When cachi2 performs
RPM prefetch (type: rpm), it sets up /etc/yum.repos.d/ to point to its local cache.
Without RPM prefetch, dnf falls back to the UBI repos copied from ubi-micro which
point to cdn-ubi.redhat.com.
Changed roxctl-build.yaml prefetch-input from:
value: '{"type": "gomod", "path": "."}'
To (matching main-build.yaml pattern):
value: |
[
{ "type": "gomod", "path": "." },
{ "type": "rpm", "path": "." }
]
This aligns with:
- main-build.yaml: uses npm + gomod + rpm prefetch
- collector: uses rpm prefetch only
The --setopt=reposdir=/etc/yum.repos.d flag works correctly once RPM prefetch
sets up the cachi2 repos.
Partially generated by AI.
Add ACTIVATION_KEY parameter to prefetch-dependencies task to fix SSL certificate verification errors when downloading RPMs from cdn.redhat.com.

The subscription-manager-activation-key-prod secret provides the credentials needed for accessing Red Hat CDN during hermetic RPM prefetch.

Also added dev-package-managers: true parameter as required for RPM prefetching.

Fixes: FetchError: ClientConnectorCertificateError during RPM download

Partially generated by AI.
Move ACTIVATION_KEY and dev-package-managers parameters from roxctl-build taskRunSpecs into basic-component-pipeline definition. This ensures consistent RPM prefetch configuration for all components using this pipeline.

Changes:
- basic-component-pipeline.yaml: Add ACTIVATION_KEY and dev-package-managers to prefetch-dependencies
- roxctl-build.yaml: Remove redundant parameters now inherited from pipeline

This fixes RPM prefetch by ensuring roxctl has the required credentials for accessing Red Hat CDN during hermetic builds.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Signed-off-by: Tomasz Janiszewski <[email protected]>
Signed-off-by: Tomasz Janiszewski <[email protected]>
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 28322140 | Triggered | Username Password | 56b0348 | pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/image-pull-secrets.test.yaml |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
/konflux-retest scanner-v4-db-on-push

/konflux-retest operator-bundle-on-push
User request: Apply ubi-micro migration patterns from collector and StackRox PRs. Remove curl entirely from both Dockerfiles (compliance requirement) and keep changes small.

Changes:
- image/rhel/Dockerfile: Removed curl package and HEALTHCHECK that depended on curl (ACS compliance requirement)
- image/rhel/konflux.Dockerfile: Removed curl, added openssl for FIPS support, added comment explaining Hermeto/Cachi2 reposdir behavior

Follows patterns from:
- stackrox/collector#3021
- #19379

OpenSSL requirement: stackrox/collector#3021 (comment)

Note: Code changes were partially generated by AI assistance.
| # Required for the RPM prefetching support. | ||
| - name: dev-package-managers | ||
| value: "true" |
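Review bot: the comment above asserts that dev-package-managers is required for RPM prefetching, but the review comment that follows disputes it, and a later commit in this thread moves the same parameter into the shared basic-component-pipeline definition, where every component built through that pipeline inherits it. Before making it pipeline-wide, confirm the requirement against the prefetch-dependencies task's current inputs and either state the reason in the comment or drop the parameter; a flag should not be left on by default on the strength of a justification the reviewer says is no longer true.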
False. dev-package-managers should not be required any more.
| --setopt=install_weak_deps=False \ | ||
| --setopt=reposdir=/etc/yum.repos.d \ | ||
| --nodocs \ | ||
| ca-certificates && \ |
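Review bot: `--setopt=reposdir=/etc/yum.repos.d` on the second line only does its job when the RPM prefetch step is enabled for this pipeline; the root-cause commit in this thread shows that without the `{ "type": "rpm", "path": "." }` prefetch entry dnf falls back to the ubi-micro repo files copied into the install root and fails with 'Could not resolve host: cdn-ubi.redhat.com'. Add a check after this command that the install actually produced /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem under the install root, so a missing or partial install fails at this step rather than as a TLS failure at runtime; the missing-bundle error this PR already hit was only caught when the final stage tried to copy the file.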
What about openssl? We definitely need it for FIPS.
| # package_installer stages in image/roxctl/konflux.Dockerfile | ||
| - ca-certificates |
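Review bot: anything added to this list is only installable in a hermetic build after rpms.lock.yaml is regenerated; the lockfile commit in this thread records that the first build failed because cachi2 could not find the prefetched ca-certificates package and its dependencies. If openssl is added for FIPS as the review asks, add it here and regenerate the lockfile in the same change, and reword the stage comment above so it no longer names only the roxctl installer stage.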
ca-certificates and openssl will be needed in all ubi-micro-s, so the comment should be revised.
| @@ -26,15 +26,33 @@ RUN RACE=0 CGO_ENABLED=1 GOOS=linux GOARCH=$(go env GOARCH) scripts/go-build.sh | |||
| cp bin/linux_$(go env GOARCH)/roxctl image/bin/roxctl | |||
Description
Migrate roxctl images from ubi8-minimal to ubi8-micro following the same best practices used for collector migration.
User-facing documentation
Testing and quality
Automated testing
How I validated my change