5 changes: 5 additions & 0 deletions .tekton/basic-component-pipeline.yaml
Expand Up @@ -236,6 +236,11 @@ spec:
value: $(params.output-image-repo):konflux-$(params.revision).prefetch
- name: ociArtifactExpiresAfter
value: $(params.oci-artifact-expires-after)
- name: ACTIVATION_KEY
value: subscription-manager-activation-key-prod
# Required for the RPM prefetching support.
- name: dev-package-managers
value: "true"
Comment on lines +241 to +243
Contributor

False. dev-package-managers should not be required any more.

taskRef:
params:
- name: name
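Review bot: The new ACTIVATION_KEY param in this hunk has no comment saying what `subscription-manager-activation-key-prod` refers to or why this pipeline needs it; the only comment added ("Required for the RPM prefetching support.") sits above `dev-package-managers` alone. Please document ACTIVATION_KEY the same way and confirm that a key with a `prod` suffix is the intended one for this build pipeline. If `dev-package-managers` is dropped, remove its comment with it so no stale rationale is left behind.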
6 changes: 5 additions & 1 deletion .tekton/roxctl-build.yaml
Expand Up @@ -50,7 +50,11 @@ spec:
- name: hermetic
value: 'true'
- name: prefetch-input
value: '{"type": "gomod", "path": "."}'
value: |
[
{ "type": "gomod", "path": "." },
{ "type": "rpm", "path": "." }
]
- name: build-source-image
value: 'true'
- name: clone-depth
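Review bot: The new `{ "type": "rpm", "path": "." }` entry in prefetch-input makes the prefetch step resolve RPMs from the lock file at the repository root, and with `hermetic` set to 'true' any package missing from that lock file fails the build at `dnf install` time. The visible part of this change edits rpms.in.yaml but shows no regenerated rpms.lock.yaml, so please confirm the lock file is updated in the same PR and covers ca-certificates for each architecture this pipeline builds.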
30 changes: 24 additions & 6 deletions image/roxctl/konflux.Dockerfile
Expand Up @@ -26,15 +26,33 @@ RUN RACE=0 CGO_ENABLED=1 GOOS=linux GOARCH=$(go env GOARCH) scripts/go-build.sh
cp bin/linux_$(go env GOARCH)/roxctl image/bin/roxctl

Contributor

(not about this line) Are you aware of the ongoing work #19437? Landing this #19379 just created a merge conflict for them.


FROM registry.access.redhat.com/ubi8/ubi-minimal:latest@sha256:5dc6ba426ccbeb3954ead6b015f36b4a2d22320e5b356b074198d08422464ed2
FROM registry.access.redhat.com/ubi8/ubi-micro:latest@sha256:37552f11d3b39b3360f7be7c13f6a617e468f39be915cd4f8c8a8531ffc9d43d AS ubi-micro-base

COPY --from=builder /go/src/github.com/stackrox/rox/app/image/bin/roxctl /usr/bin/roxctl

RUN microdnf clean all && \
rpm --verbose -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
rm -rf /var/cache/dnf /var/cache/yum
FROM registry.access.redhat.com/ubi8/ubi:latest@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac AS package_installer

COPY LICENSE /licenses/LICENSE
# Copy ubi-micro base to /out/ to preserve its rpmdb
COPY --from=ubi-micro-base / /out/

# Install packages directly to /out/ using --installroot
# Note: --setopt=reposdir=/etc/yum.repos.d instructs dnf to use repo configurations pointing to RPMs
# prefetched by Hermeto/Cachi2, instead of installroot's default UBI repos.
RUN dnf install -y \
--installroot=/out/ \
--releasever=8 \
--setopt=install_weak_deps=False \
--setopt=reposdir=/etc/yum.repos.d \
--nodocs \
ca-certificates && \
Contributor

What about openssl? We definitely need it for FIPS.

dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/*

COPY --from=builder /go/src/github.com/stackrox/rox/app/image/bin/roxctl /out/usr/bin/roxctl
COPY LICENSE /out/licenses/LICENSE

FROM ubi-micro-base

COPY --from=package_installer /out/ /

ARG BUILD_TAG
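Review bot: The cleanup at the end of the `RUN dnf install` step removes only `/out/var/cache/*`, but dnf run with `--installroot=/out/` also writes its logs and transaction history under the install root (`/out/var/log`, `/out/var/lib/dnf`), and `COPY --from=package_installer /out/ /` then carries them into the final image. Consider removing those paths in the same RUN so the ubi-micro based image ships only the installed package content and the rpmdb.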

2 changes: 2 additions & 0 deletions rpms.in.yaml
Expand Up @@ -9,6 +9,8 @@ packages:
- postgresql
# builder stage in operator/konflux.bundle.Dockerfile
- python3.12-pyyaml
# package_installer stages in image/roxctl/konflux.Dockerfile
- ca-certificates
Comment on lines +12 to +13
Contributor

ca-certificates and openssl will be needed in all ubi-micro-s, so the comment should be revised.

moduleEnable:
# final stage in image/rhel/konflux.Dockerfile
- postgresql:15
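Review bot: The added comment says "package_installer stages" (plural) in image/roxctl/konflux.Dockerfile, but the Dockerfile change in this PR defines a single `package_installer` stage. Use the singular, or list each Dockerfile and stage that consumes ca-certificates, so a later reader can tell when the entry is safe to remove.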