# Global build arguments. Anything declared before the first FROM is only
# visible to FROM lines; each stage redeclares what it needs.
ARG BUILDVERSION
ARG BUILDPLATFORM

# Stage "verify-test": compile-only gate.
# Builds every package, including the integration tests, without running them,
# so compile failures surface before the main build. On success it drops a
# marker file that the build stage copies in.
#
# NOTE(review): the base image is pinned by build tag, not by digest. A tag can
# be re-pointed in the registry; consider appending @sha256:<digest-of-this-tag>
# if reproducible, tamper-evident builds are required.
FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183 AS verify-test
WORKDIR /usr/src/bpfman-operator
COPY . .
RUN go test -mod vendor -tags=integration_tests -c -o /dev/null ./test/integration/... \
    && touch /tmp/verify-test.done
# Stage "bpfman-operator-build": prepares the source tree and compiles the
# operator binary on the build host's platform.
#
# NOTE(review): the base image is pinned by build tag, not by digest; consider
# appending @sha256:<digest-of-this-tag> for reproducible builds.
FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset:9.8-1782980183 AS bpfman-operator-build

# Redeclare the global arguments so they are usable inside this stage.
ARG BUILDVERSION
ARG BUILDPLATFORM

# Target platform details, set internally by docker/build-push-action in
# GitHub Actions.
ARG TARGETOS
ARG TARGETARCH
ARG TARGETPLATFORM

# Build metadata supplied by the caller so that every platform of a multi-arch
# build embeds identical version strings. When it is not supplied (for example
# a plain "podman build") the values are computed locally at build time.
# ARG values are recorded in the image build history, so none of these may
# carry credentials.
ARG BUILD_VERSION=${BUILDVERSION}
ARG BUILD_COMMIT
ARG BUILD_DATE

# Record the resolved platform values in the build log.
RUN echo "TARGETOS=${TARGETOS} TARGETARCH=${TARGETARCH} BUILDPLATFORM=${BUILDPLATFORM} TARGETPLATFORM=${TARGETPLATFORM}"

WORKDIR /usr/src/bpfman-operator

# Copy the whole build context, minus whatever .dockerignore excludes.
# NOTE(review): .dockerignore is not visible here; confirm it keeps local
# credentials and environment files out of the context.
COPY . .
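# Replace the upstream csi-node-driver-registrar image with the Red Hat image.
#
# The replacement reference comes from the CSI_NODE_DRIVER_REGISTRAR_IMAGE
# build-arg and is written into the DaemonSet manifest that the final image
# ships, so the rewrite is guarded at every step:
#   1. Fails if the build-arg is unset or empty. Without this check an empty
#      value would blank the image: field and still pass the later checks,
#      because a fixed-string grep for "" matches every line.
#   2. Fails if the build-arg contains characters outside the image-reference
#      alphabet. '#', '&' and '\' in particular would change the meaning of
#      the sed expression below.
#   3. Fails if the upstream image reference is not found in an image: field.
#   4. Anchors on "image:" to avoid replacing references in comments or other
#      contexts.
#   5. Handles both quoted and unquoted YAML values.
#   6. Always prints the diff for audit/transparency (diff returns 1 when the
#      files differ, so that is suppressed with "|| true" to avoid tripping
#      pipefail).
#   7. Fails if no image: line was actually changed (guards against a no-op).
#   8. Fails if the target image reference is not present after replacement.
ARG CSI_NODE_DRIVER_REGISTRAR_IMAGE
# NOTE(review): root is presumably needed because the copied tree is not
# writable by the toolset image's default user; confirm. This stage is not the
# shipped image, which sets its own non-root USER.
USER root
RUN set -euo pipefail; \
    ds=config/bpfman-deployment/daemonset.yaml; \
    src='quay.io/bpfman/csi-node-driver-registrar'; \
    dst="${CSI_NODE_DRIVER_REGISTRAR_IMAGE:-}"; \
    [ -n "${dst}" ] \
      || { echo "ERROR: CSI_NODE_DRIVER_REGISTRAR_IMAGE build-arg must be set to a non-empty image reference"; exit 1; }; \
    case "${dst}" in \
      *[!A-Za-z0-9._/:@+-]*) echo "ERROR: CSI_NODE_DRIVER_REGISTRAR_IMAGE contains characters not valid in an image reference"; exit 1;; \
    esac; \
    grep -qE "^[[:space:]]*image:[[:space:]]*\"?${src}:" "${ds}" \
      || { echo "ERROR: expected ${ds} to contain image: ${src}:<tag>"; exit 1; }; \
    cp "${ds}" "${ds}.bak"; \
    sed -E -i \
      "s#(^[[:space:]]*image:[[:space:]]*\"?)${src}:[^\"[:space:]]+(\"?)#\\1${dst}\\2#g" \
      "${ds}"; \
    echo "=== daemonset.yaml image substitution diff ==="; \
    { diff -u "${ds}.bak" "${ds}" || true; } | tee /dev/stderr | grep -q '^[-+].*image:' \
      || { echo "ERROR: expected image line to change"; exit 1; }; \
    grep -qF -- "${dst}" "${ds}" \
      || { echo "ERROR: replacement failed in ${ds}"; exit 1; }; \
    rm -f "${ds}.bak"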
# Copying the marker file makes this stage depend on verify-test, so a builder
# that skips unreferenced stages still has to run the compile gate first.
COPY --from=verify-test /tmp/verify-test.done /tmp/

# Build the operator binary.
#
# GOARCH has no default on purpose: when TARGETARCH is not supplied, the binary
# is built for the platform the build command runs on. For example, a local
# "make docker-build" on Apple Silicon gets BUILDPLATFORM linux/arm64, while an
# x86 Mac gets linux/amd64. Leaving it empty keeps the container and the binary
# inside it on the same platform.
#
# BUILD_VERSION, BUILD_COMMIT and BUILD_DATE fall back to values computed from
# git and the clock when the caller did not pass them; the git fallbacks in turn
# degrade to placeholder strings if git metadata is unavailable.
#
# NOTE(review): GOEXPERIMENT=strictfipsruntime, the matching build tag and
# CGO_ENABLED=1 look like the toolset's FIPS build configuration; confirm the
# runtime image provides the crypto library the resulting binary expects.
ENV GOEXPERIMENT=strictfipsruntime
RUN : "${BUILD_VERSION:=$(git describe --tags --dirty --always --long 2>/dev/null || echo 0.0.0-unknown)}" \
    && : "${BUILD_COMMIT:=$(git rev-parse HEAD 2>/dev/null || echo unknown)}" \
    && : "${BUILD_DATE:=$(date -u +%Y-%m-%dT%H:%M:%SZ)}" \
    && VERSION_PKG="github.com/bpfman/bpfman-operator/internal/version" \
    && LDFLAGS="-X '${VERSION_PKG}.buildVersion=${BUILD_VERSION}' -X '${VERSION_PKG}.buildCommit=${BUILD_COMMIT}' -X '${VERSION_PKG}.buildDate=${BUILD_DATE}'" \
    && CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
       go build -tags strictfipsruntime -mod vendor -ldflags "${LDFLAGS}" \
       -o bpfman-operator ./cmd/bpfman-operator/main.go
# Runtime stage: a minimal UBI image holding only the operator binary, the
# manifests under config/bpfman-deployment, and the licence file. No compiler
# or source tree is carried over from the build stage.
#
# NOTE(review): the base image is pinned by build tag, not by digest; consider
# appending @sha256:<digest-of-this-tag> for reproducible builds.
FROM --platform=$TARGETPLATFORM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1782797275

# TARGETPLATFORM is set internally by docker or podman on multi-arch builds.
ARG TARGETPLATFORM
# Values consumed by the LABEL instruction below.
ARG BUILDVERSION
ARG CPE_VERSION

WORKDIR /

# Manifests from the build stage. daemonset.yaml is the copy whose
# csi-node-driver-registrar image reference was rewritten during the build.
COPY --from=bpfman-operator-build \
    /usr/src/bpfman-operator/config/bpfman-deployment/daemonset.yaml \
    /usr/src/bpfman-operator/config/bpfman-deployment/csidriverinfo.yaml \
    /usr/src/bpfman-operator/config/bpfman-deployment/metrics-proxy-daemonset.yaml \
    ./config/bpfman-deployment/

# The operator binary itself.
COPY --from=bpfman-operator-build /usr/src/bpfman-operator/bpfman-operator .

# Licence text, taken from the build context.
COPY LICENSE /licenses/

LABEL name="bpfman/bpfman-rhel9-operator" \
      com.redhat.component="bpfman-operator" \
      io.k8s.display-name="eBPF Manager Operator" \
      summary="eBPF manager operator manages the eBPF programs lifecycle." \
      description="The bpfman-operator repository exists to deploy and manage bpfman within a Kubernetes cluster." \
      io.k8s.description="The bpfman-operator repository exists to deploy and manage bpfman within a Kubernetes cluster." \
      io.openshift.tags="bpfman-operator" \
      maintainer="support@redhat.com" \
      version=$BUILDVERSION \
      cpe="cpe:/a:redhat:openshift_bpfman_operator:${CPE_VERSION}::el9" \
      vendor="Red Hat, Inc."

# Run as a fixed, numeric, non-root UID:GID so the container runtime can verify
# the process is unprivileged without consulting /etc/passwd.
USER 65532:65532
ENTRYPOINT ["/bpfman-operator"]