Merge branch 'main' into mh_roxie-41

Author: GrimmiMeloni

.github/workflows/docker-build.yml

@@ -9,8 +9,8 @@ on:
     branches: [ main ]
 
 env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
+  REGISTRY: quay.io
+  IMAGE_NAME: rhacs-eng/roxie
 
 jobs:
   docker-build-push:
@@ -35,12 +35,12 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to GitHub Container Registry
+      - name: Log in to Quay.io
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Get build metadata
         id: build-meta

.github/workflows/release.yml

@@ -0,0 +1,70 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+*'
+
+permissions:
+  contents: write
+
+jobs:
+  build-and-release:
+    name: Build and Release Binaries
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Get version information
+        id: version
+        run: |
+          echo "version=$(make version)" >> $GITHUB_OUTPUT
+          echo "git_commit=$(make get-commit-hash)" >> $GITHUB_OUTPUT
+          echo "build_date=$(make get-build-date)" >> $GITHUB_OUTPUT
+
+      - name: Build binaries for multiple platforms
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+          GIT_COMMIT: ${{ steps.version.outputs.git_commit }}
+          BUILD_DATE: ${{ steps.version.outputs.build_date }}
+        run: |
+          LDFLAGS="-X main.version=${VERSION} -X main.gitCommit=${GIT_COMMIT} -X main.buildDate=${BUILD_DATE}"
+
+          # Linux amd64
+          GOOS=linux GOARCH=amd64 go build -ldflags "${LDFLAGS}" -o roxie-linux-amd64 ./cmd
+
+          # Linux arm64
+          GOOS=linux GOARCH=arm64 go build -ldflags "${LDFLAGS}" -o roxie-linux-arm64 ./cmd
+
+          # macOS amd64
+          GOOS=darwin GOARCH=amd64 go build -ldflags "${LDFLAGS}" -o roxie-darwin-amd64 ./cmd
+
+          # macOS arm64
+          GOOS=darwin GOARCH=arm64 go build -ldflags "${LDFLAGS}" -o roxie-darwin-arm64 ./cmd
+
+          # Generate checksums
+          sha256sum roxie-* > checksums.txt
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: Release ${{ steps.version.outputs.version }}
+          draft: false
+          prerelease: false
+          generate_release_notes: true
+          files: |
+            roxie-linux-amd64
+            roxie-linux-arm64
+            roxie-darwin-amd64
+            roxie-darwin-arm64
+            checksums.txt

Dockerfile

@@ -32,6 +32,21 @@ RUN echo "Building for ${TARGETOS}/${TARGETARCH}" && \
     -o roxie \
     ./cmd
 
+# Download gcloud SDK in builder stage to avoid UBI filesystem restrictions
+ARG GCLOUD_VERSION=latest
+RUN apk add --no-cache curl python3 && \
+    ARCH=${TARGETARCH:-amd64} && \
+    if [ "${ARCH}" = "amd64" ]; then \
+        GCLOUD_ARCH="x86_64"; \
+    elif [ "${ARCH}" = "arm64" ]; then \
+        GCLOUD_ARCH="arm"; \
+    else \
+        echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \
+    fi && \
+    curl -fsSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-${GCLOUD_ARCH}.tar.gz" | \
+    tar -xz -C /tmp && \
+    /tmp/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet
+
 # Stage 2: Runtime image based on Red Hat UBI Minimal
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
@@ -64,19 +79,17 @@ RUN microdnf install -y \
 ARG KUBECTL_VERSION=v1.29.0
 RUN ARCH=${TARGETARCH:-amd64} && \
     echo "Installing kubectl for ${ARCH}" && \
-    curl -sLo /usr/local/bin/kubectl \
+    curl -fsSLo /usr/local/bin/kubectl \
     "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" \
     && chmod +x /usr/local/bin/kubectl
 
 # Install helm - architecture-aware
 ARG HELM_VERSION=v3.14.0
 RUN ARCH=${TARGETARCH:-amd64} && \
     echo "Installing helm for ${ARCH}" && \
-    curl -sL "https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz" \
-    | tar xz -C /tmp \
-    && mv /tmp/linux-${ARCH}/helm /usr/local/bin/helm \
-    && chmod +x /usr/local/bin/helm \
-    && rm -rf /tmp/linux-${ARCH}
+    curl -fsSL "https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz" | \
+    tar -xzO "linux-${ARCH}/helm" > /usr/local/bin/helm && \
+    chmod +x /usr/local/bin/helm
 
 # Install roxctl - architecture-aware
 # The mirror has architecture-specific binaries: 'roxctl' (amd64) and 'roxctl-arm64'
@@ -108,37 +121,23 @@ RUN microdnf install -y podman fuse-overlayfs \
 # without requiring users to manage different auth plugins
 
 # 1. Google Cloud (GKE) - gke-gcloud-auth-plugin
-RUN ARCH=${TARGETARCH:-amd64} && \
-    echo "Installing gcloud SDK and gke-gcloud-auth-plugin for ${ARCH}" && \
-    # Map Docker arch names to gcloud package names
-    if [ "${ARCH}" = "amd64" ]; then \
-        GCLOUD_ARCH="x86_64"; \
-    elif [ "${ARCH}" = "arm64" ]; then \
-        GCLOUD_ARCH="arm"; \
-    else \
-        echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \
-    fi && \
-    # Download and install gcloud SDK
-    curl -sL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-${GCLOUD_ARCH}.tar.gz" \
-    | tar xz -C /opt && \
-    # Install gke-gcloud-auth-plugin
-    /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet && \
-    # Create symlinks in PATH
-    ln -s /opt/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud && \
+# Copy gcloud SDK from builder stage (extracted there to avoid UBI filesystem restrictions)
+COPY --from=builder /tmp/google-cloud-sdk /opt/google-cloud-sdk
+RUN ln -s /opt/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud && \
     ln -s /opt/google-cloud-sdk/bin/gke-gcloud-auth-plugin /usr/local/bin/gke-gcloud-auth-plugin
 
 # 2. AWS (EKS) - aws-iam-authenticator
 RUN ARCH=${TARGETARCH:-amd64} && \
     echo "Installing aws-iam-authenticator for ${ARCH}" && \
-    curl -sLo /usr/local/bin/aws-iam-authenticator \
+    curl -fsSLo /usr/local/bin/aws-iam-authenticator \
     "https://amazon-eks.s3.us-west-2.amazonaws.com/1.30.0/2024-05-12/bin/linux/${ARCH}/aws-iam-authenticator" && \
     chmod +x /usr/local/bin/aws-iam-authenticator
 
 # 3. Azure (AKS) - kubelogin
 RUN ARCH=${TARGETARCH:-amd64} && \
     echo "Installing kubelogin (Azure) for ${ARCH}" && \
     KUBELOGIN_VERSION="v0.1.4" && \
-    curl -sL "https://github.com/Azure/kubelogin/releases/download/${KUBELOGIN_VERSION}/kubelogin-linux-${ARCH}.zip" \
+    curl -fsSL "https://github.com/Azure/kubelogin/releases/download/${KUBELOGIN_VERSION}/kubelogin-linux-${ARCH}.zip" \
     -o /tmp/kubelogin.zip && \
     unzip -q /tmp/kubelogin.zip -d /tmp && \
     mv /tmp/bin/linux_${ARCH}/kubelogin /usr/local/bin/kubelogin && \

cmd/deploy.go

@@ -18,30 +18,33 @@ func newDeployCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "deploy [component]",
 		Short: "Deploy ACS components",
-		Long: `Deploy ACS components (central, secured-cluster).
+		Long: `Deploy ACS components (central, secured-cluster, operator).
 
 Examples:
   roxie deploy central
   roxie deploy secured-cluster
-  roxie deploy both`,
-		ValidArgs: []string{"central", "secured-cluster", "both", "all"},
+  roxie deploy both
+  roxie deploy operator`,
+		ValidArgs: []string{"central", "secured-cluster", "both", "all", "operator"},
 		Args:      cobra.MaximumNArgs(1),
 		RunE:      runDeploy,
 	}
 
 	cmd.Flags().BoolVar(&helm, "helm", false, "Deploy using Helm charts instead of operator")
 	_ = cmd.Flags().MarkHidden("helm")
 	cmd.Flags().BoolVar(&olm, "olm", false, "Deploy operator via OLM (requires OLM installed)")
+	cmd.Flags().BoolVar(&konflux, "konflux", false, "Use Konflux images")
 	cmd.Flags().BoolVar(&deployOperator, "deploy-operator", true, "Deploy and check operator (set to false to skip operator deployment/checks)")
 	cmd.Flags().BoolVar(&portForwarding, "port-forwarding", false, "Enable localhost port-forward for Central")
 	cmd.Flags().BoolVar(&pauseReconciliation, "pause-reconciliation", false, "Pause reconciliation after deployment")
 	cmd.Flags().StringVar(&overrideFile, "override", "", "Path to YAML file with overrides")
 	cmd.Flags().StringArrayVar(&overrideSetExpressions, "set", []string{}, "Set override values (can specify multiple times, e.g., --set foo.bar=val)")
 	cmd.Flags().StringVar(&exposure, "exposure", "loadbalancer", "Central exposure backend (loadbalancer, none)")
-	cmd.Flags().StringVar(&resources, "resources", "auto", "Resource sizing preset (auto=cluster-based, medium, small)")
+	cmd.Flags().StringVar(&resources, "resources", "acs-defaults", "Resource sizing preset (acs-defaults, auto, medium, small)")
 	cmd.Flags().StringVar(&shell, "shell", "", "Shell to spawn after Central deployment")
 	cmd.Flags().StringVar(&envrc, "envrc", "", "Write environment to file instead of spawning sub-shell")
 	cmd.Flags().BoolVar(&singleNamespace, "single-namespace", false, "Deploy all components in a single namespace ('stackrox' by default)")
+	cmd.Flags().StringVarP(&tag, "tag", "t", "", "Main image tag to use for deployment (takes precedence over MAIN_IMAGE_TAG environment variable)")
 
 	return cmd
 }
@@ -64,6 +67,10 @@ func runDeploy(cmd *cobra.Command, args []string) error {
 		component = args[0]
 	}
 
+	if component == "operator" && helm {
+		return errors.New("cannot use --helm flag with 'operator' component")
+	}
+
 	if (component == "central" || component == "both") && os.Getenv("ROXIE_SHELL") != "" {
 		return errors.New("already in a roxie sub-shell (ROXIE_SHELL environment variable is set), please exit the shell and try again")
 	}
@@ -109,6 +116,19 @@ func runDeploy(cmd *cobra.Command, args []string) error {
 		return errors.New("cannot use both --helm and --olm flags together")
 	}
 
+	if konflux {
+		if helm {
+			return errors.New("cannot use both --helm and --konflux flags together (Konflux requires operator-based deployment)")
+		}
+		if olm {
+			return errors.New("cannot use both --olm and --konflux flags together (not currently implemented)")
+		}
+		clusterType := env.GetCurrentClusterType()
+		if clusterType != env.InfraOpenShift4 {
+			return fmt.Errorf("--konflux flag is only supported on OpenShift 4 clusters (current cluster type: %s)", clusterType.String())
+		}
+	}
+
 	if !deployOperator && olm {
 		return errors.New("cannot use --deploy-operator=false with --olm (OLM requires operator deployment)")
 	}
@@ -123,6 +143,8 @@ func runDeploy(cmd *cobra.Command, args []string) error {
 		d.PrintCentralDeploymentSummary()
 	case "secured-cluster", "sensor":
 		d.PrintSecuredClusterDeploymentSummary()
+	case "operator":
+		// No deployment summary needed for operator-only deployment
 	}
 
 	if envrc != "" {
@@ -142,6 +164,13 @@ func runDeploy(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if konflux {
+		if err := d.SetUseKonflux(true); err != nil {
+			return err
+		}
+
+	}
+
 	d.SetDeployOperator(deployOperator)
 
 	d.SetVerbose(verbose)
@@ -150,9 +179,16 @@ func runDeploy(cmd *cobra.Command, args []string) error {
 	d.SetPauseReconciliation(pauseReconciliation)
 	d.SetSingleNamespace(singleNamespace)
 
-	mainImageTag, err := helpers.LookupMainImageTag(log)
-	if err != nil {
-		return fmt.Errorf("looking up main image tag: %w", err)
+	var mainImageTag string
+	if tag != "" {
+		log.Dimf("Using main image tag from --tag flag: %s", tag)
+		mainImageTag = tag
+	}
+	if mainImageTag == "" {
+		mainImageTag, err = helpers.LookupMainImageTag(log)
+		if err != nil {
+			return fmt.Errorf("looking up main image tag: %w", err)
+		}
 	}
 	d.SetMainImageTag(mainImageTag)
 
@@ -192,14 +228,15 @@ func resolveAutoResources(clusterType env.ClusterType, log *logger.Logger) strin
 	switch clusterType {
 	case env.LocalKind:
 		resolvedResources = "small"
-		log.Info("Auto-detected cluster type Kind: using small resources")
 	case env.InfraOpenShift4:
 		resolvedResources = "medium"
-		log.Info("Auto-detected cluster type OpenShift 4: using medium resources")
+	case env.InfraGKE:
+		resolvedResources = "medium"
 	default:
-		resolvedResources = "default"
-		log.Info("Auto-detected cluster type " + clusterType.String() + ": using default resources")
+		resolvedResources = "acs-defaults"
 	}
 
+	log.Infof("Auto-detected cluster type %s: using resource profile %q", clusterType.String(), resolvedResources)
+
 	return resolvedResources
 }

cmd/main.go

@@ -13,6 +13,7 @@ var (
 	earlyReadiness         bool
 	helm                   bool
 	olm                    bool
+	konflux                bool
 	deployOperator         bool
 	portForwarding         bool
 	pauseReconciliation    bool
@@ -23,6 +24,7 @@ var (
 	shell                  string
 	envrc                  string
 	singleNamespace        bool
+	tag                    string
 )
 
 func main() {