Dockerfile contract is not working for ubi10 (#193)

v1v · web-flow · commit 6f8763bc9a9b · 2026-02-02T11:30:28.000Z
* Dockerfile contract is not working for ubi10

Use the hardening yaml manifest that uses the opencontainer labels

* fix warning and use trim for quoted values

* fix

* add tests

* chore
diff --git a/tests/ironbank/templates/logstash/IronbankDockerfile.erb b/tests/ironbank/templates/logstash/IronbankDockerfile.erb
@@ -0,0 +1,7 @@
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9
+ARG BASE_TAG=9.6
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS prep_files
+
+ARG ELASTIC_PRODUCT=apm-server
diff --git a/tests/ironbank/templates/logstash/hardening_manifest.yaml.erb b/tests/ironbank/templates/logstash/hardening_manifest.yaml.erb
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "elastic/logstash/logstash"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "<%= elastic_version %>"
+- "latest"
+tags:
+- "latest"
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi9"
+  BASE_TAG: "9.6"
diff --git a/updatecli/policies/ironbank/templates/CHANGELOG.md b/updatecli/policies/ironbank/templates/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.6.0
+
+* Use containers image version from the `hardening_manifest.yaml`
+
 ## 0.5.4
 
 * Fix Ironbank version fetched from a dockerfile
diff --git a/updatecli/policies/ironbank/templates/Policy.yaml b/updatecli/policies/ironbank/templates/Policy.yaml
@@ -5,7 +5,7 @@ url: "https://github.com/elastic/oblt-updatecli-policies/"
 changelog: "https://github.com/elastic/oblt-updatecli-policies/tree/main/updatecli/policies/ironbank/templates/CHANGELOG.md"
 documentation: "https://github.com/elastic/oblt-updatecli-policies/tree/main/updatecli/policies/ironbank/templates/README.md"
 source: "https://github.com/elastic/oblt-updatecli-policies/tree/main/updatecli/policies/ironbank/templates/"
-version: 0.5.4
+version: 0.6.0
 vendor: Updatecli Project
 
 licenses:
diff --git a/updatecli/policies/ironbank/templates/testdata/values.yaml b/updatecli/policies/ironbank/templates/testdata/values.yaml
@@ -23,6 +23,10 @@ config:
   - path: tests/ironbank/templates/only-manifest
     skip_dockerfile: true
   - ent_search_ruby: tests/ironbank/templates/ent-search/dod.rb
+  # TODO: enable when this is merged as it targets the main branch
+  #- path: tests/ironbank/templates/logstash
+  #  dockerfile: IronbankDockerfile.erb
+  #  manifest: hardening_manifest.yaml.erb
 
 pull_request:
   labels:
diff --git a/updatecli/policies/ironbank/templates/updatecli.d/default.tpl b/updatecli/policies/ironbank/templates/updatecli.d/default.tpl
@@ -14,14 +14,13 @@ pipelineid: '{{ .pipelineid }}'
 sources:
   ubi_version:
     name: 'Get ubi version from {{ .ubi_version_path }}'
-    kind: file
+    kind: yaml
     spec:
-      file: '{{ .ubi_version_path }}/-/raw/{{ .ubi_version_branch }}/Dockerfile?ref_type=heads'
-      matchpattern: 'FROM registry.access.redhat.com/ubi\d+:(.+)'
+      file: '{{ .ubi_version_path }}/-/raw/{{ .ubi_version_branch }}/hardening_manifest.yaml?ref_type=heads'
+      key: "$.labels.'org.opencontainers.image.version'"
     transformers:
-      - findsubmatch:
-          pattern: 'FROM .*:(\\d+\\.\\d+)(\\s+(?i)AS .*)?$'
-          captureindex: 1
+      - trimprefix: '"'
+      - trimsuffix: '"'
 
 targets:
 # {{ range .config }}
@@ -46,7 +45,7 @@ targets:
     kind: file
     spec:
       file: {{ .path }}/{{ .manifest }}
-      matchpattern: 'BASE_TAG: ".*"'
+      matchpattern: 'BASE_TAG: .+'
       replacepattern: 'BASE_TAG: "{{ source "ubi_version" }}"'
 # {{ end }}
 # {{ end }} # end if not .skip_manifest
