CLOUDP-264334: Explicitly trust ubi certs in Dockerfile (#1721)

* CLOUDP-264334: Explicitly trust ubi certs in Dockerfile

* Make CI preflight check the test images

Signed-off-by: jose.vazquez <[email protected]>

---------

Signed-off-by: jose.vazquez <[email protected]>

Author: josvazg

.github/actions/certify-openshift-images/action.yaml

@@ -1,13 +1,17 @@
 name: 'certify-openshift-images'
 description: 'Push image to RedHat Connect for certification'
 inputs:
+  registry:
+    description: Name of the registry to certify from
+    required: true
+    default: "quay.io"
   repository:
     description: The name of repository of the image to be certified
     required: true
   version:
     description: The version of the image to be certified
     required: true
-  quay_password:
+  registry_password:
     description: The password to access the quay.io registry
     required: true
   rhcc_token:
@@ -16,12 +20,18 @@ inputs:
   rhcc_project:
     description: The Redhat certification central project id
     required: true
+  submit:
+    description: Whether or not to submit the result of the preflight
+    required: true
+    default: false
 runs:
   using: 'docker'
   image: 'Dockerfile'
   env:
+    REGISTRY: ${{ inputs.registry }}
     REPOSITORY: ${{ inputs.repository }}
     VERSION: ${{ inputs.version }}
-    QUAY_PASSWORD: ${{ inputs.quay_password }}
+    REGISTRY_PASSWORD: ${{ inputs.registry_password }}
     RHCC_TOKEN: ${{ inputs.rhcc_token }}
-    RHCC_PROJECT: ${{ inputs.rhcc_project }}
+    RHCC_PROJECT: ${{ inputs.rhcc_project }}
+    SUBMIT: ${{ inputs.submit }}

.github/actions/certify-openshift-images/entrypoint.sh

@@ -2,22 +2,27 @@
 
 set -eou pipefail
 
-docker login -u mongodb+mongodb_atlas_kubernetes -p "${QUAY_PASSWORD}" quay.io
+docker login -u mongodb+mongodb_atlas_kubernetes -p "${REGISTRY_PASSWORD}" "${REGISTRY}"
 
-DIGESTS=$(docker manifest inspect "quay.io/${REPOSITORY}:${VERSION}" | jq -r '.manifests[] | select(.platform.os!="unknown") | .digest')
-mapfile -t PLATFORMS < <(docker manifest inspect "quay.io/${REPOSITORY}:${VERSION}" | jq -r '.manifests[] | select(.platform.os!="unknown") | .platform.architecture')
+DIGESTS=$(docker manifest inspect "${REGISTRY}/${REPOSITORY}:${VERSION}" | jq -r '.manifests[] | select(.platform.os!="unknown") | .digest')
+mapfile -t PLATFORMS < <(docker manifest inspect "${REGISTRY}/${REPOSITORY}:${VERSION}" | jq -r '.manifests[] | select(.platform.os!="unknown") | .platform.architecture')
+
+submit_flag=--submit
+if [ "${SUBMIT}" == "false" ]; then
+  submit_flag=
+fi
 
 INDEX=0
 for DIGEST in $DIGESTS; do
     echo "Check and Submit result to RedHat Connect"
     # Send results to RedHat if preflight finished wthout errors
-    preflight check container "quay.io/${REPOSITORY}@${DIGEST}" \
+    preflight check container "${REGISTRY}/${REPOSITORY}@${DIGEST}" \
       --artifacts "${DIGEST}" \
       --platform "${PLATFORMS[$INDEX]}" \
       --pyxis-api-token="${RHCC_TOKEN}" \
       --certification-project-id="${RHCC_PROJECT}" \
       --docker-config="${HOME}/.docker/config.json" \
-      --submit
+      ${submit_flag}
 
   (( INDEX++ )) || true
 done

.github/workflows/openshift-upgrade-test.yaml

@@ -28,7 +28,7 @@ concurrency:
   cancel-in-progress: true
 jobs:
   e2e-tests:
-    name: Prepare E2E configuration and image
+    name: Upgrade test on Openshift
     runs-on: ubuntu-latest
     if: ${{ vars.SKIP_OPENSHIFT != 'true' }}
     steps:

.github/workflows/release-openshift.yaml

@@ -66,11 +66,13 @@ jobs:
       - name: Certify Openshift images
         uses: ./.github/actions/certify-openshift-images
         with:
-          repository: quay.io/mongodb/mongodb-atlas-kubernetes-operator
+          registry: quay.io
+          registry_password: ${{ secrets.QUAY_PASSWORD }}
+          repository: mongodb/mongodb-atlas-kubernetes-operator
           version: ${{ github.event.inputs.version }}
-          quay_password: ${{ secrets.QUAY_PASSWORD }}
           rhcc_token: ${{ secrets.RH_CERTIFICATION_PYXIS_API_TOKEN }}
           rhcc_project: ${{ secrets.RH_CERTIFICATION_OSPID }}
+          submit: true
       - name: Configure certified release
         if: ${{ matrix.certified }}
         env:

.github/workflows/release-post-merge.yml

@@ -160,11 +160,13 @@ jobs:
         if: ${{ steps.tag.outputs.certify == 'true' }}
         uses: ./.github/actions/certify-openshift-images
         with:
+          registry: quay.io
+          registry_password: ${{ secrets.QUAY_PASSWORD }}
           repository: ${{ steps.tag.outputs.repo }}
           version: ${{ steps.tag.outputs.certified_version }}
-          quay_password: ${{ secrets.QUAY_PASSWORD }}
           rhcc_token: ${{ secrets.RH_CERTIFICATION_PYXIS_API_TOKEN }}
           rhcc_project: ${{ secrets.RH_CERTIFICATION_OSPID }}
+          submit: true
       - name: Login to artifactory.corp.mongodb.com
         if: steps.check-signing-support.outputs.sign == 'true'
         uses: docker/login-action@v3

.github/workflows/test-e2e.yml

@@ -31,7 +31,7 @@ jobs:
     name: Prepare E2E configuration and image
     runs-on: ubuntu-latest
     env:
-      GHCR_REPO: ghcr.io/${{ github.repository_owner }}/mongodb-atlas-kubernetes-operator-prerelease
+      REPOSITORY: ${{ github.repository_owner }}/mongodb-atlas-kubernetes-operator-prerelease
     steps:
       - if: ${{ inputs.forked == false }}
         name: Check out code
@@ -56,12 +56,23 @@ jobs:
       - name: Build and Push image
         uses: ./.github/actions/build-push-image
         with:
-          repository: ${{ env.GHCR_REPO }}
+          repository: ghcr.io/${{ env.REPOSITORY }}
           version: ${{ steps.prepare.outputs.tag }}
-          tags: ${{ env.GHCR_REPO }}:${{ steps.prepare.outputs.tag }}
+          tags: ghcr.io/${{ env.REPOSITORY }}:${{ steps.prepare.outputs.tag }}
           platforms: linux/amd64
           push_to_docker: false
           forked: ${{ inputs.forked }}
+      - name: Do preflight-check on test image
+        uses: ./.github/actions/certify-openshift-images
+        with:
+          registry: ghcr.io
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ env.REPOSITORY }}
+          version: ${{ steps.prepare.outputs.tag }}
+          rhcc_token: ${{ secrets.RH_CERTIFICATION_PYXIS_API_TOKEN }}
+          rhcc_project: ${{ secrets.RH_CERTIFICATION_OSPID }}
+          submit: false
+
   prepare-e2e-bundle:
     name: Prepare E2E Bundle configuration and image
     runs-on: ubuntu-latest

Dockerfile

@@ -28,6 +28,7 @@ ENV TARGET_OS=${TARGETOS}
 
 RUN make manager
 
+FROM registry.access.redhat.com/ubi9/ubi:9.2 as ubi-certs
 FROM registry.access.redhat.com/ubi9/ubi-micro:9.2
 
 LABEL name="MongoDB Atlas Operator" \
@@ -46,7 +47,7 @@ LABEL name="MongoDB Atlas Operator" \
 WORKDIR /
 COPY --from=builder /workspace/bin/manager .
 COPY hack/licenses licenses
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+COPY --from=ubi-certs /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 
 USER 1001:0
 ENTRYPOINT ["/manager"]

fast.Dockerfile

@@ -1,6 +1,7 @@
 # TODO: Eventually replace main Dockerfile
 FROM golang:1.22 as certs-source
 
+FROM registry.access.redhat.com/ubi9/ubi:9.2 as ubi-certs
 FROM registry.access.redhat.com/ubi9/ubi-micro:9.2
 
 ARG TARGETOS
@@ -23,7 +24,7 @@ LABEL name="MongoDB Atlas Operator" \
 WORKDIR /
 COPY bin/${TARGET_OS}/${TARGET_ARCH}/manager .
 COPY hack/licenses licenses
-COPY --from=certs-source /etc/ssl/certs/ca-certificates.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+COPY --from=ubi-certs /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 
 USER 1001:0
 ENTRYPOINT ["/manager"]