Merge pull request #3810 from fontivan/sskeard/cnf-22506-update-ubi-tags

CNF-22504: Best practices for ubi tags

Author: openshift-merge-bot[bot]

cnf-tests/.konflux/Makefile

@@ -8,9 +8,7 @@ PROJECT_DIR := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
 ROOT_PROJECT_DIR := $(shell dirname $(shell dirname $(abspath $(PROJECT_DIR))))
 
 # RHEL9_RELEASE defines the RHEL9 release version to update the rpm lock file for the runtime
-# This is automatically extracted from the Containerfile
-RHEL9_RELEASE ?= $(shell awk '/^FROM registry.access.redhat.com\/ubi9\/ubi-minimal:/ {split($$2, parts, /[:|@]/); print parts[2]}' $(PROJECT_DIR)/Dockerfile)
-RHEL9_RELEASE_DASHED := $(subst .,-,$(RHEL9_RELEASE))
+RHEL9_RELEASE ?= latest
 
 # These should be set by the caller of the Makefile
 RHEL9_ACTIVATION_KEY ?= ""
@@ -22,6 +20,14 @@ RHEL9_ORG_ID ?= ""
 # This can be set from the command line if the default is not correct for your environment.
 REGISTRY_AUTH_FILE ?= $(shell echo $${XDG_RUNTIME_DIR:-/run/user/$$(id -u)})/containers/auth.json
 
+# BSD sed (macOS) requires a backup suffix after -i (use '' for none); GNU sed (Linux) uses plain -i.
+UNAME_S := $(shell uname -s)
+ifeq ($(UNAME_S),Darwin)
+SED_INPLACE := sed -i ''
+else
+SED_INPLACE := sed -i
+endif
+
 .PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
@@ -41,12 +47,12 @@ konflux-update-rpm-lock-runtime: sync-telco5g-konflux-submodule ## Update the rp
 	cp $(PROJECT_DIR)/Dockerfile $(PROJECT_DIR)/lock-runtime/Dockerfile
 	@echo "Copying rpms.in.yaml to lock-runtime directory..."
 	cp $(PROJECT_DIR)/rpms.in.yaml $(PROJECT_DIR)/lock-runtime/rpms.in.yaml
-	sed -i 's|sslclientkey: $$SSL_CLIENT_KEY|sslclientkey: /etc/pki/entitlement/placeholder-key.pem|g' $(PROJECT_DIR)/lock-runtime/rpms.in.yaml
-	sed -i 's|sslclientcert: $$SSL_CLIENT_CERT|sslclientcert: /etc/pki/entitlement/placeholder.pem|g' $(PROJECT_DIR)/lock-runtime/rpms.in.yaml
+	$(SED_INPLACE) 's|sslclientkey: $$SSL_CLIENT_KEY|sslclientkey: /etc/pki/entitlement/placeholder-key.pem|g' $(PROJECT_DIR)/lock-runtime/rpms.in.yaml
+	$(SED_INPLACE) 's|sslclientcert: $$SSL_CLIENT_CERT|sslclientcert: /etc/pki/entitlement/placeholder.pem|g' $(PROJECT_DIR)/lock-runtime/rpms.in.yaml
 	@cat $(PROJECT_DIR)/lock-runtime/rpms.in.yaml
 	$(MAKE) -C $(ROOT_PROJECT_DIR)/telco5g-konflux/scripts/rpm-lock generate-rhel9-locks \
 		LOCK_SCRIPT_TARGET_DIR=$(PROJECT_DIR)/lock-runtime \
-		RHEL9_IMAGE_TO_LOCK=$$(awk '/^FROM registry.access.redhat.com\/ubi9\/ubi-minimal:/ {print $$2}' $(PROJECT_DIR)/Dockerfile) \
+		RHEL9_IMAGE_TO_LOCK=registry.access.redhat.com/ubi9/ubi-minimal:$(RHEL9_RELEASE) \
 		REGISTRY_AUTH_FILE=$(REGISTRY_AUTH_FILE) \
 		\
 		RHEL9_RELEASE=$(RHEL9_RELEASE) \

cnf-tests/.konflux/README.md

@@ -19,7 +19,7 @@ As part of the update, make sure that packages are updated in both `rpms.in.yaml
 It is enough that the Dockerfile that is used to generate the lockfile contain the final base image and the command that installs the packages. For example:
 
 ```azure
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 RUN microdnf install -y lksctp-tools iproute \
       ethtool iputils procps-ng numactl-libs iptables \
       kmod realtime-tests linuxptp iperf3 nc \
@@ -31,7 +31,7 @@ When an image version is out-of-maintenance (OOM) some versions has what's calle
 As any other RPM repo, also EUS repos need to be enabled in the activation key. Once enabled, the lockfile will be generated with additional EUS packages. The version of the base images should anyhow align with those used for OCP for the same branch.   
 
 **Important**: 
-* When starting the container in which you will be generating the lockfile in, use a production image in order to get the GA RPM repos and not beta one. So use `registry.access.redhat.com/ubi9/ubi-minimal:9.4` and not `registry-proxy.engineering.redhat.com/rh-osbs/ubi9/ubi-minimal:9.4`.
+* When starting the container in which you will be generating the lockfile in, use a production image in order to get the GA RPM repos and not beta one. So use `registry.access.redhat.com/ubi9/ubi-minimal:latest` and not `registry-proxy.engineering.redhat.com/rh-osbs/ubi9/ubi-minimal:latest`.
 * Please make sure that the repos that you used to pull the RPMs from are found under the activation key that is associated to the konflux public instance by:
 <steps on how to confirm this will be detailed later once we have a team activation key> 
 

cnf-tests/.konflux/rpms.lock.yaml

@@ -32,13 +32,13 @@ arches:
     name: nmap-ncat
     evr: 3:7.92-3.el9
     sourcerpm: nmap-7.92-3.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/appstream/os/Packages/p/python-unversioned-command-3.9.25-3.el9_7.noarch.rpm
+  - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/appstream/os/Packages/p/python-unversioned-command-3.9.25-3.el9_7.1.noarch.rpm
     repoid: rhel-9-for-x86_64-appstream-rpms
-    size: 15791
-    checksum: sha256:624671b3cc8d4e90eb53a05aae5c5533c6f9f4cb9c18ec0720ac98e328b8f69b
+    size: 15875
+    checksum: sha256:f0b982bd1aef79c7389814cf16dbfe64737be8692bd9f9ae2f0a8618e397bdd6
     name: python-unversioned-command
-    evr: 3.9.25-3.el9_7
-    sourcerpm: python3.9-3.9.25-3.el9_7.src.rpm
+    evr: 3.9.25-3.el9_7.1
+    sourcerpm: python3.9-3.9.25-3.el9_7.1.src.rpm
   - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/appstream/os/Packages/r/realtime-tests-2.9-1.el9.x86_64.rpm
     repoid: rhel-9-for-x86_64-appstream-rpms
     size: 196448
@@ -165,13 +165,13 @@ arches:
     name: jansson
     evr: 2.14-1.el9
     sourcerpm: jansson-2.14-1.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/baseos/os/Packages/k/kernel-tools-libs-5.14.0-611.36.1.el9_7.x86_64.rpm
+  - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/baseos/os/Packages/k/kernel-tools-libs-5.14.0-611.41.1.el9_7.x86_64.rpm
     repoid: rhel-9-for-x86_64-baseos-rpms
-    size: 1181881
-    checksum: sha256:15810c98bd132f55b8f49463a74d76bfaaa5a7beb3dbd5e9974e3d94a3b470ea
+    size: 1184541
+    checksum: sha256:b2d18b8b71cfcf941b1056a0cfbe28ea7de3d015a954c3c5ff6fc7183fcc8799
     name: kernel-tools-libs
-    evr: 5.14.0-611.36.1.el9_7
-    sourcerpm: kernel-5.14.0-611.36.1.el9_7.src.rpm
+    evr: 5.14.0-611.41.1.el9_7
+    sourcerpm: kernel-5.14.0-611.41.1.el9_7.src.rpm
   - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/baseos/os/Packages/k/kmod-28-11.el9.x86_64.rpm
     repoid: rhel-9-for-x86_64-baseos-rpms
     size: 127775
@@ -333,20 +333,20 @@ arches:
     name: psmisc
     evr: 23.4-3.el9
     sourcerpm: psmisc-23.4-3.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/baseos/os/Packages/p/python3-3.9.25-3.el9_7.x86_64.rpm
+  - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/baseos/os/Packages/p/python3-3.9.25-3.el9_7.1.x86_64.rpm
     repoid: rhel-9-for-x86_64-baseos-rpms
-    size: 33157
-    checksum: sha256:0e0cadfc2b4ce7eb629c82a2a8f3bebb89ecf828da36ba142ac92d485d2baca4
+    size: 33297
+    checksum: sha256:d21de06ad0b98cdc04021a37330071758a71fb712a808f82e4ae715727f5f639
     name: python3
-    evr: 3.9.25-3.el9_7
-    sourcerpm: python3.9-3.9.25-3.el9_7.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/baseos/os/Packages/p/python3-libs-3.9.25-3.el9_7.x86_64.rpm
+    evr: 3.9.25-3.el9_7.1
+    sourcerpm: python3.9-3.9.25-3.el9_7.1.src.rpm
+  - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/baseos/os/Packages/p/python3-libs-3.9.25-3.el9_7.1.x86_64.rpm
     repoid: rhel-9-for-x86_64-baseos-rpms
-    size: 8476238
-    checksum: sha256:5140197b69d6cf14dcbc65d4d5733fa1d3d248fa4f7e03e0b0f37faebf45e341
+    size: 8484329
+    checksum: sha256:c371182b9b33f245737e82ffef539f9fbd9adc0a0f1c7fab0fda24459e4e4695
     name: python3-libs
-    evr: 3.9.25-3.el9_7
-    sourcerpm: python3.9-3.9.25-3.el9_7.src.rpm
+    evr: 3.9.25-3.el9_7.1
+    sourcerpm: python3.9-3.9.25-3.el9_7.1.src.rpm
   - url: https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/baseos/os/Packages/p/python3-pip-wheel-21.3.1-1.el9.noarch.rpm
     repoid: rhel-9-for-x86_64-baseos-rpms
     size: 1193706

telco5g-konflux

@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi8/ubi AS builder
+FROM registry.access.redhat.com/ubi8/ubi:latest AS builder
 USER root
 # Copy entitlements
 COPY ./etc-pki-entitlement /etc/pki/entitlement
@@ -17,7 +17,7 @@ USER 1001
 COPY samplebuild/src/* /src/
 RUN gcc /src/sctp.c -o /src/sctpclient -lsctp
 
-FROM registry.access.redhat.com/ubi8/ubi
+FROM registry.access.redhat.com/ubi8/ubi:latest
 COPY --from=builder /src/sctpclient /usr/local/bin/sctpclient
 CMD ["/usr/bin/sctptest"]
 

tools/buildingsctp/src/Dockerfile.sctp

@@ -25,16 +25,9 @@ PROJECT_DIR := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
 # Trim any trailing slash from the directory path as we will add if when necessary later
 ROOT_PROJECT_DIR := $(shell dirname $(shell dirname $(shell dirname $(abspath $(PROJECT_DIR)))))
 
-# RHEL8_RELEASE defines the RHEL8 release version to update the rpm lock file for the runtime
-# This is automatically extracted from the Containerfile
-RHEL8_RELEASE ?= $(shell awk '/^FROM registry.access.redhat.com\/ubi8-minimal:/ {split($$2, parts, /[:|@]/); print parts[2]}' $(PROJECT_DIR)/Containerfile)
-
-# Use make's built-in substitution function to replace the dot with a dash
-RHEL8_RELEASE_DASHED := $(subst .,-,$(RHEL8_RELEASE))
-
 # RHEL9_RELEASE defines the RHEL9 release version to update the rpm lock file for the runtime
-RHEL9_RELEASE ?= 9.4
-RHEL9_RELEASE_DASHED := $(subst .,-,$(RHEL9_RELEASE))
+RHEL9_RELEASE ?= latest
+RHEL8_RELEASE ?= latest
 
 # We don't need activation keys because we only use ubi packages
 RHEL9_ACTIVATION_KEY ?= ""
@@ -48,6 +41,14 @@ RHEL8_ORG_ID ?= ""
 # This can be set from the command line if the default is not correct for your environment.
 REGISTRY_AUTH_FILE ?= $(shell echo $${XDG_RUNTIME_DIR:-/run/user/$$(id -u)})/containers/auth.json
 
+# BSD sed (macOS) requires a backup suffix after -i (use '' for none); GNU sed (Linux) uses plain -i.
+UNAME_S := $(shell uname -s)
+ifeq ($(UNAME_S),Darwin)
+SED_INPLACE := sed -i ''
+else
+SED_INPLACE := sed -i
+endif
+
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
@@ -79,11 +80,11 @@ konflux-update-rpm-lock-runtime: sync-telco5g-konflux-submodule ## Update the rp
 	cp $(PROJECT_DIR)/../Containerfile $(PROJECT_DIR)/lock-runtime/Containerfile
 	@echo "Copying rpms.in.yaml to lock-runtime directory..."
 	cp $(PROJECT_DIR)/rpms.in.yaml $(PROJECT_DIR)/lock-runtime/rpms.in.yaml
-	sed -i 's|../Containerfile|Containerfile|g' $(PROJECT_DIR)/lock-runtime/rpms.in.yaml
+	$(SED_INPLACE) 's|../Containerfile|Containerfile|g' $(PROJECT_DIR)/lock-runtime/rpms.in.yaml
 	@echo "Updating rpm lock file for the runtime..."
 	$(MAKE) -C $(ROOT_PROJECT_DIR)/telco5g-konflux/scripts/rpm-lock generate-rhel8-locks \
 		LOCK_SCRIPT_TARGET_DIR=$(PROJECT_DIR)/lock-runtime \
-		RHEL8_IMAGE_TO_LOCK=$$(awk '/^FROM registry.access.redhat.com\/ubi8-minimal:/ {print $$2}' $(PROJECT_DIR)/Containerfile) \
+		RHEL8_IMAGE_TO_LOCK=registry.access.redhat.com/ubi8-minimal:$(RHEL8_RELEASE) \
 		REGISTRY_AUTH_FILE=$(REGISTRY_AUTH_FILE) \
 		\
 		RHEL9_RELEASE=$(RHEL9_RELEASE) \

ztp/resource-generator/.konflux/Makefile

@@ -61,8 +61,8 @@ To manually regenerate the rpm lock configuration, use the following Makefile ta
    - Update the `.konflux/rpms.lock.yaml` file
 
 **Configuration Options:**
-- `RHEL8_RELEASE`: RHEL8 release version (automatically extracted from Containerfile)
-- `RHEL9_RELEASE`: RHEL9 release version (default: 9.4)
+- `RHEL8_RELEASE`: RHEL8 release version (default: latest)
+- `RHEL9_RELEASE`: RHEL9 release version (default: latest)
 - `RHEL8_ACTIVATION_KEY`: Red Hat activation key for RHEL8 (not needed for UBI packages)
 - `RHEL8_ORG_ID`: Red Hat organization ID for RHEL8 (not needed for UBI packages)
 - `RHEL9_ACTIVATION_KEY`: Red Hat activation key for RHEL9 (not needed for UBI packages)  

ztp/resource-generator/.konflux/README.md

@@ -34,7 +34,7 @@ WORKDIR $SITECONFIG_GENERATOR_ROOT
 RUN make build
 
 # Container image
-FROM registry.access.redhat.com/ubi8-minimal:8.10-1772599255@sha256:b880e16b888f47bc3fae64e67cd9776b24372f2e7ec2051f5a9386de6f5a75ac
+FROM registry.access.redhat.com/ubi8-minimal:latest
 #
 
 USER root