Skip to content

add template konflux dockerfile #382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
weshayutin wants to merge 1 commit into
base: oadp-dev
Choose a base branch
from
+26 −0
Open

add template konflux dockerfile #382

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions konflux.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
COPY . .
COPY go.mod go.sum $APP_ROOT/src/github.com/konveyor/openshift-velero-plugin/
RUN go mod download
COPY . $APP_ROOT/src/github.com/konveyor/openshift-velero-plugin
Comment on lines +2 to +5
Copy link

@coderabbitai coderabbitai bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Dependency layer caching is currently defeated.

COPY . . before go mod download causes dependency downloads to rerun on any source change, and the full source is copied twice.

Proposed fix 
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
-COPY . .
-COPY go.mod go.sum $APP_ROOT/src/github.com/konveyor/openshift-velero-plugin/
-RUN go mod download
-COPY . $APP_ROOT/src/github.com/konveyor/openshift-velero-plugin
-WORKDIR $APP_ROOT/src/github.com/konveyor/openshift-velero-plugin
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
+WORKDIR $APP_ROOT/src/github.com/konveyor/openshift-velero-plugin
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . ./

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@konflux.Dockerfile` around lines 2 - 5, The Dockerfile currently copies the
whole context early (COPY . .) which defeats layer caching and duplicates source
copies; reorder and simplify so you first COPY go.mod go.sum to the destination
referenced in the diff (the path used with COPY go.mod go.sum
$APP_ROOT/src/github.com/konveyor/openshift-velero-plugin/), run RUN go mod
download to populate module cache, then COPY the remaining source once (replace
the initial COPY . . and the later COPY . ...) so dependency layers are cached
and source is only copied once.

WORKDIR $APP_ROOT/src/github.com/konveyor/openshift-velero-plugin
ENV GOPATH=$APP_ROOT
ENV BUILDTAGS containers_image_ostree_stub exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp exclude_graphdriver_overlay include_gcs include_oss strictfipsruntime
ENV BIN velero-plugins
ENV GOEXPERIMENT strictfipsruntime
RUN go build -installsuffix "static" -tags "$BUILDTAGS" -mod=mod -o _output/$BIN ./$BIN


FROM registry.redhat.io/ubi9/ubi:latest
Copy link

@coderabbitai coderabbitai bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Verify whether floating base tags are present in Dockerfiles.
rg -n '^\s*FROM\s+\S+:latest(\s|$)' --glob '*Dockerfile*'

Repository: openshift/openshift-velero-plugin

Length of output: 138

Use explicit version tags instead of latest for the base image.

Floating tags like ubi:latest prevent reproducible builds and can introduce unexpected base-image changes without review. Pin to a specific version (e.g., ubi9/ubi:9.3 or similar).

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@konflux.Dockerfile` at line 14, Replace the floating base image tag in the
Dockerfile FROM instruction (currently "registry.redhat.io/ubi9/ubi:latest")
with a specific, reproducible version tag (for example
"registry.redhat.io/ubi9/ubi:9.3" or your project's approved UBI9 patch
version); update the FROM line accordingly and ensure any CI/build docs or image
scanning policy reflect the chosen fixed tag.

RUN dnf -y install openssl && dnf -y reinstall tzdata && dnf clean all
RUN mkdir /plugins
COPY --from=builder $APP_ROOT/src/github.com/konveyor/openshift-velero-plugin/_output/$BIN /plugins/
Copy link

@coderabbitai coderabbitai bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show variable usage and stage-local declarations around runtime stage.
nl -ba konflux.Dockerfile | sed -n '1,26p'
echo
echo "Runtime-stage ENV/ARG declarations:"
awk '
  BEGIN {stage=0}
  /^\s*FROM\s+/ {stage++; next}
  stage==2 && /^\s*(ENV|ARG)\s+/ {print NR ":" $0}
' konflux.Dockerfile
echo
echo "Variable references in COPY --from lines:"
rg -n '^\s*COPY\s+--from=.*\$(APP_ROOT|BIN)' konflux.Dockerfile

Repository: openshift/openshift-velero-plugin

Length of output: 119

🏁 Script executed:

#!/bin/bash
# Read the Dockerfile to understand its structure and variable usage
cat -n konflux.Dockerfile

Repository: openshift/openshift-velero-plugin

Length of output: 1581

COPY --from=builder references variables undefined in runtime stage.

$APP_ROOT and $BIN are only available in the builder stage. In the runtime stage (line 14 onwards), Dockerfile expands these variables in the current stage context where they're undefined, causing the COPY on line 17 to fail or copy from an incorrect path.

Add the following to the runtime stage:

 FROM registry.redhat.io/ubi9/ubi:latest
+ENV APP_ROOT=/opt/app-root
+ENV BIN=velero-plugins
 RUN dnf -y install openssl && dnf -y reinstall tzdata && dnf clean all
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@konflux.Dockerfile` at line 17, The COPY --from=builder line fails because
$APP_ROOT and $BIN are only defined in the builder stage; declare those build
args or envs so they are available in the runtime stage (or replace with a
static path). Add ARG APP_ROOT and ARG BIN (or ENV definitions) in a scope
visible to both stages (e.g., before the first FROM or re-declare them in the
runtime stage) so the COPY --from=builder $APP_ROOT/src/.../$BIN /plugins/
resolves correctly at build time.

COPY LICENSE /licenses/
USER 65534:65534
ENTRYPOINT ["/bin/bash", "-c", "cp /plugins/* /target/."]

LABEL description="OpenShift API for Data Protection - Velero Plugin"
LABEL io.k8s.description="OpenShift API for Data Protection - Velero Plugin"
LABEL io.k8s.display-name="OADP Velero Plugin"
LABEL io.openshift.tags="migration"
LABEL summary="OpenShift API for Data Protection - Velero Plugin"