konflux: use RHAI base image

.tekton/lightspeed-stack-pull-request.yaml

@@ -55,7 +55,7 @@ spec:
           ],
           "requirements_build_files": ["requirements-build.txt"],
           "binary": {
-            "packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,huggingface-hub,idna,jinja2,jiter,joblib,jsonschema-specifications,lxml,markdown-it-py,mdurl,mpmath,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,polyleven,prompt-toolkit,propcache,proto-plus,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,python-dateutil,python-dotenv,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tornado,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
+            "packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,idna,jinja2,jiter,joblib,jsonschema-specifications,lxml,markdown-it-py,mdurl,mpmath,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,prompt-toolkit,propcache,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,python-dateutil,python-dotenv,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tornado,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
             "os": "linux",
             "arch": "x86_64,aarch64",
             "py_version": 312
@@ -66,6 +66,8 @@ spec:
     value: 'true'
   - name: dockerfile
     value: Containerfile
+  - name: build-args-file
+    value: build-args-konflux.conf
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

.tekton/lightspeed-stack-push.yaml

@@ -47,7 +47,7 @@ spec:
           ],
           "requirements_build_files": ["requirements-build.txt"],
           "binary": {
-            "packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,huggingface-hub,idna,jinja2,jiter,joblib,jsonschema-specifications,lxml,markdown-it-py,mdurl,mpmath,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,polyleven,prompt-toolkit,propcache,proto-plus,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,python-dateutil,python-dotenv,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tornado,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
+            "packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,idna,jinja2,jiter,joblib,jsonschema-specifications,lxml,markdown-it-py,mdurl,mpmath,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,prompt-toolkit,propcache,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,python-dateutil,python-dotenv,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tornado,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
             "os": "linux",
             "arch": "x86_64,aarch64",
             "py_version": 312
@@ -58,6 +58,8 @@ spec:
     value: 'true'
   - name: dockerfile
     value: Containerfile
+  - name: build-args-file
+    value: build-args-konflux.conf
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

Containerfile

@@ -1,6 +1,12 @@
 # vim: set filetype=dockerfile
-FROM registry.access.redhat.com/ubi9/python-312 AS builder
+ARG BUILDER_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312
+ARG BUILDER_DNF_COMMAND=dnf
+ARG RUNTIME_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312-minimal
+ARG RUNTIME_DNF_COMMAND=microdnf
 
+FROM ${BUILDER_BASE_IMAGE} AS builder
+
+ARG BUILDER_DNF_COMMAND=dnf
 ARG APP_ROOT=/app-root
 ARG LSC_SOURCE_DIR=.
 
@@ -18,7 +24,7 @@ USER root
 # Install gcc - required by polyleven python package on aarch64
 # (dependency of autoevals, no pre-built binary wheels for linux on aarch64)
 # cmake and cargo are required by fastuuid, maturin
-RUN dnf install -y --nodocs --setopt=keepcache=0 --setopt=tsflags=nodocs gcc cmake cargo
+RUN ${BUILDER_DNF_COMMAND} install -y --nodocs --setopt=keepcache=0 --setopt=tsflags=nodocs gcc gcc-c++ cmake cargo
 
 # Install uv package manager
 RUN pip3.12 install "uv>=0.8.15"
@@ -51,7 +57,8 @@ RUN if [ -f /cachi2/cachi2.env ]; then \
 RUN uv pip uninstall ecdsa
 
 # Final image without uv package manager
-FROM registry.access.redhat.com/ubi9/python-312-minimal
+FROM ${RUNTIME_BASE_IMAGE}
+ARG RUNTIME_DNF_COMMAND=microdnf
 ARG APP_ROOT=/app-root
 WORKDIR /app-root
 
@@ -79,7 +86,7 @@ COPY --from=builder /app-root/LICENSE /licenses/
 USER root
 
 # Additional tools for derived images
-RUN microdnf install -y --nodocs --setopt=keepcache=0 --setopt=tsflags=nodocs jq patch libpq libtiff openjpeg2 lcms2 libjpeg-turbo libwebp
+RUN ${RUNTIME_DNF_COMMAND} install -y --nodocs --setopt=keepcache=0 --setopt=tsflags=nodocs jq patch
 
 # Create llama-stack directories for library mode
 RUN mkdir -p /opt/app-root/src/.llama/storage /opt/app-root/src/.llama/providers.d && \

Makefile

@@ -124,6 +124,9 @@ upload-distribution-archives:	## Upload distribution archives into Python regist
 konflux-requirements:	## generate hermetic requirements.*.txt file for konflux build
 	./scripts/konflux_requirements.sh
 
+konflux-rpm-lock:	## generate rpm.lock.yaml file for konflux build
+	./scripts/generate-rpm-lock.sh
+
 help: ## Show this help screen
 	@echo 'Usage: make <OPTIONS> ... <TARGETS>'
 	@echo ''

README.md

@@ -36,6 +36,7 @@ The service includes comprehensive user data collection capabilities for various
         * [1. Static Tokens from Files (Recommended for Service Credentials)](#1-static-tokens-from-files-recommended-for-service-credentials)
         * [2. Kubernetes Service Account Tokens (For K8s Deployments)](#2-kubernetes-service-account-tokens-for-k8s-deployments)
         * [3. Client-Provided Tokens (For Per-User Authentication)](#3-client-provided-tokens-for-per-user-authentication)
+        * [Client-Authenticated MCP Servers Discovery](#client-authenticated-mcp-servers-discovery)
         * [Combining Authentication Methods](#combining-authentication-methods)
         * [Authentication Method Comparison](#authentication-method-comparison)
         * [Important: Automatic Server Skipping](#important-automatic-server-skipping)
@@ -768,6 +769,7 @@ verify                            Run all linters
 distribution-archives             Generate distribution archives to be uploaded into Python registry
 upload-distribution-archives      Upload distribution archives into Python registry
 konflux-requirements              generate hermetic requirements.*.txt file for konflux build
+konflux-rpm-lock 	                generate rpm.lock.yaml file for konflux build
 ```
 
 ## Running Linux container image
@@ -1229,20 +1231,35 @@ The script also updates the Tekton pipeline configurations (`.tekton/lightspeed-
 
 ### Updating RPM Dependencies
 
-**Prerequisites:** Install [rpm-lockfile-prototype](https://github.com/konflux-ci/rpm-lockfile-prototype?tab=readme-ov-file#installation)
+**Prerequisites:**
+- Install [rpm-lockfile-prototype](https://github.com/konflux-ci/rpm-lockfile-prototype?tab=readme-ov-file#installation)
+- Have an active RHEL Subscription, get activation keys from [RH console](https://console.redhat.com/insights/connector/activation-keys)
+- Have `dnf` installed in system
 
 **Steps:**
 
 1. **List your RPM packages** in `rpms.in.yaml` under the `packages` field
 
 2. **If you changed the base image**, extract its repo file:
 ```shell
+# UBI images
 podman run -it $BASE_IMAGE cat /etc/yum.repos.d/ubi.repo > ubi.repo
+# RHEL images
+podman run -it $BASE_IMAGE cat /etc/yum.repos.d/redhat.repo > redhat.repo
+```
+If the repo file contains too many entries, we can filter them and keep only required repositories.
+Here is the command to check active repositories:
+```shell
+dnf repolist
+```
+Replace the architecture tag (`uname -m`) to `$basearch` so that rpm-lockfile-prototype can replace it with requested architecture names.
+```shell
+sed -i "s/$(uname -m)/\$basearch/g" redhat.repo
 ```
 
-3. **Generate the lock file**:
+1. **Generate the lock file**:
 ```shell
-rpm-lockfile-prototype --image $BASE_IMAGE rpms.in.yaml
+make konflux-rpm-lock
 ```
 
 This creates `rpms.lock.yaml` with pinned RPM versions.

build-args-konflux.conf

@@ -0,0 +1,4 @@
+BUILDER_BASE_IMAGE=registry.redhat.io/rhai/base-image-cpu-rhel9:3.2
+BUILDER_DNF_COMMAND=dnf
+RUNTIME_BASE_IMAGE=registry.redhat.io/rhai/base-image-cpu-rhel9:3.2
+RUNTIME_DNF_COMMAND=dnf

redhat.repo

@@ -0,0 +1,69 @@
+[codeready-builder-for-rhel-9-$basearch-eus-rpms]
+name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (RPMs)
+baseurl = https://cdn.redhat.com/content/eus/rhel9/9.6/$basearch/codeready-builder/os
+enabled = 1
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+sslverify = 1
+sslcacert = /etc/rhsm/ca/redhat-uep.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 0
+sslclientkey = $SSL_CLIENT_KEY
+sslclientcert = $SSL_CLIENT_CERT
+
+[rhel-9-for-$basearch-appstream-eus-rpms]
+name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (RPMs)
+baseurl = https://cdn.redhat.com/content/eus/rhel9/9.6/$basearch/appstream/os
+enabled = 1
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+sslverify = 1
+sslcacert = /etc/rhsm/ca/redhat-uep.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 0
+sslclientkey = $SSL_CLIENT_KEY
+sslclientcert = $SSL_CLIENT_CERT
+
+[rhel-9-for-$basearch-baseos-eus-rpms]
+name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (RPMs)
+baseurl = https://cdn.redhat.com/content/eus/rhel9/9.6/$basearch/baseos/os
+enabled = 1
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+sslverify = 1
+sslcacert = /etc/rhsm/ca/redhat-uep.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 0
+sslclientkey = $SSL_CLIENT_KEY
+sslclientcert = $SSL_CLIENT_CERT
+
+[rhocp-4.17-for-rhel-9-$basearch-rpms]
+name = Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (RPMs)
+baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/os
+enabled = 0
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+sslverify = 1
+sslcacert = /etc/rhsm/ca/redhat-uep.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 0
+sslclientkey = $SSL_CLIENT_KEY
+sslclientcert = $SSL_CLIENT_CERT
+
+[rhocp-4.17-for-rhel-9-$basearch-source-rpms]
+name = Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Source RPMs)
+baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/source/SRPMS
+enabled = 0
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+sslverify = 1
+sslcacert = /etc/rhsm/ca/redhat-uep.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 0
+sslclientkey = $SSL_CLIENT_KEY
+sslclientcert = $SSL_CLIENT_CERT

requirements-build.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.13
+# This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
 #    pybuild-deps compile --output-file=requirements-build.txt requirements.source.txt
@@ -56,6 +56,7 @@ maturin==1.10.2
     # via fastuuid
 packaging==26.0
     # via
+    #   dunamai
     #   hatchling
     #   setuptools-scm
     #   wheel
@@ -122,7 +123,9 @@ setuptools==80.10.2
     #   multiprocess
     #   pathspec
     #   pluggy
+    #   polyleven
     #   prometheus-client
+    #   proto-plus
     #   psutil
     #   pycparser
     #   pycryptodomex