From 0400fc3bdb33d9e7c2a8b871221256b4a4b78659 Mon Sep 17 00:00:00 2001
From: Jiri Danek
Date: Wed, 2 Oct 2024 11:43:33 +0200
Subject: [PATCH] Issue #362: feat(nbcs): build containers to be fips-ready

This takes inspiration from:

* The Notebooks 2.0 Dockerfile, which comes from a default recent Kubebuilder template, at https://github.com/kubeflow/notebooks/blob/notebooks-v2/workspaces/controller/Dockerfile
* The Red Hat build Dockerfile (that's the Cachito part) in an internal repository.

This change brings multiple improvements:

1. Dockerfiles are brought closer together, especially to the Red Hat build; previously, sourcing things in a stand-alone RUN command had no effect
2. The openssl fips-compatible library is linked into the manager binaries, to proactively address fips concerns
---
 components/notebook-controller/Dockerfile | 16 ++++++++--------
 components/odh-notebook-controller/Dockerfile | 18 +++++++++---------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/components/notebook-controller/Dockerfile b/components/notebook-controller/Dockerfile
index cd8e2db01e8..8c35069ab20 100644
--- a/components/notebook-controller/Dockerfile
+++ b/components/notebook-controller/Dockerfile
@@ -11,6 +11,8 @@ ARG GOLANG_VERSION=1.21
 # Use ubi8/go-toolset as base image
 FROM registry.access.redhat.com/ubi8/go-toolset:${GOLANG_VERSION} as builder
+ARG TARGETOS
+ARG TARGETARCH
 ## Build args to be used at this step
 ARG SOURCE_CODE
@@ -30,14 +32,12 @@ WORKDIR /workspace/notebook-controller
 ## Build the kf-notebook-controller
 USER root
-RUN if [ -z ${CACHITO_ENV_FILE} ]; then \
- go mod download all; \
- else \
- source ${CACHITO_ENV_FILE}; \
- fi
-
-RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -a -mod=mod \
- -o ./bin/manager main.go
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN if [ -z ${CACHITO_ENV_FILE} ]; then go mod download; else source ${CACHITO_ENV_FILE}; fi && \
+ CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -tags strictfipsruntime -a -o ./bin/manager main.go
 # Use ubi8/ubi-minimal as base image
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
diff --git a/components/odh-notebook-controller/Dockerfile b/components/odh-notebook-controller/Dockerfile
index bb6ce4f2303..e370c35e578 100644
--- a/components/odh-notebook-controller/Dockerfile
+++ b/components/odh-notebook-controller/Dockerfile
@@ -11,6 +11,8 @@ ARG GOLANG_VERSION=1.21
 # Use ubi8/go-toolset as base image
 FROM registry.access.redhat.com/ubi8/go-toolset:${GOLANG_VERSION} as builder
+ARG TARGETOS
+ARG TARGETARCH
 ## Build args to be used at this step
 ARG SOURCE_CODE
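Review bot: The new build line switches to `CGO_ENABLED=1` with `-tags strictfipsruntime`, which makes the manager depend on the system OpenSSL at runtime instead of Go's pure-Go crypto, yet nothing in the hunk records that the final stage must supply it, and the runtime base in the context line is the unpinned `ubi8/ubi-minimal:latest`, so the libcrypto actually loaded can drift from the go-toolset the binary was built and tested against. As I understand the Red Hat toolchain, `strictfipsruntime` also makes the binary refuse to start on a FIPS-enabled host when the OpenSSL backend cannot be initialised, so a missing or mismatched openssl-libs in the final image becomes a startup failure rather than a silent fallback — worth confirming. I would add a why-comment above the build line, e.g. `# CGO_ENABLED=1 + strictfipsruntime: crypto is provided by the system OpenSSL at runtime, so the final stage must ship a matching ubi8 openssl-libs (re-verify before bumping either base image)`, and pin the runtime image to a specific ubi8-minimal tag or digest instead of `:latest`. The comment block above the RUN was written for the kubebuilder template's `CGO_ENABLED=0` build; with cgo on, a `--platform` cross-build would additionally need a C cross toolchain, and it only works here because the builder stage runs natively for the target platform (no `--platform=$BUILDPLATFORM` on FROM) — the comment could say so.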
@@ -28,14 +30,12 @@ WORKDIR /workspace/odh-notebook-controller
 ## Build the kf-notebook-controller
 USER root
-RUN if [ -z ${CACHITO_ENV_FILE} ]; then \
- go mod download all; \
- else \
- source ${CACHITO_ENV_FILE}; \
- fi
-
-RUN go build \
- -o ./bin/manager main.go
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN if [ -z ${CACHITO_ENV_FILE} ]; then go mod download; else source ${CACHITO_ENV_FILE}; fi && \
+ CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -tags strictfipsruntime -a -o ./bin/manager main.go
 # Use ubi8/ubi-minimal as base image
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
@@ -50,7 +50,7 @@ RUN useradd --uid 1001 --create-home --user-group --system rhods
 ## Set workdir directory to user home
 WORKDIR /home/rhods
-## Copy kf-notebook-controller-manager binary from builder stage
+## Copy odh-notebook-controller-manager binary from builder stage
 COPY --from=builder /workspace/odh-notebook-controller/bin/manager /manager
 COPY --from=builder /workspace/odh-notebook-controller/third_party/license.txt third_party/license.txt
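Review bot: The merged RUN line leaves `${CACHITO_ENV_FILE}` unquoted in both `[ -z ${CACHITO_ENV_FILE} ]` and `source ${CACHITO_ENV_FILE}`; with the arg unset the test collapses to `[ -z ]`, which is true only because a lone non-empty string is truthy, and a path containing whitespace would break both the test and the source. `source` is also a bash builtin while Dockerfile RUN executes under `/bin/sh -c` by default, so this relies on `/bin/sh` being bash in the go-toolset image (it is on ubi8 as far as I know, but `.` is the portable spelling). I would write the first line as `RUN if [ -z "${CACHITO_ENV_FILE}" ]; then go mod download; else . "${CACHITO_ENV_FILE}"; fi && \` and leave the build line unchanged. The sourced env file is trusted build input, which is fine for Cachito, but a comment such as `# CACHITO_ENV_FILE is the hermetic-build env written by Cachito; it is sourced in the same RUN so its exports reach go build` would record why it must share the layer with `go build`, which is the defect the commit message says this fixes.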