NO-JIRA: Issue #362: feat(nbcs): build containers to be fips-ready #406

16 changes: 8 additions & 8 deletions components/notebook-controller/Dockerfile
Expand Up @@ -11,6 +11,8 @@ ARG GOLANG_VERSION=1.21

# Use ubi8/go-toolset as base image
FROM registry.access.redhat.com/ubi8/go-toolset:${GOLANG_VERSION} as builder
ARG TARGETOS
ARG TARGETARCH
Comment on lines +14 to +15
Member Author

@jiridanek jiridanek Oct 8, 2024

Should we have the TARGETARCH defined in our Makefile?

In general, I think not, or not yet. These variables are there mostly when somebody wants to mess with it from the outside (do amd64 build on an Mx Mac). When we want to do

we can do something with it.

The way kubebuilder does it is something like https://github.com/kubeflow/notebooks/blob/notebooks-v2/workspaces/controller/Makefile#L106-L115 We'd have to do this with podman instead of docker buildx, but the approach is not very different. And we'd have to take into account osbs/konflux, which (I guess) builds every arch natively and then does the manifest in a separate step.


## Build args to be used at this step
ARG SOURCE_CODE
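
Review bot: the two new `ARG TARGETOS` / `ARG TARGETARCH` lines after the builder `FROM` carry no comment saying where their values come from. They are declared without defaults, so they are non-empty only when the build tool injects them or the caller passes `--build-arg`. A one-line comment stating that, and that an empty `TARGETARCH` is intentional, would answer the question raised in this thread and keep someone from adding a default later.
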
Expand All @@ -30,14 +32,12 @@ WORKDIR /workspace/notebook-controller
## Build the kf-notebook-controller
USER root

RUN if [ -z ${CACHITO_ENV_FILE} ]; then \
go mod download all; \
else \
source ${CACHITO_ENV_FILE}; \
fi

RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -a -mod=mod \
-o ./bin/manager main.go
# the GOARCH has not a default value to allow the binary be built according to the host where the command
# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
RUN if [ -z ${CACHITO_ENV_FILE} ]; then go mod download; else source ${CACHITO_ENV_FILE}; fi && \
CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -tags strictfipsruntime -a -o ./bin/manager main.go
Member Author

Why doesn't TARGETARCH have a default value, similarly to TARGETOS?

That's explained in the comment above. No default means default to the arch of the container.

Member

Thanks, I didn't pay enough attention to the comment.


# Use ubi8/ubi-minimal as base image
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
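
Review bot: nothing on the new `RUN` line checks that the FIPS settings actually took effect in `./bin/manager`. The switch from `CGO_ENABLED=0` to `CGO_ENABLED=1` with `-tags strictfipsruntime` gives a FIPS-ready binary only if the toolchain honours the tag, and a toolchain that does not know the tag ignores it silently. Consider extending the same `RUN` with a check that `go version -m ./bin/manager` reports `CGO_ENABLED=1` and `-tags=strictfipsruntime`, so a wrong toolchain fails the build. Separately, with cgo enabled the binary can depend on shared libraries from the final image, and that image is `ubi8/ubi-minimal:latest`; pinning it to a digest would keep the runtime libraries matched to what was tested.
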
18 changes: 9 additions & 9 deletions components/odh-notebook-controller/Dockerfile
Expand Up @@ -11,6 +11,8 @@ ARG GOLANG_VERSION=1.21

# Use ubi8/go-toolset as base image
FROM registry.access.redhat.com/ubi8/go-toolset:${GOLANG_VERSION} as builder
ARG TARGETOS
ARG TARGETARCH

## Build args to be used at this step
ARG SOURCE_CODE
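
Review bot: with these `ARG`s feeding `GOARCH` in a cgo build, the platform of the builder stage now matters, and the `FROM ... as builder` line says nothing about it. Because cgo needs a C compiler for the target architecture, the build works only while the builder image runs as the same architecture as `TARGETARCH`, which for a cross-platform build means emulation rather than Go cross-compilation. Say so in a comment next to the `ARG` lines, so nobody later adds `--platform=$BUILDPLATFORM` to this `FROM` as an optimisation without also providing a cross C toolchain.
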
Expand All @@ -28,14 +30,12 @@ WORKDIR /workspace/odh-notebook-controller
## Build the kf-notebook-controller
USER root

RUN if [ -z ${CACHITO_ENV_FILE} ]; then \
go mod download all; \
else \
source ${CACHITO_ENV_FILE}; \
fi

RUN go build \
-o ./bin/manager main.go
# the GOARCH has not a default value to allow the binary be built according to the host where the command
# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
RUN if [ -z ${CACHITO_ENV_FILE} ]; then go mod download; else source ${CACHITO_ENV_FILE}; fi && \
CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -tags strictfipsruntime -a -o ./bin/manager main.go

# Use ubi8/ubi-minimal as base image
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
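
Review bot: `${CACHITO_ENV_FILE}` is unquoted in both `[ -z ${CACHITO_ENV_FILE} ]` and `source ${CACHITO_ENV_FILE}` on the new `RUN` line. The test happens to work when the variable is empty, but a value containing spaces or glob characters is word-split before `[` and `source` see it; write `[ -z "${CACHITO_ENV_FILE}" ]` and `source "${CACHITO_ENV_FILE}"`. The identical line in components/notebook-controller/Dockerfile needs the same change. The comment block above the line also talks about `BUILDPLATFORM` while the command reads `TARGETOS` and `TARGETARCH`; naming the variables actually used would make it easier to follow.
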
Expand All @@ -50,7 +50,7 @@ RUN useradd --uid 1001 --create-home --user-group --system rhods
## Set workdir directory to user home
WORKDIR /home/rhods

## Copy kf-notebook-controller-manager binary from builder stage
## Copy odh-notebook-controller-manager binary from builder stage
COPY --from=builder /workspace/odh-notebook-controller/bin/manager /manager
COPY --from=builder /workspace/odh-notebook-controller/third_party/license.txt third_party/license.txt
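
Review bot: the corrected `## Copy odh-notebook-controller-manager binary` comment leaves the same stale name in place earlier in this Dockerfile, where the build step is still headed `## Build the kf-notebook-controller`. Rename that one in this commit too, so the file describes the odh controller consistently.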
