openshift-knative · openshift-merge-bot · Oct 7, 2025 · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025
diff --git a/.github/workflows/release-discover-branches.yaml b/.github/workflows/release-discover-branches.yaml
@@ -74,6 +74,13 @@ jobs:
             localhost/rpm-lockfile-prototype:latest \
             --outfile=${container_dir}/pkg/dockerfilegen/ubi8.rpms.lock.yaml \
             ${container_dir}/pkg/dockerfilegen/ubi8.rpms.in.yaml || exit $?
+
+          podman run --privileged \
+            --rm \
+            -v ${PWD}:${container_dir} \
+            localhost/rpm-lockfile-prototype:latest \
+            --outfile=${container_dir}/pkg/dockerfilegen/ubi9.rpms.lock.yaml \
+            ${container_dir}/pkg/dockerfilegen/ubi9.rpms.in.yaml || exit $?
 
       - name: Create Discovery Pull Request
         if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref_name == 'main'

diff --git a/pkg/dockerfilegen/dockerfile-templates/rhel-9/BuildImage.dockerfile.tmpl b/pkg/dockerfilegen/dockerfile-templates/rhel-9/BuildImage.dockerfile.tmpl
@@ -0,0 +1,26 @@
+# DO NOT EDIT! Generated Dockerfile.
+
+FROM registry.ci.openshift.org/ocp/4.19:cli-artifacts as tools
+
+# Dockerfile to bootstrap build and test in openshift-ci
+FROM {{.builder}} as builder
+
+ARG TARGETARCH
+
+COPY --from=tools /usr/share/openshift/linux_$TARGETARCH/oc.rhel9 /usr/bin/oc
+
+RUN ln -s /usr/bin/oc /usr/bin/kubectl
+
+RUN dnf install -y httpd-tools
+
+RUN wget https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
+    chmod 700 ./get-helm-3
+
+RUN ./get-helm-3 --version v3.11.3 --no-sudo && helm version
+
+RUN GOFLAGS='' go install github.com/mikefarah/yq/v3@latest
+RUN GOFLAGS='' go install -tags="exclude_graphdriver_btrfs containers_image_openpgp" github.com/containers/skopeo/cmd/skopeo@v1.17.0
+
+# go install creates $GOPATH/.cache with root permissions, we delete it here
+# to avoid permission issues with the runtime users
+RUN rm -rf $GOPATH/.cache
diff --git a/pkg/dockerfilegen/dockerfile-templates/rhel-9/Default.dockerfile.tmpl b/pkg/dockerfilegen/dockerfile-templates/rhel-9/Default.dockerfile.tmpl
@@ -0,0 +1,39 @@
+# DO NOT EDIT! Generated Dockerfile for {{.main}}.
+ARG GO_BUILDER={{.builder}}
+ARG GO_RUNTIME=registry.access.redhat.com/ubi9/ubi-minimal
+
+FROM $GO_BUILDER as builder
+
+WORKDIR /workspace
+COPY . .
+{{ range $c := .build_env_vars}}
+ENV {{ $c }}
+{{- end }}
+
+RUN go build -tags strictfipsruntime -o /usr/bin/main ./{{.main}}
+
+FROM $GO_RUNTIME
+
+ARG VERSION={{.version}}
+
+{{- range $c := .additional_instructions }}
+{{ $c }}
+{{- end }}
+
+COPY --from=builder /usr/bin/main {{.app_file}}
+COPY LICENSE /licenses/
+
+USER 65532
+
+LABEL \
+      com.redhat.component="openshift-serverless-1-{{.project_dashcase}}{{.component_dashcase}}-rhel9-container" \
+      name="openshift-serverless-1/{{.project_dashcase}}{{.component_dashcase}}-rhel8" \
+      version=$VERSION \
+      summary="Red Hat OpenShift Serverless 1 {{.project}}{{.component}}" \
+      maintainer="serverless-support@redhat.com" \
+      description="Red Hat OpenShift Serverless 1 {{.project}}{{.component}}" \
+      io.k8s.display-name="Red Hat OpenShift Serverless 1 {{.project}}{{.component}}" \
+      io.k8s.description="Red Hat OpenShift Serverless {{.project}}{{.component}}" \
+      io.openshift.tags="{{.component_dashcase}}"
+
+ENTRYPOINT ["{{.app_file}}"]
diff --git a/pkg/dockerfilegen/dockerfile-templates/rhel-9/FuncUtil.dockerfile.tmpl b/pkg/dockerfilegen/dockerfile-templates/rhel-9/FuncUtil.dockerfile.tmpl
@@ -0,0 +1,46 @@
+# DO NOT EDIT! Generated Dockerfile for {{.main}}.
+ARG GO_BUILDER={{.builder}}
+ARG GO_RUNTIME=registry.access.redhat.com/ubi9/ubi-minimal
+
+FROM $GO_BUILDER as builder
+
+WORKDIR /workspace
+COPY . .
+
+ENV CGO_ENABLED=1
+ENV GOEXPERIMENT=strictfipsruntime
+ENV GOFLAGS=''
+
+RUN go build -tags strictfipsruntime,exclude_graphdriver_btrfs -o /usr/bin/main ./{{.main}}
+
+FROM $GO_RUNTIME
+
+ARG VERSION={{.version}}
+
+RUN microdnf install socat tar
+{{- range $c := .additional_instructions }}
+{{ $c }}
+{{- end }}
+
+COPY --from=builder /usr/bin/main {{.app_file}}
+COPY LICENSE /licenses/
+
+RUN ln -s {{.app_file}} /usr/local/bin/deploy && \
+	ln -s {{.app_file}} /usr/local/bin/scaffold && \
+	ln -s {{.app_file}} /usr/local/bin/s2i && \
+	ln -s {{.app_file}} /usr/local/bin/s2i-generate
+
+USER 65532
+
+LABEL \
+      com.redhat.component="openshift-serverless-1-{{.project_dashcase}}{{.component_dashcase}}-rhel9-container" \
+      name="openshift-serverless-1/{{.project_dashcase}}{{.component_dashcase}}-rhel8" \
+      version=$VERSION \
+      summary="Red Hat OpenShift Serverless 1 {{.project}}{{.component}}" \
+      maintainer="serverless-support@redhat.com" \
+      description="Red Hat OpenShift Serverless 1 {{.project}}{{.component}}" \
+      io.k8s.display-name="Red Hat OpenShift Serverless 1 {{.project}}{{.component}}" \
+      io.k8s.description="Red Hat OpenShift Serverless {{.project}}{{.component}}" \
+      io.openshift.tags="{{.component_dashcase}}"
+
+ENTRYPOINT ["/usr/bin/bash"]
diff --git a/pkg/dockerfilegen/dockerfile-templates/rhel-9/MustGather.dockerfile.tmpl b/pkg/dockerfilegen/dockerfile-templates/rhel-9/MustGather.dockerfile.tmpl
@@ -0,0 +1,35 @@
+# DO NOT EDIT! Generated Dockerfile for {{.main}}.
+ARG CLI_ARTIFACTS={{ .oc_cli_artifacts }}
+ARG RUNTIME=registry.access.redhat.com/ubi9/ubi-minimal
+FROM $CLI_ARTIFACTS AS cli-artifacts
+
+FROM $RUNTIME
+
+ARG TARGETARCH
+
+COPY --from=cli-artifacts /usr/share/openshift/linux_$TARGETARCH/{{ .oc_binary_name }} /usr/bin/oc
+
+# Copy all collection scripts to /usr/bin
+COPY must-gather/bin/* /usr/bin/
+COPY LICENSE /licenses/
+
+RUN microdnf install -y rsync tar
+
+ENV LOGS_DIR="/must-gather"
+RUN mkdir -p $LOGS_DIR && \
+    chown -R 65532:65532 $LOGS_DIR
+
+USER 65532
+
+LABEL \
+      com.redhat.component="openshift-serverless-1-{{.project_dashcase}}rhel9-container" \
+      name="openshift-serverless-1/svls-{{.project_dashcase}}rhel8" \
+      version={{.version}} \
+      summary="Red Hat OpenShift Serverless 1 {{.project}}" \
+      maintainer="serverless-support@redhat.com" \
+      description="Red Hat OpenShift Serverless 1 {{.project}}" \
+      io.k8s.display-name="Red Hat OpenShift Serverless 1 {{.project}}" \
+      io.k8s.description="Red Hat OpenShift Serverless {{.project}}" \
+      io.openshift.tags="{{.main}}"
+
+ENTRYPOINT /usr/bin/gather
diff --git a/pkg/dockerfilegen/dockerfile-templates/rhel-9/SourceImage.dockerfile.tmpl b/pkg/dockerfilegen/dockerfile-templates/rhel-9/SourceImage.dockerfile.tmpl
@@ -0,0 +1,7 @@
+# DO NOT EDIT! Generated Dockerfile.
+
+FROM src
+
+RUN chmod +x vendor/k8s.io/code-generator/generate-groups.sh || true
+RUN chmod +x vendor/knative.dev/pkg/hack/generate-knative.sh || true
+RUN chmod +x vendor/k8s.io/code-generator/generate-internal-groups.sh || true
diff --git a/pkg/dockerfilegen/generator.go b/pkg/dockerfilegen/generator.go
@@ -152,9 +152,27 @@ func generateDockerfile(params Params, mainPackagesPaths sets.Set[string]) error
 		goVersion = strings.Join(strings.Split(goVersion, ".")[0:2], ".")
 	}
 
+	metadata, err := project.ReadMetadataFile(params.ProjectFilePath)
+	if err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return fmt.Errorf("%w: Failed to read project metadata file: %w",
+				ErrBadConf, errors.WithStack(err))
+		}
+		log.Println("File not found:", params.ProjectFilePath, "(Using defaults)")
+		metadata = project.DefaultMetadata()
+	}
+
+	rhelVersion := "rhel-8"
+	minorVersion, err := strconv.Atoi(strings.Replace(metadata.Project.Tag, "knative-v1.", "", 1))
+	if err != nil {
+		if minorVersion >= 17 {
+			rhelVersion = "rhel-9"
+		}
+	}
+
 	builderImage := params.DockerfileImageBuilderFmt
 	if builderImage == "" {
-		builderImage = builderImageForGoVersion(goVersion)
+		builderImage = builderImageForGoVersion(goVersion, rhelVersion)
 	} else {
 		// Builder image might be provided without formatting '%s' string as plain value
 		if strings.Count(params.DockerfileImageBuilderFmt, "%s") == 1 {
@@ -164,16 +182,6 @@ func generateDockerfile(params Params, mainPackagesPaths sets.Set[string]) error
 
 	goPackageToImageMapping := map[string]string{}
 
-	metadata, err := project.ReadMetadataFile(params.ProjectFilePath)
-	if err != nil {
-		if !errors.Is(err, os.ErrNotExist) {
-			return fmt.Errorf("%w: Failed to read project metadata file: %w",
-				ErrBadConf, errors.WithStack(err))
-		}
-		log.Println("File not found:", params.ProjectFilePath, "(Using defaults)")
-		metadata = project.DefaultMetadata()
-	}
-
 	d := map[string]interface{}{
 		"builder": builderImage,
 	}
@@ -261,7 +269,11 @@ func generateDockerfile(params Params, mainPackagesPaths sets.Set[string]) error
 				ErrBadConf, params.TemplateName)
 		}
 
-		t, err := template.ParseFS(dockerfileTemplate, "dockerfile-templates/*.tmpl")
+		templateFiles := "dockerfile-templates/*.tmpl"
+		if rhelVersion == "rhel-9" {
+			templateFiles = "dockerfile-templates/rhel-9/*.tmpl"
+		}
+		t, err := template.ParseFS(dockerfileTemplate, templateFiles)
 		if err != nil {
 			return fmt.Errorf("%w: Parsing failed: %w",
 				ErrBadTemplate, errors.WithStack(err))
@@ -573,19 +585,22 @@ func writeRPMLockFile(rpmsLockTemplate fs.FS, rootDir string) error {
 	return nil
 }
 
-func builderImageForGoVersion(goVersion string) string {
-	builderImageFmt := "registry.ci.openshift.org/openshift/release:rhel-8-release-golang-%s-openshift-%s"
+func builderImageForGoVersion(goVersion, rhelVersion string) string {
+	if rhelVersion == "" {
+		rhelVersion = "rhel-8"
+	}
+	builderImageFmt := "registry.ci.openshift.org/openshift/release:%s-release-golang-%s-openshift-%s"
 
 	switch goVersion {
 	case "1.21":
-		return fmt.Sprintf(builderImageFmt, goVersion, "4.16")
+		return fmt.Sprintf(builderImageFmt, rhelVersion, goVersion, "4.16")
 	case "1.22":
-		return fmt.Sprintf(builderImageFmt, goVersion, "4.17")
+		return fmt.Sprintf(builderImageFmt, rhelVersion, goVersion, "4.17")
 	case "1.23":
-		return fmt.Sprintf(builderImageFmt, goVersion, "4.19")
+		return fmt.Sprintf(builderImageFmt, rhelVersion, goVersion, "4.19")
 	case "1.24":
 		fallthrough
 	default:
-		return fmt.Sprintf(builderImageFmt, goVersion, "4.20")
+		return fmt.Sprintf(builderImageFmt, rhelVersion, goVersion, "4.20")
 	}
 }
diff --git a/pkg/dockerfilegen/templates.go b/pkg/dockerfilegen/templates.go
@@ -19,3 +19,6 @@ var DockerfileMustGatherTemplate embed.FS
 
 //go:embed ubi8.rpms.lock.yaml
 var RPMsLockTemplateUbi8 embed.FS
+
+//go:embed ubi9.rpms.lock.yaml
+var RPMsLockTemplateUbi9 embed.FS
diff --git a/pkg/dockerfilegen/ubi9.Containerfile b/pkg/dockerfilegen/ubi9.Containerfile
@@ -0,0 +1 @@
+FROM registry.access.redhat.com/ubi9/ubi-minimal
diff --git a/pkg/dockerfilegen/ubi9.rpms.in.yaml b/pkg/dockerfilegen/ubi9.rpms.in.yaml
@@ -0,0 +1,30 @@
+contentOrigin:
+  # Define at least one source of packages, but you can have as many as you want.
+  repofiles:
+    # Either local path or url pointing to .repo file
+    - 'https://raw.githubusercontent.com/konflux-ci/bazel-builder/refs/heads/bazel8-ubi9/ubi9.repo'
+packages:
+  # list of rpm names to resolve
+  - socat
+  - tar
+  - rsync
+
+reinstallPackages:
+  - tzdata
+
+upgradePackages:
+  - tzdata
+
+arches:
+  # The list of architectures can be set in the config file. Any `--arch` option set
+  # on the command line will override this list.
+  - x86_64
+  - aarch64
+  - s390x
+  - ppc64le
+
+context:
+  # Alternative to setting command line options. Usually you will only want
+  # to include one of these options, with the exception of `flatpak` that
+  # can be combined with `image` and `containerfile`
+  containerfile: ubi9.Containerfile
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		FROM registry.access.redhat.com/ubi9/ubi-minimal