From 6544bcd2c5da535ade367f5513029e3a3426ee80 Mon Sep 17 00:00:00 2001 From: Caden Marchese <56140267+cadenmarchese@users.noreply.github.com> Date: Fri, 24 Jun 2022 14:40:13 -0400 Subject: [PATCH] Remove 3rd party dependencies: dockerfile registry arg (#2126) * allow args in Dockerfiles, change pull references * add new Dockerfile for OBP, adjust template remove debugging code --- .../template-buildrp-builddocker.yml | 2 +- Dockerfile.aro | 3 +- Dockerfile.aro-multistage | 5 ++-- Dockerfile.aro-multistage-onebranch | 22 ++++++++++++++ Dockerfile.autorest | 3 +- Dockerfile.fluentbit | 3 +- Dockerfile.muo | 5 ++-- Dockerfile.portal_lint | 3 +- Dockerfile.proxy | 3 +- Makefile | 29 ++++++++++++------- docs/admin-portal.md | 2 ++ docs/deploy-full-rp-service-in-dev.md | 6 ++-- 12 files changed, 64 insertions(+), 22 deletions(-) create mode 100644 Dockerfile.aro-multistage-onebranch diff --git a/.pipelines/onebranch/templates/template-buildrp-builddocker.yml b/.pipelines/onebranch/templates/template-buildrp-builddocker.yml index 867edc356..f01894bb1 100644 --- a/.pipelines/onebranch/templates/template-buildrp-builddocker.yml +++ b/.pipelines/onebranch/templates/template-buildrp-builddocker.yml @@ -3,7 +3,7 @@ steps: displayName: Build Multi Stage Dockerfile inputs: repositoryName: aro-rp - dockerFileRelPath: ./Dockerfile.aro-multistage + dockerFileRelPath: ./Dockerfile.aro-multistage-onebranch dockerFileContextPath: ./ registry: cdpxlinux.azurecr.io saveImageToPath: aro-rp.tar diff --git a/Dockerfile.aro b/Dockerfile.aro index fb998fdad..9bf2f4098 100644 --- a/Dockerfile.aro +++ b/Dockerfile.aro @@ -1,4 +1,5 @@ -FROM registry.access.redhat.com/ubi8/ubi-minimal +ARG REGISTRY +FROM ${REGISTRY}/ubi8/ubi-minimal RUN microdnf update && microdnf clean all COPY aro e2e.test /usr/local/bin/ ENTRYPOINT ["aro"] diff --git a/Dockerfile.aro-multistage b/Dockerfile.aro-multistage index d1ab10047..9a2b6457d 100644 --- a/Dockerfile.aro-multistage +++ b/Dockerfile.aro-multistage 
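Review bot: In Dockerfile.aro the new `ARG REGISTRY` has no default and the base image stays untagged, so `FROM ${REGISTRY}/ubi8/ubi-minimal` now resolves to whatever `:latest` the caller-chosen registry serves. A default keeps a plain `docker build` working and makes the trusted source explicit: `ARG REGISTRY=registry.access.redhat.com`. Because the registry is now variable, pinning the image matters more than before, e.g. `FROM ${REGISTRY}/ubi8/ubi-minimal:<tag>@sha256:<digest>` (placeholders; take the real values from the mirrored image). The same applies to the `ARG REGISTRY`/`FROM` lines added in Dockerfile.aro-multistage (the ubi7/ubi-minimal stage), Dockerfile.autorest, Dockerfile.fluentbit, Dockerfile.portal_lint and Dockerfile.proxy, and to the `:latest` runtime stage in Dockerfile.muo.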
@@ -4,7 +4,8 @@ # Currently the docker version on our RHEL7 VMSS uses a version which # does not support multi-stage builds. This is a temporary stop-gap # until we get podman working without issue -FROM registry.access.redhat.com/ubi8/go-toolset:1.17.7 AS builder +ARG REGISTRY +FROM ${REGISTRY}/ubi8/go-toolset:1.17.7 AS builder ENV GOOS=linux \ GOPATH=/go/ WORKDIR ${GOPATH}/src/github.com/Azure/ARO-RP @@ -13,7 +14,7 @@ RUN yum update -y COPY . ${GOPATH}/src/github.com/Azure/ARO-RP/ RUN make aro && make e2e.test -FROM registry.access.redhat.com/ubi7/ubi-minimal +FROM ${REGISTRY}/ubi7/ubi-minimal RUN microdnf update && microdnf clean all COPY --from=builder /go/src/github.com/Azure/ARO-RP/aro /go/src/github.com/Azure/ARO-RP/e2e.test /usr/local/bin/ ENTRYPOINT ["aro"] diff --git a/Dockerfile.aro-multistage-onebranch b/Dockerfile.aro-multistage-onebranch new file mode 100644 index 000000000..a032cddb0 --- /dev/null +++ b/Dockerfile.aro-multistage-onebranch @@ -0,0 +1,22 @@ +# Uses a multi-stage container build to build the RP in OneBranch. +# +# TODO: +# OneBranch pipelines currently pull from CDPx which is deprecated. As a temporary fix before +# we migrate to a new solution, this multistage dockerfile uses the same image in both steps to avoid +# needing to pull images that aren't hosted in CDPx. +FROM cdpxlinux.azurecr.io/user/aro/ubi8-gotoolset-1.17.7-13:20220526 AS builder +ENV GOOS=linux \ + GOPATH=/go/ +WORKDIR ${GOPATH}/src/github.com/Azure/ARO-RP +USER root +RUN yum update -y +COPY . ${GOPATH}/src/github.com/Azure/ARO-RP/ +RUN make aro && make e2e.test + +FROM cdpxlinux.azurecr.io/user/aro/ubi8-gotoolset-1.17.7-13:20220526 +USER root +RUN yum -y update && yum -y clean all +COPY --from=builder /go/src/github.com/Azure/ARO-RP/aro /go/src/github.com/Azure/ARO-RP/e2e.test /usr/local/bin/ +ENTRYPOINT ["aro"] +EXPOSE 2222/tcp 8080/tcp 8443/tcp 8444/tcp 8445/tcp +USER 1000 diff --git a/Dockerfile.autorest b/Dockerfile.autorest index 31db205cc..ce3512684 100644 
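Review bot: The runtime stage of Dockerfile.aro-multistage-onebranch is built `FROM` the same go-toolset image as the builder, so the shipped image carries the Go toolchain and build utilities alongside `aro`, which Dockerfile.aro-multistage avoids by finishing on ubi-minimal. The header TODO explains the reason, but nothing marks the second `FROM` itself or says when it goes away. I would add a comment directly above it, such as `# TEMPORARY: runtime reuses the builder image because CDPx hosts no minimal base; switch to ubi-minimal once <tracking-issue> lands`. Both stages also run an unpinned `yum update`, so two builds of the same commit can differ in package content; if that is intentional for patch pickup, a one-line comment saying so would help.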
--- a/Dockerfile.autorest +++ b/Dockerfile.autorest @@ -1,4 +1,5 @@ -FROM registry.access.redhat.com/ubi8/nodejs-14 +ARG REGISTRY +FROM ${REGISTRY}/ubi8/nodejs-14 LABEL MAINTAINER="aos-azure" diff --git a/Dockerfile.fluentbit b/Dockerfile.fluentbit index 41c8eb8e1..10065213a 100644 --- a/Dockerfile.fluentbit +++ b/Dockerfile.fluentbit @@ -1,4 +1,5 @@ -FROM registry.access.redhat.com/ubi7/ubi-minimal +ARG REGISTRY +FROM ${REGISTRY}/ubi7/ubi-minimal ARG VERSION RUN echo -e '[td-agent-bit]\nname=td-agent-bit\nbaseurl=https://packages.fluentbit.io/centos/7/$basearch' >/etc/yum.repos.d/td-agent-bit.repo && \ rpm --import https://packages.fluentbit.io/fluentbit.key && \ diff --git a/Dockerfile.muo b/Dockerfile.muo index d8e32dec8..40584b896 100644 --- a/Dockerfile.muo +++ b/Dockerfile.muo @@ -1,4 +1,5 @@ -FROM registry.access.redhat.com/ubi8/go-toolset:1.16.12 AS builder +ARG REGISTRY +FROM ${REGISTRY}/ubi8/go-toolset:1.16.12 AS builder ARG MUOVERSION ENV DOWNLOAD_URL=https://github.com/openshift/managed-upgrade-operator/archive/${MUOVERSION}.tar.gz ENV GOOS=linux \ @@ -12,7 +13,7 @@ RUN curl -Lq $DOWNLOAD_URL | tar -xz --strip-components=1 RUN go build -gcflags="all=-trimpath=/go/" -asmflags="all=-trimpath=/go/" -tags mandate_fips -o build/_output/bin/managed-upgrade-operator ./cmd/manager #### Runtime container -FROM registry.access.redhat.com/ubi8/ubi-minimal:latest +FROM ${REGISTRY}/ubi8/ubi-minimal:latest ENV USER_UID=1001 \ USER_NAME=managed-upgrade-operator diff --git a/Dockerfile.portal_lint b/Dockerfile.portal_lint index 93401d8c0..52d7b8973 100644 --- a/Dockerfile.portal_lint +++ b/Dockerfile.portal_lint @@ -1,4 +1,5 @@ -FROM registry.access.redhat.com/ubi8/nodejs-14 +ARG REGISTRY +FROM ${REGISTRY}/ubi8/nodejs-14 WORKDIR /data USER root diff --git a/Dockerfile.proxy b/Dockerfile.proxy index cd425dbb5..8c878121f 100644 --- a/Dockerfile.proxy +++ b/Dockerfile.proxy 
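Review bot: Dockerfile.muo now needs `REGISTRY` for both `FROM` lines, but none of the Makefile hunks in this patch adds `--build-arg REGISTRY=$(REGISTRY)` to a target that builds it, unlike aro, autorest, fluentbit, proxy and portal_lint. If it is built from a script or pipeline outside this diff, that caller should be updated in the same change. Without the argument the reference expands to `/ubi8/go-toolset:1.16.12` and the build should fail on the first `FROM`. A default on the argument (`ARG REGISTRY=registry.access.redhat.com`) would keep existing callers working.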
@@ -1,4 +1,5 @@ -FROM registry.access.redhat.com/ubi8/ubi-minimal +ARG REGISTRY +FROM ${REGISTRY}/ubi8/ubi-minimal RUN microdnf update && microdnf clean all COPY proxy /usr/local/bin ENTRYPOINT ["proxy"] diff --git a/Makefile b/Makefile index 86f429644..26884be97 100644 --- a/Makefile +++ b/Makefile @@ -20,6 +20,17 @@ else VERSION = $(TAG) endif +# default to registry.access.redhat.com for build images on local builds and CI builds without $RP_IMAGE_ACR set. +ifeq ($(RP_IMAGE_ACR),arointsvc) + REGISTRY = arointsvc.azurecr.io +else ifeq ($(RP_IMAGE_ACR),arosvc) + REGISTRY = arosvc.azurecr.io +else ifeq ($(RP_IMAGE_ACR),) + REGISTRY = registry.access.redhat.com +else + REGISTRY = $(RP_IMAGE_ACR) +endif + ARO_IMAGE ?= $(ARO_IMAGE_BASE):$(VERSION) build-all: 
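Review bot: The final `else` branch of the new REGISTRY block uses `$(RP_IMAGE_ACR)` verbatim as the registry host, while the Makefile has so far treated that variable as a bare ACR name (the removed image-proxy line appended `.azurecr.io` to it). A developer with a bare ACR name set gets `REGISTRY = <name>`, and Docker reads a first path component without a dot or port as a Docker Hub namespace. `docker pull $(REGISTRY)/ubi8/ubi-minimal` and every `FROM ${REGISTRY}/...` would then look on Docker Hub rather than in the intended ACR. I would qualify bare names before the fallback: `else ifeq ($(findstring .,$(RP_IMAGE_ACR)),)` with `REGISTRY = $(RP_IMAGE_ACR).azurecr.io`, leaving the plain `else` for fully qualified hosts such as `registry.access.redhat.com`. The comment above the block should also say that the variable accepts either form.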
@@ -64,23 +75,21 @@ generate: go generate ./... image-aro: aro e2e.test - docker pull registry.access.redhat.com/ubi8/ubi-minimal - docker build --network=host --no-cache -f Dockerfile.aro -t $(ARO_IMAGE) . + docker pull $(REGISTRY)/ubi8/ubi-minimal + docker build --network=host --no-cache -f Dockerfile.aro -t $(ARO_IMAGE) --build-arg REGISTRY=$(REGISTRY) . image-aro-multistage: - docker build --network=host --no-cache -f Dockerfile.aro-multistage -t $(ARO_IMAGE) . + docker build --network=host --no-cache -f Dockerfile.aro-multistage -t $(ARO_IMAGE) --build-arg REGISTRY=$(REGISTRY) . image-autorest: - docker build --network=host --no-cache --build-arg AUTOREST_VERSION="${AUTOREST_VERSION}" \ - -f Dockerfile.autorest -t ${AUTOREST_IMAGE} . + docker build --network=host --no-cache --build-arg AUTOREST_VERSION="${AUTOREST_VERSION}" --build-arg REGISTRY=$(REGISTRY) -f Dockerfile.autorest -t ${AUTOREST_IMAGE} . image-fluentbit: - docker build --network=host --no-cache --build-arg VERSION=$(FLUENTBIT_VERSION) \ - -f Dockerfile.fluentbit -t $(FLUENTBIT_IMAGE) . + docker build --network=host --no-cache --build-arg VERSION=$(FLUENTBIT_VERSION) --build-arg REGISTRY=$(REGISTRY) -f Dockerfile.fluentbit -t $(FLUENTBIT_IMAGE) . image-proxy: proxy - docker pull registry.access.redhat.com/ubi8/ubi-minimal - docker build --no-cache -f Dockerfile.proxy -t ${RP_IMAGE_ACR}.azurecr.io/proxy:latest . + docker pull $(REGISTRY)/ubi8/ubi-minimal + docker build --no-cache -f Dockerfile.proxy -t $(REGISTRY)/proxy:latest --build-arg REGISTRY=$(REGISTRY) . publish-image-aro: image-aro docker push $(ARO_IMAGE) @@ -175,7 +184,7 @@ lint-go: hack/lint-go.sh lint-admin-portal: - docker build -f Dockerfile.portal_lint . -t linter + docker build --build-arg REGISTRY=$(REGISTRY) -f Dockerfile.portal_lint . -t linter docker run -it --rm localhost/linter ./src --ext .ts test-python: pyenv az diff --git a/docs/admin-portal.md b/docs/admin-portal.md index 36def571a..2c758b866 100644 
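Review bot: In image-proxy the output tag changed from `${RP_IMAGE_ACR}.azurecr.io/proxy:latest` to `$(REGISTRY)/proxy:latest`, which ties the image's destination name to the base-image source. With `RP_IMAGE_ACR` unset, REGISTRY defaults to `registry.access.redhat.com`, so a locally built proxy is tagged `registry.access.redhat.com/proxy:latest` and reads as a Red Hat-published image in `docker images` and to anything that later refers to it by name. I would keep the destination separate from the pull source, for example a new variable next to ARO_IMAGE, `PROXY_IMAGE ?= ${RP_IMAGE_ACR}.azurecr.io/proxy:latest`, used as `-t $(PROXY_IMAGE)`. The `docker pull $(REGISTRY)/ubi8/ubi-minimal` lines in image-aro and image-proxy are also untagged, so they refresh whatever `:latest` the selected registry holds.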
--- a/docs/admin-portal.md +++ b/docs/admin-portal.md @@ -21,6 +21,8 @@ You will require Node.js and `npm`. These instructions were tested with the vers 1. Run `make build-portal` from the main directory. This will install the dependencies and kick off the Webpack build, placing the results in `portal/v2/build/`. + > __NOTE:__ Due to security compliance requirements, the `make build-portal` target pulls from `arointsvc.azurecr.io`. You can either authenticate to this registry using `az acr login --name arointsvc` to pull the image, or modify the $RP_IMAGE_ACR environment variable to point the builds at `registry.access.redhat.com` instead. + 1. Run `make generate`. This will regenerate the golang file containing the portal content to be served. 1. Commit the results of `build-portal` and `generate`. diff --git a/docs/deploy-full-rp-service-in-dev.md b/docs/deploy-full-rp-service-in-dev.md index 641201e56..294340c24 100644 --- a/docs/deploy-full-rp-service-in-dev.md +++ b/docs/deploy-full-rp-service-in-dev.md @@ -58,8 +58,10 @@ 1. Push the ARO and Fluentbit images to your ACR - __NOTE:__ If running this step from a VM separate from your workstation, ensure the commit tag used to build the image matches the commit tag where `make deploy` is run. - + > If running this step from a VM separate from your workstation, ensure the commit tag used to build the image matches the commit tag where `make deploy` is run. + + > Due to security compliance requirements, `make publish-image-*` targets pull from `arointsvc.azurecr.io`. You can either authenticate to this registry using `az acr login --name arointsvc` to pull the image, or modify the $RP_IMAGE_ACR environment variable locally to point to `registry.access.redhat.com` instead. + ```bash make publish-image-aro-multistage make publish-image-fluentbit