Remove 3rd party dependencies: dockerfile registry arg (#2126)

* allow args in Dockerfiles, change pull references * add new Dockerfile for OBP, adjust template remove debugging code
2022-06-24 14:40:13 -04:00 · 2022-06-24 14:40:13 -04:00 · 6544bcd2c5
--- a/.pipelines/onebranch/templates/template-buildrp-builddocker.yml
+++ b/.pipelines/onebranch/templates/template-buildrp-builddocker.yml
@ -3,7 +3,7 @@ steps:
  displayName: Build Multi Stage Dockerfile
  inputs:
    repositoryName: aro-rp
-    dockerFileRelPath: ./Dockerfile.aro-multistage
+    dockerFileRelPath: ./Dockerfile.aro-multistage-onebranch
    dockerFileContextPath: ./
    registry: cdpxlinux.azurecr.io
    saveImageToPath: aro-rp.tar
--- a/Dockerfile.aro
+++ b/Dockerfile.aro
@ -1,4 +1,5 @@
-FROM registry.access.redhat.com/ubi8/ubi-minimal
+ARG REGISTRY
+FROM ${REGISTRY}/ubi8/ubi-minimal
 RUN microdnf update && microdnf clean all
 COPY aro e2e.test /usr/local/bin/
 ENTRYPOINT ["aro"]
--- a/Dockerfile.aro-multistage
+++ b/Dockerfile.aro-multistage
@ -4,7 +4,8 @@
 # Currently the docker version on our RHEL7 VMSS uses a version which
 # does not support multi-stage builds.  This is a temporary stop-gap
 # until we get podman working without issue
-FROM registry.access.redhat.com/ubi8/go-toolset:1.17.7 AS builder
+ARG REGISTRY
+FROM ${REGISTRY}/ubi8/go-toolset:1.17.7 AS builder
 ENV GOOS=linux \
    GOPATH=/go/
 WORKDIR ${GOPATH}/src/github.com/Azure/ARO-RP
@ -13,7 +14,7 @@ RUN yum update -y
 COPY . ${GOPATH}/src/github.com/Azure/ARO-RP/
 RUN make aro && make e2e.test

-FROM registry.access.redhat.com/ubi7/ubi-minimal
+FROM ${REGISTRY}/ubi7/ubi-minimal
 RUN microdnf update && microdnf clean all
 COPY --from=builder /go/src/github.com/Azure/ARO-RP/aro /go/src/github.com/Azure/ARO-RP/e2e.test /usr/local/bin/
 ENTRYPOINT ["aro"]
--- a/Dockerfile.aro-multistage-onebranch
+++ b/Dockerfile.aro-multistage-onebranch
@ -0,0 +1,22 @@
+# Uses a multi-stage container build to build the RP in OneBranch.
+#
+# TODO:
+# OneBranch pipelines currently pull from CDPx which is deprecated. As a temporary fix before
+# we migrate to a new solution, this multistage dockerfile uses the same image in both steps to avoid
+# needing to pull images that aren't hosted in CDPx.
+FROM cdpxlinux.azurecr.io/user/aro/ubi8-gotoolset-1.17.7-13:20220526 AS builder
+ENV GOOS=linux \
+    GOPATH=/go/
+WORKDIR ${GOPATH}/src/github.com/Azure/ARO-RP
+USER root
+RUN yum update -y
+COPY . ${GOPATH}/src/github.com/Azure/ARO-RP/
+RUN make aro && make e2e.test
+
+FROM cdpxlinux.azurecr.io/user/aro/ubi8-gotoolset-1.17.7-13:20220526
+USER root
+RUN yum -y update && yum -y clean all
+COPY --from=builder /go/src/github.com/Azure/ARO-RP/aro /go/src/github.com/Azure/ARO-RP/e2e.test /usr/local/bin/
+ENTRYPOINT ["aro"]
+EXPOSE 2222/tcp 8080/tcp 8443/tcp 8444/tcp 8445/tcp
+USER 1000
--- a/Dockerfile.autorest
+++ b/Dockerfile.autorest
@ -1,4 +1,5 @@
-FROM registry.access.redhat.com/ubi8/nodejs-14
+ARG REGISTRY
+FROM ${REGISTRY}/ubi8/nodejs-14

 LABEL MAINTAINER="aos-azure"

--- a/Dockerfile.fluentbit
+++ b/Dockerfile.fluentbit
@ -1,4 +1,5 @@
-FROM registry.access.redhat.com/ubi7/ubi-minimal
+ARG REGISTRY
+FROM ${REGISTRY}/ubi7/ubi-minimal
 ARG VERSION
 RUN echo -e '[td-agent-bit]\nname=td-agent-bit\nbaseurl=https://packages.fluentbit.io/centos/7/$basearch' >/etc/yum.repos.d/td-agent-bit.repo && \
    rpm --import https://packages.fluentbit.io/fluentbit.key && \
--- a/Dockerfile.muo
+++ b/Dockerfile.muo
@ -1,4 +1,5 @@
-FROM registry.access.redhat.com/ubi8/go-toolset:1.16.12 AS builder
+ARG REGISTRY
+FROM ${REGISTRY}/ubi8/go-toolset:1.16.12 AS builder
 ARG MUOVERSION
 ENV DOWNLOAD_URL=https://github.com/openshift/managed-upgrade-operator/archive/${MUOVERSION}.tar.gz
 ENV GOOS=linux \
@ -12,7 +13,7 @@ RUN curl -Lq $DOWNLOAD_URL | tar -xz --strip-components=1
 RUN go build -gcflags="all=-trimpath=/go/" -asmflags="all=-trimpath=/go/" -tags mandate_fips -o build/_output/bin/managed-upgrade-operator ./cmd/manager

 #### Runtime container
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+FROM ${REGISTRY}/ubi8/ubi-minimal:latest

 ENV USER_UID=1001 \
    USER_NAME=managed-upgrade-operator
--- a/Dockerfile.portal_lint
+++ b/Dockerfile.portal_lint
@ -1,4 +1,5 @@
-FROM registry.access.redhat.com/ubi8/nodejs-14
+ARG REGISTRY
+FROM ${REGISTRY}/ubi8/nodejs-14
 WORKDIR /data
 USER root

--- a/Dockerfile.proxy
+++ b/Dockerfile.proxy
@ -1,4 +1,5 @@
-FROM registry.access.redhat.com/ubi8/ubi-minimal
+ARG REGISTRY
+FROM ${REGISTRY}/ubi8/ubi-minimal
 RUN microdnf update && microdnf clean all
 COPY proxy /usr/local/bin
 ENTRYPOINT ["proxy"]
--- a/29
+++ b/29
@ -20,6 +20,17 @@ else
 	VERSION = $(TAG)
 endif

+# default to registry.access.redhat.com for build images on local builds and CI builds without $RP_IMAGE_ACR set.
+ifeq ($(RP_IMAGE_ACR),arointsvc)
+	REGISTRY = arointsvc.azurecr.io
+else ifeq ($(RP_IMAGE_ACR),arosvc)
+	REGISTRY = arosvc.azurecr.io
+else ifeq ($(RP_IMAGE_ACR),)
+	REGISTRY = registry.access.redhat.com
+else
+	REGISTRY = $(RP_IMAGE_ACR)
+endif
+
 ARO_IMAGE ?= $(ARO_IMAGE_BASE):$(VERSION)

 build-all:
@ -64,23 +75,21 @@ generate:
 	go generate ./...

 image-aro: aro e2e.test
-	docker pull registry.access.redhat.com/ubi8/ubi-minimal
-	docker build --network=host --no-cache -f Dockerfile.aro -t $(ARO_IMAGE) .
+	docker pull $(REGISTRY)/ubi8/ubi-minimal
+	docker build --network=host --no-cache -f Dockerfile.aro -t $(ARO_IMAGE) --build-arg REGISTRY=$(REGISTRY) .

 image-aro-multistage:
-	docker build --network=host --no-cache -f Dockerfile.aro-multistage -t $(ARO_IMAGE) .
+	docker build --network=host --no-cache -f Dockerfile.aro-multistage -t $(ARO_IMAGE) --build-arg REGISTRY=$(REGISTRY) .

 image-autorest:
-	docker build --network=host --no-cache --build-arg AUTOREST_VERSION="${AUTOREST_VERSION}" \
-	  -f Dockerfile.autorest -t ${AUTOREST_IMAGE} .
+	docker build --network=host --no-cache --build-arg AUTOREST_VERSION="${AUTOREST_VERSION}" --build-arg REGISTRY=$(REGISTRY) -f Dockerfile.autorest -t ${AUTOREST_IMAGE} .

 image-fluentbit:
-	docker build --network=host --no-cache --build-arg VERSION=$(FLUENTBIT_VERSION) \
-	  -f Dockerfile.fluentbit -t $(FLUENTBIT_IMAGE) .
+	docker build --network=host --no-cache --build-arg VERSION=$(FLUENTBIT_VERSION) --build-arg REGISTRY=$(REGISTRY) -f Dockerfile.fluentbit -t $(FLUENTBIT_IMAGE) .

 image-proxy: proxy
-	docker pull registry.access.redhat.com/ubi8/ubi-minimal
-	docker build --no-cache -f Dockerfile.proxy -t ${RP_IMAGE_ACR}.azurecr.io/proxy:latest .
+	docker pull $(REGISTRY)/ubi8/ubi-minimal
+	docker build --no-cache -f Dockerfile.proxy -t $(REGISTRY)/proxy:latest --build-arg REGISTRY=$(REGISTRY) .

 publish-image-aro: image-aro
 	docker push $(ARO_IMAGE)
@ -175,7 +184,7 @@ lint-go:
 	hack/lint-go.sh

 lint-admin-portal:
-	docker build -f Dockerfile.portal_lint . -t linter
+	docker build --build-arg REGISTRY=$(REGISTRY) -f Dockerfile.portal_lint . -t linter
 	docker run -it --rm localhost/linter ./src --ext .ts

 test-python: pyenv az
--- a/docs/admin-portal.md
+++ b/docs/admin-portal.md
@ -21,6 +21,8 @@ You will require Node.js and `npm`. These instructions were tested with the vers

 1. Run `make build-portal` from the main directory. This will install the dependencies and kick off the Webpack build, placing the results in `portal/v2/build/`.

+  > __NOTE:__ Due to security compliance requirements, the `make build-portal` target pulls from `arointsvc.azurecr.io`. You can either authenticate to this registry using `az acr login --name arointsvc` to pull the image, or modify the $RP_IMAGE_ACR environment variable to point the builds at `registry.access.redhat.com` instead.
+        
 1. Run `make generate`. This will regenerate the golang file containing the portal content to be served.

 1. Commit the results of `build-portal` and `generate`.
--- a/docs/deploy-full-rp-service-in-dev.md
+++ b/docs/deploy-full-rp-service-in-dev.md
@ -58,7 +58,9 @@

    1. Push the ARO and Fluentbit images to your ACR

-        __NOTE:__ If running this step from a VM separate from your workstation, ensure the commit tag used to build the image matches the commit tag where `make deploy` is run.
+        > If running this step from a VM separate from your workstation, ensure the commit tag used to build the image matches the commit tag where `make deploy` is run.
+ 
+        > Due to security compliance requirements, `make publish-image-*` targets pull from `arointsvc.azurecr.io`. You can either authenticate to this registry using `az acr login --name arointsvc` to pull the image, or modify the $RP_IMAGE_ACR environment variable locally to point to `registry.access.redhat.com` instead.
        
        ```bash
        make publish-image-aro-multistage