added ubi-flavoured image for the operator and the proxy runner

Signed-off-by: Tomer Figenblat <[email protected]>

Author: TomerFi

.github/workflows/image-build-and-publish.yml

@@ -213,6 +213,21 @@ jobs:
       - name: Setup ko
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Extract UBI metadata
+        id: ubi-meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: ${{ env.BASE_REPO }}
+          tags: |
+            type=raw,value=${{ steps.version-string.outputs.tag }}-ubi
+          labels: |
+            name=toolhive-operator
+            vendor=Stacklok
+            maintainer=Stacklok
+
       - name: Install Cosign
         uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
 
@@ -234,13 +249,29 @@ jobs:
           KO_DOCKER_REPO=$BASE_REPO ko build --platform=linux/amd64,linux/arm64 --bare $TAGS ./cmd/thv-operator \
             --image-label=org.opencontainers.image.source=https://github.com/stacklok/toolhive,org.opencontainers.image.title="toolhive-operator",org.opencontainers.image.vendor=Stacklok
 
+      - name: Build and Push UBI Image to GHCR
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: containers/operator/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.ubi-meta.outputs.tags }}
+          build-args: |
+            CODEDIR=cmd/thv-operator
+            VERSION=${{ steps.version-string.outputs.tag }}-ubi
+            COMMIT=${{ github.sha }}
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+          labels: ${{ steps.ubi-meta.outputs.labels }}
+
       - name: Sign Image with Cosign
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: |
           TAG=$(echo "${{ steps.version-string.outputs.tag }}" | sed 's/+/_/g')
+          UBI_TAG=$(echo "${{ steps.version-string.outputs.tag }}-ubi" | sed 's/+/_/g')
           # Sign the ko image
           cosign sign -y $BASE_REPO:$TAG
+          cosign sign -y $BASE_REPO:$UBI_TAG
           
           # Sign the latest tag if building from a tag
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then
@@ -293,6 +324,21 @@ jobs:
       - name: Setup ko
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Extract UBI metadata
+        id: ubi-meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: ${{ env.BASE_REPO }}
+          tags: |
+            type=raw,value=${{ steps.version-string.outputs.tag }}-ubi
+          labels: |
+            name=toolhive-proxyrunner
+            vendor=Stacklok
+            maintainer=Stacklok
+
       - name: Install Cosign
         uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
 
@@ -314,13 +360,29 @@ jobs:
           KO_DOCKER_REPO=$BASE_REPO ko build --platform=linux/amd64,linux/arm64 --bare $TAGS ./cmd/thv-proxyrunner \
             --image-label=org.opencontainers.image.source=https://github.com/stacklok/toolhive,org.opencontainers.image.title="toolhive-proxyrunner",org.opencontainers.image.vendor=Stacklok
 
+      - name: Build and Push UBI Image to GHCR
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: containers/operator/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.ubi-meta.outputs.tags }}
+          build-args: |
+            CODEDIR=cmd/thv-proxyrunner
+            VERSION=${{ steps.version-string.outputs.tag }}
+            COMMIT=${{ github.sha }}
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+          labels: ${{ steps.ubi-meta.outputs.labels }}
+
       - name: Sign Image with Cosign
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: |
           TAG=$(echo "${{ steps.version-string.outputs.tag }}" | sed 's/+/_/g')
+          UBI_TAG=$(echo "${{ steps.version-string.outputs.tag }}-ubi" | sed 's/+/_/g')
           # Sign the ko image
           cosign sign -y $BASE_REPO:$TAG
+          cosign sign -y $BASE_REPO:$UBI_TAG
           
           # Sign the latest tag if building from a tag
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then

cmd/thv-operator/Taskfile.yml

@@ -25,7 +25,6 @@ vars:
       fi
   KEYCLOAK_VERSION: '26.3.2'
 
-
 tasks:
   kind-setup:
     desc: Setup a local Kind cluster
@@ -342,3 +341,47 @@ tasks:
       - echo "Keycloak will be available at http://localhost:8080"
       - echo "Use 'task keycloak:get-admin-creds' to get login credentials"
       - kubectl port-forward service/keycloak-dev-service -n keycloak 8080:8080 --kubeconfig kconfig.yaml
+
+  build-operator-image-ubi:
+    desc: Build the operator image
+    vars:
+      COMMIT:
+        sh: git rev-parse --short HEAD || echo "unknown"
+      BUILD_DATE: '{{dateInZone "2006-01-02T15:04:05Z" (now) "UTC"}}'
+    cmds:
+      - >
+        eval "{{.CONTAINER_RUNTIME}} build --load
+        -t ghcr.io/stacklok/toolhive/operator:local-ubi
+        --build-arg CODEDIR=cmd/thv-operator
+        --build-arg VERSION=local-ubi
+        --build-arg COMMIT={{.COMMIT}}
+        --build-arg BUILD_DATE={{.BUILD_DATE}}
+        --label name=\"toolhive-operator\"
+        --label vendor=\"Stacklok\"
+        --label maintainer=\"Stacklok\"
+        --label org.opencontainers.image.source=\"https://github.com/stacklok/toolhive\"
+        --label org.opencontainers.image.title=\"toolhive-operator\"
+        --label org.opencontainers.image.vendor=\"Stacklok\"
+        -f containers/operator/Dockerfile ."
+
+  build-proxyrunner-image-ubi:
+    desc: Build the proxyrunner image
+    vars:
+      COMMIT:
+        sh: git rev-parse --short HEAD || echo "unknown"
+      BUILD_DATE: '{{dateInZone "2006-01-02T15:04:05Z" (now) "UTC"}}'
+    cmds:
+      - >
+        eval "{{.CONTAINER_RUNTIME}} build --load
+        -t ghcr.io/stacklok/toolhive/proxyrunner:local-ubi
+        --build-arg CODEDIR=cmd/thv-proxyrunner
+        --build-arg VERSION=local-ubi
+        --build-arg COMMIT={{.COMMIT}}
+        --build-arg BUILD_DATE={{.BUILD_DATE}}
+        --label name=\"toolhive-proxyrunner\"
+        --label vendor=\"Stacklok\"
+        --label maintainer=\"Stacklok\"
+        --label org.opencontainers.image.source=\"https://github.com/stacklok/toolhive\"
+        --label org.opencontainers.image.title=\"toolhive-proxyrunner\"
+        --label org.opencontainers.image.vendor=\"Stacklok\"
+        -f containers/operator/Dockerfile ."

containers/operator/Dockerfile

@@ -0,0 +1,42 @@
+# Build the binary
+FROM registry.access.redhat.com/ubi10/go-toolset:1.24 as builder
+
+USER root
+
+WORKDIR /workspace
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+ARG TARGETOS \ 
+TARGETARCH \
+CODEDIR \
+VERSION \
+COMMIT \
+BUILD_DATE
+
+# Copy the entire Go module structure
+COPY . .
+
+# Build
+RUN CGO_ENABLED=0 LDFLAGS="-s -w \
+-X github.com/stacklok/toolhive/pkg/versions.Version=${VERSION} \
+-X github.com/stacklok/toolhive/pkg/versions.Commit=${COMMIT} \
+-X github.com/stacklok/toolhive/pkg/versions.BuildDate=${BUILD_DATE} \
+-X github.com/stacklok/toolhive/pkg/versions.BuildType=release" \
+GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
+go build -o main ./${CODEDIR}/main.go
+
+# Use micro base image to package the binary
+FROM registry.access.redhat.com/ubi10/ubi-micro:10.0
+
+COPY --from=builder /workspace/main /
+COPY LICENSE /licenses/LICENSE
+
+USER 1001
+
+ENTRYPOINT ["/main"]