From ae614df6bd986ebfe4dbf82f4c59532245a660e2 Mon Sep 17 00:00:00 2001
From: Brian Cook <bcook@redhat.com>
Date: Tue, 30 Jul 2024 19:39:29 -0400
Subject: [PATCH] Use UBI9 base image for container build

This changes the container build to use UBI9 so that it is supportable
by a major user (Red Hat) with subscription enabled repositories. The
change requires using createrepo_c from PyPyi since the createrepo_c rpm
is not distributed as part of the UBI9 content set and it is desireable
to keep this image freely redistributable. Chaniging to UBI keeps
maintenance to a minimum (just one image flavor) but in the future
multiple images could be maintained if required.

The subscription-manager package is included to support
https://github.com/konflux-ci/build-definitions/pull/1205 and
https://github.com/containerbuildsystem/cachi2/pull/580 where it will be
used to obtain TLS certificates to send to authenticate to private
repositories.

Signed-off-by: Brian Cook <bcook@redhat.com>
---
 Dockerfile              |  9 +++++----
 pyproject.toml          |  1 +
 requirements-extras.txt | 10 ++++++++++
 requirements.txt        | 11 +++++++++++
 4 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 21c7dda7e..ee1590807 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/rockylinux:9@sha256:d7be1c094cc5845ee815d4632fe377514ee6ebcf8efaed6892889657e5ddaaa6 as rockylinux9
+FROM registry.access.redhat.com/ubi9/ubi@sha256:763f30167f92ec2af02bf7f09e75529de66e98f05373b88bef3c631cdcc39ad8 as ubi
 FROM docker.io/library/golang:1.20.0-bullseye as golang_120
 FROM docker.io/library/golang:1.21.0-bullseye as golang_121
 FROM docker.io/library/node:22.3.0-bullseye as node_223
@@ -6,14 +6,14 @@ FROM docker.io/library/node:22.3.0-bullseye as node_223
 ########################
 # PREPARE OUR BASE IMAGE
 ########################
-FROM rockylinux9 as base
+FROM ubi as base
 RUN dnf -y install \
     --setopt install_weak_deps=0 \
     --nodocs \
-    createrepo_c \
     git-core \
     python3 \
-    && dnf clean all
+    subscription-manager && \
+    dnf clean all
 
 ######################
 # BUILD/INSTALL CACHI2
@@ -52,6 +52,7 @@ COPY --from=builder /src/utils/merge_syft_sbom.py /usr/local/bin/merge_syft_sbom
 RUN ln -s /usr/local/lib/corepack/dist/corepack.js /usr/local/bin/corepack && \
     ln -s /usr/local/lib/corepack/dist/yarn.js /usr/local/bin/yarn && \
     ln -s /usr/local/go/go1.21/bin/go /usr/local/bin/go && \
+    ln -s /venv/bin/createrepo_c /usr/local/bin/createrepo_c && \
     ln -s /venv/bin/cachi2 /usr/local/bin/cachi2
 
 ENTRYPOINT ["/usr/local/bin/cachi2"]
diff --git a/pyproject.toml b/pyproject.toml
index c77a23d2b..804ff2396 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -37,6 +37,7 @@ dependencies = [
   "setuptools",
   "tomli",
   "typer",
+  "createrepo-c",
 ]
 [project.optional-dependencies]
 dev = [
diff --git a/requirements-extras.txt b/requirements-extras.txt
index b65762628..bfc3c95c7 100644
--- a/requirements-extras.txt
+++ b/requirements-extras.txt
@@ -368,6 +368,16 @@ coverage[toml]==7.6.0 \
 exceptiongroup==1.2.2 \
     --hash=sha256:3111b9d131c238bec2f8f516e123e14ba243563fb135d3fe885990585aa7795b \
     --hash=sha256:47c2edf7c6738fafb49fd34290706d1a1a2f4d1c6df275526b62cbb4aa5393cc
+createrepo-c==1.1.3 \
+    --hash=sha256:1d32a56940bb0930bf97993254943e4ab777b6da10ac6b3b4fc36026d5da5997 \
+    --hash=sha256:3e8140219e5ad95adcc3171fec2d77d84252c91ca602b7f93252cde9fa82a724 \
+    --hash=sha256:44018f61e5cf92e21e7554f838c81ba19cb47b13e22a6ac2b3c7bdfece26ca60 \
+    --hash=sha256:656e8306a9a3e78feaf1d28875491ca2496a57b9463c3055083c80175731d940 \
+    --hash=sha256:75db8f6ca43fd48f8bd29d2d7d6bab5f6450bafd5c017410f31ca24ee19a0edb \
+    --hash=sha256:a3f7cc31bf6832a42242ad50009319a12b91948bde8c267a5798fb11f8d47ed6 \
+    --hash=sha256:be3b655cec6d5512a2352691ef0d632cdd355319c3e1048c4dc17510f599c8a5 \
+    --hash=sha256:cc1881c99aca5b72ff5462d9e484c75d417ba5f5a96563cb8a8ad752f6200451 \
+    --hash=sha256:d90edc78281e8fd11b7d8d9dbf0951154a02cba1b5be5eeb5dd7a6a4f1c77c1c
     # via pytest
 flake8==7.1.0 \
     --hash=sha256:2e416edcc62471a64cea09353f4e7bdba32aeb079b6e360554c659a122b1bc6a \
diff --git a/requirements.txt b/requirements.txt
index 98c63e7c7..a4c82cb03 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -274,6 +274,17 @@ click==8.1.7 \
     --hash=sha256:ae74fb96c20a0277a1d615f1e4d73c8414f5a98db8b799a7931d1582f3390c28 \
     --hash=sha256:ca9853ad459e787e2192211578cc907e7594e294c7ccc834310722b41b9ca6de
     # via typer
+createrepo-c==1.1.3 \
+    --hash=sha256:1d32a56940bb0930bf97993254943e4ab777b6da10ac6b3b4fc36026d5da5997 \
+    --hash=sha256:3e8140219e5ad95adcc3171fec2d77d84252c91ca602b7f93252cde9fa82a724 \
+    --hash=sha256:44018f61e5cf92e21e7554f838c81ba19cb47b13e22a6ac2b3c7bdfece26ca60 \
+    --hash=sha256:656e8306a9a3e78feaf1d28875491ca2496a57b9463c3055083c80175731d940 \
+    --hash=sha256:75db8f6ca43fd48f8bd29d2d7d6bab5f6450bafd5c017410f31ca24ee19a0edb \
+    --hash=sha256:a3f7cc31bf6832a42242ad50009319a12b91948bde8c267a5798fb11f8d47ed6 \
+    --hash=sha256:be3b655cec6d5512a2352691ef0d632cdd355319c3e1048c4dc17510f599c8a5 \
+    --hash=sha256:cc1881c99aca5b72ff5462d9e484c75d417ba5f5a96563cb8a8ad752f6200451 \
+    --hash=sha256:d90edc78281e8fd11b7d8d9dbf0951154a02cba1b5be5eeb5dd7a6a4f1c77c1c
+    # via cachi2 (pyproject.toml)
 frozenlist==1.4.1 \
     --hash=sha256:04ced3e6a46b4cfffe20f9ae482818e34eba9b5fb0ce4056e4cc9b6e212d09b7 \
     --hash=sha256:0633c8d5337cb5c77acbccc6357ac49a1770b8c487e5b3505c57b949b4b82e98 \