MGMT-17896: Add separate Dockerfile for assisted-service with an el8 base

[carbonin]

This is required to ensure that users have an option to install FIPS clusters for versions where the installer is linked against el8 crypto libraries.

The resulting image will be deployed by the operator when the user indicates that clusters requiring the el8 libraries will be installed in FIPS mode (versions < 4.16).

List all the issues related to this PR

Resolves https://issues.redhat.com/browse/MGMT-17896

• New Feature
• Enhancement
• Bug fix
• Tests
• Documentation
• CI/CD

What environments does this code impact?

• Automation (CI, tools, etc)
• Cloud
• Operator Managed Deployments
• None

How was this code tested?

• assisted-test-infra environment
• dev-scripts environment
• Reviewer's test appreciated
• Waiting for CI to do a full test run
• Manual (Elaborate on how it was tested)
• No tests needed

Checklist

• Title and description added to both, commit and PR.
• Relevant issues have been associated (see CONTRIBUTING guide)
• This change does not require a documentation update (docstring, docs, README, etc)
• Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

• Are the title and description (in both PR and commit) meaningful and clear?
• Is there a bug required (and linked) for this change?
• Should this PR be backported?

[openshift-ci-robot]

@carbonin: This pull request references MGMT-17896 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.17.0" version, but no target version was set.

In response to this:

This is required to ensure that users have an option to install FIPS clusters for versions where the installer is linked against el8 crypto libraries.

The resulting image will be deployed by the operator when the user indicates that clusters requiring the el8 libraries will be installed in FIPS mode (versions < 4.16).

List all the issues related to this PR

Resolves https://issues.redhat.com/browse/MGMT-17896

• New Feature
• Enhancement
• Bug fix
• Tests
• Documentation
• CI/CD

What environments does this code impact?

• Automation (CI, tools, etc)
• Cloud
• Operator Managed Deployments
• None

How was this code tested?

• assisted-test-infra environment
• dev-scripts environment
• Reviewer's test appreciated
• Waiting for CI to do a full test run
• Manual (Elaborate on how it was tested)
• No tests needed

Checklist

• Title and description added to both, commit and PR.
• Relevant issues have been associated (see CONTRIBUTING guide)
• This change does not require a documentation update (docstring, docs, README, etc)
• Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

• Are the title and description (in both PR and commit) meaningful and clear?
• Is there a bug required (and linked) for this change?
• Should this PR be backported?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.28%. Comparing base (fdf233a) to head (210fba1).
Report is 11 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #6347   +/-   ##
=======================================
  Coverage   68.27%   68.28%           
=======================================
  Files         241      244    +3     
  Lines       35873    35958   +85     
=======================================
+ Hits        24493    24553   +60     
- Misses       9215     9239   +24     
- Partials     2165     2166    +1     

see 11 files with indirect coverage changes

[rccrdpccl]

/retest

[pastequo]

Diff with https://github.com/openshift/assisted-service/blob/master/Dockerfile.assisted-service:

16c16
< FROM quay.io/centos/centos:stream9 as builder
---
> FROM quay.io/centos/centos:stream8 as builder
18c18
< RUN dnf install --enablerepo=crb -y gcc git nmstate-devel && dnf clean all
---
> RUN dnf install --enablerepo=powertools -y gcc git nmstate-devel && dnf clean all
42c42
< FROM quay.io/centos/centos:stream9
---
> FROM quay.io/centos/centos:stream8

Is there a way to have a common dnf install for both image ? If so, it might be worth it to add an ARG for the stream8/stream9 variation instead of adding a new file to maintain (like this https://docs.docker.com/reference/dockerfile/#understand-how-arg-and-from-interact)

[carbonin]

Using ARGs in FROM and especially before the first FROM is something I've avoided since the confusion in openshift/imagebuilder#151

Ideally this will be temporary since we'll want to move toward the solution outlined in the body of #6290 in the long term.

That said it may need to be a problem we solve for the installer runner images anyway, but hopefully those will be significantly simpler to build than assisted-service.

[carbonin]

/test e2e-agent-compact-ipv4

[pastequo]

I'm not sure to see what you refer to when you talk about "confusion"

• Is it related to the docker discussion ? In this case I think we are safe since this variable would only be used by FROM directives
• Is it related to the imagebuilder issue you linked ? In this case, it's not clear if you have fixed it or not, but it sounds like a bug (not implementing the confusing docker behavior). imagebuilder being one of many tool to build images, is there a reason to restrict ourselves from using a syntax because one implementation has some bug ? I don't know if/where imagebuilder is used

[carbonin]

imagebuilder being one of many tool to build images, is there a reason to restrict ourselves from using a syntax because one implementation has some bug ? I don't know if/where imagebuilder is used

Sorry, I should have given a bit more information. That library (imagebuilder) is what is behind podman build, buildah as well as OpenShift builds.

The "confusion" I'm referencing is that there was difference in behavior between how imagebuilder was handling these "heading args" and how docker handled it. All of our automated and published images should be using the imagebuilder code in some way, but I'm sure there are still people using docker locally so I wanted to avoid any chance of a very difficult to debug issue coming up due to that difference.

That all said, I'll check to see if there's some straightforward way to parameterize this and use a single file. If not, I'd like to move forward with the different files for now given that this has a few other changes depending on it (all of which need to get in by the end of next week). We can then optimize later (or just wait until I remove them with the planned changes for the next release).

---

On a separate note, and while you're here @pastequo ... How to I rerun the Konflux PR check that's failing here? Or at least how do I see what failed? When I click into the status I can see that something called a clamav-scan failed due to a timeout, but following the link brings me to what looks like a generic "Get started with Red Hat Trusted Application Pipeline" page.

[adriengentil]

/retest

should do the trick to re-run konflux pipeline @carbonin

[carbonin]

Moved to using a build arg. @adriengentil @pastequo can you take another look?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adriengentil, carbonin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [adriengentil,carbonin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@carbonin: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-agent-installer-api-server-container-v4.17.0-202405240410.p0.g34706cf.assembly.stream.el9 for distgit ose-agent-installer-api-server.
All builds following this will include this PR.