50 changes: 33 additions & 17 deletions Dockerfile
@@ -1,44 +1,60 @@
ARG BASE_IMAGE=gcr.io/distroless/static-debian12:nonroot

# OpenAPI generation stage
FROM golang:1.25 AS builder
FROM registry.access.redhat.com/ubi9/go-toolset:1.25 AS builder
@coderabbitai coderabbitai bot Feb 28, 2026

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "Dockerfile" -type f 2>/dev/null | head -20

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 61


🏁 Script executed:

git ls-files | grep -i dockerfile

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 89


🏁 Script executed:

cat -n Dockerfile | head -35

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 1414


🌐 Web query:

registry.access.redhat.com ubi9 go-toolset 1.24 available tags versions

💡 Result:

For registry.access.redhat.com/ubi9/go-toolset (Go Toolset 1.24 stream), the tags follow Red Hat’s standard “floating stream + pinned patch + build-id” pattern:

  • Floating stream tags (recommended if you want 1.24.x updates automatically):

    • 1.24
    • latest (typically points at the current supported stream/build)
  • Pinned patch tags (example currently shown in Red Hat’s catalog for Go Toolset 1.24 images):

    • 1.24.6 (patch-level pin) [1]
  • Build-specific tags (examples from the catalog; these pin to a specific rebuild):

    • 1.24-1761841878
    • 1.24.6-1761841878 [1]

Independent confirmation that the 1.24 tag is in active use for the UBI9 Go Toolset image can be seen in OpenShift release content referencing an update to registry.access.redhat.com/ubi9/go-toolset “Docker tag to v1.24”. [2]

If you need the exact current full tag list as returned by the registry, the usual way is:

skopeo list-tags docker://registry.access.redhat.com/ubi9/go-toolset

Sources: [1] [2]


🌐 Web query:

Go 1.24.9 release golang version availability

💡 Result:

Go 1.24.9 was an official Go patch release, released on October 13, 2025 [1]. It’s still available for download (source tarball and installers/archives for multiple OS/architectures) on the official downloads page at go.dev/dl under “go1.24.9” [2].

Note: Go 1.24.9 is not the latest 1.24 patch anymore (the 1.24 line continued past it) [1].

Sources: [1] [2]


🌐 Web query:

registry.access.redhat.com ubi9 ubi-micro FIPS glibc boringcrypto

💡 Result:

  • UBI 9 images (including ubi9/ubi-micro) are RHEL 9 userspace, i.e., glibc-based (not musl). Example from a UBI9 container shows glibc 2.34. [1]
  • RHEL 9 FIPS behavior is OpenSSL 3 provider-based: when the kernel FIPS flag is set, OpenSSL automatically loads the FIPS provider and restricts algorithms accordingly. [2]
  • Go “boringcrypto” / FIPS-capable builds on RHEL (Red Hat Go Toolset) rely on CGO + glibc dlopen + OpenSSL at runtime, and require dynamic linking with glibc (not static). [3]
  • Practical impact for ubi9/ubi-micro: UBI micro is designed to be extremely small and has no package manager, so you typically won’t have (or be able to easily add) the needed OpenSSL bits unless you add/copy them during a multi-stage build. [4]
  • If your goal is “FIPS + glibc + Go boringcrypto” in a container, the simplest path is usually to run on ubi9/ubi-minimal or ubi9/ubi and ensure OpenSSL is present, then run the container on a FIPS-enabled RHEL host so the FIPS provider is activated. [2][3][4]

Sources:
[1] https://access.redhat.com/discussions/7097037
[2] https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/epub/9.0_release_notes/bug-fix_high-availability-and-clusters
[3] https://developers.redhat.com/articles/2025/01/23/fips-mode-red-hat-go-toolset
[4] https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image


Align to Go 1.24 with FIPS-compliant build settings.

Line 4 currently uses Go 1.25, and line 29 sets CGO_ENABLED=0. This deviates from the project requirement: Go 1.24 with FIPS-compliant crypto (CGO_ENABLED=1 + GOEXPERIMENT=boringcrypto).

Update line 4 to use registry.access.redhat.com/ubi9/go-toolset:1.24 (available in the registry; exact patch level may vary) and line 29 to enable CGO and boringcrypto:

Suggested alignment
-FROM registry.access.redhat.com/ubi9/go-toolset:1.25 AS builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.24 AS builder

 RUN export PATH="$(go env GOPATH)/bin:$PATH" && \
-    CGO_ENABLED=0 GOOS=linux GIT_SHA=${GIT_SHA} GIT_DIRTY=${GIT_DIRTY} make build
+    CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux GIT_SHA=${GIT_SHA} GIT_DIRTY=${GIT_DIRTY} make build

For the runtime stage (line 1), switch BASE_IMAGE from gcr.io/distroless/static-debian12:nonroot to a glibc-based image (e.g., registry.access.redhat.com/ubi9/ubi-minimal:latest) to support FIPS boringcrypto at runtime.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 4, Update the builder base image FROM to use Go 1.24
(replace registry.access.redhat.com/ubi9/go-toolset:1.25 with
registry.access.redhat.com/ubi9/go-toolset:1.24) and change the build
environment to enable CGO and boringcrypto (set CGO_ENABLED=1 and add
GOEXPERIMENT=boringcrypto in the build stage where CGO is currently disabled);
also change the runtime BASE_IMAGE from the distroless nonroot image to a
glibc-based UBI minimal image (e.g.,
registry.access.redhat.com/ubi9/ubi-minimal:latest) so the binary built with
boringcrypto runs correctly at runtime.

Collaborator Author

1.25 is what I needed.
"Enable CGO_ENABLED=1 + boringcrypto" — Valid concern, but premature. This is a deliberate tradeoff I already documented in the Dockerfile.

@xueli181114, you're absolutely right—I apologize for the confusion. I see now that Go 1.25 is the intended version for this project, and the Dockerfile already documents the deliberate tradeoff at lines 27-29: CGO_ENABLED=0 produces a static binary for the distroless runtime, with clear guidance that FIPS-compliant builds would require switching to CGO_ENABLED=1 + boringcrypto + a glibc-based runtime image when needed. My review comment was premature. Thank you for the clarification!


✏️ Learnings added
Learnt from: xueli181114
Repo: openshift-hyperfleet/hyperfleet-api PR: 59
File: Dockerfile:3-3
Timestamp: 2026-02-28T09:25:06.472Z
Learning: In openshift-hyperfleet/hyperfleet-api Dockerfile, CGO_ENABLED=0 is intentionally used to produce static binaries for the distroless runtime; the Dockerfile documents that FIPS-compliant builds (CGO_ENABLED=1 + GOEXPERIMENT=boringcrypto) would require switching to a glibc-based runtime image like ubi9-micro instead of distroless.



🧠 Learnings used
Learnt from: yasun1
Repo: openshift-hyperfleet/hyperfleet-api PR: 31
File: pkg/errors/errors.go:9-9
Timestamp: 2026-01-08T09:40:10.138Z
Learning: In openshift-hyperfleet/hyperfleet-api, pkg/api/openapi is a generated directory (excluded in .gitignore) created by `make generate` using openapi-generator-cli via Docker; linters that run before code generation will report false-positive import errors for this package.

Learnt from: xueli181114
Repo: openshift-hyperfleet/hyperfleet-api PR: 59
File: Makefile:42-42
Timestamp: 2026-02-28T08:46:17.822Z
Learning: The openshift-hyperfleet/hyperfleet-api project uses Go 1.25 (updated from 1.24.9) for builds with FIPS-compliant crypto requirements.


ARG GIT_SHA=unknown
ARG GIT_DIRTY=""
ARG BUILD_DATE=""
ARG VERSION=""

# Install make as root (UBI9 go-toolset doesn't include it), then switch back to non-root.
USER root
RUN dnf install -y make && dnf clean all
WORKDIR /build

# Copy go mod files
COPY go.mod go.sum ./
RUN go mod download

# Copy source code
COPY . .

# Build binary
RUN CGO_ENABLED=0 GOOS=linux make build
RUN chown 1001:0 /build
USER 1001

# Install bingo tools (mockgen, oapi-codegen) under /build/.gobin and add to PATH
# so "go generate" can find them. ENV persists for all subsequent RUN commands.
ENV GOBIN=/build/.gobin
ENV PATH="${GOBIN}:${PATH}"

COPY --chown=1001:0 go.mod go.sum ./
RUN --mount=type=cache,target=/opt/app-root/src/go/pkg/mod,uid=1001 \
go mod download

COPY --chown=1001:0 . .

# CGO_ENABLED=0 produces a static binary required for distroless runtime.
# For FIPS-compliant builds (CGO_ENABLED=1 + GOEXPERIMENT=boringcrypto), use a
# runtime image with glibc (e.g. ubi9-micro) instead of distroless.
RUN --mount=type=cache,target=/opt/app-root/src/go/pkg/mod,uid=1001 \
--mount=type=cache,target=/opt/app-root/src/.cache/go-build,uid=1001 \
mkdir -p $GOBIN && \
CGO_ENABLED=0 GOOS=linux \
GIT_SHA=${GIT_SHA} GIT_DIRTY=${GIT_DIRTY} BUILD_DATE=${BUILD_DATE} VERSION=${VERSION} \
make build

# Runtime stage
FROM ${BASE_IMAGE}

WORKDIR /app

# Copy binary from builder
COPY --from=builder /build/bin/hyperfleet-api /app/hyperfleet-api

# Copy OpenAPI schema for validation (uses the source spec, not the generated one)
COPY --from=builder /build/openapi/openapi.yaml /app/openapi/openapi.yaml

# Set default schema path (can be overridden by Helm for provider-specific schemas)
ENV OPENAPI_SCHEMA_PATH=/app/openapi/openapi.yaml

USER 65532:65532

EXPOSE 8000

ENTRYPOINT ["/app/hyperfleet-api"]
CMD ["serve"]

ARG VERSION=""
LABEL name="hyperfleet-api" \
vendor="Red Hat" \
version="0.0.1" \
version="${VERSION}" \
summary="HyperFleet API - Cluster Lifecycle Management Service" \
description="HyperFleet API for cluster lifecycle management"
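Review bot: both base images in this hunk are floating tags, `registry.access.redhat.com/ubi9/go-toolset:1.25` on the new FROM line and `gcr.io/distroless/static-debian12:nonroot` in `ARG BASE_IMAGE`, so two builds of the same commit can pull different content and the `GIT_SHA`/`VERSION` labels no longer describe one reproducible artifact; pin each with an `@sha256:<digest>` suffix (digest to be filled in from the registry) or a build-id tag and bump it deliberately. Two smaller points: `USER 65532:65532` is the distroless nonroot uid, while `BASE_IMAGE` is overridable and the comment above `make build` names ubi9-micro as the FIPS alternative, where that uid is not guaranteed a passwd entry (fine for a static binary, but a one-line comment next to `USER` would save the next person the question); and `LABEL version="${VERSION}"` resolves to an empty string unless `--build-arg VERSION=` is passed, since the stage-local `ARG VERSION=""` defaults it.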