Add Dockerfile UBI images for the Operator and ProxyRunner

.github/workflows/image-build-and-publish.yml

@@ -213,6 +213,21 @@ jobs:
       - name: Setup ko
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Extract UBI metadata
+        id: ubi-meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: ${{ env.BASE_REPO }}
+          tags: |
+            type=raw,value=${{ steps.version-string.outputs.tag }}-ubi
+          labels: |
+            name=toolhive-operator
+            vendor=Stacklok
+            maintainer=Stacklok
+
       - name: Install Cosign
         uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
 
@@ -234,13 +249,29 @@ jobs:
           KO_DOCKER_REPO=$BASE_REPO ko build --platform=linux/amd64,linux/arm64 --bare $TAGS ./cmd/thv-operator \
             --image-label=org.opencontainers.image.source=https://github.com/stacklok/toolhive,org.opencontainers.image.title="toolhive-operator",org.opencontainers.image.vendor=Stacklok
 
+      - name: Build and Push UBI Image to GHCR
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: containers/operator/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.ubi-meta.outputs.tags }}
+          build-args: |
+            CODEDIR=cmd/thv-operator
+            VERSION=${{ steps.version-string.outputs.tag }}-ubi
+            COMMIT=${{ github.sha }}
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+          labels: ${{ steps.ubi-meta.outputs.labels }}
+
       - name: Sign Image with Cosign
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: |
           TAG=$(echo "${{ steps.version-string.outputs.tag }}" | sed 's/+/_/g')
+          UBI_TAG=$(echo "${{ steps.version-string.outputs.tag }}-ubi" | sed 's/+/_/g')
           # Sign the ko image
           cosign sign -y $BASE_REPO:$TAG
+          cosign sign -y $BASE_REPO:$UBI_TAG
 
           # Sign the latest tag if building from a tag
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then
@@ -293,6 +324,21 @@ jobs:
       - name: Setup ko
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Extract UBI metadata
+        id: ubi-meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: ${{ env.BASE_REPO }}
+          tags: |
+            type=raw,value=${{ steps.version-string.outputs.tag }}-ubi
+          labels: |
+            name=toolhive-proxyrunner
+            vendor=Stacklok
+            maintainer=Stacklok
+
       - name: Install Cosign
         uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
 
@@ -314,13 +360,29 @@ jobs:
           KO_DOCKER_REPO=$BASE_REPO ko build --platform=linux/amd64,linux/arm64 --bare $TAGS ./cmd/thv-proxyrunner \
             --image-label=org.opencontainers.image.source=https://github.com/stacklok/toolhive,org.opencontainers.image.title="toolhive-proxyrunner",org.opencontainers.image.vendor=Stacklok
 
+      - name: Build and Push UBI Image to GHCR
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: containers/operator/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.ubi-meta.outputs.tags }}
+          build-args: |
+            CODEDIR=cmd/thv-proxyrunner
+            VERSION=${{ steps.version-string.outputs.tag }}
+            COMMIT=${{ github.sha }}
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+          labels: ${{ steps.ubi-meta.outputs.labels }}
+
       - name: Sign Image with Cosign
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: |
           TAG=$(echo "${{ steps.version-string.outputs.tag }}" | sed 's/+/_/g')
+          UBI_TAG=$(echo "${{ steps.version-string.outputs.tag }}-ubi" | sed 's/+/_/g')
           # Sign the ko image
           cosign sign -y $BASE_REPO:$TAG
+          cosign sign -y $BASE_REPO:$UBI_TAG
 
           # Sign the latest tag if building from a tag
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then

cmd/thv-operator/Taskfile.yml

@@ -268,12 +268,21 @@ tasks:
 
   ocp-build-and-push:
     desc: Build ToolHive and Operator images and push them to OpenShift registry
+    vars:
+      SHA:  
+        sh: git rev-parse HEAD || echo "unknown"
     cmds:
       - task: ocp-registry-login
       - echo "Building and pushing toolhive operator image to {{.OCP_REGISTRY_ROUTE}}/{{.OCP_PROJECT}}..."
-      - KO_DOCKER_REPO={{.OCP_REGISTRY_ROUTE}}/{{.OCP_PROJECT}} ko build --push --base-import-paths {{if eq .OCP_INSECURE_REGISTRY "true"}}--insecure-registry{{end}} ./cmd/thv-operator
+      - task: build-operator-image-ubi
+        vars:
+          REPO: "{{.OCP_REGISTRY_ROUTE}}/{{.OCP_PROJECT}}"
+      - eval "{{.CONTAINER_RUNTIME}} push {{if eq .OCP_INSECURE_REGISTRY "true"}}--tls-verify=false{{end}} {{.OCP_REGISTRY_ROUTE}}/{{.OCP_PROJECT}}/thv-operator:{{.SHA}}-ubi"
       - echo "Building and pushing toolhive proxy runner image to {{.OCP_REGISTRY_ROUTE}}/{{.OCP_PROJECT}}..."
-      - KO_DOCKER_REPO={{.OCP_REGISTRY_ROUTE}}/{{.OCP_PROJECT}} ko build --push --base-import-paths {{if eq .OCP_INSECURE_REGISTRY "true"}}--insecure-registry{{end}} ./cmd/thv-proxyrunner
+      - task: build-proxyrunner-image-ubi
+        vars:
+          REPO: "{{.OCP_REGISTRY_ROUTE}}/{{.OCP_PROJECT}}"
+      - eval "{{.CONTAINER_RUNTIME}} push {{if eq .OCP_INSECURE_REGISTRY "true"}}--tls-verify=false{{end}} {{.OCP_REGISTRY_ROUTE}}/{{.OCP_PROJECT}}/thv-proxyrunner:{{.SHA}}-ubi"
       - echo "Images pushed successfully to {{.OCP_REGISTRY_ROUTE}}/{{.OCP_PROJECT}}"
 
   ocp-verify-push:
@@ -282,17 +291,20 @@ tasks:
       - echo "Checking image streams in project {{.OCP_PROJECT}}..."
       - oc get is -n {{.OCP_PROJECT}}
       - echo "Describing thv-operator image stream..."
-      - oc describe is thv-operator -n {{.OCP_PROJECT}} || echo "thv-operator image stream not found"
+      - oc describe is thv-operator -n {{.OCP_PROJECT}} || (echo "thv-operator image stream not found" && exit 1)
       - echo "Describing thv-proxyrunner image stream..."
-      - oc describe is thv-proxyrunner -n {{.OCP_PROJECT}} || echo "thv-proxyrunner image stream not found"
+      - oc describe is thv-proxyrunner -n {{.OCP_PROJECT}} || (echo "thv-proxyrunner image stream not found" && exit 1)
 
   ocp-deploy-operator:
     desc: Deploy ToolHive Operator to OpenShift using locally built images
+    vars:
+      SHA:  
+        sh: git rev-parse HEAD || echo "unknown"
     cmds:
       - |
         helm upgrade --install toolhive-operator deploy/charts/operator \
-        --set operator.image=image-registry.openshift-image-registry.svc:5000/{{.OCP_PROJECT}}/thv-operator:latest \
-        --set operator.toolhiveRunnerImage=image-registry.openshift-image-registry.svc:5000/{{.OCP_PROJECT}}/thv-proxyrunner:latest \
+        --set operator.image=image-registry.openshift-image-registry.svc:5000/{{.OCP_PROJECT}}/thv-operator:{{.SHA}}-ubi \
+        --set operator.toolhiveRunnerImage=image-registry.openshift-image-registry.svc:5000/{{.OCP_PROJECT}}/thv-proxyrunner:{{.SHA}}-ubi \
         --namespace {{.OCP_PROJECT}} \
         --create-namespace \
         {{ .CLI_ARGS }}
@@ -342,3 +354,47 @@ tasks:
       - echo "Keycloak will be available at http://localhost:8080"
       - echo "Use 'task keycloak:get-admin-creds' to get login credentials"
       - kubectl port-forward service/keycloak-dev-service -n keycloak 8080:8080 --kubeconfig kconfig.yaml
+
+  build-operator-image-ubi:
+    desc: Build the operator image
+    vars:
+      COMMIT:
+        sh: git rev-parse --short HEAD || echo "unknown"
+      BUILD_DATE: '{{dateInZone "2006-01-02T15:04:05Z" (now) "UTC"}}'
+      SHA:  
+        sh: git rev-parse HEAD || echo "unknown"
+      REPO: '{{.REPO | default "ghcr.io/stacklok/toolhive"}}'
+    cmds:
+      - >
+        eval "{{.CONTAINER_RUNTIME}} build --load
+        -t {{.REPO}}/thv-operator:{{.SHA}}-ubi
+        --build-arg CODEDIR=cmd/thv-operator
+        --build-arg VERSION={{.SHA}}-ubi
+        --build-arg COMMIT={{.COMMIT}}
+        --build-arg BUILD_DATE={{.BUILD_DATE}}
+        --label name=\"toolhive-operator\"
+        --label vendor=\"Stacklok\"
+        --label maintainer=\"Stacklok\"
+        -f containers/operator/Dockerfile ."
+
+  build-proxyrunner-image-ubi:
+    desc: Build the proxyrunner image
+    vars:
+      COMMIT:
+        sh: git rev-parse --short HEAD || echo "unknown"
+      BUILD_DATE: '{{dateInZone "2006-01-02T15:04:05Z" (now) "UTC"}}'
+      SHA:  
+        sh: git rev-parse HEAD || echo "unknown"
+      REPO: '{{.REPO | default "ghcr.io/stacklok/toolhive"}}'
+    cmds:
+      - >
+        eval "{{.CONTAINER_RUNTIME}} build --load
+        -t {{.REPO}}/thv-proxyrunner:{{.SHA}}-ubi
+        --build-arg CODEDIR=cmd/thv-proxyrunner
+        --build-arg VERSION={{.SHA}}-ubi
+        --build-arg COMMIT={{.COMMIT}}
+        --build-arg BUILD_DATE={{.BUILD_DATE}}
+        --label name=\"toolhive-proxyrunner\"
+        --label vendor=\"Stacklok\"
+        --label maintainer=\"Stacklok\"
+        -f containers/operator/Dockerfile ."

containers/operator/Dockerfile

@@ -0,0 +1,39 @@
+# Build the binary
+FROM registry.access.redhat.com/ubi10/go-toolset:1.24 as builder
+
+USER root
+
+WORKDIR /workspace
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+ARG CODEDIR \
+VERSION \
+COMMIT \
+BUILD_DATE
+
+# Copy the entire Go module structure
+COPY . .
+
+# Build
+RUN CGO_ENABLED=0 LDFLAGS="-s -w \
+-X github.com/stacklok/toolhive/pkg/versions.Version=${VERSION} \
+-X github.com/stacklok/toolhive/pkg/versions.Commit=${COMMIT} \
+-X github.com/stacklok/toolhive/pkg/versions.BuildDate=${BUILD_DATE} \
+-X github.com/stacklok/toolhive/pkg/versions.BuildType=release" \
+GOOS=linux GOARCH=amd64 go build -ldflags "${LDFLAGS}" -o main ./${CODEDIR}/main.go
+
+# Use micro base image to package the binary
+FROM  --platform=linux/amd64 registry.access.redhat.com/ubi10/ubi-micro:10.0
+
+COPY --from=builder /workspace/main /
+COPY LICENSE /licenses/LICENSE
+
+USER 1001
+
+ENTRYPOINT ["/main"]