Install trusted certs instead of copy

mtodor · mtodor · commit ac1479139049 · 2026-03-19T17:06:25.000+01:00
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
@@ -37,6 +37,11 @@ jobs:
         with:
           dockerfile: Dockerfile
 
+      - name: Run hadolint Konflux
+        uses: hadolint/hadolint-action@v3.3.0
+        with:
+          dockerfile: konflux.Dockerfile
+
       - name: Create ../results directory for SARIF report files
         shell: bash
         run: mkdir -p ../results
diff --git a/Dockerfile b/Dockerfile
@@ -3,6 +3,7 @@
 # Used images
 ARG GOLANG_BUILDER=registry.access.redhat.com/ubi10/go-toolset:1.25
 ARG MCP_SERVER_BASE_IMAGE=registry.access.redhat.com/ubi10/ubi-micro:10.1
+ARG PACKAGE_INSTALLER_IMAGE=registry.access.redhat.com/ubi10/ubi:10.1
 
 # Build arguments for multi-arch build support
 ARG BUILDPLATFORM
@@ -43,18 +44,46 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
     -o /tmp/stackrox-mcp \
     ./cmd/stackrox-mcp
 
-# Stage 2: Runtime - Minimal runtime image
-FROM $MCP_SERVER_BASE_IMAGE
+# Stage 2: Runtime base - used to preserve rpmdb when installing packages
+FROM $MCP_SERVER_BASE_IMAGE AS ubi-micro-base
+
+
+# Stage 3: Package installer - installs ca-certificates and openssl into /ubi-micro-base-root/
+FROM --platform=$BUILDPLATFORM $PACKAGE_INSTALLER_IMAGE AS package_installer
+
+# Support multi-arch target builds
+ARG TARGETARCH
+
+# Copy ubi-micro base to /ubi-micro-base-root/ to preserve its rpmdb
+COPY --from=ubi-micro-base / /ubi-micro-base-root/
+
+# Install packages directly to /ubi-micro-base-root/ using --installroot
+# Note: --forcearch maps Docker's arch name to RPM arch name to install target-arch packages on the build platform.
+# hadolint ignore=DL3041 # We are installing ca-certificates and openssl only to include trusted certs.
+RUN TARGETARCH_RPM=$([ "$TARGETARCH" = "amd64" ] && echo "x86_64" || [ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "$TARGETARCH") && \
+    dnf install -y \
+    --installroot=/ubi-micro-base-root/ \
+    --releasever=10 \
+    --forcearch="$TARGETARCH_RPM" \
+    --setopt=install_weak_deps=False \
+    --setopt=reposdir=/etc/yum.repos.d \
+    --nodocs \
+    ca-certificates \
+    openssl && \
+    dnf clean all --installroot=/ubi-micro-base-root/ && \
+    rm -rf /ubi-micro-base-root/var/cache/*
+
+
+# Stage 4: Runtime - Minimal runtime image
+FROM ubi-micro-base
 
 # Set default environment variables
 ENV LOG_LEVEL=INFO
 
 # Set working directory
 WORKDIR /app
 
-# Copy trusted certificates from builder
-COPY --from=builder /etc/pki/ca-trust/extracted/ /etc/pki/ca-trust/extracted/
-COPY --from=builder /etc/ssl/certs/ /etc/ssl/certs/
+COPY --from=package_installer /ubi-micro-base-root/ /
 
 # Copy binary from builder
 COPY --from=builder /tmp/stackrox-mcp /app/stackrox-mcp
diff --git a/Makefile b/Makefile
@@ -57,6 +57,7 @@ image: ## Build the docker image
 .PHONY: dockerfile-lint
 dockerfile-lint: ## Run hadolint for Dockerfile
 	$(DOCKER_CMD) run --rm -i --env HADOLINT_FAILURE_THRESHOLD=info ghcr.io/hadolint/hadolint < Dockerfile
+	$(DOCKER_CMD) run --rm -i --env HADOLINT_FAILURE_THRESHOLD=info ghcr.io/hadolint/hadolint < konflux.Dockerfile
 
 .PHONY: helm-lint
 helm-lint: ## Run helm lint for Helm chart
diff --git a/konflux.Dockerfile b/konflux.Dockerfile
@@ -23,7 +23,7 @@ COPY . .
 # Build the binary with optimizations
 # Output to "/tmp" directory, because user can not copy built binary to "/workspace"
 # Go build uses "venodr" mode and that fails, that's why explicit "-mod=mod" is set.
-RUN RACE=0 CGO_ENABLED=0 GOOS=$(go env GOOS) GOARCH=$(go env GOARCH) \
+RUN RACE=0 GOOS=$(go env GOOS) GOARCH=$(go env GOARCH) \
     go build \
     -mod=mod \
     -ldflags="-w -s \
@@ -34,18 +34,43 @@ RUN RACE=0 CGO_ENABLED=0 GOOS=$(go env GOOS) GOARCH=$(go env GOARCH) \
     -o /tmp/stackrox-mcp \
     ./cmd/stackrox-mcp
 
-# Stage 2: Runtime - Minimal runtime image
-FROM registry.access.redhat.com/ubi9/ubi-micro@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10
+
+# Stage 2: Runtime base - used to preserve rpmdb when installing packages
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10 AS ubi-micro-base
+
+
+# Stage 3: Package installer - installs ca-certificates and openssl into /ubi-micro-base-root/
+FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:05fa0100593c08b5e9dde684cd3eaa94b4d5d7b3cc09944f1f73924e49fde036 AS package_installer
+
+# Copy ubi-micro base to /ubi-micro-base-root/ to preserve its rpmdb
+COPY --from=ubi-micro-base / /ubi-micro-base-root/
+
+# Install packages directly to /ubi-micro-base-root/ using --installroot
+# Note: --setopt=reposdir=/etc/yum.repos.d instructs dnf to use repo configurations pointing to RPMs
+# prefetched by Hermeto/Cachi2, instead of installroot's default UBI repos.
+# hadolint ignore=DL3041 # We are installing ca-certificates and openssl only to include trusted certs.
+RUN dnf install -y \
+    --installroot=/ubi-micro-base-root/ \
+    --releasever=9 \
+    --setopt=install_weak_deps=False \
+    --setopt=reposdir=/etc/yum.repos.d \
+    --nodocs \
+    ca-certificates \
+    openssl && \
+    dnf clean all --installroot=/ubi-micro-base-root/ && \
+    rm -rf /ubi-micro-base-root/var/cache/*
+
+
+# Stage 4: Runtime - Minimal runtime image
+FROM ubi-micro-base
 
 # Set default environment variables
 ENV LOG_LEVEL=INFO
 
 # Set working directory
 WORKDIR /app
 
-# Copy trusted certificates from builder
-COPY --from=builder /etc/pki/ca-trust/extracted/ /etc/pki/ca-trust/extracted/
-COPY --from=builder /etc/ssl/certs/ /etc/ssl/certs/
+COPY --from=package_installer /ubi-micro-base-root/ /
 
 # Copy binary from builder
 COPY --from=builder /tmp/stackrox-mcp /app/stackrox-mcp
