[WIP] konflux: use RHAI base image

[raptorsun]

Description

use RHAI base image, that comes with dependant libraries such as openMPI already installed.

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

• Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
• Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

• Related Issue #
• Closes #

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

• Chores
  • Enhanced build configurability: customizable builder/runtime base images, package manager commands, and a new build-args-file pipeline parameter for flexible build-time configuration.
  • Switched package sources and pins from UBI to RHEL/EUS endpoints and updated package metadata accordingly.
  • Removed legacy UBI repository definitions and trimmed several packages from the package list.

[coderabbitai]

Walkthrough

Adds a Tekton pipeline parameter build-args-file and wires it into build matrices; makes Containerfile base images and package manager commands configurable via build ARGs; replaces UBI repo usage with RHEL/EUS repo definitions and updates rpms.lock accordingly.

Changes

Cohort / File(s)	Summary
Tekton pipeline .tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml	Added build-args-file parameter (default build-args-konflux.conf) and propagated it into the build matrix as BUILD_ARGS_FILE.
Container build Containerfile, build-args-konflux.conf	Containerfile: introduced build ARGs for builder/runtime base images and DNF commands, replaced hard-coded FROM and package manager invocations, added LSC_SOURCE_DIR usage and chown step. build-args-konflux.conf: new defaults for BUILDER/RUNTIME base images and DNF commands.
Repository manifests redhat.repo, ubi.repo	Removed ubi.repo entirely and added/expanded redhat.repo with multiple RHEL/EUS repository stanzas (BaseOS, AppStream, CodeReady, OCP 4.17).
RPM lists / locks rpms.in.yaml, rpms.lock.yaml	rpms.in.yaml: removed several packages and switched contentOrigin repofile to redhat.repo. rpms.lock.yaml: extensive replacement of package entries from UBI/ubi9 to RHEL9/EUS sources (URLs, repoid, EVR, checksums) across arches. Attention: large, heterogeneous metadata changes.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer / CI trigger
    participant Tekton as Tekton Pipeline
    participant Build as Build Task (buildah/kaniko)
    participant Repo as RPM repos (redhat.repo / rpms.lock)
    participant Registry as Image Registry

    Dev->>Tekton: push PR / start Pipeline (params incl. build-args-file)
    Tekton->>Build: start build task with matrix (BUILD_ARGS_FILE -> build-args-konflux.conf)
    Build->>Repo: resolve RPMs using `redhat.repo` and `rpms.lock`
    Build->>Build: use Containerfile ARGs (BUILDER_BASE_IMAGE, RUNTIME_BASE_IMAGE, DNF commands)
    Build->>Registry: push built images (using runtime/base images)
    Registry-->>Dev: build completed / image available

Loading

Note: colored rectangles not used because sequence diagram focuses on interactions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• LCORE-858: konflux - correct RPM repo id #860 — Modifies RPM repository configuration and rpms.lock/ubi.repo files; closely related to the repo/lock adjustments in this change.
• LCORE-431: how to build the lightspeed core image #391 — Changes to the Containerfile and build arguments; relevant to the Containerfile ARG and build-time configurability edits.

Suggested reviewers

• tisnik
• radofuchs

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '[WIP] konflux: use RHAI base image' directly reflects the main objective: replacing the Konflux base image with RHAI base image. It is specific, concise, and clearly communicates the primary change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Containerfile (1)

57-85: Add ARG RUNTIME_DNF_COMMAND to the final stage to fix empty variable expansion.

ARGs declared before the first FROM (line 3) have global scope but are not automatically available inside build stages. At line 85, ${RUNTIME_DNF_COMMAND} expands to empty, causing the command to fail with install: invalid option -- 'y'. Re-declare the ARG in the final stage.

Fix

 FROM ${RUNTIME_BASE_IMAGE}
+ARG RUNTIME_DNF_COMMAND
 ARG APP_ROOT=/app-root
 WORKDIR /app-root

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Containerfile (1)

59-87: ⚠️ Potential issue | 🔴 Critical

Critical: Same ARG scoping issue in the runtime stage.

RUNTIME_DNF_COMMAND is undefined after FROM ${RUNTIME_BASE_IMAGE}. This will cause the same pipeline failure at line 87.

🐛 Proposed fix to re-declare ARG in runtime stage

 FROM ${RUNTIME_BASE_IMAGE}
+ARG RUNTIME_DNF_COMMAND=microdnf
 ARG APP_ROOT=/app-root
 WORKDIR /app-root

🤖 Fix all issues with AI agents

In `@Containerfile`:
- Around line 2-7: The build ARGs declared before the first FROM (ARG
BUILDER_BASE_IMAGE, ARG BUILDER_DNF_COMMAND, ARG RUNTIME_BASE_IMAGE, ARG
RUNTIME_DNF_COMMAND) are not available inside the builder stage, causing
${BUILDER_DNF_COMMAND} to be empty; re-declare the required ARGs immediately
after the corresponding FROM lines (e.g., after "FROM ${BUILDER_BASE_IMAGE} AS
builder" add "ARG BUILDER_DNF_COMMAND" and any other builder ARGs you need) so
RUN steps that reference ${BUILDER_DNF_COMMAND} resolve correctly, and likewise
re-declare runtime ARGs after the runtime FROM if used in that stage.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: ARGs must be re-declared after FROM to be available in the build stage.

The pipeline failure (install: invalid option -- 'y') occurs because BUILDER_DNF_COMMAND is undefined inside the builder stage. In Docker/Podman, ARGs declared before the first FROM are only available for use in FROM instructions themselves. To use them in subsequent RUN commands, they must be re-declared after FROM.

When ${BUILDER_DNF_COMMAND} is empty, the command becomes install -y ..., invoking the shell's install utility instead of dnf.

🐛 Proposed fix to re-declare ARGs after FROM

 ARG BUILDER_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312
 ARG BUILDER_DNF_COMMAND=dnf
 ARG RUNTIME_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312-minimal
 ARG RUNTIME_DNF_COMMAND=microdnf

 FROM ${BUILDER_BASE_IMAGE} AS builder
+ARG BUILDER_DNF_COMMAND=dnf

 ARG APP_ROOT=/app-root
 ARG LSC_SOURCE_DIR=.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ARG BUILDER_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312
	ARG BUILDER_DNF_COMMAND=dnf
	ARG RUNTIME_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312-minimal
	ARG RUNTIME_DNF_COMMAND=microdnf
	FROM ${BUILDER_BASE_IMAGE} AS builder
	ARG BUILDER_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312
	ARG BUILDER_DNF_COMMAND=dnf
	ARG RUNTIME_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312-minimal
	ARG RUNTIME_DNF_COMMAND=microdnf
	FROM ${BUILDER_BASE_IMAGE} AS builder
	ARG BUILDER_DNF_COMMAND=dnf

🤖 Prompt for AI Agents

In `@Containerfile` around lines 2 - 7, The build ARGs declared before the first
FROM (ARG BUILDER_BASE_IMAGE, ARG BUILDER_DNF_COMMAND, ARG RUNTIME_BASE_IMAGE,
ARG RUNTIME_DNF_COMMAND) are not available inside the builder stage, causing
${BUILDER_DNF_COMMAND} to be empty; re-declare the required ARGs immediately
after the corresponding FROM lines (e.g., after "FROM ${BUILDER_BASE_IMAGE} AS
builder" add "ARG BUILDER_DNF_COMMAND" and any other builder ARGs you need) so
RUN steps that reference ${BUILDER_DNF_COMMAND} resolve correctly, and likewise
re-declare runtime ARGs after the runtime FROM if used in that stage.