New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Container labels inherited from UBI image #24414
Comments
There isn't a convienent way to remove the inherited labels from what I can see. A workaround is mentioned here: moby/moby#3465 (comment) @vmuzikar what jobs are responsible for pushing the images to quay? Presumably we can use maven / application.properties for the operator - I've confirmed you can't even specify an empty string for a quarkus.container-image.labels value, so removing is not expected. |
@shawkins Please see https://github.com/keycloak-rel/keycloak-rel/blob/main/.github/workflows/x-keycloak-container.yml |
On the operator side, I tried out:
With overrides in application-rhbk.properties.However even though the image building logs shows adding all of the labels, the acutal image does not have summary, vendor and all of dummy values (version, release, url, etc.) overriden. I tried some of the same overrides with a LABEL command directly in the Dockerfile, and still hit the same problem. For whatever reason it looks like quite a few of these labels are fixed. What we seem to be able to set: name For consistency I'm now thinking that I'll just do this directly in the respective Docker files with appropriate env interpolation, such that the defaults will apply to the community. @stianst @vmuzikar Does this sound good enough, or should I try to track down what Docker issue is in play with not being able to override everything? |
closes: keycloak#24414 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
closes: keycloak#24414 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
@stianst @vmuzikar Please ignore the previous comment it is invalid. After looking over keycloak-rel, it looks like keycloak-rel/keycloak-rel#103 overlaps with this concern - we should consider merging that. To have consistency with how labels are set we'll need to change the x-keycloak-operator workflow to directly use the Dockerfile, rather than the maven build. @ASzc does that logic already exist downstream somewhere? |
@shawkins Downstream builds server and operator from a plain Dockerfile that |
@ASzc can you point me to where than lives? I'd like to line everything up as closely as possible. |
Current state:
The base proposal here is to convert the community release of the operator into one that looks like the product release. The labels being manuplated by the product release can be accounted for by the community release as well. The next possibility would be to see if the Dockerfiles could be made identical, if not reused, across the releases. At the very least it would require parameterizing the label values. So we'll have one set of labels to maintain in both the operator and the keycloak Dockerfiles. The last option is that it seems possible to create a secondary Dockerfile that will apply the set of labels we are interested in via a lot of build args. We'd then use that against in an secondary build against the image created by the particular release. Ideally this would give us just one place to maintain the labels. @ASzc @vmuzikar is it good enough to stop at the base proposal or is there a value in trying to align this even more? |
Re: Dockerfile parameters, I'm limited by the capabilities of OSBS, and I don't think it supports setting these as far as I can see in its docs or schema. So you could use them, but the defaults would have to be for product, which is awkward. Similar story for more than one Dockerfile per component, it's not easily supported by OSBS |
@ASzc thank you for the perspective, so the best we can do is having 4 different Dockerfiles each maintaining their own labels. |
@ASzc @shawkins What if we generated the Dockerfile via Maven? It would then include a lengthy list of label overrides. A different Dockefile would be generated based on activation of If that's not feasible then I'd then vote for handling the labels in the existing 4 Dockerfiles independently. |
@vmuzikar Unfortunately there's no capability provided by CPaaS to alter containers' source files during build execution. So we can't replace the Dockerfile itself. However we can If we |
@vmuzikar are you thinking about the build producing not only the tar.gz, but the associated Dockerfile artifacts as well? |
Exactly. :) But seems like we can't use a generated Dockerfile in prod based on @ASzc answer. |
I looked into it as well and I can confirm it really looks like there's not way to load
|
4 discrete Dockerfiles does look like the only way to go at present. Maybe if we move the product containers to Konflux sometime, things will change. The code duplication is unfortunate but they are relatively simple to synchronize by hand, since they all do the same thing more or less |
Okay, let me start down this path. |
closes: keycloak#24414 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
closes: keycloak#24414 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
closes: #24414 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
closes: keycloak#24414 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Before reporting an issue
Area
dist/quarkus
Describe the bug
A number of labels are set on the container metadata that are simply inherited from UBI:
We should investigate if we can replace some (like
name
,maintainer
, andio.k8s.*
), and potentially remove some (com.redhat.*
).Version
main
Expected behavior
Container metadata labels contain information relevant to Keycloak and not the base image
Actual behavior
Container metadata labels contain information relevant to the base image
How to Reproduce?
Anything else?
No response
The text was updated successfully, but these errors were encountered: