From 8089aa3776675400a53e921c2a85257a4a28a0d5 Mon Sep 17 00:00:00 2001
From: Joep van Delft
Date: Wed, 27 Nov 2024 10:39:26 +0100
Subject: [PATCH] Use preconfigured repositories at brew build time
---
 .../rhel-8/ci-openshift-build-root/Dockerfile | 3 +-
 .../Dockerfile.previous | 69 -------------------
 .../rhel-9/ci-openshift-build-root/Dockerfile | 3 +-
 .../Dockerfile.previous | 69 -------------------
 ...ci-openshift-build-root-previous.rhel8.yml | 2 +-
 ...ci-openshift-build-root-previous.rhel9.yml | 2 +-
 6 files changed, 6 insertions(+), 142 deletions(-)
 delete mode 100644 ci_images/rhel-8/ci-openshift-build-root/Dockerfile.previous
 delete mode 100644 ci_images/rhel-9/ci-openshift-build-root/Dockerfile.previous
diff --git a/ci_images/rhel-8/ci-openshift-build-root/Dockerfile b/ci_images/rhel-8/ci-openshift-build-root/Dockerfile
index 3fb3281356..0b232490c9 100644
--- a/ci_images/rhel-8/ci-openshift-build-root/Dockerfile
+++ b/ci_images/rhel-8/ci-openshift-build-root/Dockerfile
@@ -27,7 +27,8 @@ RUN set -euxo pipefail && \
 /tmp/install_protoc.sh "23.4" && \
 /tmp/install_etcd.sh "3.5.10"
-RUN INSTALL_PKGS="glibc libatomic libsemanage annobin go-srpm-macros libstdc++ llvm-libs qt5-srpm-macros redhat-rpm-config bc procps-ng util-linux bind-utils bsdtar createrepo_c device-mapper device-mapper-persistent-data e2fsprogs ethtool file findutils gcc git glib2-devel gpgme gpgme-devel hostname iptables jq krb5-devel libassuan libassuan-devel libseccomp-devel lsof make nmap-ncat openssl rsync socat systemd-devel tar tree wget which xfsprogs zip goversioninfo gettext python3 iproute rpm-build jq" && \
+RUN INSTALL_PKGS="glibc libatomic libsemanage annobin go-srpm-macros libstdc++ llvm-libs qt5-srpm-macros redhat-rpm-config bc procps-ng util-linux bind-utils bsdtar createrepo_c device-mapper device-mapper-persistent-data e2fsprogs ethtool file findutils gcc git glib2-devel gpgme gpgme-devel hostname iptables jq krb5-devel libassuan libassuan-devel libseccomp-devel lsof make nmap-ncat openssl rsync socat systemd-devel tar tree wget which xfsprogs zip goversioninfo gettext python3 iproute rpm-build" && \
+ export ART_DNF_WRAPPER_POLICY=skip && \
 dnf install -y --nobest $INSTALL_PKGS && \
 dnf clean all && \
 touch /os-build-image && \
diff --git a/ci_images/rhel-8/ci-openshift-build-root/Dockerfile.previous b/ci_images/rhel-8/ci-openshift-build-root/Dockerfile.previous
deleted file mode 100644
index dd22b6b157..0000000000
--- a/ci_images/rhel-8/ci-openshift-build-root/Dockerfile.previous
+++ /dev/null
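Review bot: The added `export ART_DNF_WRAPPER_POLICY=skip && \` line has no comment, so the Dockerfile does not say which repositories the following `dnf install -y --nobest $INSTALL_PKGS` resolves packages from. Judging only by the commit subject, the intent seems to be that the repositories preconfigured in the build environment are used instead of ones set up by the wrapper; that is worth recording above the RUN instruction because it determines the origin of every package in the image, e.g. `# ART_DNF_WRAPPER_POLICY=skip: use the repositories preconfigured at brew build time; the ART dnf wrapper does not manage repos for this install`. The export is scoped to this single RUN, so a dnf call in any other instruction would not inherit it; the RUN continues past the end of the hunk and the rest of the file is not visible here. The same point applies to the identical hunk in ci_images/rhel-9/ci-openshift-build-root/Dockerfile.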
@@ -1,69 +0,0 @@
-FROM replaced_by_doozer
-
-# Used by builds scripts to detect whether they are running in the context
-# of OpenShift CI or elsewhere (e.g. brew).
-ENV OPENSHIFT_CI="true"
-
-ENV GO_COMPLIANCE_POLICY=exempt_all
-
-# Install, matching upstream k8s, protobuf-3.x, see:
-# https://github.com/kubernetes/kubernetes/blob/master/hack/lib/protoc.sh
-# and etcd, see:
-# https://github.com/kubernetes/kubernetes/blob/master/hack/lib/etcd.sh
-# for CI only testing.
-ENV PATH=/opt/google/protobuf/bin:$PATH
-
-# Note that GHPROXY requests will only pass certificate checks in brew if
-# SSL_CERT_FILE=/tmp/tls-ca-bundle.pem (the CA injected by brew which
-# trusts the RH certificate used by ocp-artifacts)
-ENV GHPROXY_PREFIX="https://ocp-artifacts.engineering.redhat.com/github"
-
-ADD ci_images/install_protoc.sh /tmp
-ADD ci_images/install_etcd.sh /tmp
-
-RUN set -euxo pipefail && \
- chmod +x /tmp/*.sh && \
- export SSL_CERT_FILE=`test -f /tmp/tls-ca-bundle.pem && echo /tmp/tls-ca-bundle.pem || echo /tmp/Current-IT-Root-CAs.pem` && cat $SSL_CERT_FILE && \
- /tmp/install_protoc.sh "23.4" && \
- /tmp/install_etcd.sh "3.5.10"
-
-RUN INSTALL_PKGS="glibc libatomic libsemanage annobin go-srpm-macros libstdc++ llvm-libs qt5-srpm-macros redhat-rpm-config bc procps-ng util-linux bind-utils bsdtar createrepo_c device-mapper device-mapper-persistent-data e2fsprogs ethtool file findutils gcc git glib2-devel gpgme gpgme-devel hostname iptables jq krb5-devel libassuan libassuan-devel libseccomp-devel lsof make nmap-ncat openssl rsync socat systemd-devel tar tree wget which xfsprogs zip goversioninfo gettext python3 iproute rpm-build" && \
- dnf install -y --nobest $INSTALL_PKGS && \
- dnf clean all && \
- touch /os-build-image && \
- git config --system user.name origin-release-container && \
- git config --system user.email origin-release@redhat.com
-
-# Notes:
-# - brew will not be able to access go modules outside RH, setting GOPROXY allows them to be sourced from ocp-artifacts
-# - brew will not be able to connect to https://sum.golang.org/ . GOSUMDB='off' disables this check.
-# - brew temporarily injects a trust store at /tmp/tls-ca-bundle.pem. Setting SSL_CERT_FILE allows go install to use it.
-# this is important because the system trust store does not trust Red Hat IT certificates.
-RUN export GOPROXY="https://ocp-artifacts.engineering.redhat.com/goproxy/" && \
- export GOSUMDB='off' && \
- export GOFLAGS='' && export GO111MODULE=on && \
- export SSL_CERT_FILE=`test -f /tmp/tls-ca-bundle.pem && echo /tmp/tls-ca-bundle.pem || echo /tmp/Current-IT-Root-CAs.pem` && cat $SSL_CERT_FILE && \
- go install golang.org/x/tools/cmd/goimports@v0.24.0 && \
- go install github.com/tools/godep@latest && \
- go install golang.org/x/lint/golint@latest && \
- go install gotest.tools/gotestsum@latest && \
- go install github.com/openshift/release/tools/gotest2junit@latest && \
- go install github.com/openshift/imagebuilder/cmd/imagebuilder@latest && \
- mv $GOPATH/bin/* /usr/bin/ && \
- rm -rf $GOPATH/* $GOPATH/.cache && \
- mkdir $GOPATH/bin && \
- mkdir -p /go/src/github.com/openshift/origin && \
- ln -s /usr/bin/imagebuilder $GOPATH/bin/imagebuilder && \
- ln -s /usr/bin/goimports $GOPATH/bin/goimports && \
- curl --fail -L -k $GHPROXY_PREFIX/golang/dep/releases/download/v0.5.4/dep-linux-amd64 > /usr/bin/dep && \
- chmod +x /usr/bin/dep
-
-# make go related directories writeable since builds in CI will run as non-root. go install
-# may have created new directories.
-RUN mkdir -p $GOPATH && \
- chmod g+xw -R $GOPATH && \
- chmod g+xw -R $(go env GOROOT)
-
-# Some image building tools don't create a missing WORKDIR
-RUN mkdir -p /go/src/github.com/openshift/origin
-WORKDIR /go/src/github.com/openshift/origin
diff --git a/ci_images/rhel-9/ci-openshift-build-root/Dockerfile b/ci_images/rhel-9/ci-openshift-build-root/Dockerfile
index c1991ee547..2b9202fabf 100644
--- a/ci_images/rhel-9/ci-openshift-build-root/Dockerfile
+++ b/ci_images/rhel-9/ci-openshift-build-root/Dockerfile
@@ -27,7 +27,8 @@ RUN set -euxo pipefail && \
 /tmp/install_protoc.sh "23.4" && \
 /tmp/install_etcd.sh "3.5.10"
-RUN INSTALL_PKGS="glibc libatomic libsemanage annobin go-srpm-macros kernel-srpm-macros libstdc++ llvm-libs qt5-srpm-macros redhat-rpm-config bc procps-ng util-linux bind-utils bsdtar createrepo_c device-mapper device-mapper-persistent-data e2fsprogs ethtool file findutils gcc git glib2-devel gpgme gpgme-devel hostname iptables jq krb5-devel libassuan libassuan-devel libseccomp-devel lsof make nmap-ncat openssl rsync socat systemd-devel tar tree wget which xfsprogs zip goversioninfo gettext python3 iproute rpm-build rpmdevtools selinux-policy-devel jq" && \
+RUN INSTALL_PKGS="glibc libatomic libsemanage annobin go-srpm-macros kernel-srpm-macros libstdc++ llvm-libs qt5-srpm-macros redhat-rpm-config bc procps-ng util-linux bind-utils bsdtar createrepo_c device-mapper device-mapper-persistent-data e2fsprogs ethtool file findutils gcc git glib2-devel gpgme gpgme-devel hostname iptables jq krb5-devel libassuan libassuan-devel libseccomp-devel lsof make nmap-ncat openssl rsync socat systemd-devel tar tree wget which xfsprogs zip goversioninfo gettext python3 iproute rpm-build rpmdevtools selinux-policy-devel" && \
+ export ART_DNF_WRAPPER_POLICY=skip && \
 dnf install -y --nobest $INSTALL_PKGS && \
 dnf clean all && \
 touch /os-build-image && \
diff --git a/ci_images/rhel-9/ci-openshift-build-root/Dockerfile.previous b/ci_images/rhel-9/ci-openshift-build-root/Dockerfile.previous
deleted file mode 100644
index dfba028dcc..0000000000
--- a/ci_images/rhel-9/ci-openshift-build-root/Dockerfile.previous
+++ /dev/null
@@ -1,69 +0,0 @@
-FROM replaced_by_doozer
-
-# Used by builds scripts to detect whether they are running in the context
-# of OpenShift CI or elsewhere (e.g. brew).
-ENV OPENSHIFT_CI="true"
-
-ENV GO_COMPLIANCE_POLICY=exempt_all
-
-# Install, matching upstream k8s, protobuf-3.x, see:
-# https://github.com/kubernetes/kubernetes/blob/master/hack/lib/protoc.sh
-# and etcd, see:
-# https://github.com/kubernetes/kubernetes/blob/master/hack/lib/etcd.sh
-# for CI only testing.
-ENV PATH=/opt/google/protobuf/bin:$PATH
-
-# Note that GHPROXY requests will only pass certificate checks in brew if
-# SSL_CERT_FILE=/tmp/tls-ca-bundle.pem (the CA injected by brew which
-# trusts the RH certificate used by ocp-artifacts)
-ENV GHPROXY_PREFIX="https://ocp-artifacts.engineering.redhat.com/github"
-
-ADD ci_images/install_protoc.sh /tmp
-ADD ci_images/install_etcd.sh /tmp
-
-RUN set -euxo pipefail && \
- chmod +x /tmp/*.sh && \
- export SSL_CERT_FILE=`test -f /tmp/tls-ca-bundle.pem && echo /tmp/tls-ca-bundle.pem || echo /tmp/Current-IT-Root-CAs.pem` && cat $SSL_CERT_FILE && \
- /tmp/install_protoc.sh "23.4" && \
- /tmp/install_etcd.sh "3.5.10"
-
-RUN INSTALL_PKGS="glibc libatomic libsemanage annobin go-srpm-macros kernel-srpm-macros libstdc++ llvm-libs qt5-srpm-macros redhat-rpm-config bc procps-ng util-linux bind-utils bsdtar createrepo_c device-mapper device-mapper-persistent-data e2fsprogs ethtool file findutils gcc git glib2-devel gpgme gpgme-devel hostname iptables jq krb5-devel libassuan libassuan-devel libseccomp-devel lsof make nmap-ncat openssl rsync socat systemd-devel tar tree wget which xfsprogs zip goversioninfo gettext python3 iproute rpm-build rpmdevtools selinux-policy-devel" && \
- dnf install -y --nobest $INSTALL_PKGS && \
- dnf clean all && \
- touch /os-build-image && \
- git config --system user.name origin-release-container && \
- git config --system user.email origin-release@redhat.com
-
-# Notes:
-# - brew will not be able to access go modules outside RH, setting GOPROXY allows them to be sourced from ocp-artifacts
-# - brew will not be able to connect to https://sum.golang.org/ . GOSUMDB='off' disables this check.
-# - brew temporarily injects a trust store at /tmp/tls-ca-bundle.pem. Setting SSL_CERT_FILE allows go install to use it.
-# this is important because the system trust store does not trust Red Hat IT certificates.
-RUN export GOPROXY="https://ocp-artifacts.engineering.redhat.com/goproxy/" && \
- export GOSUMDB='off' && \
- export GOFLAGS='' && export GO111MODULE=on && \
- export SSL_CERT_FILE=`test -f /tmp/tls-ca-bundle.pem && echo /tmp/tls-ca-bundle.pem || echo /tmp/Current-IT-Root-CAs.pem` && cat $SSL_CERT_FILE && \
- go install golang.org/x/tools/cmd/goimports@v0.24.0 && \
- go install github.com/tools/godep@latest && \
- go install golang.org/x/lint/golint@latest && \
- go install gotest.tools/gotestsum@latest && \
- go install github.com/openshift/release/tools/gotest2junit@latest && \
- go install github.com/openshift/imagebuilder/cmd/imagebuilder@latest && \
- mv $GOPATH/bin/* /usr/bin/ && \
- rm -rf $GOPATH/* $GOPATH/.cache && \
- mkdir $GOPATH/bin && \
- mkdir -p /go/src/github.com/openshift/origin && \
- ln -s /usr/bin/imagebuilder $GOPATH/bin/imagebuilder && \
- ln -s /usr/bin/goimports $GOPATH/bin/goimports && \
- curl --fail -L -k $GHPROXY_PREFIX/golang/dep/releases/download/v0.5.4/dep-linux-amd64 > /usr/bin/dep && \
- chmod +x /usr/bin/dep
-
-# make go related directories writeable since builds in CI will run as non-root. go install
-# may have created new directories.
-RUN mkdir -p $GOPATH && \
- chmod g+xw -R $GOPATH && \
- chmod g+xw -R $(go env GOROOT)
-
-# Some image building tools don't create a missing WORKDIR
-RUN mkdir -p /go/src/github.com/openshift/origin
-WORKDIR /go/src/github.com/openshift/origin
diff --git a/images/ci-openshift-build-root-previous.rhel8.yml b/images/ci-openshift-build-root-previous.rhel8.yml
index 4bf7ee1c8c..0048a4fcbc 100644
--- a/images/ci-openshift-build-root-previous.rhel8.yml
+++ b/images/ci-openshift-build-root-previous.rhel8.yml
@@ -2,7 +2,7 @@ content:
 # set_build_variables is necessary in order to set CI_RPM_SVC (see .envs below) in the Dockerfile.
 set_build_variables: true
 source:
- dockerfile: ci_images/rhel-8/ci-openshift-build-root/Dockerfile.previous
+ dockerfile: ci_images/rhel-8/ci-openshift-build-root/Dockerfile
 git:
 branch:
 target: openshift-{MAJOR}.{MINOR}
diff --git a/images/ci-openshift-build-root-previous.rhel9.yml b/images/ci-openshift-build-root-previous.rhel9.yml
index 06158b6bec..7176a0123e 100644
--- a/images/ci-openshift-build-root-previous.rhel9.yml
+++ b/images/ci-openshift-build-root-previous.rhel9.yml
@@ -2,7 +2,7 @@ content:
 # set_build_variables is necessary in order to set CI_RPM_SVC (see .envs below) in the Dockerfile.
 set_build_variables: true
 source:
- dockerfile: ci_images/rhel-9/ci-openshift-build-root/Dockerfile.previous
+ dockerfile: ci_images/rhel-9/ci-openshift-build-root/Dockerfile
 git:
 branch:
 target: openshift-{MAJOR}.{MINOR}