Merge pull request red-hat-data-services#313 from VedantMahabaleshwarkar/eng-6506-rhoai

replace upstream Dockerfiles with ubi dockerfiles.

Author: israel-hdez

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.21 as builder
+FROM registry.access.redhat.com/ubi8/go-toolset:1.21 as builder
 
 # Copy in the go src
 WORKDIR /go/src/github.com/kserve/kserve
@@ -12,10 +12,17 @@ COPY cmd/    cmd/
 COPY pkg/    pkg/
 
 # Build
+USER root
 RUN CGO_ENABLED=0 GOOS=linux GOFLAGS=-mod=mod go build -a -o manager ./cmd/manager
 
-# Copy the controller-manager into a thin image
-FROM gcr.io/distroless/static:nonroot
+# Use distroless as minimal base image to package the manager binary
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+RUN microdnf install -y shadow-utils && \ 
+    microdnf clean all && \ 
+    useradd kserve -m -u 1000
+RUN microdnf remove -y shadow-utils
 COPY third_party/ /third_party/
 COPY --from=builder /go/src/github.com/kserve/kserve/manager /
-ENTRYPOINT ["/manager"]
+USER 1000:1000
+
+ENTRYPOINT ["/manager"]

agent.Dockerfile

@@ -1,5 +1,5 @@
 # Build the inference-agent binary
-FROM golang:1.21 as builder
+FROM registry.access.redhat.com/ubi8/go-toolset:1.21 as builder
 
 # Copy in the go src
 WORKDIR /go/src/github.com/kserve/kserve
@@ -11,11 +11,19 @@ COPY pkg/    pkg/
 COPY cmd/    cmd/
 
 # Build
+USER root
 RUN CGO_ENABLED=0 GOOS=linux GOFLAGS=-mod=mod go build -a -o agent ./cmd/agent
 
 # Copy the inference-agent into a thin image
-FROM gcr.io/distroless/static:nonroot
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+
+RUN microdnf install -y shadow-utils && \ 
+    microdnf clean all && \ 
+    useradd kserve -m -u 1000
+RUN microdnf remove -y shadow-utils
 COPY third_party/ third_party/
 WORKDIR /ko-app
 COPY --from=builder /go/src/github.com/kserve/kserve/agent /ko-app/
-ENTRYPOINT ["/ko-app/agent"]
+USER 1000:1000
+
+ENTRYPOINT ["/ko-app/agent"]

python/storage-initializer.Dockerfile

@@ -1,23 +1,22 @@
 ARG PYTHON_VERSION=3.9
-ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi
 ARG VENV_PATH=/prod_venv
 
-FROM ${BASE_IMAGE} as builder
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest as builder
+
+# Install Python and dependencies
+RUN microdnf install -y python39 python39-devel gcc libffi-devel openssl-devel krb5-workstation krb5-libs && microdnf clean all
 
 # Install Poetry
 ARG POETRY_HOME=/opt/poetry
 ARG POETRY_VERSION=1.7.1
 
-# Required for building packages for arm64 arch
-RUN yum -y update && yum -y install python39 python39-devel gcc
-
-RUN python3 -m venv ${POETRY_HOME} && ${POETRY_HOME}/bin/pip install poetry==${POETRY_VERSION}
+RUN python -m venv ${POETRY_HOME} && ${POETRY_HOME}/bin/pip install poetry==${POETRY_VERSION}
 ENV PATH="$PATH:${POETRY_HOME}/bin"
 
 # Activate virtual env
 ARG VENV_PATH
 ENV VIRTUAL_ENV=${VENV_PATH}
-RUN python3 -m venv $VIRTUAL_ENV
+RUN python -m venv $VIRTUAL_ENV
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
 # Addressing vulnerability scans by upgrading pip/setuptools
@@ -28,17 +27,11 @@ RUN cd kserve && poetry install --no-root --no-interaction --no-cache --extras "
 COPY kserve kserve
 RUN cd kserve && poetry install --no-interaction --no-cache --extras "storage"
 
-RUN yum -y update && yum install -y \
-    gcc \
-    krb5-devel \
-    && rm -rf /var/lib/apt/lists/*
-
 RUN pip install --no-cache-dir krbcontext==0.10 hdfs~=2.6.0 requests-kerberos==0.14.0
 # Fixes Quay alert GHSA-2jv5-9r88-3w3p https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
 RUN pip install --no-cache-dir starlette==0.36.2
 
-
-FROM registry.access.redhat.com/ubi8/ubi-minimal as prod
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest as prod
 
 COPY third_party third_party
 
@@ -47,8 +40,9 @@ ARG VENV_PATH
 ENV VIRTUAL_ENV=${VENV_PATH}
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
-RUN microdnf install python39 shadow-utils
-RUN adduser kserve -m -u 1000 -d /home/kserve
+RUN microdnf install -y shadow-utils python39 python39-devel && \
+    microdnf clean all
+RUN useradd kserve -m -u 1000 -d /home/kserve
 
 COPY --from=builder --chown=kserve:kserve $VIRTUAL_ENV $VIRTUAL_ENV
 COPY --from=builder kserve kserve

router.Dockerfile

@@ -1,5 +1,5 @@
 # Build the inference-router binary
-FROM golang:1.21 as builder
+FROM registry.access.redhat.com/ubi8/go-toolset:1.21 as builder
 
 # Copy in the go src
 WORKDIR /go/src/github.com/kserve/kserve
@@ -12,11 +12,18 @@ COPY pkg/    pkg/
 COPY cmd/    cmd/
 
 # Build
+USER root
 RUN CGO_ENABLED=0  go build -a -o router ./cmd/router
 
 # Copy the inference-router into a thin image
-FROM gcr.io/distroless/static:nonroot
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+RUN microdnf install -y shadow-utils && \ 
+    microdnf clean all && \ 
+    useradd kserve -m -u 1000
+RUN microdnf remove -y shadow-utils
 COPY third_party/ third_party/
 WORKDIR /ko-app
 COPY --from=builder /go/src/github.com/kserve/kserve/router /ko-app/
-ENTRYPOINT ["/ko-app/router"]
+USER 1000:1000
+
+ENTRYPOINT ["/ko-app/router"]