(actions): Fix Ansible-Operator base image build problems due to `cry…

…ptography` package (#6348) * revert recent ansible-operator changes including the base.Dockerfile and repinning cryptography to v3.3.2 to fix image build issues that are blocking releases && CI * update changelog * update changelog * fix typo in pipfile * update Pipfile.lock * disregard a CVE for now * disregard a CVE for now * try this * disregard all cryptography CVEs for now * disregard all cryptography CVEs for now * missed one Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
operator-framework · Mar 6, 2023 · 9d2f672 · 9d2f672
1 parent 93ed65f
commit 9d2f672
Show file tree

Hide file tree

Showing 7 changed files with 255 additions and 333 deletions.
diff --git a/...log/fragments/01-ansible-image-fixes.yaml → changelog/fragments/04-ansible-revert.yaml b/...log/fragments/01-ansible-image-fixes.yaml → changelog/fragments/04-ansible-revert.yaml
@@ -2,16 +2,16 @@
 # release notes and/or the migration guide
 entries:
   - description: >
-     For ansible operators: fix a bug where the quay.io/operator-framework/ansible-operator image did not
-     include the cryptography package on ppc64le & s390x architectures.
+      (ansible): Revert the cryptography package unpinning and repin to v3.3.2
 
     # kind is one of:
     # - addition
     # - change
     # - deprecation
     # - removal
     # - bugfix
-    kind: "bugfix"
+    kind: "change"
 
     # Is this a breaking change?
     breaking: false
+
diff --git a/images/ansible-operator-2.11-preview/Pipfile b/images/ansible-operator-2.11-preview/Pipfile
@@ -9,7 +9,7 @@ ansible-runner-http = "==1.0.0"
 ipaddress = "==1.0.23"
 openshift = "~=0.13.0"
 jmespath = "==0.10.0"
-cryptography = "*"
+cryptography = "==3.3.2"
 ansible-core = "~=2.11.0"
 oauthlib = "==3.2.1"
 

diff --git a/images/ansible-operator-2.11-preview/Pipfile.lock b/images/ansible-operator-2.11-preview/Pipfile.lock
diff --git a/images/ansible-operator-2.11-preview/base.Dockerfile b/images/ansible-operator-2.11-preview/base.Dockerfile
@@ -2,12 +2,19 @@
 # It is built with dependencies that take a while to download, thus speeding
 # up ansible deploy jobs.
 
-FROM registry.access.redhat.com/ubi8/ubi:8.7 AS builder
+FROM registry.access.redhat.com/ubi8/ubi:8.7
+ARG TARGETARCH
+
+# Label this image with the repo and commit that built it, for freshmaking purposes.
+ARG GIT_COMMIT=devel
+LABEL git_commit=$GIT_COMMIT
+
+RUN mkdir -p /etc/ansible \
+  && echo "localhost ansible_connection=local" > /etc/ansible/hosts \
+  && echo '[defaults]' > /etc/ansible/ansible.cfg \
+  && echo 'roles_path = /opt/ansible/roles' >> /etc/ansible/ansible.cfg \
+  && echo 'library = /usr/share/ansible/openshift' >> /etc/ansible/ansible.cfg
 
-# Install Rust so that we can ensure backwards compatibility with installing/building the cryptography wheel across all platforms
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-ENV PATH="/root/.cargo/bin:${PATH}"
-RUN rustc --version
 
 # Copy python dependencies (including ansible) to be installed using Pipenv
 COPY Pipfile* ./
@@ -23,38 +30,14 @@ ENV PIP_NO_CACHE_DIR=1 \
 RUN set -e && yum clean all && rm -rf /var/cache/yum/* \
   && yum update -y \
   && yum install -y libffi-devel openssl-devel python38-devel gcc python38-pip python38-setuptools \
-  && pip3 install --upgrade pip~=23.0.1 \
-  && pip3 install pipenv==2023.2.18 \
+  && pip3 install --upgrade pip~=21.1.0 \
+  && pip3 install pipenv==2022.1.8 \
   && pipenv install --deploy \
-  && pipenv check  -i 42926 -i 42923 -i 45114 \
+  && pipenv check -i 45114 -i 53304 -i 53303 -i 53302 -i 53299 -i 53298 -i 53301 -i 53306 -i 53307 -i 53305 -i 53048 \
   && yum remove -y gcc libffi-devel openssl-devel python38-devel \
   && yum clean all \
   && rm -rf /var/cache/yum
 
-FROM registry.access.redhat.com/ubi8/ubi:8.7
-ARG TARGETARCH
-
-# Label this image with the repo and commit that built it, for freshmaking purposes.
-ARG GIT_COMMIT=devel
-LABEL git_commit=$GIT_COMMIT
-
-RUN mkdir -p /etc/ansible \
-  && echo "localhost ansible_connection=local" > /etc/ansible/hosts \
-  && echo '[defaults]' > /etc/ansible/ansible.cfg \
-  && echo 'roles_path = /opt/ansible/roles' >> /etc/ansible/ansible.cfg \
-  && echo 'library = /usr/share/ansible/openshift' >> /etc/ansible/ansible.cfg
-
-RUN set -e && yum clean all && rm -rf /var/cache/yum/* \
-  && yum update -y \
-  && yum install -y python38-pip python38-setuptools \
-  && pip3 install --upgrade pip~=23.0.1 \
-  && pip3 install pipenv==2023.2.18 \
-  && yum clean all \
-  && rm -rf /var/cache/yum
-
-COPY --from=builder /usr/local/lib64/python3.8/site-packages /usr/local/lib64/python3.8/site-packages
-COPY --from=builder /usr/local/lib/python3.8/site-packages /usr/local/lib/python3.8/site-packages
-
 ENV TINI_VERSION=v0.19.0
 RUN curl -L -o /tini https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-${TARGETARCH} \
-  && chmod +x /tini && /tini --version
+  && chmod +x /tini && /tini --version
diff --git a/images/ansible-operator/Pipfile b/images/ansible-operator/Pipfile
@@ -10,7 +10,7 @@ ipaddress = "==1.0.23"
 openshift = "~=0.13.0"
 ansible = "~=2.9.15"
 jmespath = "==0.10.0"
-cryptography = "*"
+cryptography = "==3.3.2"
 oauthlib = "==3.2.1"
 
 [dev-packages]