From 995887090812ca0a91e64b9b9e5d5b85a69a18ac Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 16 Dec 2024 16:43:19 -0600
Subject: [PATCH] Add Konflux container file for content builds

Add a containerfile so we can configure Konflux to build the compliance content for the Compliance Operator.
---
 ...nce-operator-content-konflux.Containerfile | 102 ++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 Dockerfiles/compliance-operator-content-konflux.Containerfile

diff --git a/Dockerfiles/compliance-operator-content-konflux.Containerfile b/Dockerfiles/compliance-operator-content-konflux.Containerfile
new file mode 100644
index 00000000000..d5db7be5531
--- /dev/null
+++ b/Dockerfiles/compliance-operator-content-konflux.Containerfile
@@ -0,0 +1,102 @@
+FROM registry.redhat.io/ubi9/ubi:latest
+
+RUN yum -y update
+RUN yum -y install wget
+WORKDIR /tmp
+RUN wget http://download.eng.bos.redhat.com/brewroot/packages/openscap/1.3.4/4.el9/data/signed/fd431d51/$(uname -m)/openscap-1.3.4-4.el9.$(uname -m).rpm
+RUN wget http://download.eng.bos.redhat.com/brewroot/packages/openscap/1.3.4/4.el9/data/signed/fd431d51/$(uname -m)/openscap-utils-1.3.4-4.el9.$(uname -m).rpm
+RUN wget http://download.eng.bos.redhat.com/brewroot/packages/openscap/1.3.4/4.el9/data/signed/fd431d51/$(uname -m)/openscap-scanner-1.3.4-4.el9.$(uname -m).rpm
+RUN yum -y install python3 cmake make python3-pyyaml python3-jinja2
+RUN yum localinstall -y openscap-1.3.4-4.el9.$(uname -m).rpm openscap-utils-1.3.4-4.el9.$(uname -m).rpm openscap-scanner-1.3.4-4.el9.$(uname -m).rpm
+
+COPY . .
+
+WORKDIR /tmp/content
+
+# Disable all profiles so we don't accidentally ship a profile we don't intend to ship
+RUN find . -name "*.profile" -exec sed -i 's/\(documentation_complete: \).*/\1false/' '{}' \;
+# Enable the default.profiles as they maintain a list rules to be added to the datastream
+RUN find . -name "default\.profile" -exec sed -i 's/\(documentation_complete: \).*/\1true/' '{}' \;
+
+# Choose profile to enable for all architectures
+RUN sed -i 's/\(documentation_complete: \).*/\1true/' \
+ products/ocp4/profiles/pci-dss-node-3-2.profile \
+ products/ocp4/profiles/pci-dss-3-2.profile \
+ products/ocp4/profiles/pci-dss-node-4-0.profile \
+ products/ocp4/profiles/pci-dss-4-0.profile \
+ products/ocp4/profiles/pci-dss-node.profile \
+ products/ocp4/profiles/pci-dss.profile \
+ products/ocp4/profiles/cis-node.profile \
+ products/ocp4/profiles/cis.profile \
+ products/ocp4/profiles/cis-node-1-4.profile \
+ products/ocp4/profiles/cis-1-4.profile \
+ products/ocp4/profiles/cis-node-1-5.profile \
+ products/ocp4/profiles/cis-1-5.profile \
+ products/ocp4/profiles/moderate-node.profile \
+ products/ocp4/profiles/moderate.profile \
+ products/ocp4/profiles/moderate-node-rev-4.profile \
+ products/ocp4/profiles/moderate-rev-4.profile
+
+# Only enable for x86_64
+RUN if [ "$(uname -m)" = "x86_64" ]; then \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/e8.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/high.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/high-node.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/high-rev-4.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/high-node-rev-4.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/nerc-cip.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/nerc-cip-node.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/moderate.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/high.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/moderate-rev-4.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/high-rev-4.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/e8.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/nerc-cip.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/pci-dss-node.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/pci-dss.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/pci-dss-node-3-2.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/pci-dss-3-2.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig-node.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/stig.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig-v1r1.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig-node-v1r1.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/stig-v1r1.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig-v2r1.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig-node-v2r1.profile && \
+ sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/stig-v2r1.profile; \
+ fi
+
+# OCPBUGS-32794: Ensure stability of rules shipped
+# Before building the content we re-enable all profiles as hidden, this will include any rule selected
+# by these profiles in the data stream without creating a profile for them.
+RUN grep -lr 'documentation_complete: false' ./products | xargs -I '{}' \
+ sed -i -e 's/\(documentation_complete: \).*/\1true/' -e '/documentation_complete/a hidden: true' {}
+
+# Build the OpenShift and RHCOS content for x86 architectures. Only build
+# OpenShift content for ppc64le and s390x architectures.
+RUN if [ "$(uname -m)" = "x86_64" ]; then \
+ ./build_product ocp4 rhcos4 --datastream-only; \
+ else ./build_product ocp4 --datastream-only; \
+ fi
+
+FROM registry.redhat.io/ubi9/ubi-minimal:latest
+
+RUN microdnf -y update glibc
+
+LABEL \
+ io.k8s.display-name="Compliance Content" \
+ io.k8s.description="OpenSCAP content for the compliance-operator." \
+ io.openshift.tags="openshift,compliance,security" \
+ com.redhat.delivery.appregistry="false" \
+ maintainer="Red Hat ISC " \
+ License="GPLv2+" \
+ name="openshift-compliance-content" \
+ com.redhat.component="openshift-compliance-content-container" \
+ io.openshift.maintainer.product="OpenShift Container Platform" \
+ io.openshift.maintainer.component="Compliance Operator"
+ # Implement this using Konflux dynamic labels
+ # version=1.6.1-dev
+
+WORKDIR /
+COPY --from=builder /tmp/content/build/ssg-*-ds.xml .
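Review bot: The final `COPY --from=builder /tmp/content/build/ssg-*-ds.xml .` names a stage called `builder`, but the first stage is declared as plain `FROM registry.redhat.io/ubi9/ubi:latest` with no `AS builder`, so the build will try to resolve `builder` as an external image rather than the stage that produced the datastreams; the fix is `FROM registry.redhat.io/ubi9/ubi:latest AS builder`. Separately, the three `RUN wget http://download.eng.bos.redhat.com/...` lines fetch RPMs over plain HTTP with no checksum, and `yum localinstall` only rejects a tampered package if local-package GPG checking is enabled, which this file does not configure; recording a sha256 per RPM and running `sha256sum -c` before `localinstall`, or installing the pinned NVR from a repository, would make the content build tamper-evident. Both `FROM` lines also use `:latest`, so two builds of the same commit can produce different content images; pinning a tag or digest keeps the shipped datastreams reproducible.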