feat: Replace podmand with oras in backup container

Signed-off-by: Ales Raszka <[email protected]>

Author: Allda

apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go

@@ -81,6 +81,10 @@ type RegistryConfig struct {
 	// type kubernetes.io/dockerconfigjson
 	// +kubebuilder:validation:Optional
 	AuthSecret string `json:"authSecret,omitempty"`
+
+	// ExtraArgs are additional arguments passed to the oras CLI
+	// +kubebuilder:validation:Optional
+	ExtraArgs string `json:"extraArgs,omitempty"`
 }
 
 type BackupCronJobConfig struct {

controllers/backupcronjob/backupcronjob_controller.go

@@ -365,9 +365,10 @@ func (r *BackupCronJobReconciler) createBackupJob(
 									Value: "/workspace/" + workspacePath,
 								},
 								{Name: "DEVWORKSPACE_BACKUP_REGISTRY", Value: backUpConfig.Registry.Path},
-								{Name: "PODMAN_PUSH_OPTIONS", Value: "--tls-verify=false"},
+								{Name: "ORAS_EXTRA_ARGS", Value: backUpConfig.Registry.ExtraArgs},
 							},
-							Image: images.GetProjectBackupImage(),
+							Image:           images.GetProjectBackupImage(),
+							ImagePullPolicy: "Always",
 							Args: []string{
 								"/workspace-recovery.sh",
 								"--backup",
@@ -383,7 +384,7 @@ func (r *BackupCronJobReconciler) createBackupJob(
 								},
 							},
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: ptr.To[int64](1000),
+								AllowPrivilegeEscalation: ptr.To[bool](false),
 							},
 						},
 					},
@@ -422,12 +423,12 @@ func (r *BackupCronJobReconciler) createBackupJob(
 		})
 		job.Spec.Template.Spec.Containers[0].VolumeMounts = append(job.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
 			Name:      "registry-auth-secret",
-			MountPath: "/home/podman/.docker",
+			MountPath: "/tmp/.docker",
 			ReadOnly:  true,
 		})
 		job.Spec.Template.Spec.Containers[0].Env = append(job.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
 			Name:  "REGISTRY_AUTH_FILE",
-			Value: "/home/podman/.docker/.dockerconfigjson",
+			Value: "/tmp/.docker/.dockerconfigjson",
 		})
 
 	}

deploy/bundle/manifests/controller.devfile.io_devworkspaceoperatorconfigs.yaml

@@ -1,13 +1,21 @@
-FROM quay.io/podman/stable:latest
+FROM quay.io/konflux-ci/oras:3d83c68 AS oras
+FROM registry.access.redhat.com/ubi10/ubi@sha256:8405dd7146117f019670429f93ce044f0839f47ff81ec45bb53cf528f1f6ce11
 
-RUN set -e && \
-  dnf update -y && \
+LABEL project="devworkspace-operator"
+
+RUN dnf update -y && \
   dnf clean all
 
-COPY --chown=1000:1000 entrypoint.sh /
-COPY --chown=1000:1000 workspace-recovery.sh /
+RUN useradd -u 1000 -g 0 -m oras && \
+  mkdir -p /home/oras/ && \
+  chown -R oras:0 /home/oras
+
+COPY --chown=1000:0 entrypoint.sh /
+COPY --chown=1000:0 workspace-recovery.sh /
 
 RUN chmod +x /entrypoint.sh ; \
   chmod +x /workspace-recovery.sh
 
+COPY --from=oras /usr/bin/oras /usr/bin/oras
+
 ENTRYPOINT ["/entrypoint.sh"]

deploy/deployment/kubernetes/combined.yaml

@@ -4,4 +4,3 @@ set -x
 set -e
 
 exec "$@"
-