Add Red Hat UBI image

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

.github/workflows/push-ubi.yml

@@ -0,0 +1,65 @@
+name: push-ubi
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  CONTROLLER: ${{ github.event.repository.name }}
+
+jobs:
+  flux-push:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for pushing and signing container images.
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Prepare
+        id: prep
+        run: |
+          RELEASE=$(gh release view --json tagName -q '.tagName')
+          echo "VERSION=${RELEASE}" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: |
+            ghcr.io/controlplaneio-fluxcd/${{ env.CONTROLLER }}
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}-ubi
+      - name: Publish images
+        id: build-push
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
+        with:
+          sbom: true
+          provenance: true
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          file: ./config/olm/build/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: "VERSION=${{ steps.prep.outputs.VERSION }}"
+      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - name: Sign images
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign --yes ghcr.io/controlplaneio-fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}

Makefile

@@ -110,6 +110,9 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform
 	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
 	- $(CONTAINER_TOOL) buildx rm flux-operator-builder
 
+docker-build-ubi: ## Build docker image with the manager using UBI base image.
+	$(CONTAINER_TOOL) build -t ${IMG}-ubi --build-arg VERSION=$(FLUX_OPERATOR_VERSION) -f config/olm/build/Dockerfile .
+
 .PHONY: build-installer
 build-installer: manifests generate kustomize ## Generate a consolidated YAML with CRDs and deployment.
 	mkdir -p dist

config/olm/build/Dockerfile

@@ -0,0 +1,26 @@
+ARG VERSION
+
+FROM --platform=${BUILDPLATFORM} ghcr.io/controlplaneio-fluxcd/flux-operator:${VERSION} AS distroless
+FROM --platform=${BUILDPLATFORM} registry.access.redhat.com/ubi8/ubi-minimal
+
+### Required OpenShift Labels
+LABEL name="flux-operator" \
+      vendor="ControlPlane" \
+      version="${VERSION}" \
+      release="1" \
+      summary="This is the flux-operator image." \
+      description="This image contains the operator of ControlPlane Enterprise for Flux."
+
+WORKDIR /
+
+# Copy the license.
+COPY LICENSE /licenses/LICENSE.txt
+
+# Copy the manifests data.
+COPY config/data/ /data/
+
+# Copy the operator binary.
+COPY --from=distroless flux-operator .
+
+# Run the operator as the default user.
+ENTRYPOINT ["/flux-operator"]