From 7b89f7e8ebc4b6feb16288f59e5351d44213768b Mon Sep 17 00:00:00 2001
From: Ship Help Bot
Date: Tue, 28 Apr 2026 19:19:24 +0000
Subject: [PATCH 1/2] ship-help-bot: Add Konflux build support for node image

Add dedicated Containerfile.konflux and konflux-build-node-image.sh for building the OCP node image via Konflux. These new files are fully independent of the existing Containerfile and build-node-image.sh, allowing both build paths to coexist on master without risk of breaking existing builds.

Key differences from the existing build path:
- Uses direct rpm-ostree install instead of treefile-apply
- Does not reference packages-openshift.yaml
- Embeds all postprocess steps inline in the build script
- No OPENSHIFT_CI conditional logic (Konflux handles repo injection)
- No OKD/CentOS-specific repo filtering

This is a follow-up to #1929 and is part of the effort tracked in ART-14453 to get node layer RHCOS builds to Konflux.

This is intended as a starting point for discussion. The Containerfile base image reference and other details will need to be refined as the Konflux build pipeline is set up.
---
 Containerfile.konflux | 23 +++++++
 konflux-build-node-image.sh | 124 ++++++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)
 create mode 100644 Containerfile.konflux
 create mode 100755 konflux-build-node-image.sh

diff --git a/Containerfile.konflux b/Containerfile.konflux
new file mode 100644
index 00000000..30dea5c2
--- /dev/null
+++ b/Containerfile.konflux
@@ -0,0 +1,23 @@
+# This builds the OCP node image on top of the base CoreOS image using
+# Konflux. Unlike the main `Containerfile`, this does not use
+# `packages-openshift.yaml` or `rpm-ostree treefile-apply`. Instead, the
+# package list and all postprocess steps are embedded directly in the
+# `konflux-build-node-image.sh` script.
+#
+# This file intentionally does not modify any existing build path — it can
+# coexist with `Containerfile` and `build-node-image.sh` on `master`.
+#
+# See also: https://github.com/openshift/os/pull/1929
+
+# TODO: Replace this with the appropriate base image reference for Konflux.
+# For now, use the same base as the main Containerfile.
+FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:c9s-coreos as build
+RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo /run/src/konflux-build-node-image.sh
+
+FROM build as metadata
+RUN --mount=type=bind,target=/run/src /run/src/scripts/generate-metadata
+
+FROM build
+COPY --from=metadata /usr/share/openshift /usr/share/openshift
+LABEL io.openshift.metalayer=true
+LABEL ostree.linux=true
diff --git a/konflux-build-node-image.sh b/konflux-build-node-image.sh
new file mode 100755
index 00000000..e0b9dc43
--- /dev/null
+++ b/konflux-build-node-image.sh
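Review bot: Both stage declarations, `FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:c9s-coreos as build` and `FROM build as metadata`, write the keyword as lowercase `as` next to an uppercase `FROM`; BuildKit's FromAsCasing build check flags that mismatch, so `AS` is the form to use. The first `RUN` keeps two `--mount` flags and the command on one line; splitting it with `\` continuations, one flag per line, keeps the secret mount visible at a glance in later diffs. The `c9s-coreos` tag is a moving reference, as the TODO above it already acknowledges; once the Konflux base image is settled, a digest-pinned `FROM` would make the node image build reproducible.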
@@ -0,0 +1,124 @@
+#!/bin/bash
+set -euxo pipefail
+
+# This script builds the OpenShift node image for Konflux builds.
+# It's called from `Containerfile.konflux`.
+#
+# Unlike `build-node-image.sh` (which uses rpm-ostree treefile-apply with
+# packages-openshift.yaml), this script uses direct rpm-ostree install and
+# embeds all postprocess steps inline. This keeps the Konflux build path
+# fully independent of the existing CI/Jenkins build path.
+#
+# See also: https://github.com/openshift/os/pull/1929
+
+# Avoid shipping modified .pyc files. Due to
+# https://github.com/ostreedev/ostree/issues/1469, any Python apps that
+# run (e.g. dnf) will cause pyc creation. We do this by backing them up and
+# restoring them at the end.
+find /usr -name '*.pyc' -exec mv {} {}.bak \;
+
+# Install the OCP packages. Repos are expected to be injected via
+# Konflux secrets/mounts in the Containerfile.
+rpm-ostree install \
+ cri-o cri-tools conmon-rs \
+ openshift-clients openshift-kubelet \
+ openvswitch3.5 \
+ NetworkManager-ovs \
+ ose-aws-ecr-image-credential-provider \
+ ose-azure-acr-image-credential-provider \
+ ose-gcp-gcr-image-credential-provider \
+ ose-crio-credential-provider
+
+# --- postprocess steps ---
+# These are migrated from the `postprocess` section of packages-openshift.yaml.
+# They must run after package installation.
+
+# Disable any built-in repos. We need to work in disconnected environments by
+# default, and default-enabled repos will be attempted to be fetched by
+# rpm-ostree when doing node-local kernel overrides today for e.g. kernel-rt.
+mkdir -p /etc/yum.repos.d
+for x in $(find /etc/yum.repos.d/ -name '*.repo'); do
+ # ignore repo files that are mountpoints since they're likely secrets
+ if ! mountpoint "$x"; then
+ sed -i -e 's/enabled\s*=\s*1/enabled=0/g' "$x"
+ fi
+done
+
+# Enable librhsm which enables host subscriptions to work in containers
+# https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
+ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
+ln -sr /run/secrets/rhsm /etc/rhsm-host
+
+# Manually modify SELinux booleans that are needed for OCP use cases
+semanage boolean --modify --on container_use_cephfs # RHBZ#1694045
+semanage boolean --modify --on virt_use_samba # RHBZ#1754825
+
+# https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
+# https://bugzilla.redhat.com/show_bug.cgi?id=1796537
+mkdir -p /usr/share/containers/oci/hooks.d
+
+# crio conmon symlink
+mkdir -p /usr/libexec/crio
+ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
+
+# Inject OpenShift-specific release fields
+# NOTE: The OCP version here should be kept in sync with the version used
+# in the branch-specific packages-openshift.yaml. For master, we use
+# the latest version.
+cat >> /usr/lib/os-release < /etc/motd < /usr/lib/tmpfiles.d/openshift.conf << EOF
+L /opt/cni - - - - ../../usr/lib/opt/cni
+d /var/lib/cni 0755 root root - -
+d /var/lib/cni/bin 0755 root root - -
+d /var/lib/containers 0755 root root - -
+d /var/lib/openvswitch 0755 root root - -
+d /var/lib/openvswitch/pki 0755 root root - -
+d /var/log/openvswitch 0750 openvswitch hugetlbfs - -
+d /var/lib/unbound 0755 unbound unbound - -
+EOF
+fi
+
+# --- end postprocess steps ---
+
+# Cleanup any repo files we injected
+rm -f /etc/yum.repos.d/{ocp,git,okd,secret}.repo
+
+# Restore .pyc files
+find /usr -name '*.pyc.bak' -exec sh -c 'mv $1 ${1%.bak}' _ {} \;
+
+# Commit the ostree changes
+ostree container commit
From 256ce776773461f49af510b7735832a908fefffe Mon Sep 17 00:00:00 2001
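Review bot: The cleanup step near the end, `rm -f /etc/yum.repos.d/{ocp,git,okd,secret}.repo`, lists `secret.repo`, which the Containerfile mounts into this same `RUN` as a BuildKit secret; unlinking a file that is still a mount point fails with EBUSY, so when the yumrepos secret is supplied that `rm` should exit non-zero and `set -e` would abort the build at the very last step instead of cleaning up. The repo-disabling loop earlier in the script already treats mount points as secrets and skips them, and the same guard keeps the two steps consistent: `for f in /etc/yum.repos.d/{ocp,git,okd,secret}.repo; do` / `    if [ -e "$f" ] && ! mountpoint -q "$f"; then rm -f "$f"; fi` / `done`. Separately, `for x in $(find /etc/yum.repos.d/ -name '*.repo'); do` word-splits find's output (ShellCheck SC2044); `find /etc/yum.repos.d/ -name '*.repo' -print0 | while IFS= read -r -d '' x; do` iterates the same files safely. The heredoc bodies after `cat >> /usr/lib/os-release` and `cat > /etc/motd`, and the `if` that the later `fi` closes, did not survive rendering on this page, so that part of the script could not be reviewed here.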
From: Ship Help Bot
Date: Tue, 28 Apr 2026 19:45:52 +0000
Subject: [PATCH 2/2] ship-help-bot: Update OPENSHIFT_VERSION to 4.23

Apply review suggestion from PR #1932.
---
 konflux-build-node-image.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/konflux-build-node-image.sh b/konflux-build-node-image.sh
index e0b9dc43..5439c117 100755
--- a/konflux-build-node-image.sh
+++ b/konflux-build-node-image.sh
@@ -66,7 +66,7 @@ ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
 # in the branch-specific packages-openshift.yaml. For master, we use
 # the latest version.
 cat >> /usr/lib/os-release <