dockerfile: comment out iptables-wrapper

spotlesstofu · littlejawa · commit 1c56c07b22c5 · 2025-02-07T17:25:39.000+01:00
We don't need it on RHEL because we know the iptables mode we support, nft. The wrapper provides an easy way to support both "legacy" and "nft" modes when you don't know the system the container will run in. RHEL only supports nft, so there is no point in supporting legacy through the wrapper. See docs at https://github.com/kubernetes-sigs/iptables-wrappers
diff --git a/src/cloud-api-adaptor/Dockerfile.openshift b/src/cloud-api-adaptor/Dockerfile.openshift
@@ -19,9 +19,8 @@ USER root
 # the build process assumes go is under "/go", so let's make sure it works
 RUN ln -s /opt/app-root/src/go /go
 RUN go install github.com/mikefarah/yq/v4@$YQ_VERSION
-
 # This registering RHEL when building on an unsubscribed system
-# If you are running a UBI container on a registered and subscribed RHEL host, 
+# If you are running a UBI container on a registered and subscribed RHEL host,
 # the main RHEL Server repository is enabled inside the standard UBI container.
 RUN if command -v subscription-manager; then \
         REPO_ARCH=$(uname -m) && \
@@ -63,19 +62,19 @@ ENV BUILTIN_CLOUD_PROVIDERS="strictfipsruntime aws azure ibmcloud vsphere libvir
 ENV PATH=/opt/app-root/src/go/bin:$PATH
 RUN CC=gcc make ARCH=$TARGETARCH COMMIT=$COMMIT VERSION=$VERSION RELEASE_BUILD=$RELEASE_BUILD cloud-api-adaptor
 
-FROM builder-release AS iptables
-
+# FROM builder-release AS iptables
+#
 #ARG TARGETARCH
-
-WORKDIR /iptables
-ENV PATH=/opt/app-root/src/go/bin:$PATH
-RUN --mount=type=bind,target=/versions.yaml,source=cloud-api-adaptor/versions.yaml,readonly \
-    version=$(yq -r .tools.iptables-wrapper /versions.yaml) && \
-    GOARCH=$TARGETARCH go install "github.com/kubernetes-sigs/iptables-wrappers@$version" && \
-    shopt -s globstar && \
-    cp /go/bin/**/iptables-wrappers ./iptables-wrapper && \
-    curl -L -o iptables-wrapper-installer.sh "https://raw.githubusercontent.com/kubernetes-sigs/iptables-wrappers/${version#v*-*-}/iptables-wrapper-installer.sh" && \
-    chmod 755 iptables-wrapper-installer.sh
+#
+# WORKDIR /iptables
+# ENV PATH=/opt/app-root/src/go/bin:$PATH
+# RUN --mount=type=bind,target=/versions.yaml,source=cloud-api-adaptor/versions.yaml,readonly \
+#     version=$(yq -r .tools.iptables-wrapper /versions.yaml) && \
+#     GOARCH=$TARGETARCH go install "github.com/kubernetes-sigs/iptables-wrappers@$version" && \
+#     shopt -s globstar && \
+#     cp /go/bin/**/iptables-wrappers ./iptables-wrapper && \
+#     curl -L -o iptables-wrapper-installer.sh "https://raw.githubusercontent.com/kubernetes-sigs/iptables-wrappers/${version#v*-*-}/iptables-wrapper-installer.sh" && \
+#     chmod 755 iptables-wrapper-installer.sh
 
 FROM registry.access.redhat.com/ubi9/ubi:9.5 AS base-release
 USER root
@@ -87,10 +86,9 @@ RUN if command -v subscription-manager; then \
         dnf -y install 'dnf-command(config-manager)' && dnf config-manager --enable crb; \
     fi
 
-RUN dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -y
-RUN dnf install -y iptables iptables-legacy iptables-nft nftables && dnf clean all
-RUN --mount=type=cache,target=/iptables,from=iptables,source=/iptables,readonly \
-    cd /iptables && ./iptables-wrapper-installer.sh --no-sanity-check --no-cleanup
+RUN dnf install -y iptables iptables-nft nftables && dnf clean all
+# RUN --mount=type=cache,target=/iptables,from=iptables,source=/iptables,readonly \
+#     cd /iptables && ./iptables-wrapper-installer.sh --no-sanity-check --no-cleanup
 
 #FROM base-release AS base-dev
 RUN dnf install -y libvirt-libs /usr/bin/ssh && dnf clean all
