Prepare oadp-cli for Konflux onboarding into OADP 1.6

[Joeavaikath]

Summary

• Rename konflux.Containerfile.download to konflux.Dockerfile to match ocp-build-data expectations and align with the standard OADP Konflux build pattern
• Fix FIPS flags: move GOEXPERIMENT=strictfipsruntime from global ENV to only the download-server build, keeping CLI archives as CGO_ENABLED=0 for cross-platform portability (darwin/windows)
• Change -mod=mod to -mod=readonly for hermetic Konflux builds
• Add comprehensive onboarding documentation (docs/konflux-onboarding.md) covering the end-to-end process for adding new components to the OADP Konflux pipeline

Why

oadp-cli needs to be added to the OADP 1.6 release stream. The existing konflux.Containerfile.download had several issues that would cause failures in Konflux's hermetic build environment:

• Wrong filename (ocp-build-data expects konflux.Dockerfile)
• -mod=mod fails when network is blocked during hermetic builds
• Global GOEXPERIMENT=strictfipsruntime would leak into cross-compilation of CLI archives and break darwin/windows builds

Note: CLI archives are served as file downloads — they run on user machines outside the FIPS boundary. Only the download-server binary (running in-cluster on RHEL) requires FIPS compliance.

Test plan

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation

  • Added comprehensive onboarding guide for integrating OADP image components into the Konflux build/release pipeline.

• Refactor

  • Updated Dockerfile build configuration with refined FIPS compliance settings.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR adds a comprehensive onboarding guide for integrating OADP image components into the Konflux build/release pipeline and updates the download-server Dockerfile to use readonly module mode with inline FIPS configuration instead of global environment variables.

Changes

Cohort / File(s)	Summary
Documentation docs/konflux-onboarding.md	New end-to-end walkthrough covering OADP component onboarding to Konflux, including source repo mirroring, build configuration in ocp-build-data, delivery repo setup, operator bundle integration, and required artifacts/configurations.
Build Configuration konflux.Dockerfile	Updated cachi2 dependency comments, moved GOEXPERIMENT=strictfipsruntime from global ENV to inline for download-server build, and switched Go build from -mod=mod to -mod=readonly mode.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Redesign download server UI and add Konflux Containerfile #158: Modifies Konflux build configuration for download-server binary with similar build command and FIPS-related Go flag changes.

Suggested labels

approved, lgtm

Suggested reviewers

• kaovilai
• mpryc
• shubham-pampattiwar

Poem

🐰 Welcome to Konflux, dear OADP friend,
We've charted the path from beginning to end,
With cachi2 and modules, all set to readonly,
FIPS flags nested just so, building hermetically,
Onboard with confidence, your pipeline flows free! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The pull request description lacks the required structure. It provides a summary and reasoning but is missing the 'How to test the changes made' section from the template.	Add a 'How to test the changes made' section to the pull request description with concrete testing instructions and verification steps.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and specifically relates to the main objective of preparing oadp-cli for Konflux onboarding into OADP 1.6, which is the core purpose of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

docs/konflux-onboarding.md (3)

198-202: Add language specifier to fenced code block.

The directory tree should have a language specifier to satisfy linting rules.

📝 Proposed fix

-```
+```text
 ocp-build-data/
   oadp-1.5/          <-- all OADP 1.5 components
   oadp-1.6/          <-- all OADP 1.6 components

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/konflux-onboarding.md around lines 198 - 202, The fenced code block
showing the directory tree in konflux-onboarding.md lacks a language specifier;
update that fenced block (the triple-backtick block containing "ocp-build-data/"
and the oadp-1.5/ and oadp-1.6/ lines) to include a language tag such as "text"
(e.g., change totext) so the linter recognizes the block type.

</details>

---

`9-27`: **Add language specifier to fenced code block.**

The ASCII diagram should have a language specifier to satisfy linting rules. Use `text` for plain text diagrams.

<details>
<summary>📝 Proposed fix</summary>

```diff
-```
+```text
 Source repo (migtools/oadp-cli)
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/konflux-onboarding.md around lines 9 - 27, In the fenced ASCII diagram
in docs/konflux-onboarding.md, add the language specifier text to the opening
triple-backtick so the block becomes a `````text` fenced code block; locate the
diagram block (the triple-backtick block containing "Source repo
(migtools/oadp-cli)" through "Stage / Prod registries") and update the opening
fence accordingly to satisfy the linter.

</details>

---

`66-89`: **Template Dockerfile inconsistent with actual `konflux.Dockerfile`.**

The template shows `GOEXPERIMENT=strictfipsruntime` as a global `ENV` (line 72), but the actual `konflux.Dockerfile` in this PR applies it inline only for the download-server build. This inconsistency could confuse users who reference this documentation.

Consider updating the template to show the inline pattern, or add a note explaining that the global `ENV` approach is the standard pattern for single-binary builds, while multi-artifact builds (like oadp-cli) may need selective application.

<details>
<summary>📝 Option 1: Add clarifying note</summary>

```diff
 Key requirements:
 - **Builder image:** `brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25`
 - **FIPS compliance:** `CGO_ENABLED=1`, `GOEXPERIMENT=strictfipsruntime`, `-tags strictfipsruntime`
+  - For builds producing multiple artifacts where only some require FIPS (e.g., in-cluster server vs. cross-platform CLI), apply `GOEXPERIMENT` inline to specific `RUN` commands rather than globally.
 - **Build flags:** `-mod=readonly` (hermetic builds don't allow network fetches)
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@docs/konflux-onboarding.md` around lines 66 - 89, The documentation
Dockerfile shows GOEXPERIMENT=strictfipsruntime set as a global ENV, but the
actual konflux.Dockerfile applies GOEXPERIMENT inline only for the
download-server build; update docs to match reality by either changing the
template to use the inline pattern for builds (as done for the download-server
in konflux.Dockerfile) or add a brief clarifying note that GOEXPERIMENT as a
global ENV is appropriate for single-binary builds while multi-artifact projects
(e.g., oadp-cli) should apply GOEXPERIMENT selectively per build step; reference
GOEXPERIMENT, konflux.Dockerfile, download-server, and oadp-cli in the note so
readers can find the relevant examples.
```

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @docs/konflux-onboarding.md:

• Around line 198-202: The fenced code block showing the directory tree in
  konflux-onboarding.md lacks a language specifier; update that fenced block (the
  triple-backtick block containing "ocp-build-data/" and the oadp-1.5/ and
  oadp-1.6/ lines) to include a language tag such as "text" (e.g., change ``` to

- Around line 9-27: In the fenced ASCII diagram in docs/konflux-onboarding.md,
add the language specifier `text` to the opening triple-backtick so the block
becomes a `````text` fenced code block; locate the diagram block (the
triple-backtick block containing "Source repo (migtools/oadp-cli)" through
"Stage / Prod registries") and update the opening fence accordingly to satisfy
the linter.
- Around line 66-89: The documentation Dockerfile shows
GOEXPERIMENT=strictfipsruntime set as a global ENV, but the actual
konflux.Dockerfile applies GOEXPERIMENT inline only for the download-server
build; update docs to match reality by either changing the template to use the
inline pattern for builds (as done for the download-server in
konflux.Dockerfile) or add a brief clarifying note that GOEXPERIMENT as a global
ENV is appropriate for single-binary builds while multi-artifact projects (e.g.,
oadp-cli) should apply GOEXPERIMENT selectively per build step; reference
GOEXPERIMENT, konflux.Dockerfile, download-server, and oadp-cli in the note so
readers can find the relevant examples.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8fe53acf-a38f-47ee-ad63-6f3727fd4877

📥 Commits

Reviewing files that changed from the base of the PR and between 9b3b53f and c729d39.

📒 Files selected for processing (2)

• docs/konflux-onboarding.md
• konflux.Dockerfile

[mpryc]

/lgtm

[mpryc]

/cherry-pick oadp-1.6

[openshift-cherrypick-robot]

@mpryc: once the present PR merges, I will cherry-pick it on top of oadp-1.6 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick oadp-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Joeavaikath, kaovilai, mpryc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Joeavaikath,kaovilai,mpryc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-cherrypick-robot]

@mpryc: new pull request created: #172

Details

In response to this:

/cherry-pick oadp-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.