
[ROSAENG-973] chore: change Dockerfile to use harden images #947

Open

feichashao wants to merge 2 commits into openshift:main from feichashao:ROSAENG-973

Conversation

@feichashao
Contributor

@feichashao feichashao commented May 26, 2026

What type of PR is this?

  • fix (Bug Fix)
  • feat (New Feature)
  • docs (Documentation)
  • test (Test Coverage)
  • chore (Clean Up / Maintenance Tasks)
  • other (Anything that doesn't fit the above)

What this PR does / Why we need it?

Change the Dockerfile to use Red Hat Hardened Images, which provide the latest upstream Go version.

When updating the Go version for backplane-cli in go.mod, the repo will need to pass CI. One CI step is to build the Dockerfile, so we need to have the latest version for it to build.

Which Jira/Github issue(s) does this PR fix?

  • Related Issue #
  • Closes #

Special notes for your reviewer

Unit Test Coverage

Guidelines

  • If it's a new sub-command or new function to an existing sub-command, please cover at least 50% of the code
  • If it's a bug fix for an existing sub-command, please cover 70% of the code

Test coverage checks

  • Added unit tests
  • Created jira card to add unit test
  • This PR may not need unit tests

Pre-checks (if applicable)

  • Ran unit tests locally
  • Validated the changes in a cluster
  • Included documentation changes with PR
  • Backward compatible

/label tide/merge-method-squash

Summary by CodeRabbit

  • Chores
    • Updated build infrastructure to use a FIPS-compliant builder image and standardized dependency installation via the system package manager.
    • Consolidated multi-stage build steps to align builder stages and streamline tooling setup, improving reproducibility and security.

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 26, 2026
@coderabbitai

coderabbitai Bot commented May 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3750c783-b8fd-4956-9265-f27b142dd38f

📥 Commits

Reviewing files that changed from the base of the PR and between 573f436 and 8788ad5.

📒 Files selected for processing (1)
  • Dockerfile

Walkthrough

The Dockerfile’s multi-stage build is consolidated to use a single FIPS base image (registry.access.redhat.com/hi/go:1.25-fips-builder) for all builder stages, and package/tool installs are standardized to dnf (removing curl-downloaded jq).

Changes

Builder image and package manager standardization

Layer | File(s) | Summary
Base and bp-cli-builder stage consolidation | Dockerfile | Base stage switched to registry.access.redhat.com/hi/go:1.25-fips-builder with dnf package management for jq installation; bp-cli-builder stage rebased onto the same image.
Dep-builder and dependency tooling consolidation | Dockerfile | Dep-builder stage rebased to registry.access.redhat.com/hi/go:1.25-fips-builder; dependency tooling installation changed from the curl-downloaded jq binary to dnf install of gawk jq tar which gzip, followed by dnf clean all.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main change: updating the Dockerfile to use hardened images instead of previous builder images.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

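The walkthrough above describes three properties the change establishes: every builder stage sits on the hardened image path, jq comes from dnf rather than a curl download, and the install layer is followed by dnf clean all. As an added example (not code from this PR or from the backplane-cli project), here is a small Python policy check that encodes those properties and runs over two Dockerfiles constructed for illustration. Only the hardened image path and the dnf package list are taken from the page; the pre-change image name, the jq download URL, the stage layout and the rule names are assumptions.

```python
"""Dockerfile policy check for the pattern adopted in this PR.

Added example, not code from backplane-cli. It flags three things the
change removes: builder stages not based on the hardened image path,
binaries fetched with curl/wget instead of dnf, and dnf installs that
leave the package cache behind (the CodeRabbit nitpick).
"""
import re
from dataclasses import dataclass

# Registry path of the hardened builder images used in the PR.
HARDENED_PREFIX = "registry.access.redhat.com/hi/"

# Constructed 'before': the pre-change image name and jq URL are assumptions.
BEFORE = """\
FROM docker.io/library/golang:1.24 AS base
RUN curl -sSL https://jq.invalid/jq-linux64 -o /usr/local/bin/jq \\
    && chmod +x /usr/local/bin/jq
FROM base AS bp-cli-builder
COPY . /src
RUN cd /src && go build -o /out/backplane-cli .
"""

# Constructed 'after', modelled on the walkthrough: the stage layout is an assumption.
AFTER = """\
FROM registry.access.redhat.com/hi/go:1.25-fips-builder AS base
RUN dnf --assumeyes install jq \\
    && dnf clean all
FROM registry.access.redhat.com/hi/go:1.25-fips-builder AS dep-builder
RUN dnf --assumeyes install gawk jq tar which gzip \\
    && dnf clean all
FROM base AS bp-cli-builder
COPY --from=dep-builder /out /out
"""


@dataclass
class Finding:
    line: int     # Dockerfile line where the offending instruction starts
    rule: str
    detail: str


def parse_instructions(text):
    """Return (line, INSTRUCTION, argument) triples, joining backslash continuations."""
    out, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank/comment lines, also inside a continuation
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        instr, _, arg = " ".join(buf).partition(" ")
        buf = []
        out.append((start, instr.upper(), arg.strip()))
    return out


def check_from(line, arg, stages):
    """A stage must build on the hardened image (or an earlier stage) with an explicit tag."""
    words = [w for w in arg.split() if not w.startswith("--")]   # drop flags like --platform=
    image = words[0]
    alias = words[2] if len(words) >= 3 and words[1].upper() == "AS" else None
    found = []
    if image not in stages:
        tag = image.rsplit("/", 1)[-1]
        if not image.startswith(HARDENED_PREFIX):
            found.append(Finding(line, "base-image", f"{image} is not under {HARDENED_PREFIX}"))
        elif ":" not in tag or tag.endswith(":latest"):
            found.append(Finding(line, "base-image", f"{image} needs an explicit, non-latest tag"))
    if alias:
        stages.add(alias)
    return found


# curl/wget writing a file (-o/-O) or piped straight into a shell.
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b.*(\s-[oO]\s|\|\s*(ba)?sh\b)")


def check_run(line, arg):
    """RUN hygiene: no out-of-band binary downloads; dnf installs clean up and are non-interactive."""
    found = []
    if DOWNLOAD_RE.search(arg):
        found.append(Finding(line, "out-of-band-download",
                             "binary fetched with curl/wget instead of the package manager"))
    if re.search(r"\bdnf\b.*\binstall\b", arg):
        if not re.search(r"\bdnf\b.*\bclean\s+all\b", arg):
            found.append(Finding(line, "dnf-cache", "dnf install without 'dnf clean all' in the same RUN"))
        if "--assumeyes" not in arg and not re.search(r"\s-y\b", arg):
            found.append(Finding(line, "dnf-noninteractive", "dnf install without --assumeyes"))
    return found


def check_dockerfile(text):
    """Run all checks over one Dockerfile and return the findings in file order."""
    findings, stages = [], set()
    for line, instr, arg in parse_instructions(text):
        if instr == "FROM":
            findings.extend(check_from(line, arg, stages))
        elif instr == "RUN":
            findings.extend(check_run(line, arg))
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        found = check_dockerfile(text)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line} [{f.rule}] {f.detail}")
```

The dnf-cache rule deliberately looks for the cleanup inside the same RUN instruction: a separate RUN dnf clean all would not remove the cache from the layer that the install created. The tag rule accepts the 1.25-fips-builder tag the PR uses; pinning to a digest would be stricter but would flag the PR's own image line.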

@openshift-ci openshift-ci Bot requested review from Tafhim and xiaoyu74 May 26, 2026 01:15
@openshift-ci
Contributor

openshift-ci Bot commented May 26, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feichashao

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 26, 2026

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
Dockerfile (1)

61-62: 💤 Low value

Consider adding dnf clean all for consistency.

The base stage (line 10) includes dnf clean all but this stage omits it. While this intermediate stage doesn't affect final image size (only /out is copied), adding cleanup maintains consistency and build cache hygiene.

Suggested change
 # Install tools
-RUN dnf --assumeyes install gawk jq tar which gzip
+RUN dnf --assumeyes install gawk jq tar which gzip \
+    && dnf clean all
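Review bot: chaining `&& dnf clean all` into the same RUN as the install, as the two `+` lines do, is the right placement; a separate `RUN dnf clean all` would leave the package cache in the layer the install created, and only a same-instruction cleanup matches what the base stage does on line 10. Since the comment itself notes that only /out is copied out of this stage, the change buys consistency and cache hygiene rather than a smaller final image, so the low-value rating is fair. The `rm -rf /var/cache/dnf` offered as an optional extra in the agent prompt below is largely redundant with `dnf clean all`, which already removes the cached packages and metadata under that directory.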
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 61 - 62, The intermediate Dockerfile RUN that
installs tools (the line with "RUN dnf --assumeyes install gawk jq tar which
gzip") should include cleanup to match the base stage; append a cleanup command
(e.g., "&& dnf clean all" and optionally "&& rm -rf /var/cache/dnf") to that RUN
so cached package data is removed and the stage stays consistent with the base
stage's cleanup pattern.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 79537250-6ac3-4921-9fed-25e855744833

📥 Commits

Reviewing files that changed from the base of the PR and between 21fbc6e and 573f436.

📒 Files selected for processing (1)
  • Dockerfile

@codecov-commenter

codecov-commenter commented May 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.99%. Comparing base (21fbc6e) to head (8788ad5).

Additional details and impacted files


@@           Coverage Diff           @@
##             main     #947   +/-   ##
=======================================
  Coverage   53.99%   53.99%           
=======================================
  Files          82       82           
  Lines        6323     6323           
=======================================
  Hits         3414     3414           
  Misses       2463     2463           
  Partials      446      446           

@openshift-ci
Contributor

openshift-ci Bot commented May 26, 2026

@feichashao: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.

2 participants