From 9dced5ee0463c405ce775769951663ab4d084904 Mon Sep 17 00:00:00 2001 From: KevFan Date: Thu, 5 Sep 2024 11:37:31 +0100 Subject: [PATCH 1/2] feat: set quay image expiry to prevent overflow of images Signed-off-by: KevFan --- .github/workflows/build-images-base.yaml | 12 ++++++++++++ .github/workflows/build-images-branches.yaml | 2 ++ .github/workflows/build-images-nightly.yaml | 1 + Dockerfile | 7 ++++++- Makefile | 5 +++-- bundle.Dockerfile | 5 +++++ make/catalog.mk | 15 ++++++++++++++- 7 files changed, 43 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-images-base.yaml b/.github/workflows/build-images-base.yaml index f4f95b11d..afeeae5f3 100644 --- a/.github/workflows/build-images-base.yaml +++ b/.github/workflows/build-images-base.yaml @@ -35,6 +35,10 @@ on: description: Bundle and catalog channels, comma separated default: preview type: string + quayImageExpiry: + description: When to expire the built quay images. The time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively, from the time the image is built. + default: never + type: string workflow_dispatch: inputs: kuadrantOperatorTag: @@ -69,6 +73,10 @@ on: description: Bundle and catalog channels, comma separated default: preview type: string + quayImageExpiry: + description: When to expire the built quay images. The time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively, from the time the image is built. + default: never + type: string env: IMG_TAGS: ${{ inputs.kuadrantOperatorTag }} @@ -77,6 +85,7 @@ env: IMG_REGISTRY_ORG: kuadrant MAIN_BRANCH_NAME: main OPERATOR_NAME: kuadrant-operator + QUAY_IMAGE_EXPIRY: ${{ inputs.quayImageExpiry }} jobs: build: 
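Review bot: `quayImageExpiry` is accepted as a free-form string in both the `workflow_call` and `workflow_dispatch` input blocks of build-images-base.yaml and copied unchanged into the workflow-level `QUAY_IMAGE_EXPIRY` env (hunk `@@ -77,6 +85,7 @@`), with nothing checking that it has the `never` / `1h` / `2d` / `3w` form the description documents. According to the comment this patch adds to the catalog step, that env value is later consumed through make, where the same patch interpolates it into recipe command lines, so a mistyped or malformed value reaches a shell on the runner instead of being rejected. I would add a first step that validates it from the environment rather than through `${{ }}` inside the script: `[[ "$QUAY_IMAGE_EXPIRY" =~ ^(never|[0-9]+[hdw])$ ]] || { echo "invalid quayImageExpiry"; exit 1; }`. Widen the unit set if other units are meant to be allowed.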
@@ -107,6 +116,7 @@ jobs: provenance: false tags: | ${{ env.IMG_REGISTRY_HOST }}/${{ env.IMG_REGISTRY_ORG }}/${{ env.OPERATOR_NAME }}:${{ env.IMG_TAGS }} + build-args: QUAY_IMAGE_EXPIRY=${{ inputs.quayImageExpiry }} - name: Print Image URL run: echo "Image pushed to ${{ env.IMG_REGISTRY_HOST }}/${{ env.IMG_REGISTRY_ORG }}/${{ env.OPERATOR_NAME }}:${{ env.IMG_TAGS }}" @@ -155,6 +165,7 @@ jobs: provenance: false tags: | ${{ env.IMG_REGISTRY_HOST }}/${{ env.IMG_REGISTRY_ORG }}/${{ env.OPERATOR_NAME }}-bundle:${{ env.IMG_TAGS }} + build-args: QUAY_IMAGE_EXPIRY=${{ inputs.quayImageExpiry }} - name: Print Bundle Image URL run: echo "Bundle image pushed to ${{ env.IMG_REGISTRY_HOST }}/${{ env.IMG_REGISTRY_ORG }}/${{ env.OPERATOR_NAME }}-bundle:${{ env.IMG_TAGS }}" @@ -202,5 +213,6 @@ jobs: provenance: false tags: | ${{ env.IMG_REGISTRY_HOST }}/${{ env.IMG_REGISTRY_ORG }}/${{ env.OPERATOR_NAME }}-catalog:${{ env.IMG_TAGS }} + # The Quay image expiry label for the generated catalog Dockerfile is set via opm, using the value set in the QUAY_IMAGE_EXPIRY environment variable - name: Print Catalog Image URL run: echo "Catalog image pushed to ${{ env.IMG_REGISTRY_HOST }}/${{ env.IMG_REGISTRY_ORG }}/${{ env.OPERATOR_NAME }}-catalog:${{ env.IMG_TAGS }}" \ No newline at end of file diff --git a/.github/workflows/build-images-branches.yaml b/.github/workflows/build-images-branches.yaml index 065191a50..2c36af4a3 100644 --- a/.github/workflows/build-images-branches.yaml +++ b/.github/workflows/build-images-branches.yaml @@ -13,3 +13,5 @@ jobs: with: kuadrantOperatorVersion: ${{ github.ref_name }} kuadrantOperatorTag: ${{ github.ref_name }} + # Conditionally set quayImageExpiry to expire quay images only for non-release branches + quayImageExpiry: ${{ startsWith(github.ref_name, 'release') && 'never' || '1w' }} \ No newline at end of file diff --git a/.github/workflows/build-images-nightly.yaml b/.github/workflows/build-images-nightly.yaml index 6966a4cfc..e88c84c9f 100644 
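Review bot: The new `build-args` line in the operator image step (hunk `@@ -107,6 +116,7 @@`) reads `inputs.quayImageExpiry` directly although this patch also defines `env.QUAY_IMAGE_EXPIRY` and the neighbouring `tags:` lines already go through `env.*`; the bundle step at `@@ -155,6 +165,7 @@` does the same. Using `build-args: QUAY_IMAGE_EXPIRY=${{ env.QUAY_IMAGE_EXPIRY }}` in both places gives the three images one source for the value, so a later validation or override of the env applies to all of them and not only to the make-driven catalog build.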
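Review bot: In build-images-branches.yaml the only refs exempted from expiry are those whose name starts with `release`; every other ref this workflow runs for gets `1w`. The `on:` trigger is outside the hunk, so it cannot be confirmed here, but if it also fires for `main` or for version tags such as `v1.2.3`, images that users or downstream manifests pin would be garbage-collected a week after the build. Consider making the keep-list explicit, for example `quayImageExpiry: ${{ (startsWith(github.ref_name, 'release') || github.ref_type == 'tag') && 'never' || '1w' }}`, and extend the comment to say which refs are expected to reach this line.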
--- a/.github/workflows/build-images-nightly.yaml +++ b/.github/workflows/build-images-nightly.yaml @@ -25,3 +25,4 @@ jobs: limitadorOperatorVersion: ${{ vars.LIMITADOR_OPERATOR_SHA }} dnsOperatorVersion: ${{ vars.DNS_OPERATOR_SHA }} wasmShimVersion: ${{ vars.WASM_SHIM_SHA }} + quayImageExpiry: 2w diff --git a/Dockerfile b/Dockerfile index b2e105887..75958ebc2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM --platform=$BUILDPLATFORM golang:1.22 as builder +FROM --platform=$BUILDPLATFORM golang:1.22 AS builder WORKDIR /workspace # Copy the Go Modules manifests @@ -28,4 +28,9 @@ WORKDIR / COPY --from=builder /workspace/manager . USER 65532:65532 +# Quay image expiry +ARG QUAY_IMAGE_EXPIRY +ENV QUAY_IMAGE_EXPIRY=${QUAY_IMAGE_EXPIRY:-never} +LABEL quay.expires-after=$QUAY_IMAGE_EXPIRY + ENTRYPOINT ["/manager"] diff --git a/Makefile b/Makefile index cc87545a7..11a6eac1c 100644 --- a/Makefile +++ b/Makefile @@ -341,7 +341,7 @@ run: generate fmt vet ## Run a controller from your host. go run ./main.go docker-build: ## Build docker image with the manager. - $(CONTAINER_ENGINE) build -t $(IMG) . + $(CONTAINER_ENGINE) build --build-arg QUAY_IMAGE_EXPIRY=$(QUAY_IMAGE_EXPIRY) -t $(IMG) . docker-push: ## Push docker image with the manager. $(CONTAINER_ENGINE) push $(IMG) @@ -390,6 +390,7 @@ bundle: $(OPM) $(YQ) manifests dependencies-manifests kustomize operator-sdk ## $(call update-operator-dependencies,dns-operator,$(DNS_OPERATOR_BUNDLE_IMG)) $(OPERATOR_SDK) bundle validate ./bundle $(MAKE) bundle-ignore-createdAt + echo "$$QUAY_DOCKERFILE_LABEL" >> bundle.Dockerfile .PHONY: bundle-ignore-createdAt bundle-ignore-createdAt: 
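Review bot: The `ENV QUAY_IMAGE_EXPIRY=${QUAY_IMAGE_EXPIRY:-never}` line added at the end of the Dockerfile (hunk `@@ -28,4 +28,9 @@`) writes a build-time setting into the runtime environment of the manager container only to compute a default for the label. Build args are expanded in `LABEL` with the same `${VAR:-default}` syntax, so `ARG QUAY_IMAGE_EXPIRY` followed by `LABEL quay.expires-after=${QUAY_IMAGE_EXPIRY:-never}` gives the same result without the extra variable in the image; the same applies to the block added to bundle.Dockerfile and to the `define` in make/catalog.mk. Whether Quay treats `never` as a recognised value or simply ignores a label it cannot parse is not visible in this patch, so the comment should say which one is relied on, e.g. `# "never" is not a duration; relies on Quay applying no expiry for it (confirm)`.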
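Review bot: In the `docker-build` recipe (Makefile hunk `@@ -341,7 +341,7 @@`) `$(QUAY_IMAGE_EXPIRY)` is pasted into the command line unquoted, so a value containing whitespace or shell syntax changes the command instead of the label. Quote it, `--build-arg QUAY_IMAGE_EXPIRY="$(QUAY_IMAGE_EXPIRY)"`, and do the same in `bundle-build` (hunk `@@ -404,7 +405,7 @@`) and on the `-l quay.expires-after=$(QUAY_IMAGE_EXPIRY)` argument in make/catalog.mk. Double quotes only cover whitespace, because make expands the variable before the shell sees it; the format check belongs where the value enters, either in the workflow or as a `$(error ...)` guard next to the `QUAY_IMAGE_EXPIRY ?= never` default. That default is defined in make/catalog.mk, so these recipes depend on that file being included, which is not visible in the hunk.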
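Review bot: The `echo "$$QUAY_DOCKERFILE_LABEL" >> bundle.Dockerfile` line added at the end of the `bundle` recipe (hunk `@@ -390,6 +390,7 @@`) appends unconditionally, and this same patch also commits the identical block to bundle.Dockerfile. Unless an earlier part of the recipe, which lies outside the hunk, regenerates bundle.Dockerfile from scratch on every run, each `make bundle` adds another copy of the ARG/ENV/LABEL block and leaves a dirty working tree. A guard keeps it idempotent: `grep -q 'quay.expires-after' bundle.Dockerfile || echo "$$QUAY_DOCKERFILE_LABEL" >> bundle.Dockerfile`. A short comment on the line saying why the block has to be re-added after bundle generation would also help the next reader.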
@@ -404,7 +405,7 @@ bundle-ignore-createdAt: .PHONY: bundle-build bundle-build: ## Build the bundle image. - $(CONTAINER_ENGINE) build -f bundle.Dockerfile -t $(BUNDLE_IMG) . + $(CONTAINER_ENGINE) build --build-arg QUAY_IMAGE_EXPIRY=$(QUAY_IMAGE_EXPIRY) -f bundle.Dockerfile -t $(BUNDLE_IMG) . .PHONY: bundle-push bundle-push: ## Push the bundle image. diff --git a/bundle.Dockerfile b/bundle.Dockerfile index f5f5e8dc8..d3daffb48 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -19,3 +19,8 @@ LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/ COPY bundle/manifests /manifests/ COPY bundle/metadata /metadata/ COPY bundle/tests/scorecard /tests/scorecard/ + +# Quay image expiry +ARG QUAY_IMAGE_EXPIRY +ENV QUAY_IMAGE_EXPIRY=${QUAY_IMAGE_EXPIRY:-never} +LABEL quay.expires-after=${QUAY_IMAGE_EXPIRY} diff --git a/make/catalog.mk b/make/catalog.mk index 9a91d8979..e2c7d4193 100644 --- a/make/catalog.mk +++ b/make/catalog.mk @@ -7,9 +7,22 @@ CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:$(IMAGE_TAG) CATALOG_FILE = $(PROJECT_PATH)/catalog/kuadrant-operator-catalog/operator.yaml CATALOG_DOCKERFILE = $(PROJECT_PATH)/catalog/kuadrant-operator-catalog.Dockerfile +# Quay image default expiry +QUAY_IMAGE_EXPIRY ?= never + +# A LABEL that can be appended to a generated Dockerfile to set the Quay image expiration through Docker arguments. +define QUAY_DOCKERFILE_LABEL + +# Quay image expiry +ARG QUAY_IMAGE_EXPIRY +ENV QUAY_IMAGE_EXPIRY=$${QUAY_IMAGE_EXPIRY:-never} +LABEL quay.expires-after=$${QUAY_IMAGE_EXPIRY} +endef +export QUAY_DOCKERFILE_LABEL + $(CATALOG_DOCKERFILE): $(OPM) -mkdir -p $(PROJECT_PATH)/catalog/kuadrant-operator-catalog - cd $(PROJECT_PATH)/catalog && $(OPM) generate dockerfile kuadrant-operator-catalog + cd $(PROJECT_PATH)/catalog && $(OPM) generate dockerfile kuadrant-operator-catalog -l quay.expires-after=$(QUAY_IMAGE_EXPIRY) catalog-dockerfile: $(CATALOG_DOCKERFILE) ## Generate catalog dockerfile. CHANNELS ?= preview 
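Review bot: In make/catalog.mk the expiry is baked into the generated catalog Dockerfile as a literal label (`-l quay.expires-after=$(QUAY_IMAGE_EXPIRY)`), while `$(CATALOG_DOCKERFILE)` is a file target whose only prerequisite is `$(OPM)`. Once that file exists, a later run with a different `QUAY_IMAGE_EXPIRY` does not regenerate it, so a catalog image can be built with a stale label, for instance a `1w` left over in the working tree when building a release; whether CI always starts from a tree without this file is not visible here. The operator and bundle images take the value as a build arg at build time, so the catalog is the odd one out. Either force regeneration when the value changes or append the `QUAY_DOCKERFILE_LABEL` block to the generated file and pass `--build-arg` in the catalog build, as is done for the bundle.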
From 4321d37780d583fb1661f09c55d116886c8ab8bd Mon Sep 17 00:00:00 2001 From: KevFan Date: Thu, 12 Sep 2024 16:37:38 +0100 Subject: [PATCH 2/2] fixup: rename QUAY_DOCKERFILE_LABEL to QUAY_EXPIRY_TIME_LABEL Signed-off-by: KevFan --- Makefile | 2 +- make/catalog.mk | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 11a6eac1c..141c6b7c4 100644 --- a/Makefile +++ b/Makefile @@ -390,7 +390,7 @@ bundle: $(OPM) $(YQ) manifests dependencies-manifests kustomize operator-sdk ## $(call update-operator-dependencies,dns-operator,$(DNS_OPERATOR_BUNDLE_IMG)) $(OPERATOR_SDK) bundle validate ./bundle $(MAKE) bundle-ignore-createdAt - echo "$$QUAY_DOCKERFILE_LABEL" >> bundle.Dockerfile + echo "$$QUAY_EXPIRY_TIME_LABEL" >> bundle.Dockerfile .PHONY: bundle-ignore-createdAt bundle-ignore-createdAt: diff --git a/make/catalog.mk b/make/catalog.mk index e2c7d4193..c350e848a 100644 --- a/make/catalog.mk +++ b/make/catalog.mk @@ -11,14 +11,14 @@ CATALOG_DOCKERFILE = $(PROJECT_PATH)/catalog/kuadrant-operator-catalog.Dockerfil QUAY_IMAGE_EXPIRY ?= never # A LABEL that can be appended to a generated Dockerfile to set the Quay image expiration through Docker arguments. -define QUAY_DOCKERFILE_LABEL +define QUAY_EXPIRY_TIME_LABEL # Quay image expiry ARG QUAY_IMAGE_EXPIRY ENV QUAY_IMAGE_EXPIRY=$${QUAY_IMAGE_EXPIRY:-never} LABEL quay.expires-after=$${QUAY_IMAGE_EXPIRY} endef -export QUAY_DOCKERFILE_LABEL +export QUAY_EXPIRY_TIME_LABEL $(CATALOG_DOCKERFILE): $(OPM) -mkdir -p $(PROJECT_PATH)/catalog/kuadrant-operator-catalog