[WIP] Update Dockerfile.plugins.demo to use maintained OpenShift CI builder image

[sg00dwin]

The quay.io/coreos/tectonic-console-builder:v29 image is stale/non-existent
and causes OpenSSL error 1C800066:Provider routines:bad decrypt during
yarn install in CI builds.

Update to use the same rhel-9-base-nodejs-openshift-4.21 base image as
the main Dockerfile, which is actively maintained by the OpenShift CI team
and has proper Node.js v22 + OpenSSL 3.x configuration.

Resolves: console-plugin-demo build failures

Co-Authored-By: Claude Sonnet 4.5

Summary by CodeRabbit

Release Notes

• Chores
  • Updated Docker build configuration with a new node-based builder image and modified build paths
  • Adjusted working directories and file handling in the multi-stage build process

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Single Dockerfile updated to replace base image with nodebuilder, shift build context paths from /src to /opt/app-root, introduce YARN_VERSION ARG with bootstrap logic, and adjust final-stage artifact sourcing accordingly.

Changes

Cohort / File(s)	Summary
Docker Build Configuration Dockerfile.plugins.demo	Replaced base image with nodebuilder, migrated working directories from /src/console/* to /opt/app-root/src/*, introduced YARN_VERSION ARG with npm-based Yarn bootstrap (cached/remote tarball), switched from COPY to ADD instruction, and updated final-stage COPY directives to source artifacts from nodebuilder stage instead of build stage.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title clearly identifies the main change: updating Dockerfile.plugins.demo to use a maintained OpenShift CI builder image instead of the stale quay.io/coreos/tectonic-console-builder image.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sg00dwin
Once this PR has been reviewed and has the lgtm label, please assign rhamilto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

Dockerfile.plugins.demo (2)

8-8: Prefer COPY over ADD for copying local files.

Per Dockerfile best practices (and the Hadolint DL3020 rule), COPY should be used for copying files and folders from the build context. ADD has additional capabilities (URL fetching, tar auto-extraction) that aren't needed here and can introduce unexpected behavior.

Suggested fix

-ADD . .
+COPY . .

---

29-33: Final stage artifact paths correctly updated.

The COPY --from=nodebuilder instructions properly reference the new paths from the build stage. The node:22 base image aligns with the Node.js version in the builder.

For CI reproducibility, you might consider pinning to a more specific tag (e.g., node:22-slim or node:22.x.y) to avoid unexpected behavior from upstream image updates, though for a demo plugin this is less critical.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 4e7a8f7 and 8417448.

📒 Files selected for processing (1)

• Dockerfile.plugins.demo

🧰 Additional context used

🪛 Hadolint (2.14.0)

Dockerfile.plugins.demo

[error] 8-8: Use COPY instead of ADD for files and folders

(DL3020)

🔇 Additional comments (3)

Dockerfile.plugins.demo (3)

6-6: Good choice using the maintained OpenShift CI builder image.

This aligns with the main Dockerfile's base image and ensures consistent tooling (Node.js v22, OpenSSL 3.x) across the console build artifacts. The rhel-9-base-nodejs-openshift-4.21 image is actively maintained by the OpenShift CI team, which should prevent the stale image issues that triggered the bad decrypt errors.

---

22-26: The path structure changes are correct. The repository root contains frontend/ and dynamic-demo-plugin/ directories, and the ADD . . at line 8 places them under /opt/app-root/src/ (the default WORKDIR for the OpenShift builder base image). The subsequent WORKDIR commands in lines 22 and 25 correctly navigate to /opt/app-root/src/frontend and /opt/app-root/src/dynamic-demo-plugin. The removal of /console from the path hierarchy reflects the base image layout change, not a misconfiguration—no action needed.

---

10-20: Yarn bootstrap pattern is sound for this OpenShift builder context.

The cached tarball strategy with GitHub fallback is a solid CI optimization. USER 0 is correctly placed here since the OpenShift builder base image requires root for npm operations; the later switch to USER 1001 in the final stage maintains proper non-root production runtime behavior.

Two points to ensure consistency:

1. The ./artifacts/ path is relative to the working directory (/opt/app-root/src). Verify this directory is included in your build context if you intend to leverage tarball caching in CI pipelines.
2. The v1.22.22 pinning is current (latest Yarn 1.x Classic stable) and avoids the documentation/release discrepancy that exists on the Yarn classic site.

The two-stage build cleanly separates build dependencies from runtime, following K8s container best practices.

[openshift-ci]

@sg00dwin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-console	8417448	link	true	/test e2e-gcp-console
ci/prow/backend	8417448	link	true	/test backend

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.