SANDBOX-1561 | feature: enable debug builds for the service

[MikelAlejoBR]

In order to be able to debug the service live in the local cluster, we need the binary to be executed with Delve instead, and we need it to be built without any code optimizations or minimization so that the breakpoints work.

For that purose, a new Dockerfile has been added which can build the image that way, and the corresponding Make target make it easy to kick off the whole process with a single command.

The Makefile target also enable the "toolchain-e2e" repository to easily build the "debug" image.

The "scripts/deploy-dev.sh" script is also modified to be able to refresh the registration service with the debug image if so desired.

Related pull requetss

• SANDBOX-1561 | feature: debug builds for the host operator host-operator#1228
• SANDBOX-1561 | feature: Makefile targets to build the operator in debug mode member-operator#721
• SANDBOX-1561 | feature: Make targets for debugging services and operators toolchain-e2e#1251

Jira ticket

[SANDBOX-1561]

Summary by CodeRabbit

• New Features
  • Added a debug build option that produces a debuggable image (includes Delve, disables optimizations).
  • New build and push targets for debugger-enabled images and architecture-aware builds.
  • Added a "refresh debug" command to rebuild, push, deploy, and run the registration service under Delve (port 50000) with adjusted rollout/wait behavior.
• Other
  • Help text and deployment flow updated to support the debug workflow.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MikelAlejoBR
Once this PR has been reviewed and has the lgtm label, please assign rajivnathan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Adds a debug build flow: disables Go optimizations for dev builds, compiles Delve into debug images via new Docker build stages, adds podman targets for debug images, and extends deploy-dev.sh to optionally refresh deployments to run under Delve.

Changes

Cohort / File(s)	Summary
Build flags / Makefile make/go.mk	Added -gcflags "all=-N -l" to build-dev to disable optimizations/inlining; expanded dev build comments and minor formatting adjustments.
Podman image targets make/podman.mk	Added TARGET_ARCH variable, new podman-image-debug and podman-push-debug targets and PHONY entries; adjusted namespace warning logic.
Deployment script scripts/deploy-dev.sh	Added DEBUG mode (argument-driven); conditional use of build-dev/build and debug podman targets; replaced scale with patch for replicas; patches CSV/deployment to set debug image, command (Delve) and waits for rollout; updated help text.
Multi-stage build build/Dockerfile	Added BUILD_TYPE, GOLANG_VERSION, and TARGET_ARCH args; new debug-initial-build stage to install Go and build Delve, debug-build to include Delve, and final-build selecting prod vs debug images.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Script as scripts/deploy-dev.sh
    participant Make as Make / make targets
    participant Podman as Podman
    participant Registry as Image Registry
    participant K8s as Kubernetes

    User->>Script: run "refresh" or "refresh debug"
    Script->>Script: set DEBUG flag
    Script->>Make: invoke build (build-dev when DEBUG)
    Make->>Podman: podman-image(-debug)
    Podman->>Registry: podman-push(-debug)
    Script->>K8s: patch ToolchainConfig / CSV to set image
    alt DEBUG=true
        Script->>K8s: patch deployment command/env to run Delve
    end
    Script->>K8s: wait for deployment rollout
    K8s->>User: deployment rolled out (image/command applied)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I tuck my flags and build with care,
A little Delve hops into the lair.
Images pushed, commands replaced by charm,
Deployments roll and keep me warm.
Hooray — a debug hop, safe from harm!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title clearly describes the main feature: enabling debug builds for the service, which aligns with all the file changes that add debug-build support to the Dockerfile, Makefiles, and deployment scripts.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @make/podman.mk:
- Around line 13-16: Add a .PHONY declaration for the podman-image-debug
Makefile target to prevent conflicts with any filesystem object named
"podman-image-debug"; mirror the existing pattern used for podman-push-debug by
adding podman-image-debug to the .PHONY list so the target always runs
regardless of a same-named file.

In @scripts/deploy-dev.sh:
- Around line 77-81: The oc patch JSON string for the deployment command is
missing the closing ] for the outer array, causing a JSON syntax error; fix the
patch in the DEBUG block by adding the missing closing bracket before the final
single quote in the oc patch call so the --patch value is a valid JSON array
(ensure the string passed to oc patch in the if block for DEBUG ends with
..."}]') and verify shell quoting remains correct for the command that calls dlv
and registration-service.

🧹 Nitpick comments (2)

build/Dockerfile.debug (2)

4-7: Consider validating GOLANG_VERSION argument.

If GOLANG_VERSION is not provided or is empty, the build will fail with a confusing error when attempting to download Go. Consider adding a validation step.

Proposed validation

 # The Golang version must be provided as a build arguments, which will ensure
 # that Delve gets built with the same version the service's binary gets built
 # with, to avoid any discrepancies.
 ARG GOLANG_VERSION
+
+# Validate that GOLANG_VERSION is provided.
+RUN if [ -z "${GOLANG_VERSION}" ]; then echo "ERROR: GOLANG_VERSION build argument is required" && exit 1; fi

---

42-43: Minor documentation inconsistency.

The comment refers to "operator" but this is the "registration-service". Consider updating for clarity.

Suggested fix

-# Copy Delve to the image so that we can execute the operator with it.
+# Copy Delve to the image so that we can execute the registration-service with it.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8b532ca and edc063d.

📒 Files selected for processing (4)

• build/Dockerfile.debug
• make/go.mk
• make/podman.mk
• scripts/deploy-dev.sh

🔇 Additional comments (3)

make/go.mk (1)

14-23: LGTM!

The -gcflags "all=-N -l" flags correctly disable optimizations (-N) and inlining (-l) for Delve compatibility. The updated comment block accurately describes the purpose of the development build.

build/Dockerfile.debug (1)

45-49: LGTM on Delve configuration.

The Delve flags are well-chosen for remote debugging:

• --listen=:50000 exposes the debug port
• --headless enables IDE attachment
• --continue starts execution without waiting for debugger
• --accept-multiclient allows reconnection after disconnect

The exposed ports (50000 for Delve, 8080-8082 for service) are appropriate.

scripts/deploy-dev.sh (1)

34-50: LGTM on DEBUG flag logic.

The conditional build logic cleanly separates debug and non-debug paths. Using string comparison [[ "${DEBUG}" = true ]] is appropriate for this use case.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@scripts/deploy-dev.sh`:
- Around line 81-84: The unconditional oc wait that checks the
deployment/registration-service command equals "dlv" will fail when DEBUG is not
set; move the oc wait
--for=jsonpath='{.spec.template.spec.containers[0].command[0]}'="dlv"
"deployment/registration-service" (and the subsequent oc rollout status for
registration-service if it only relates to the debug patch) inside the DEBUG
conditional block that patches the container command (the block that checks the
DEBUG variable and applies the Delve patch), or remove the jsonpath wait
entirely and only keep rollout status when you do not patch the command,
ensuring the wait is only executed when DEBUG=true and the container command is
actually changed to "dlv".

🧹 Nitpick comments (2)

build/Dockerfile (1)

28-57: Consider pinning Delve to a specific version for reproducibility.

Using @latest for Delve installation (line 57) means builds may produce different results over time as Delve releases new versions. For development/debugging tooling this is often acceptable, but pinning to a specific version would improve reproducibility.

Example with pinned version

-RUN GOBIN=/tmp/bin go install github.com/go-delve/delve/cmd/dlv@latest
+RUN GOBIN=/tmp/bin go install github.com/go-delve/delve/cmd/dlv@v1.24.0

scripts/deploy-dev.sh (1)

86-99: Redundant wait logic and flow clarification needed.

Lines 92-96 duplicate the wait logic from lines 81-84. Additionally, the structure is confusing:

1. The outer if at line 89 checks if REGISTRATION_SERVICE_COMMAND env var exists and adds it if missing
2. Line 98 patches the deployment command regardless of whether the env var was added

Consider simplifying the flow - if the deployment command patch at line 98 always runs when DEBUG=true, the inner conditional wait (lines 92-96) may be unnecessary since the final patch will trigger a new rollout anyway.

Simplified flow

     if [[ "${DEBUG}" = true ]]
     then
       echo "✏️ patching the deployment's command to execute the registration service with Delve instead"
-      	if ! oc get --namespace="${HOST_NS}" "${HOST_CSV_NAME}" --output jsonpath="{.spec.install.spec.deployments[0].spec.template.spec.containers[1].env}" | grep -q "REGISTRATION_SERVICE_COMMAND"; then \
-      		oc patch --namespace="${HOST_NS}" "${HOST_CSV_NAME}" --type='json' --patch='[{"op": "add", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/1/env/-", "value": {"name": "REGISTRATION_SERVICE_COMMAND", "value": "[\"dlv\", \"--listen=:50000\", \"--headless\", \"--continue\", \"--api-version=2\", \"--accept-multiclient\", \"exec\", \"/usr/local/bin/registration-service\"]"}}]'
-
-      		# Wait for the registration service's command to have the "dlv" bit, and the rollout for its deployment to be
-      		# complete.
-      		echo "Waiting for the registration service's deployment to get updated..."
-      		oc wait --namespace="${HOST_NS}" --timeout=3m --for=jsonpath='{.spec.template.spec.containers[0].command[0]}'="dlv" "deployment/registration-service"
-      		oc rollout status --namespace="${HOST_NS}" --timeout=3m deployment/registration-service
-      	fi
+      if ! oc get --namespace="${HOST_NS}" "${HOST_CSV_NAME}" --output jsonpath="{.spec.install.spec.deployments[0].spec.template.spec.containers[1].env}" | grep -q "REGISTRATION_SERVICE_COMMAND"; then
+        oc patch --namespace="${HOST_NS}" "${HOST_CSV_NAME}" --type='json' --patch='[{"op": "add", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/1/env/-", "value": {"name": "REGISTRATION_SERVICE_COMMAND", "value": "[\"dlv\", \"--listen=:50000\", \"--headless\", \"--continue\", \"--api-version=2\", \"--accept-multiclient\", \"exec\", \"/usr/local/bin/registration-service\"]"}}]'
+      fi
       oc patch deployment/registration-service --namespace "${HOST_NS}" --type='json' --patch='[{"op": "replace", "path": "/spec/template/spec/containers/0/command", "value": ["dlv", "--listen=:50000", "--headless", "--continue", "--api-version=2", "--accept-multiclient", "exec", "/usr/local/bin/registration-service"]}]'
+      
+      # Wait for the deployment to roll out with the new command
+      oc wait --namespace="${HOST_NS}" --timeout=3m --for=jsonpath='{.spec.template.spec.containers[0].command[0]}'="dlv" "deployment/registration-service"
+      oc rollout status --namespace="${HOST_NS}" --timeout=3m deployment/registration-service
     fi

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@scripts/deploy-dev.sh`:
- Around line 85-98: The script can skip waiting for the registration-service
rollout when REGISTRATION_SERVICE_COMMAND already exists; after the
unconditional oc patch that replaces the container command (the patch applied to
deployment/registration-service), always run the same rollout wait steps (oc
wait --for=jsonpath='{.spec.template.spec.containers[0].command[0]}'="dlv"
"deployment/registration-service" and oc rollout status --namespace="${HOST_NS}"
--timeout=3m deployment/registration-service) so the deployment finishes
updating before the script continues; place these oc wait/oc rollout status
calls immediately after the oc patch that sets the dlv command to ensure the
debug command is active.

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud