OLS-2703: The OLS operator requires too high a version of the x86-64 ISA

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM registry.redhat.io/ubi10/go-toolset:1.25.7 AS builder
+FROM registry.redhat.io/ubi9/go-toolset:1.25.7 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -12,7 +12,7 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
-COPY cmd/main.go cmd/main.go
+COPY cmd/ cmd/
 COPY api/ api/
 COPY internal/ internal/
 
@@ -27,6 +27,8 @@ USER 0
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 RUN CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -tags strictfipsruntime -o manager cmd/main.go
+# Verify manager is built for at most x86-64-v2 (on amd64 only; check is a no-op elsewhere)
+RUN go build -o check-isa-level ./cmd/check-isa-level && ./check-isa-level ./manager
 
 
 FROM registry.redhat.io/ubi9/ubi-minimal:9.7

cmd/check-isa-level/main_amd64.go

@@ -0,0 +1,126 @@
+//go:build linux && amd64
+
+package main
+
+import (
+	"debug/elf"
+	"encoding/binary"
+	"fmt"
+	"os"
+)
+
+const (
+	ntGNUPropertyType0       = 5
+	gnuPropertyX86ISA1Needed = 0xc0008002
+	isaV3                    = 1 << 2
+	isaV4                    = 1 << 3
+	isaBeyondV2              = isaV3 | isaV4
+)
+
+func main() {
+	path := "manager"
+	if len(os.Args) > 1 {
+		path = os.Args[1]
+	}
+	if _, err := os.Stat(path); err != nil {
+		if os.IsNotExist(err) {
+			fmt.Fprintf(os.Stderr, "binary not found: %s\n", path)
+			os.Exit(2)
+		}
+		fmt.Fprintf(os.Stderr, "stat %s: %v\n", path, err)
+		os.Exit(2)
+	}
+	ok, err := atMostX86_64_V2(path)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "reading ELF %s: %v\n", path, err)
+		os.Exit(2)
+	}
+	if !ok {
+		val, _, _ := getX86ISA1Needed(path)
+		fmt.Fprintf(os.Stderr, "%s requires ISA level beyond x86-64-v2 (GNU_PROPERTY_X86_ISA_1_NEEDED=0x%x has v3/v4 bits)\n", path, val)
+		os.Exit(1)
+	}
+	os.Exit(0)
+}
+
+func getX86ISA1Needed(path string) (uint32, bool, error) {
+	f, err := elf.Open(path)
+	if err != nil {
+		return 0, false, err
+	}
+	defer f.Close()
+
+	var noteSection *elf.Section
+	for _, s := range f.Sections {
+		if s.Name == ".note.gnu.property" {
+			noteSection = s
+			break
+		}
+	}
+	if noteSection == nil {
+		for _, s := range f.Sections {
+			if s.Type == elf.SHT_NOTE {
+				noteSection = s
+				break
+			}
+		}
+	}
+	if noteSection == nil {
+		return 0, false, nil
+	}
+
+	r := noteSection.Open()
+	data := make([]byte, noteSection.Size)
+	if _, err := r.Read(data); err != nil {
+		return 0, false, err
+	}
+
+	order := binary.LittleEndian
+	off := 0
+	for off+12 <= len(data) {
+		namesz := order.Uint32(data[off : off+4])
+		descsz := order.Uint32(data[off+4 : off+8])
+		ntype := order.Uint32(data[off+8 : off+12])
+		off += 12
+
+		namePadded := (namesz + 3) &^ 3
+		if off+int(namePadded)+int(descsz) > len(data) {
+			break
+		}
+		name := data[off : off+int(namesz)]
+		off += int(namePadded)
+		desc := data[off : off+int(descsz)]
+		off += int((descsz + 3) &^ 3)
+
+		if ntype != ntGNUPropertyType0 {
+			continue
+		}
+		if namesz < 4 || string(name[:4]) != "GNU\x00" {
+			continue
+		}
+
+		descOff := 0
+		for descOff+8 <= len(desc) {
+			prType := order.Uint32(desc[descOff : descOff+4])
+			prDatasz := order.Uint32(desc[descOff+4 : descOff+8])
+			descOff += 8
+			if descOff+int(prDatasz) > len(desc) {
+				break
+			}
+			if prType == gnuPropertyX86ISA1Needed && prDatasz == 4 {
+				return order.Uint32(desc[descOff : descOff+4]), true, nil
+			}
+			descOff += int((prDatasz + 7) &^ 7)
+		}
+	}
+
+	return 0, false, nil
+}
+
+func atMostX86_64_V2(path string) (bool, error) {
+	val, found, err := getX86ISA1Needed(path)
+	if err != nil || !found {
+		return false, err
+	}
+	return (val & isaBeyondV2) == 0, nil
+}

cmd/check-isa-level/main_other.go

@@ -0,0 +1,10 @@
+//go:build !(linux && amd64)
+
+package main
+
+import "os"
+
+func main() {
+	// ISA level check is x86-64 only; no-op on other architectures.
+	os.Exit(0)
+}