OCPBUGS-87409: Updating openshift-enterprise-helm-operator-container image to be consistent with ART for 5.0#456
Conversation
openshift-bot
force-pushed
the
art-consistency-openshift-5.0-openshift-enterprise-helm-operator
branch
from
7b97496 to
ec02f09
Compare
|
Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/201 |
WalkthroughThis PR updates base image versions across the CI operator configuration and Helm operator Dockerfile. The CI operator root image tag is updated to Go 1.26 and OpenShift 5.0, and the Helm operator's builder and final stage base images are updated to match the newer release versions. ChangesBase image upgrade
Possibly related PRs
Suggested labels
Suggested reviewers
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
openshift-bot
changed the title
openshift-ci-robot
added
jira/valid-reference
|
@openshift-bot: This pull request references Jira Issue OCPBUGS-87409, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: openshift-bot The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@openshift-bot: This pull request references Jira Issue OCPBUGS-87409, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
release/helm/Dockerfile (1)
11-25:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAdd HEALTHCHECK instruction as required by security guidelines.
The Dockerfile is missing a HEALTHCHECK instruction, which is explicitly required by the container security guidelines. For a Helm operator, the healthcheck should verify that the operator process is running and responsive.
🏥 Proposed HEALTHCHECK addition
Add a HEALTHCHECK instruction before the ENTRYPOINT. For a Helm operator, you might check if the process is responsive:
RUN /usr/local/bin/user_setup WORKDIR ${HOME} USER ${USER_UID} + +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ + CMD pgrep -x helm-operator || exit 1 + ENTRYPOINT ["/usr/local/bin/helm-operator", "run", "--watches-file=./watches.yaml"]Alternatively, if the operator exposes a health endpoint, use that for a more sophisticated check:
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ + CMD ["/usr/local/bin/healthcheck.sh"]As per coding guidelines, "HEALTHCHECK defined" is required for all container images.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@release/helm/Dockerfile` around lines 11 - 25, Add a Docker HEALTHCHECK instruction just before the existing ENTRYPOINT to satisfy the "HEALTHCHECK defined" guideline: implement an exec-form HEALTHCHECK that confirms the helm-operator process (the ENTRYPOINT binary "/usr/local/bin/helm-operator") is running and responsive (e.g., pgrep -f helm-operator or curl against a /healthz endpoint if the operator exposes one), include sensible options (--interval, --timeout, --start-period, --retries), run the check as the non-root USER (${USER_UID}) or ensure the command can run in that context, and ensure the healthcheck command returns exit 0 on success and non‑zero on failure.Source: Coding guidelines
🧹 Nitpick comments (1)
release/helm/Dockerfile (1)
7-7: ⚡ Quick winConsider copying specific files instead of entire context.
The guideline requires "COPY specific files, not entire context" to minimize attack surface. While this is in the builder stage and the final image properly copies only specific artifacts, the guideline applies to all COPY instructions.
♻️ Refactor to copy only necessary files
If the build process requires specific files/directories rather than the entire context, consider:
-COPY . /go/src/github.com/operator-framework/operator-sdk +COPY go.mod go.sum Makefile ci/ /go/src/github.com/operator-framework/operator-sdk/ +COPY cmd/ /go/src/github.com/operator-framework/operator-sdk/cmd/ +COPY pkg/ /go/src/github.com/operator-framework/operator-sdk/pkg/ +# Add other necessary directoriesHowever, if the Makefile and build process genuinely require the full source tree, document this exception with a comment explaining why the full context is needed.
As per coding guidelines, "COPY specific files, not entire context".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@release/helm/Dockerfile` at line 7, The Dockerfile currently uses a broad COPY instruction (COPY . /go/src/github.com/operator-framework/operator-sdk) which copies the entire build context; replace this with explicit COPY entries for only the required files and directories (e.g., go.mod, go.sum, cmd/, pkg/, Makefile, etc. as required by your build) so the builder stage only receives minimal inputs, or if the full repo is genuinely required by the Makefile/build, add a clear inline comment above the COPY line explaining the exception and why the entire context is necessary; edit the COPY . /go/src/github.com/operator-framework/operator-sdk line accordingly in the Dockerfile.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@release/helm/Dockerfile`:
- Line 1: Update the Dockerfile builder and runtime base images to use the
catalog.redhat.com mirror instead of registry.ci.openshift.org (replace the FROM
lines in release/helm/Dockerfile), and in the builder stage narrow the COPY by
replacing the broad "COPY . /go/src/github.com/operator-framework/operator-sdk"
with explicit COPY instructions for only the required files and directories
(e.g., go.mod, go.sum, cmd/, pkg/, Makefile) so the build context is minimal;
ensure the destination path remains
/go/src/github.com/operator-framework/operator-sdk to preserve build references.
---
Outside diff comments:
In `@release/helm/Dockerfile`:
- Around line 11-25: Add a Docker HEALTHCHECK instruction just before the
existing ENTRYPOINT to satisfy the "HEALTHCHECK defined" guideline: implement an
exec-form HEALTHCHECK that confirms the helm-operator process (the ENTRYPOINT
binary "/usr/local/bin/helm-operator") is running and responsive (e.g., pgrep -f
helm-operator or curl against a /healthz endpoint if the operator exposes one),
include sensible options (--interval, --timeout, --start-period, --retries), run
the check as the non-root USER (${USER_UID}) or ensure the command can run in
that context, and ensure the healthcheck command returns exit 0 on success and
non‑zero on failure.
---
Nitpick comments:
In `@release/helm/Dockerfile`:
- Line 7: The Dockerfile currently uses a broad COPY instruction (COPY .
/go/src/github.com/operator-framework/operator-sdk) which copies the entire
build context; replace this with explicit COPY entries for only the required
files and directories (e.g., go.mod, go.sum, cmd/, pkg/, Makefile, etc. as
required by your build) so the builder stage only receives minimal inputs, or if
the full repo is genuinely required by the Makefile/build, add a clear inline
comment above the COPY line explaining the exception and why the entire context
is necessary; edit the COPY . /go/src/github.com/operator-framework/operator-sdk
line accordingly in the Dockerfile.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 045f8135-7dd9-4a2c-9ad8-0cb513460c45
📒 Files selected for processing (2)
.ci-operator.yamlrelease/helm/Dockerfile
| @@ -1,4 +1,4 @@ | |||
| FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder | |||
| FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder | |||
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify if registry.ci.openshift.org images are approved exceptions for OpenShift CI builds
# Check if there are other Dockerfiles using catalog.redhat.com base images
echo "=== Searching for catalog.redhat.com base images in repository ==="
rg -n "FROM.*catalog\.redhat\.com" --type dockerfile
echo -e "\n=== Searching for other registry.ci.openshift.org usage ==="
rg -n "FROM.*registry\.ci\.openshift\.org" --type dockerfile
echo -e "\n=== Checking for container security documentation or exceptions ==="
fd -e md -e txt | xargs rg -l "catalog\.redhat\.com|container.*security|base.*image.*policy" 2>/dev/null | head -10Repository: openshift/ocp-release-operator-sdk
Length of output: 573
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Listing Dockerfile/Containerfile paths ==="
fd -e Dockerfile -e Containerfile . 2>/dev/null | head -n 200 || true
# More reliable: use fd with exact names
fd -t f -a . -e Dockerfile -e Containerfile . 2>/dev/null || true
echo
echo "=== Find base images from catalog.redhat.com ==="
fd -t f -a . -g 'Dockerfile*' -g 'Containerfile*' -e dockerfile 2>/dev/null >/dev/null || true
# Use fd to find any file named Dockerfile/Containerfile exactly (case-sensitive)
fd -t f -g 'Dockerfile' . | head -n 200 | cat >/dev/null
# Actually gather files:
dockerfiles=$(fd -t f -a . -g 'Dockerfile' -g 'Containerfile' || true)
echo "Found Dockerfile/Containerfile count: $(echo "$dockerfiles" | wc -l | tr -d ' ')"
echo "$dockerfiles" | head -n 50
# Search FROM lines in those files
if [ -n "${dockerfiles:-}" ]; then
rg -n --no-heading "^\s*FROM\s+.*catalog\.redhat\.com" $dockerfiles || true
echo
rg -n --no-heading "^\s*FROM\s+.*registry\.ci\.openshift\.org" $dockerfiles || true
echo
rg -n --no-heading "^\s*COPY\s+\.\s" $dockerfiles || true
fi
echo
echo "=== Inspect release/helm/Dockerfile header and copy lines ==="
if [ -f release/helm/Dockerfile ]; then
sed -n '1,80p' release/helm/Dockerfile | cat -n
echo "---- grep COPY lines ----"
rg -n "^\s*COPY\s" release/helm/Dockerfile || true
else
echo "File release/helm/Dockerfile not found"
fiRepository: openshift/ocp-release-operator-sdk
Length of output: 2661
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Listing Dockerfile/Containerfile paths ==="
dockerfiles="$(fd -t f -g 'Dockerfile' . || true; fd -t f -g 'Containerfile' . || true)"
echo "$dockerfiles" | head -n 50
echo "Found: $(echo "$dockerfiles" | wc -l | tr -d ' ')"
echo
echo "=== Search base images from catalog.redhat.com ==="
if [ -n "$dockerfiles" ]; then
rg -n --no-heading "^\s*FROM\s+.*catalog\.redhat\.com" $dockerfiles || true
fi
echo
echo "=== Search base images from registry.ci.openshift.org ==="
if [ -n "$dockerfiles" ]; then
rg -n --no-heading "^\s*FROM\s+.*registry\.ci\.openshift\.org" $dockerfiles || true
fi
echo
echo "=== Search for COPY . (entire context) ==="
if [ -n "$dockerfiles" ]; then
rg -n --no-heading "^\s*COPY\s+\.\s" $dockerfiles || true
fi
echo
echo "=== Inspect release/helm/Dockerfile (lines 1-120) ==="
if [ -f release/helm/Dockerfile ]; then
sed -n '1,120p' release/helm/Dockerfile | cat -n
echo
echo "=== COPY/USER/HEALTHCHECK lines ==="
rg -n "^\s*(FROM|COPY|USER|HEALTHCHECK)" release/helm/Dockerfile || true
else
echo "release/helm/Dockerfile not found"
fiRepository: openshift/ocp-release-operator-sdk
Length of output: 3037
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Search for container security/base image policy docs in repo ==="
rg -n "catalog\.redhat\.com|registry\.ci\.openshift\.org/ocp|UBI minimal|distroless|prodsec-skills|container.*security|base image|base.*image.*policy|COPY specific files|COPY \\. \\/go|COPY \\. " \
-S --hidden \
--glob='!vendor/**' \
--glob='!**/node_modules/**' \
--glob='!**/dist/**' .
echo
echo "=== Check for any explicit exception text mentioning registry.ci.openshift.org ==="
rg -n "exception|allowed|permit|whitelist|approved|disallow|prohibit|policy" \
-S --hidden \
--glob='!vendor/**' \
--glob='!**/node_modules/**' \
--glob='!**/dist/**' \
. | rg -n "catalog\.redhat\.com|registry\.ci\.openshift\.org/ocp|UBI|distroless|prodsec-skills|COPY specific files|COPY \\.\\s" || trueRepository: openshift/ocp-release-operator-sdk
Length of output: 587
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Search for container security guidance keywords ==="
rg -n --hidden \
"prodsec-skills|container security|base image policy|base image|COPY specific files|COPY \\. \\/|COPY \\.|UBI minimal|distroless" .
echo
echo "=== Search for explicit registry exceptions (catalog.redhat.com / registry.ci.openshift.org) ==="
rg -n --hidden \
"catalog\.redhat\.com|registry\.ci\.openshift\.org/ocp" .Repository: openshift/ocp-release-operator-sdk
Length of output: 434
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Search for prodsec-skills / container security keywords (fixed strings) ==="
rg -n --hidden -F "prodsec-skills" .
rg -n --hidden -F "container security" .
rg -n --hidden -F "base image policy" .
rg -n --hidden -F "UBI minimal" .
rg -n --hidden -F "distroless" .
echo
echo "=== Search for COPY guidance phrases ==="
rg -n --hidden -F "COPY specific files" .
rg -n --hidden -F "COPY ." .Repository: openshift/ocp-release-operator-sdk
Length of output: 158
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Repo mentions of prodsec / container security / base image policy (fixed strings) ==="
rg -n --hidden -F "prodsec" .
rg -n --hidden -F "container security" .
rg -n --hidden -F "base image" .
rg -n --hidden -F "base image policy" .
rg -n --hidden -F "catalog.redhat.com" .
rg -n --hidden -F "registry.ci.openshift.org/ocp" .
rg -n --hidden -F "COPY specific files" .
rg -n --hidden -F "COPY . " .
echo
echo "=== All Dockerfiles FROM lines (excluding vendor) ==="
dockerfiles="$(fd -t f -g 'Dockerfile' . --exclude 'vendor/**' || true)"
echo "$dockerfiles" | wc -l | tr -d ' '
if [ -n "$dockerfiles" ]; then
rg -n --no-heading "^\s*FROM\s+" $dockerfiles | head -n 200
fi
echo
echo "=== All Dockerfiles with COPY . (excluding vendor) ==="
if [ -n "$dockerfiles" ]; then
rg -n --no-heading "^\s*COPY\s+\.\s" $dockerfiles | head -n 200
fiRepository: openshift/ocp-release-operator-sdk
Length of output: 168
Switch release/helm/Dockerfile base images to catalog.redhat.com (and narrow the builder COPY).
release/helm/DockerfileusesFROM registry.ci.openshift.org/ocp/...for both the builder and runtime stages; this repo has noFROM ... catalog.redhat.comusage and no explicit exception/allowlist forregistry.ci.openshift.org.- The builder stage does
COPY . /go/src/github.com/operator-framework/operator-sdk, which violates the “COPY specific files, not entire context” guideline.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@release/helm/Dockerfile` at line 1, Update the Dockerfile builder and runtime
base images to use the catalog.redhat.com mirror instead of
registry.ci.openshift.org (replace the FROM lines in release/helm/Dockerfile),
and in the builder stage narrow the COPY by replacing the broad "COPY .
/go/src/github.com/operator-framework/operator-sdk" with explicit COPY
instructions for only the required files and directories (e.g., go.mod, go.sum,
cmd/, pkg/, Makefile) so the build context is minimal; ensure the destination
path remains /go/src/github.com/operator-framework/operator-sdk to preserve
build references.
Source: Coding guidelines
|
@openshift-bot: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
ART wants to connect issue OCPBUGS-87694 to this PR, but found it is currently hooked up to ['OCPBUGS-87409']. Please consult with #forum-ocp-art if it is not clear what there is to do. |
openshift-bot
added
the
verified
2 participants
Updating openshift-enterprise-helm-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.
The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-helm-operator.yml.
Detail:
This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.
Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.
PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.
Roles & Responsibilities:
tests OR that necessary metadata changes are reported to the ART team
in
#forum-ocp-arton Slack. If necessary, the changes required by this pull request can beintroduced with a separate PR opened by the component team. Once the repository is aligned,
this PR will be closed automatically.
verify-depsis complaining. In that case, please opena new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
any required labels to ensure the PR merges once tests are passing. In cases where ART config is
canonical, downstream builds are already being built with these changes, and merging this PR
only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
a grace period for the component team to align their CI with ART's configuration before it becomes
canonical in product builds.
ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:
Change behavior of future PRs:
set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
To do so, open a PR to set the
auto_labelattribute in the image configuration. ExampleUPSTREAM: <carry>:. An example.If you have any questions about this pull request, please reach out in the
#forum-ocp-artSlack channel.