Skip to content

OCPBUGS-87332: Updating ose-oauth-apiserver-container image to be consistent with ART for 5.0#207

Open
openshift-bot wants to merge 1 commit into
openshift:masterfrom
openshift-bot:art-consistency-openshift-5.0-ose-oauth-apiserver
Open

OCPBUGS-87332: Updating ose-oauth-apiserver-container image to be consistent with ART for 5.0#207
openshift-bot wants to merge 1 commit into
openshift:masterfrom
openshift-bot:art-consistency-openshift-5.0-ose-oauth-apiserver

Conversation

@openshift-bot

@openshift-bot openshift-bot commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

Updating ose-oauth-apiserver-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-oauth-apiserver.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

@openshift-bot

Copy link
Copy Markdown
Contributor Author

@coderabbitai

coderabbitai Bot commented Jun 6, 2026

Copy link
Copy Markdown

Walkthrough

This PR updates container base image versions used for CI builds and artifact construction. The CI operator config and Dockerfile both reference newer OpenShift 5.0 and Golang 1.26 base images, replacing the previous OpenShift 4.22 and Golang 1.24 versions.

Changes

Base image version upgrade

Layer / File(s) Summary
Base image version updates
.ci-operator.yaml, images/Dockerfile.rhel7
CI operator build_root_image.tag and Dockerfile builder and runtime stage FROM images are updated to OpenShift 5.0 / Golang 1.26 versions.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The PR contains test files but uses standard Go testing (func TestXxx), not Ginkgo. The check for stable Ginkgo test names is not applicable since no Ginkgo tests exist in this codebase.
Test Structure And Quality ✅ Passed PR contains only infrastructure/build config changes (.ci-operator.yaml and images/Dockerfile.rhel7), not Ginkgo test code, so test quality check is not applicable.
Microshift Test Compatibility ✅ Passed PR updates only CI configuration (.ci-operator.yaml and images/Dockerfile.rhel7) with base image tags. No new Ginkgo e2e tests are added, so the MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests added. PR only updates CI configuration (.ci-operator.yaml) and container image tags in Dockerfile.rhel7; no test code changes.
Topology-Aware Scheduling Compatibility ✅ Passed PR only updates CI configuration and Dockerfile base images; no deployment manifests, operator code, or scheduling constraints are added or modified.
Ote Binary Stdout Contract ✅ Passed PR only updates CI configuration files (.ci-operator.yaml, Dockerfile.rhel7) and adds new source code; no modifications to existing OTE binary stdout paths that would violate the contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR adds no new Ginkgo e2e tests; only configuration updates and standard Go unit tests using testing.T. Check applies only to Ginkgo tests.
No-Weak-Crypto ✅ Passed PR is config-only (base image tags); no code changes. Existing codebase uses strong crypto (SHA256, RSA, ECDSA), no weak algorithms.
Container-Privileges ✅ Passed PR updates base image tags only; no privileged: true, hostPID/Network/IPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation settings are introduced in the changes.
No-Sensitive-Data-In-Logs ✅ Passed No logging that exposes passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data found in the changed files (.ci-operator.yaml and images/Dockerfile.rhel7).
Title check ✅ Passed The title accurately describes the main change: updating container image versions to be consistent with ART for OpenShift 5.0, which aligns with the actual modifications to .ci-operator.yaml and images/Dockerfile.rhel7.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-bot openshift-bot changed the title Updating ose-oauth-apiserver-container image to be consistent with ART for 5.0 OCPBUGS-87332: Updating ose-oauth-apiserver-container image to be consistent with ART for 5.0 Jun 6, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 6, 2026
@openshift-ci

openshift-ci Bot commented Jun 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kaleemsiddiqu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@openshift-bot: This pull request references Jira Issue OCPBUGS-87332, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating ose-oauth-apiserver-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-oauth-apiserver.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jun 6, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@openshift-bot: This pull request references Jira Issue OCPBUGS-87332, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Updating ose-oauth-apiserver-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-oauth-apiserver.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

  • Chores
  • Updated CI/CD build configuration to use newer container images, including Go 1.26 and OpenShift 5.0, for improved build stability and toolchain support.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
images/Dockerfile.rhel7 (2)

7-13: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the final image as a non-root user.

The runtime stage does not set USER, so it defaults to root. Please set an explicit non-root UID/GID in the final stage.

Suggested patch
 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/oauth-apiserver/oauth-apiserver /usr/bin/
 COPY --from=builder /go/src/github.com/openshift/oauth-apiserver/oauth-apiserver-tests-ext.gz /usr/bin/
+USER 1001
 ENTRYPOINT ["/usr/bin/oauth-apiserver"]

As per coding guidelines, "USER non-root; never run as root" is required for Dockerfiles.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.rhel7` around lines 7 - 13, The final image currently runs
as root (no USER set); update the final Dockerfile stage to create or use a
non-root UID/GID and set USER to that non-root account before ENTRYPOINT (e.g.,
add a group/user with a fixed UID/GID and ensure ownership/permissions of
/usr/bin/oauth-apiserver and oauth-apiserver-tests-ext.gz are adjusted so the
non-root user can execute them), then leave ENTRYPOINT as-is; reference the
Dockerfile final stage and ENTRYPOINT when making the changes.

Sources: Coding guidelines, Linters/SAST tools


7-13: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a container healthcheck in the runtime stage.

The final image has no HEALTHCHECK, which violates the container security guideline and weakens failure detection.

Suggested patch
 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/oauth-apiserver/oauth-apiserver /usr/bin/
 COPY --from=builder /go/src/github.com/openshift/oauth-apiserver/oauth-apiserver-tests-ext.gz /usr/bin/
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD ["/usr/bin/oauth-apiserver", "--help"] || exit 1
 ENTRYPOINT ["/usr/bin/oauth-apiserver"]

As per coding guidelines, "HEALTHCHECK defined" is required for Dockerfiles.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.rhel7` around lines 7 - 13, The final stage (the runtime
image with ENTRYPOINT ["/usr/bin/oauth-apiserver"]) lacks a HEALTHCHECK; add a
HEALTHCHECK instruction in that stage immediately after ENTRYPOINT that probes
the server (e.g., use curl or wget against the oauth-apiserver health endpoint
on localhost:8443 or the server's configured health path) with sensible flags
(for example --interval, --timeout, --start-period and --retries) and a command
that exits non‑zero on failure so container runtimes can detect unhealthy
instances; ensure the probe command uses an absolute binary path available in
the image and references the service port/path your oauth-apiserver exposes.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@images/Dockerfile.rhel7`:
- Around line 7-13: The final image currently runs as root (no USER set); update
the final Dockerfile stage to create or use a non-root UID/GID and set USER to
that non-root account before ENTRYPOINT (e.g., add a group/user with a fixed
UID/GID and ensure ownership/permissions of /usr/bin/oauth-apiserver and
oauth-apiserver-tests-ext.gz are adjusted so the non-root user can execute
them), then leave ENTRYPOINT as-is; reference the Dockerfile final stage and
ENTRYPOINT when making the changes.
- Around line 7-13: The final stage (the runtime image with ENTRYPOINT
["/usr/bin/oauth-apiserver"]) lacks a HEALTHCHECK; add a HEALTHCHECK instruction
in that stage immediately after ENTRYPOINT that probes the server (e.g., use
curl or wget against the oauth-apiserver health endpoint on localhost:8443 or
the server's configured health path) with sensible flags (for example
--interval, --timeout, --start-period and --retries) and a command that exits
non‑zero on failure so container runtimes can detect unhealthy instances; ensure
the probe command uses an absolute binary path available in the image and
references the service port/path your oauth-apiserver exposes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6084f7da-1c79-46c6-a410-fb888ed9124b

📥 Commits

Reviewing files that changed from the base of the PR and between 97a820b and ef74e68.

📒 Files selected for processing (2)
  • .ci-operator.yaml
  • images/Dockerfile.rhel7

@openshift-ci

openshift-ci Bot commented Jun 6, 2026

Copy link
Copy Markdown

@openshift-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-component-serial-ote ef74e68 link false /test e2e-gcp-component-serial-ote
ci/prow/e2e-gcp-component-serial-disruptive-ote ef74e68 link false /test e2e-gcp-component-serial-disruptive-ote
ci/prow/verify ef74e68 link true /test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-bot

Copy link
Copy Markdown
Contributor Author

ART wants to connect issue OCPBUGS-87619 to this PR, but found it is currently hooked up to ['OCPBUGS-87332']. Please consult with #forum-ocp-art if it is not clear what there is to do.

@openshift-bot openshift-bot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants