OCPBUGS-87332: Updating ose-oauth-apiserver-container image to be consistent with ART for 5.0#207
Conversation
|
Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/201 |
WalkthroughThis PR updates container base image versions used for CI builds and artifact construction. The CI operator config and Dockerfile both reference newer OpenShift 5.0 and Golang 1.26 base images, replacing the previous OpenShift 4.22 and Golang 1.24 versions. ChangesBase image version upgrade
🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@openshift-bot: This pull request references Jira Issue OCPBUGS-87332, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@openshift-bot: This pull request references Jira Issue OCPBUGS-87332, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
images/Dockerfile.rhel7 (2)
7-13:⚠️ Potential issue | 🟠 Major | ⚡ Quick winRun the final image as a non-root user.
The runtime stage does not set
USER, so it defaults to root. Please set an explicit non-root UID/GID in the final stage.Suggested patch
FROM registry.ci.openshift.org/ocp/5.0:base-rhel9 COPY --from=builder /go/src/github.com/openshift/oauth-apiserver/oauth-apiserver /usr/bin/ COPY --from=builder /go/src/github.com/openshift/oauth-apiserver/oauth-apiserver-tests-ext.gz /usr/bin/ +USER 1001 ENTRYPOINT ["/usr/bin/oauth-apiserver"]As per coding guidelines, "USER non-root; never run as root" is required for Dockerfiles.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/Dockerfile.rhel7` around lines 7 - 13, The final image currently runs as root (no USER set); update the final Dockerfile stage to create or use a non-root UID/GID and set USER to that non-root account before ENTRYPOINT (e.g., add a group/user with a fixed UID/GID and ensure ownership/permissions of /usr/bin/oauth-apiserver and oauth-apiserver-tests-ext.gz are adjusted so the non-root user can execute them), then leave ENTRYPOINT as-is; reference the Dockerfile final stage and ENTRYPOINT when making the changes.Sources: Coding guidelines, Linters/SAST tools
7-13:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAdd a container healthcheck in the runtime stage.
The final image has no
HEALTHCHECK, which violates the container security guideline and weakens failure detection.Suggested patch
FROM registry.ci.openshift.org/ocp/5.0:base-rhel9 COPY --from=builder /go/src/github.com/openshift/oauth-apiserver/oauth-apiserver /usr/bin/ COPY --from=builder /go/src/github.com/openshift/oauth-apiserver/oauth-apiserver-tests-ext.gz /usr/bin/ +HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \ + CMD ["/usr/bin/oauth-apiserver", "--help"] || exit 1 ENTRYPOINT ["/usr/bin/oauth-apiserver"]As per coding guidelines, "HEALTHCHECK defined" is required for Dockerfiles.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/Dockerfile.rhel7` around lines 7 - 13, The final stage (the runtime image with ENTRYPOINT ["/usr/bin/oauth-apiserver"]) lacks a HEALTHCHECK; add a HEALTHCHECK instruction in that stage immediately after ENTRYPOINT that probes the server (e.g., use curl or wget against the oauth-apiserver health endpoint on localhost:8443 or the server's configured health path) with sensible flags (for example --interval, --timeout, --start-period and --retries) and a command that exits non‑zero on failure so container runtimes can detect unhealthy instances; ensure the probe command uses an absolute binary path available in the image and references the service port/path your oauth-apiserver exposes.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@images/Dockerfile.rhel7`:
- Around line 7-13: The final image currently runs as root (no USER set); update
the final Dockerfile stage to create or use a non-root UID/GID and set USER to
that non-root account before ENTRYPOINT (e.g., add a group/user with a fixed
UID/GID and ensure ownership/permissions of /usr/bin/oauth-apiserver and
oauth-apiserver-tests-ext.gz are adjusted so the non-root user can execute
them), then leave ENTRYPOINT as-is; reference the Dockerfile final stage and
ENTRYPOINT when making the changes.
- Around line 7-13: The final stage (the runtime image with ENTRYPOINT
["/usr/bin/oauth-apiserver"]) lacks a HEALTHCHECK; add a HEALTHCHECK instruction
in that stage immediately after ENTRYPOINT that probes the server (e.g., use
curl or wget against the oauth-apiserver health endpoint on localhost:8443 or
the server's configured health path) with sensible flags (for example
--interval, --timeout, --start-period and --retries) and a command that exits
non‑zero on failure so container runtimes can detect unhealthy instances; ensure
the probe command uses an absolute binary path available in the image and
references the service port/path your oauth-apiserver exposes.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 6084f7da-1c79-46c6-a410-fb888ed9124b
📒 Files selected for processing (2)
.ci-operator.yamlimages/Dockerfile.rhel7
|
@openshift-bot: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
ART wants to connect issue OCPBUGS-87619 to this PR, but found it is currently hooked up to ['OCPBUGS-87332']. Please consult with #forum-ocp-art if it is not clear what there is to do. |
Updating ose-oauth-apiserver-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.
The configuration in the following ART component metadata is driving this alignment request:
ose-oauth-apiserver.yml.
Detail:
This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.
Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.
PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.
Roles & Responsibilities:
tests OR that necessary metadata changes are reported to the ART team
in
#forum-ocp-arton Slack. If necessary, the changes required by this pull request can beintroduced with a separate PR opened by the component team. Once the repository is aligned,
this PR will be closed automatically.
verify-depsis complaining. In that case, please opena new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
any required labels to ensure the PR merges once tests are passing. In cases where ART config is
canonical, downstream builds are already being built with these changes, and merging this PR
only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
a grace period for the component team to align their CI with ART's configuration before it becomes
canonical in product builds.
ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:
Change behavior of future PRs:
set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
To do so, open a PR to set the
auto_labelattribute in the image configuration. ExampleUPSTREAM: <carry>:. An example.If you have any questions about this pull request, please reach out in the
#forum-ocp-artSlack channel.