OCPBUGS-87525: Updating ose-aws-cluster-api-controllers-container image to be consistent with ART for 5.0

[openshift-bot]

Updating ose-aws-cluster-api-controllers-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-aws-cluster-api-controllers.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/216

[coderabbitai]

Walkthrough

CI operator and OpenShift Dockerfile base images are updated from Go 1.25 / OpenShift 4.22 to Go 1.26 / OpenShift 5.0. Build root image tag in CI operator config and builder/runtime base image tags in Dockerfile are synchronized to the newer versions.

Changes

Build Infrastructure Version Upgrade

Layer / File(s)	Summary
Build image version updates .ci-operator.yaml, openshift/Dockerfile.openshift	CI operator build_root_image tag is updated from rhel-9-release-golang-1.25-openshift-4.22 to rhel-9-release-golang-1.26-openshift-5.0. Dockerfile builder stage FROM image is updated to registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0, and runtime stage base image is updated from registry.ci.openshift.org/ocp/4.22:base-rhel9 to registry.ci.openshift.org/ocp/5.0:base-rhel9.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• openshift/cluster-api-provider-aws#597: Both PRs update CI operator and OpenShift Dockerfile base image tags to newer OCP/golang versions.
• openshift/cluster-api-provider-aws#585: Both PRs synchronize .ci-operator.yaml build root image and Dockerfile builder/runtime base images to match newer OpenShift release versions.

Suggested labels

approved, lgtm, jira/valid-reference, verified

Suggested reviewers

• sunzhaohua2
• chrischdi
• damdo

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Ginkgo test names are stable and deterministic. No dynamic values, random strings, or generated identifiers found in test titles.
Test Structure And Quality	✅ Passed	PR contains only configuration (.ci-operator.yaml) and Dockerfile changes; no Ginkgo test code is modified or introduced, so the test quality check is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes are configuration-only: updating build/runtime image tags in .ci-operator.yaml and openshift/Dockerfile.openshift.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only configuration changes (.ci-operator.yaml and openshift/Dockerfile.openshift) with no new Ginkgo e2e tests added; custom check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates CI configuration and Dockerfile base images; no deployment manifests, operator code, or controllers are modified.
Ote Binary Stdout Contract	✅ Passed	PR only updates CI configuration and Dockerfile image tags; no code changes to process-level stdout behavior, init functions, or logging setup that could violate OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. Changes are configuration-only: updating CI build root image tag and Dockerfile base images for OpenShift 5.0 compatibility.
No-Weak-Crypto	✅ Passed	PR only modifies CI configuration files (.ci-operator.yaml, openshift/Dockerfile.openshift) to update base image tags; no cryptographic code, implementations, or weak crypto algorithms present.
Container-Privileges	✅ Passed	Modified files contain only image tag updates with no privileged directives, hostPID/Network/IPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation: true.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains only image tag updates in configuration files; no new logging statements or code changes. No sensitive data exposure detected in Dockerfile or CI configuration.
Title check	✅ Passed	The title accurately reflects the main change: updating container image tags for OpenShift 5.0 consistency with ART. It is specific and directly related to the actual changes in .ci-operator.yaml and openshift/Dockerfile.openshift.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign nrb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87525, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating ose-aws-cluster-api-controllers-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-aws-cluster-api-controllers.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87525, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updating ose-aws-cluster-api-controllers-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-aws-cluster-api-controllers.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
• Updated build and runtime dependencies to Go 1.26 and OpenShift 5.0 for enhanced compatibility and performance.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

openshift/Dockerfile.openshift (2)

14-17: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the final image as non-root.

Line 17 starts the manager without a USER directive, so it runs as root by default. Add a non-root UID/GID in the runtime stage before ENTRYPOINT.

As per coding guidelines, "USER non-root; never run as root".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openshift/Dockerfile.openshift` around lines 14 - 17, The runtime stage
currently invokes ENTRYPOINT [ "/manager" ] which runs as root; update the
openshift/Dockerfile.openshift runtime stage to run the manager binary as a
non-root user by creating or using a non-root UID/GID and adding a USER
directive before ENTRYPOINT (ensure the /manager binary and any required dirs
are chowned to that UID/GID so the process can read/execute them). Specifically,
locate the runtime stage that copies /manager and add steps to create the
user/group (or use an existing numeric UID/GID), chown the files, and then add
USER <uid>:<gid> immediately before ENTRYPOINT [ "/manager" ].

Source: Coding guidelines

---

10-17: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a container health check in the runtime stage.

The runtime image lacks HEALTHCHECK. Define one so orchestration can detect unhealthy containers reliably.

As per coding guidelines, "HEALTHCHECK defined".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openshift/Dockerfile.openshift` around lines 10 - 17, The runtime Dockerfile
stage is missing a HEALTHCHECK which prevents orchestrators from detecting an
unhealthy /manager process; add a HEALTHCHECK instruction in
Dockerfile.openshift after the ENTRYPOINT (or just before it) that runs a
lightweight command to verify the manager is responsive (for example curl or nc
against the manager’s HTTP probe or a pidcheck), and include sensible options
(e.g., --interval, --timeout, --retries). Ensure the HEALTHCHECK exits 0 on
success and non‑zero on failure so orchestration respects container health for
the ENTRYPOINT [ "/manager" ] process.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@openshift/Dockerfile.openshift`:
- Line 4: The Dockerfile currently uses a broad COPY . . which pulls the entire
build context including potential secrets; replace this with explicit COPY
directives for only the required build artifacts (e.g., COPY go.mod go.sum ./,
COPY cmd/ ./cmd/, COPY pkg/ ./pkg/, COPY main.go ./ or whatever top-level source
dirs your build uses) and remove any COPY that would include hidden files/.env;
update the Dockerfile's build steps to first copy go.mod/go.sum and run go mod
download, then copy source directories to leverage caching and avoid including
sensitive files.

---

Outside diff comments:
In `@openshift/Dockerfile.openshift`:
- Around line 14-17: The runtime stage currently invokes ENTRYPOINT [ "/manager"
] which runs as root; update the openshift/Dockerfile.openshift runtime stage to
run the manager binary as a non-root user by creating or using a non-root
UID/GID and adding a USER directive before ENTRYPOINT (ensure the /manager
binary and any required dirs are chowned to that UID/GID so the process can
read/execute them). Specifically, locate the runtime stage that copies /manager
and add steps to create the user/group (or use an existing numeric UID/GID),
chown the files, and then add USER <uid>:<gid> immediately before ENTRYPOINT [
"/manager" ].
- Around line 10-17: The runtime Dockerfile stage is missing a HEALTHCHECK which
prevents orchestrators from detecting an unhealthy /manager process; add a
HEALTHCHECK instruction in Dockerfile.openshift after the ENTRYPOINT (or just
before it) that runs a lightweight command to verify the manager is responsive
(for example curl or nc against the manager’s HTTP probe or a pidcheck), and
include sensible options (e.g., --interval, --timeout, --retries). Ensure the
HEALTHCHECK exits 0 on success and non‑zero on failure so orchestration respects
container health for the ENTRYPOINT [ "/manager" ] process.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e8bb0d24-f7ee-4761-beef-b2c70af549fb

📥 Commits

Reviewing files that changed from the base of the PR and between 77b3287 and b7acd75.

📒 Files selected for processing (2)

• .ci-operator.yaml
• openshift/Dockerfile.openshift

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid copying the entire build context.

Line 4 uses COPY . ., which violates the policy and can unintentionally include sensitive or unnecessary files. Copy only required files (e.g., go.mod, go.sum, source dirs, main.go) explicitly.

As per coding guidelines, "COPY specific files, not entire context" and "No secrets in ENV, ARG, or COPY".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openshift/Dockerfile.openshift` at line 4, The Dockerfile currently uses a
broad COPY . . which pulls the entire build context including potential secrets;
replace this with explicit COPY directives for only the required build artifacts
(e.g., COPY go.mod go.sum ./, COPY cmd/ ./cmd/, COPY pkg/ ./pkg/, COPY main.go
./ or whatever top-level source dirs your build uses) and remove any COPY that
would include hidden files/.env; update the Dockerfile's build steps to first
copy go.mod/go.sum and run go mod download, then copy source directories to
leverage caching and avoid including sensitive files.

Source: Coding guidelines

[openshift-ci]

@openshift-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/unit	b7acd75	link	true	/test unit
ci/prow/e2e-aws-serial-2of2	b7acd75	link	true	/test e2e-aws-serial-2of2

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

ART wants to connect issue OCPBUGS-87778 to this PR, but found it is currently hooked up to ['OCPBUGS-87525']. Please consult with #forum-ocp-art if it is not clear what there is to do.