OCPBUGS-87367: Updating ose-agent-installer-utils-container image to be consistent with ART for 5.0

[openshift-bot]

Updating ose-agent-installer-utils-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-agent-installer-utils.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/201

[coderabbitai]

Walkthrough

This PR upgrades the build infrastructure from OpenShift 4.22 with Go 1.25 to OpenShift 5.0 with Go 1.26. The CI operator configuration and Docker build files are updated consistently to use the newer base images and compiler version, with no changes to build logic or final runtime behavior.

Changes

Build Infrastructure Upgrade

Layer / File(s)	Summary
CI operator configuration .ci-operator.yaml	Build root image tag updated from rhel-9-release-golang-1.25-openshift-4.22 to rhel-9-release-golang-1.26-openshift-5.0.
Docker build images images/Dockerfile.ocp	Builder stage and runtime base image updated from OpenShift 4.22 to OpenShift 5.0 / Go 1.26. Final stage operations for package install, binary copy, and OpenShift release label remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR changes are configuration/build files (.ci-operator.yaml, Dockerfile.ocp), not test files. Repository uses Go testing.T, not Ginkgo. Check is not applicable.
Test Structure And Quality	✅ Passed	PR modifies only CI/CD config (.ci-operator.yaml) and Dockerfile (images/Dockerfile.ocp); no Ginkgo test code is present or changed, making this check not applicable.
Microshift Test Compatibility	✅ Passed	This PR only modifies CI configuration (.ci-operator.yaml) and Dockerfile.ocp for image updates; no new Ginkgo e2e tests are added, making the check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; it only updates CI configuration and Dockerfiles. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies CI configuration (.ci-operator.yaml) and container build files (Dockerfile.ocp), not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR only modifies CI configuration files (.ci-operator.yaml, images/Dockerfile.ocp). Project is a standard TUI app, not an OTE binary, so OTE Binary Stdout Contract check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only updates CI configuration and Dockerfile (no new Ginkgo e2e tests added). The check for IPv6/disconnected network compatibility of new tests is not applicable here.
No-Weak-Crypto	✅ Passed	No weak cryptography patterns (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom crypto) detected in codebase. PR only updates build configuration/Docker image tags with no cryptographic code changes.
Container-Privileges	✅ Passed	PR changes only update builder/base image tags; no privileged: true, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation settings are introduced.
No-Sensitive-Data-In-Logs	✅ Passed	The PR only modifies CI configuration and Dockerfile image tags. No logging statements contain sensitive data like passwords, tokens, API keys, PII, or credentials.
Title check	✅ Passed	The title clearly references the main change: updating the ose-agent-installer-utils-container image configuration for OpenShift 5.0 consistency with ART.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87367, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating ose-agent-installer-utils-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-agent-installer-utils.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign pawanpinjarkar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87367, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updating ose-agent-installer-utils-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-agent-installer-utils.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
• Updated Go language version from 1.25 to 1.26
• Updated OpenShift platform from version 4.22 to 5.0
• Updated build and deployment infrastructure to support the latest versions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

images/Dockerfile.ocp (1)

7-11: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden final image: run as non-root and define a HEALTHCHECK.

The runtime stage has no USER and no HEALTHCHECK, so it defaults to root execution and lacks liveness signaling.

Proposed fix

 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 RUN dnf install -y nmstate-libs && dnf clean all
 COPY --from=builder /go/src/github.com/openshift/agent-installer-utils/bin/agent-tui /usr/bin/agent-tui
+USER 1001
+HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 CMD ["/usr/bin/agent-tui", "--help"] || exit 1
 LABEL io.openshift.release.operator=true

As per coding guidelines, “USER non-root; never run as root” and “HEALTHCHECK defined”.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.ocp` around lines 7 - 11, The runtime Dockerfile omits USER
and HEALTHCHECK causing the container to run as root and lack liveness checks;
fix by creating or using a non-root UID/GID, chowning the runtime artifact
(/usr/bin/agent-tui) and adding a USER instruction (e.g., add group/user with
RUN and then USER <uid>:<gid>), and add a HEALTHCHECK instruction that probes
the process (e.g., exec curl -f http://localhost:8080/health || exit 1 or a
simple pgrep /usr/bin/agent-tui) with sensible interval/retries; update the
final image stage (the FROM ...:base-rhel9 stage that copies /usr/bin/agent-tui)
to include these changes.

Sources: Coding guidelines, Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/Dockerfile.ocp`:
- Line 3: The Dockerfile currently uses a broad COPY . . which pulls the entire
build context into the builder stage; replace that with explicit, minimal COPY
instructions that only copy required build inputs (e.g., COPY package.json
package-lock.json ./ and COPY src/ ./ or other exact files/directories needed)
and ensure a .dockerignore excludes secrets and unnecessary files; update the
builder stage in this Dockerfile to reference those specific COPY targets
instead of the global "COPY . ." and remove any secrets from ENV/ARG entries if
present.
- Line 1: Replace the builder base image reference to a supported UBI minimal or
distroless image from catalog.redhat.com (swap the FROM
registry.ci.openshift.org/... line to the appropriate catalog.redhat.com UBI Go
builder), change the broad COPY . . to copy only the needed files/artifacts
(replace COPY . . with explicit COPY statements for go.mod, go.sum, source files
and built binary used by the final stage), ensure the final stage in this
Dockerfile sets a non-root user (add USER <non-root-uid> or create a user and
switch to it in the final stage) and add a HEALTHCHECK instruction to the final
stage that verifies the app is alive (e.g., curl or tcp check) so the image
satisfies policy; locate these changes around the builder stage name "builder",
the COPY directives, and the final stage where USER and HEALTHCHECK must be
added.

---

Outside diff comments:
In `@images/Dockerfile.ocp`:
- Around line 7-11: The runtime Dockerfile omits USER and HEALTHCHECK causing
the container to run as root and lack liveness checks; fix by creating or using
a non-root UID/GID, chowning the runtime artifact (/usr/bin/agent-tui) and
adding a USER instruction (e.g., add group/user with RUN and then USER
<uid>:<gid>), and add a HEALTHCHECK instruction that probes the process (e.g.,
exec curl -f http://localhost:8080/health || exit 1 or a simple pgrep
/usr/bin/agent-tui) with sensible interval/retries; update the final image stage
(the FROM ...:base-rhel9 stage that copies /usr/bin/agent-tui) to include these
changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b5ee82e9-e9ff-49b1-bda1-5f5bba451f6c

📥 Commits

Reviewing files that changed from the base of the PR and between 546c1a9 and 3105434.

📒 Files selected for processing (2)

• .ci-operator.yaml
• images/Dockerfile.ocp

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate and show the Dockerfile content with line numbers
ls -la images || true
sed -n '1,200p' images/Dockerfile.ocp | cat -n

# Quick focused checks
echo "---- FROM lines ----"
rg -n '^FROM ' images/Dockerfile.ocp || true

echo "---- USER lines ----"
rg -n '^\s*USER\s+' images/Dockerfile.ocp || true

echo "---- HEALTHCHECK lines ----"
rg -n '^\s*HEALTHCHECK\s+' images/Dockerfile.ocp || true

echo "---- COPY . . patterns ----"
rg -n 'COPY\s+\.\s+\.' images/Dockerfile.ocp || true
rg -n 'COPY\s+\.\s+/' images/Dockerfile.ocp || true
rg -n 'COPY\s+\.\s+\.' -S images/Dockerfile.ocp || true

Repository: openshift/agent-installer-utils

Length of output: 1065

---

Fix container policy violations in images/Dockerfile.ocp (base image, COPY scope, USER, HEALTHCHECK)

• FROM registry.ci.openshift.org/... (lines 1 and 7) violates the requirement to use UBI minimal/distroless images from catalog.redhat.com.
• COPY . . (line 3) violates “COPY specific files, not entire context”.
• Final stage has no USER non-root and no HEALTHCHECK (no USER/HEALTHCHECK present in the file).

🧰 Tools

🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.ocp` at line 1, Replace the builder base image reference to
a supported UBI minimal or distroless image from catalog.redhat.com (swap the
FROM registry.ci.openshift.org/... line to the appropriate catalog.redhat.com
UBI Go builder), change the broad COPY . . to copy only the needed
files/artifacts (replace COPY . . with explicit COPY statements for go.mod,
go.sum, source files and built binary used by the final stage), ensure the final
stage in this Dockerfile sets a non-root user (add USER <non-root-uid> or create
a user and switch to it in the final stage) and add a HEALTHCHECK instruction to
the final stage that verifies the app is alive (e.g., curl or tcp check) so the
image satisfies policy; locate these changes around the builder stage name
"builder", the COPY directives, and the final stage where USER and HEALTHCHECK
must be added.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid copying full build context into the builder stage.

Line 3 uses COPY . ., which conflicts with the policy and increases accidental secret/context exposure risk.

Proposed fix

-COPY . .
+COPY go.mod go.sum ./
+COPY hack/ ./hack/
+COPY tools/ ./tools/
+COPY pkg/ ./pkg/
+COPY Makefile ./

As per coding guidelines, “COPY specific files, not entire context” and “No secrets in ENV, ARG, or COPY”.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/Dockerfile.ocp` at line 3, The Dockerfile currently uses a broad COPY
. . which pulls the entire build context into the builder stage; replace that
with explicit, minimal COPY instructions that only copy required build inputs
(e.g., COPY package.json package-lock.json ./ and COPY src/ ./ or other exact
files/directories needed) and ensure a .dockerignore excludes secrets and
unnecessary files; update the builder stage in this Dockerfile to reference
those specific COPY targets instead of the global "COPY . ." and remove any
secrets from ENV/ARG entries if present.

Source: Coding guidelines

[openshift-ci]

@openshift-bot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

ART wants to connect issue OCPBUGS-87653 to this PR, but found it is currently hooked up to ['OCPBUGS-87367']. Please consult with #forum-ocp-art if it is not clear what there is to do.