3 changes: 2 additions & 1 deletion Dockerfile.bats
@@ -1,4 +1,5 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
USER 0
WORKDIR /go/src/github.com/openshift/secrets-store-csi-driver
COPY . .
ENV BATS_VERSION="1.12.0"
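Review bot: The added `USER 0` directly after the builder `FROM` carries no comment explaining why the stage switches to root. The migration doc in this PR states it is required by `go-toolset`; put that reason in a one-line comment above `USER 0` so a later cleanup does not drop it, and confirm that no stage derived from `builder` ends up as the shipped image while still running as UID 0.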
5 changes: 3 additions & 2 deletions Dockerfile.e2eprovider
@@ -1,9 +1,10 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
USER 0
WORKDIR /go/src/github.com/openshift/secrets-store-csi-driver
COPY . .
RUN make build-e2e-provider

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1
COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver/test/e2eprovider/e2e-provider /e2e-provider

LABEL description="Mock provider for Secrets Store CSI Driver"
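Review bot: Both new `FROM` lines reference the `10.1` tag, which a registry can re-point to a rebuilt image, so two builds of the same commit are not guaranteed to start from the same base layers. Consider pinning the builder and runtime images by digest, for example `FROM registry.redhat.io/ubi10/go-toolset:10.1@sha256:<digest>`, and bumping the digest in follow-up commits so that base-image changes arrive as reviewable diffs.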
5 changes: 3 additions & 2 deletions Dockerfile.openshift
@@ -1,11 +1,12 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
USER 0
WORKDIR /go/src/github.com/openshift/secrets-store-csi-driver
COPY . .
RUN make build
# Print build settings information embedded in the binary.
RUN go version -m _output/secrets-store-csi

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify current registry domain usage in Dockerfiles touched by this migration.
rg -n 'FROM\s+registry\.(access|redhat)\.redhat\.com/ubi10/(go-toolset|ubi-minimal):10\.1' \
  Dockerfile.openshift Dockerfile.e2eprovider Dockerfile.bats

# Verify documented expectation in migration notes.
rg -n 'registry\.redhat\.io/ubi10' docs/rhcos10-ubi10-migration.md

Repository: openshift/secrets-store-csi-driver

Length of output: 1035


🏁 Script executed:

# Search for all registry.access.redhat.com references in Dockerfiles
rg -n 'registry\.access\.redhat\.com' --glob='Dockerfile*'

# Check broader migration context in docs
rg -n 'registry\.access\.redhat\.com|registry\.redhat\.io' docs/rhcos10-ubi10-migration.md -A 2 -B 2

Repository: openshift/secrets-store-csi-driver

Length of output: 1653


Standardize runtime registry domain in both Dockerfiles — extend fix to Dockerfile.e2eprovider.

Both Dockerfile.openshift (line 9) and Dockerfile.e2eprovider (line 7) use registry.access.redhat.com. Per the migration docs, both should target registry.redhat.io/ubi10/ubi-minimal:10.1 to maintain consistent registry domains across the codebase.

🔧 Proposed fixes
-FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1
+FROM registry.redhat.io/ubi10/ubi-minimal:10.1

Apply to both Dockerfile.openshift (line 9) and Dockerfile.e2eprovider (line 7).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1
FROM registry.redhat.io/ubi10/ubi-minimal:10.1
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.openshift` at line 9, Update the FROM directive image registry
domain from registry.access.redhat.com to registry.redhat.io for consistency:
change the FROM line that currently references
"registry.access.redhat.com/ubi10/ubi-minimal:10.1" to
"registry.redhat.io/ubi10/ubi-minimal:10.1" in both Dockerfile.openshift and
Dockerfile.e2eprovider (look for the FROM instruction with the
"ubi10/ubi-minimal:10.1" image string).

COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver/_output/secrets-store-csi /bin/secrets-store-csi

LABEL description="Secrets Store CSI Driver"
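Review bot: The runtime stage now starts from `ubi10/ubi-minimal:10.1`, but the hunk adds no package-install step between that `FROM` and the `COPY --from=builder` line. docs/rhcos10-ubi10-migration.md in this same PR says the runtime stage gains `RUN dnf install -y util-linux ca-certificates && dnf clean all`; either add the install (ubi-minimal ships `microdnf` rather than `dnf`) or confirm that the minimal image already provides `util-linux` and `ca-certificates`, and update the doc to match.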
90 changes: 90 additions & 0 deletions docs/rhcos10-ubi10-migration.md
@@ -0,0 +1,90 @@
# PR2: RHCOS10 — Migrate Base Images from OCP/UBI9 to UBI10

## Purpose

Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to
`registry.redhat.io` UBI10 images, aligning with the RHCOS10 host OS.

This is the follow-up to PR1 (`rhcos10-ubi9-compat-test`), which validated that the
existing OCP/UBI9 images run correctly on RHCOS10 nodes. This PR adopts UBI10 as the
native base for RHCOS10 deployments.

## Background

Red Hat CoreOS 10 (RHCOS10) ships with RHEL10 as its host OS. Using UBI10-based images
ensures better alignment with the host OS libraries and security updates, and removes the
dependency on the OCP CI internal registry (`registry.ci.openshift.org`) for runtime
images.

## Changes

### Registry change

All OpenShift variant images move from the OCP CI registry to the authenticated Red Hat
registry:

```
registry.ci.openshift.org/ocp/builder:rhel-9-golang-* → registry.redhat.io/ubi10/go-toolset:10.1
registry.ci.openshift.org/ocp/4.20:base-rhel9 → registry.redhat.io/ubi10:10.1
```

### Dockerfile changes

#### `Dockerfile.openshift` — main driver image

| Stage | Before | After |
|---|---|---|
| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` |
| Runtime | `registry.ci.openshift.org/ocp/4.20:base-rhel9` | `registry.redhat.io/ubi10:10.1` |

Additional change: added `USER 0` after the builder `FROM` line (required by
`go-toolset`) and `RUN dnf install -y util-linux ca-certificates && dnf clean all` in
the runtime stage.

#### `Dockerfile.e2eprovider` — e2e mock provider

| Stage | Before | After |
|---|---|---|
| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` |
| Runtime | `registry.ci.openshift.org/ocp/4.20:base-rhel9` | `registry.redhat.io/ubi10:10.1` |

#### `Dockerfile.bats` — bats test runner

| Stage | Before | After |
|---|---|---|
| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` |
| Runtime | `src` (prow-injected) | unchanged |
Comment on lines +35 to +56

⚠️ Potential issue | 🟡 Minor

Documentation version numbers appear stale.

The "Before" column references 4.20 and golang-1.24, but the AI summary indicates the actual previous images were 4.22 and golang-1.25. Ensure the documentation accurately reflects the versions being replaced to avoid confusion during reviews.

📝 Suggested fix
-| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` |
-| Runtime | `registry.ci.openshift.org/ocp/4.20:base-rhel9` | `registry.redhat.io/ubi10:10.1` |
+| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22` | `registry.redhat.io/ubi10/go-toolset:10.1` |
+| Runtime | `registry.ci.openshift.org/ocp/4.22:base-rhel9` | `registry.redhat.io/ubi10:10.1` |

Apply similar updates to the other Dockerfile tables.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/rhcos10-ubi10-migration.md` around lines 35 - 56, Update the documented
"Before" image tags to match the actual previous images (replace occurrences of
`4.20` with `4.22` and `golang-1.24` with `golang-1.25`) so the tables for
Dockerfile.e2eprovider, Dockerfile.bats and the primary Dockerfile reflect the
true originals; ensure the same replacements are applied to all three tables and
any inline mentions (e.g., the builder strings like
`registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20`) so
they read
`registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22` where
appropriate.


## Files NOT Changed

| File | Reason |
|---|---|
| `docker/Dockerfile` | Upstream community Dockerfile using `golang` + `debian-base` — not OCP-specific |
| `docker/crd.Dockerfile` | Uses `alpine` + `gcr.io/distroless/static` — not OCP-specific |
| `test/e2eprovider/Dockerfile` | Upstream community Dockerfile using `golang` + `gcr.io/distroless/static` |
| `.local/Dockerfile` | Local development debug image using `golang:alpine` — not for production |
| `vendor/` | Vendored dependency, not modified |

## Test Matrix

| Cluster OS | Driver image base | Expected result |
|---|---|---|
| RHCOS10 | UBI10 (this PR) | Pass — native RHEL10 base |
| RHCOS9 | UBI10 (this PR) | Pass — UBI10 containers are compatible with RHCOS9 |

## Test Plan

- [ ] `Dockerfile.openshift` builds successfully with `go-toolset:10.1` as builder and
`ubi10:10.1` as runtime
- [ ] `Dockerfile.e2eprovider` builds successfully with `go-toolset:10.1` as builder and
`ubi10:10.1` as runtime
- [ ] `Dockerfile.bats` builds successfully with `go-toolset:10.1` as builder
- [ ] CI jobs pass on RHCOS10 cluster nodes with UBI10 base images
- [ ] CI jobs pass on RHCOS9 cluster nodes with UBI10 base images (regression check)
- [ ] No regressions compared to UBI9 baseline (PR1)

## References

- [Red Hat UBI10 Container Catalog](https://catalog.redhat.com/en/software/containers/ubi10/ubi/66f2b46b122803e4937d11ae)
- [Red Hat UBI10 go-toolset Container Catalog](https://catalog.redhat.com/en/software/containers/ubi10/go-toolset)
- PR1 baseline: `docs/rhcos10-ubi9-compat-test.md`
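
Review bot: The Runtime rows, the "Registry change" block and the Test Plan all name `registry.redhat.io/ubi10:10.1` (or `ubi10:10.1`), while the Dockerfile hunks in this PR use `registry.access.redhat.com/ubi10/ubi-minimal:10.1` for the runtime stage. Make the doc and the Dockerfiles agree on one image and one registry; as written, the Purpose section's statement that all base images move to `registry.redhat.io` does not hold for the runtime stages.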