OCPBUGS-87336: Updating ose-route-controller-manager-container image to be consistent with ART for 5.0 #98

Open
aswinsuryan wants to merge 2 commits into openshift:main from aswinsuryan:OCPBUGS-87336-go-1.26

aswinsuryan commented Jun 24, 2026

Description:

Updates for OpenShift 5.0 ART alignment:

Update base image: registry.ci.openshift.org/ocp/4.22:base-rhel9 → registry.ci.openshift.org/ocp/5.0:base-rhel9
Update builder image: rhel-9-golang-1.25-openshift-4.22 → rhel-9-golang-1.26-openshift-5.0
Align go.mod: 1.25.0 → 1.26.3

Updates: #95

Summary by CodeRabbit

  • Chores
    • Updated build environment and runtime infrastructure to newer platform versions, improving compatibility with current system standards and enabling access to latest runtime improvements.

openshift-ci-robot added the following labels Jun 24, 2026:
  • jira/severity-moderate: Referenced Jira bug's severity is moderate for the branch this PR is targeting.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • jira/valid-bug: Indicates that a referenced Jira bug is valid for the branch this PR is targeting.

openshift-ci-robot (Contributor)

@aswinsuryan: This pull request references Jira Issue OCPBUGS-87336, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Description:

Updates for OpenShift 5.0 ART alignment:

Update base image: registry.ci.openshift.org/ocp/4.22:base-rhel9 → registry.ci.openshift.org/ocp/5.0:base-rhel9
Update builder image: rhel-9-golang-1.25-openshift-4.22 → rhel-9-golang-1.26-openshift-5.0
Align go.mod: 1.25.0 → 1.26.0

Updates: #95

openshift-ci Bot requested a review from melvinjoseph86 June 24, 2026 03:25

coderabbitai Bot commented Jun 24, 2026

Walkthrough

Updates the Go toolchain directive in go.mod from 1.25.0 to 1.26.3, bumps both Dockerfile build stages from OpenShift 4.22/Go 1.25 to OpenShift 5.0/Go 1.26 images, and updates the CI operator release build tag to the corresponding OpenShift 5.0/Go 1.26 value.

Changes

Go 1.26 / OpenShift 5.0 upgrade

Layer / File(s): Go toolchain and base image upgrade (go.mod, Dockerfile, .ci-operator.yaml)
Summary: go.mod bumps the go directive to 1.26.3; Dockerfile updates the builder stage to rhel-9-golang-1.26-openshift-5.0 and the final stage to ocp/5.0:base-rhel9; .ci-operator.yaml updates the release build tag to rhel-9-release-golang-1.26-openshift-5.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main objective of the pull request: updating the ose-route-controller-manager-container image for OpenShift 5.0 alignment, which matches the changes in the Dockerfile, .ci-operator.yaml, and go.mod files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR modifies build configuration and Go module files only. The codebase uses standard Go testing (func Test*), not Ginkgo framework. Ginkgo test name stability check is not applicable.
Test Structure And Quality ✅ Passed The custom check targets Ginkgo test code review. This PR adds standard Go unit tests using testing.T (not Ginkgo), so the check is not applicable.
Microshift Test Compatibility ✅ Passed This PR updates build configuration files (.ci-operator.yaml, Dockerfile, go.mod) to align with OpenShift 5.0. No Ginkgo e2e tests are added or modified in this PR, so the MicroShift compatibility...
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR does not add any new Ginkgo e2e tests. It only modifies build configuration files (.ci-operator.yaml, Dockerfile, go.mod) for OpenShift 5.0 alignment, so the SNO test compatibility check do...
Topology-Aware Scheduling Compatibility ✅ Passed This PR only updates build configuration files (.ci-operator.yaml, Dockerfile, go.mod) for OpenShift 5.0 alignment. No deployment manifests, operator code, or scheduling constraints are added or mo...
Ote Binary Stdout Contract ✅ Passed PR only updates build configuration (.ci-operator.yaml, Dockerfile) and go.mod version; no source code changes that could violate OTE stdout contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests added; PR only updates build configuration, Dockerfile base images, and Go version for OpenShift 5.0 alignment.
No-Weak-Crypto ✅ Passed No weak crypto implementations (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto, or insecure comparisons found. PR only updates build configuration and base image tags.
Container-Privileges ✅ Passed No privileged container settings found. PR only updates base images and Go version; contains no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation configurations.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data exposure in logs detected. The PR only updates base images and Go version; existing logging statements use klog appropriately without exposing passwords, tokens, PII, or other sen...
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

6-11: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set a non-root runtime user in the final stage.

Line 6 onward defines the runtime image, but no USER is set, so the container runs as root by default.

Suggested fix
 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/route-controller-manager/route-controller-manager /usr/bin/
+USER 1001
 LABEL io.k8s.display-name="OpenShift Route Controller Manager Command" \
       io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \
       io.openshift.tags="openshift,route-controller-manager"
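
Review bot: `USER 1001` sits between the COPY and LABEL lines here, but the agent prompt attached to the same finding asks for the directive after the LABEL statements and offers 1000 as the example UID, so the suggestion and its own instructions disagree on both placement and value. Placement relative to LABEL does not change the runtime user; settle on one UID, and confirm before merging that the binary copied to /usr/bin/ is executable by that UID and that the 5.0 base image does not already set a USER.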

As per path instructions, "USER non-root; never run as root" is required for Dockerfile paths.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 6 - 11, The final runtime stage in the Dockerfile
(starting with the FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
instruction) lacks a USER directive, causing the container to run as root. Add a
USER directive after the LABEL statements to specify a non-root user for runtime
execution. Use a numeric user ID (such as 1000) or a non-privileged user account
defined in the base image to comply with security requirements.

Sources: Path instructions, Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 15a8bce2-3b6b-46f6-b515-5049a6c3b13a

📥 Commits

Reviewing files that changed from the base of the PR and between e454c01 and d825fa2.

📒 Files selected for processing (3)
  • .ci-operator.yaml
  • Dockerfile
  • go.mod

Comment thread Dockerfile
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
WORKDIR /go/src/github.com/openshift/route-controller-manager
COPY . .
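
Review bot: the new builder tag on the FROM line names only the Go minor version (golang-1.26), while the description sets the go.mod directive to 1.26.3. If the image ships an older 1.26 patch release, the go command will try to fetch a newer toolchain or, with GOTOOLCHAIN=local, refuse to build; confirm the builder's Go patch level is at least 1.26.3, or set the directive to the lowest version the code actually needs.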

coderabbitai Bot Jun 24, 2026

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Avoid COPY . . in the builder stage.

Line 3 copies the full context, which can unintentionally include sensitive or irrelevant files and expands attack surface. Copy only required files/directories.

Suggested fix
 WORKDIR /go/src/github.com/openshift/route-controller-manager
-COPY . .
+COPY go.mod go.sum ./
+COPY cmd/ ./cmd/
+COPY pkg/ ./pkg/
+COPY Makefile ./
 RUN make build --warn-undefined-variables
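
Review bot: the four COPY sources added here (go.mod and go.sum, cmd/, pkg/, Makefile) are not checked against what `make build` actually reads, and nothing on this page shows the repository layout. If the Makefile includes fragments from elsewhere in the tree, or the module builds from a vendor/ directory, the narrowed context will break the build; list every path the build needs, or keep `COPY . .` and exclude unwanted files with a .dockerignore.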

As per path instructions, Dockerfiles should "COPY specific files, not entire context."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
COPY . .
WORKDIR /go/src/github.com/openshift/route-controller-manager
COPY go.mod go.sum ./
COPY cmd/ ./cmd/
COPY pkg/ ./pkg/
COPY Makefile ./
RUN make build --warn-undefined-variables
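
Review bot: this committable form replaces only the highlighted `COPY . .` line, yet its replacement text also carries the WORKDIR line and `RUN make build --warn-undefined-variables`, which the diff form of the same suggestion shows as unchanged context. Committing it as written would leave two WORKDIR and two RUN make build instructions in the builder stage; trim the suggestion to the four COPY lines.
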
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, Replace the COPY . . command in the builder stage with
specific COPY statements that only copy the files and directories required for
the build. Instead of copying the entire context, identify which files are
necessary (such as package.json, source code directories, configuration files,
etc.) and use individual COPY commands for each required item. This reduces the
image size, improves build security by excluding unnecessary files, and
minimizes the attack surface.

Source: Path instructions

Contributor

@CodeRabbit this is outside the scope of this PR. We can address in a followup.

@candita, understood — that's a reasonable call for a targeted version-bump PR. Would you like me to open a GitHub issue to track the COPY . . improvement as a follow-up task?
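
Both Dockerfile findings raised in the review above (a whole-context `COPY . .` and a final stage with no `USER`) can be checked statically. The following is an added example, not part of this PR or of CodeRabbit's tooling: the sample Dockerfile is reassembled from lines quoted in this thread, `instructions` and `lint` are hypothetical helper names, and it assumes shell-form COPY/ADD and a base image that sets no USER of its own.

```python
import shlex

# Constructed sample: the Dockerfile reassembled from lines quoted in this thread.
DOCKERFILE = """\
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
WORKDIR /go/src/github.com/openshift/route-controller-manager
COPY . .
RUN make build --warn-undefined-variables

FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
COPY --from=builder /go/src/github.com/openshift/route-controller-manager/route-controller-manager /usr/bin/
LABEL io.k8s.display-name="OpenShift Route Controller Manager Command" \\
      io.openshift.tags="openshift,route-controller-manager"
"""

def instructions(text):
    """Yield (line_no, KEYWORD, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        keyword, _, args = (buf + line).partition(" ")
        yield start, keyword.upper(), args.strip()
        buf, start = "", 0

def lint(text):
    """Flag whole-context COPY/ADD and a final stage with no non-root USER."""
    findings, user, from_line = [], None, 0
    for no, kw, args in instructions(text):
        if kw == "FROM":
            # Assumption: the base image sets no USER; a static check cannot see it.
            user, from_line = None, no
        elif kw == "USER":
            user = args.split(":")[0]
        elif kw in ("COPY", "ADD") and "--from=" not in args:
            # Shell form only; --from copies come from another stage, not the context.
            paths = [w for w in shlex.split(args) if not w.startswith("--")]
            if any(src in (".", "./") for src in paths[:-1]):
                findings.append((no, "copies the entire build context"))
    if user in (None, "0", "root"):
        findings.append((from_line, "final stage runs as root"))
    return findings

if __name__ == "__main__":
    print(*(f"Dockerfile:{n}: {m}" for n, m in lint(DOCKERFILE)), sep="\n")
```

The reported line numbers (3 and 6) match the lines the review comments cite; a base image that already sets a non-root USER would make the second finding a false positive, which is why that assumption has to be verified against the image itself.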

openshift-ci Bot (Contributor) commented Jun 24, 2026

@aswinsuryan: all tests passed!

candita (Contributor) commented Jun 24, 2026

Align go.mod: 1.25.0 → 1.26.0

I did not see where CodeRabbit asked for the go.mod update in #95, and I am wondering if 1.26.3 is too new and it should be 1.26.0. However, as we discussed today, the builder will use the Go version it selects.

candita (Contributor) commented Jun 24, 2026

/lgtm
/approve

openshift-ci Bot added the lgtm label (Indicates that a PR is ready to be merged.) Jun 24, 2026

openshift-ci Bot (Contributor) commented Jun 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aswinsuryan, candita

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Jun 24, 2026

aswinsuryan (Author)

Align go.mod: 1.25.0 → 1.26.0

I did not see where CodeRabbit asked for the go.mod update in #95, and I am wondering if 1.26.3 is too new and it should be 1.26.0. However, as we discussed today, the builder will use the Go version it selects.

Ya, that is right; CodeRabbit complained about it in openshift/coredns#187 (review). I saw the same pattern here and hence updated go.mod.
