2 changes: 1 addition & 1 deletion .ci-operator.yaml
@@ -1,4 +1,4 @@
build_root_image:
name: release
namespace: openshift
tag: rhel-9-release-golang-1.25-openshift-4.22
tag: rhel-9-release-golang-1.26-openshift-5.0
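Review bot: This single tag line moves both the Go toolchain (golang-1.25 to golang-1.26) and the release stream (openshift-4.22 to openshift-5.0), so it must stay in lockstep with the Dockerfile builder image, which this PR also moves to rhel-9-golang-1.26-openshift-5.0; if the two ever diverge, CI compiles with a different Go than the shipped image. It is worth calling out the Go minor bump in the PR description so that a behaviour change introduced by the toolchain is not mistaken for a flaky test.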
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,8 +1,8 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the base image type and registry alignment with guidelines

echo "=== Checking if base-rhel9 is UBI minimal or distroless ==="
# Inspect the runtime base image metadata
skopeo inspect docker://registry.ci.openshift.org/ocp/5.0:base-rhel9 2>/dev/null | jq -r '.Labels | to_entries[] | select(.key | contains("name") or contains("summary") or contains("description")) | "\(.key): \(.value)"'

echo ""
echo "=== Checking builder image metadata ==="
skopeo inspect docker://registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 2>/dev/null | jq -r '.Labels | to_entries[] | select(.key | contains("name") or contains("summary") or contains("description")) | "\(.key): \(.value)"'

echo ""
echo "=== Note: Coding guidelines specify catalog.redhat.com as source ==="
echo "Current images use: registry.ci.openshift.org"

Repository: openshift/oauth-proxy

Length of output: 282


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Tool availability ==="
command -v skopeo || echo "skopeo not found"
command -v jq || echo "jq not found"

echo
echo "=== Inspect runtime image (base-rhel9) ==="
set +e
skopeo inspect docker://registry.ci.openshift.org/ocp/5.0:base-rhel9
rc=$?
set -e
echo "exit_code=$rc"

echo
echo "=== Inspect builder image ==="
set +e
skopeo inspect docker://registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0
rc=$?
set -e
echo "exit_code=$rc"

echo
echo "=== Fallback: try to fetch manifest (network check) ==="
# Try to detect whether sandbox has outbound network; do not parse heavily.
set +e
curl -I --max-time 10 https://catalog.redhat.com/ 1>/dev/null 2>/dev/null
echo "curl_catalog_redhat_rc=$?"
curl -I --max-time 10 https://registry.ci.openshift.org/ 1>/dev/null 2>/dev/null
echo "curl_registry_ci_openshift_rc=$?"
set -e

Repository: openshift/oauth-proxy

Length of output: 447


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Locate Dockerfile(s) ==="
fd -a -t f 'Dockerfile' . || true
fd -a -t f 'Containerfile' . || true

echo
echo "=== Show Dockerfile(s) content (first ~200 lines each) ==="
# Read paths line by line rather than word-splitting the fd output, so paths with spaces survive.
fd -a -t f 'Dockerfile' . | while read -r f; do
  echo "----- $f -----"
  sed -n '1,200p' "$f"
done

Repository: openshift/oauth-proxy

Length of output: 1375


🌐 Web query:

What is the purpose/content of the OpenShift CI image tag registry.ci.openshift.org/ocp/5.0:base-rhel9 (is it UBI minimal, minimal, distroless, or something else)?

💡 Result:

The image tag registry.ci.openshift.org/ocp/5.0:base-rhel9 (often referred to as base-rhel9) serves as a foundational Red Hat Enterprise Linux 9-based image used for building and running various OpenShift components within the OpenShift CI environment [1][2]. It is not a "distroless" image, nor is it strictly defined as "minimal" or "UBI minimal" by that specific naming convention. Instead, it is an OpenShift-specific base image—commonly known as openshift-enterprise-base-rhel9—maintained by the OpenShift Automated Release Team (ART) [3]. It is designed to be the consistent, enterprise-grade RHEL 9 base layer that downstream OpenShift component images use as their parent (via FROM instructions in Dockerfiles) to ensure consistency across the product [1][3][2].

Key points regarding its purpose and content:

  • Base Layer: It provides the required RHEL 9 user-space environment, shared libraries, and core configuration that OpenShift binaries require to run, replacing the older RHEL 8-based base images [1][3].
  • Component Building: It is used as the starting point for creating various OpenShift service images (e.g., the installer image) [2].
  • Standardized Maintenance: The image is managed to remain consistent with downstream product builds, ensuring that the CI testing environment reflects the production environment customers will receive [3].

In the context of the OpenShift CI ecosystem, it is effectively the RHEL 9 iteration of the standard OpenShift base image [1]. While it shares common traits with minimal RHEL/UBI images, its specific identity in the ocp namespace is as the authorized, synchronized base for OpenShift product components [1][3].

Citations:


🌐 Web query:

What is the purpose/content of the OpenShift CI builder image tag registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0?

💡 Result:

The image tag registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 is a specialized container image used as a build environment within the OpenShift CI (Continuous Integration) infrastructure [1][2]. Its primary purpose is to provide a standardized, controlled toolchain for building OpenShift Container Platform (OCP) components [1]. By referencing this image in the FROM directive of a Dockerfile (or as a build_root_image in ci-operator configuration), developers ensure that their software is compiled using a specific, tested version of the Go programming language (in this case, Go 1.26) on a RHEL 9 base, consistent with the requirements of OpenShift version 5.0 [1][2].

The components of the tag indicate its specific configuration [1]:

  • rhel-9: Indicates the underlying Red Hat Enterprise Linux 9 operating system used in the image [1].
  • golang-1.26: Specifies that the image includes Go version 1.26 [1].
  • openshift-5.0: Identifies that this builder image is aligned with the OpenShift 5.0 release stream [1].

These images are managed by the OpenShift Architecture and Release Team (ART) [1]. When the required Go version or base OS for OpenShift changes, ART updates the central build configuration, and automation propagates these changes across the various component repositories by updating their build manifests [1]. Users are generally expected to use these officially provided builder images rather than custom ones to ensure compatibility with the OCP build environment and release processes [1][3].

Citations:


Base image registry/type don’t meet container security guidelines

  • Dockerfile pulls both build and runtime images from registry.ci.openshift.org (ocp/builder... and ocp/5.0:base-rhel9), not from catalog.redhat.com as required by the guidelines.
  • base-rhel9 is an OpenShift enterprise RHEL9 base layer (“openshift-enterprise-base-rhel9”), not a UBI minimal or distroless image, so the runtime stage doesn’t satisfy the “UBI minimal or distroless” requirement.
🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 1, The Dockerfile currently pulls images from
registry.ci.openshift.org (the FROM line with the builder stage and the runtime
base-rhel9 image), which violates container security guidelines; update the FROM
lines so the build-stage uses an approved Red Hat builder image from
catalog.redhat.com (replace the current
ocp/builder:rhel-9-golang-1.26-openshift-5.0 reference) and ensure the runtime
stage no longer uses base-rhel9/openshift-enterprise-base-rhel9 but instead uses
a UBI minimal or distroless runtime image from catalog.redhat.com (for example a
UBI minimal/distroless tag), keeping the existing builder stage name (builder)
and runtime stage names intact while switching the image registry/type to
catalog.redhat.com and a UBI-minimal or distroless image.

Source: Coding guidelines

WORKDIR /go/src/github.com/openshift/oauth-proxy
COPY . .


🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Avoid copying entire context; specify needed files.

The guideline requires "COPY specific files, not entire context." Consider copying only the files needed for the build (e.g., go.mod, go.sum, source directories).

📋 Suggested refinement
-COPY . .
+COPY go.mod go.sum ./
+COPY cmd/ ./cmd/
+COPY pkg/ ./pkg/
+# Add other specific source directories as needed
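Review bot: As written, the suggested replacement would break the `RUN go build .` that follows: `go build .` compiles the package in WORKDIR, i.e. the module root, and the `COPY --from=builder .../oauth-proxy/oauth-proxy` later in this Dockerfile shows the main package produces its binary there, yet the suggestion copies only go.mod, go.sum, cmd/ and pkg/, so the root-level *.go files never reach the builder and the build has nothing to compile. Add the root sources to the list (for example `COPY *.go ./`) and confirm the real directory layout before committing to cmd/ and pkg/, as the trailing comment line itself concedes the list is incomplete.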

As per coding guidelines: "COPY specific files, not entire context" from container security guidelines for **/{Dockerfile,Containerfile}*.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, The Dockerfile currently uses a broad COPY . . which
pulls the entire build context; replace that with explicit COPY instructions for
only the required files and directories (for example COPY go.mod go.sum ./ and
COPY <source-dir>/ ./<dest-dir>/ or COPY cmd/ pkg/ internal/ as appropriate) so
you avoid including secrets or unnecessary files in the image; update the
Dockerfile’s COPY statements to list the specific files/directories instead of
using COPY . ..

Source: Coding guidelines

RUN go build .

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
COPY --from=builder /go/src/github.com/openshift/oauth-proxy/oauth-proxy /usr/bin/oauth-proxy
ENTRYPOINT ["/usr/bin/oauth-proxy"]
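Review bot: The runtime stage (from the new `FROM registry.ci.openshift.org/ocp/5.0:base-rhel9` through `ENTRYPOINT`) still carries no USER instruction, so oauth-proxy starts as root in the final image; this is exactly the DS-0002 finding Trivy reports above, and the tag bump leaves it unchanged. Add a non-root user before the ENTRYPOINT line, for example `USER 1001`, since swapping the base tag buys none of that hardening for a network-facing proxy. The other lines of the hunk (WORKDIR, `COPY . .`, `RUN go build .`, the binary copy) are unchanged context, so the whole-context COPY comment above stays open as well.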
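To make the review points above checkable rather than a matter of reading (registry source, UBI minimal or distroless runtime base, `COPY . .`, and the Trivy DS-0002 non-root USER finding), here is an added shell lint. It is example code written for this page, not part of this PR, the oauth-proxy project, or the review bot's output. It runs over a constructed copy of the Dockerfile from this diff and over a constructed hardened counterpart, and it also checks that the `.ci-operator.yaml` build_root_image tag and the Dockerfile builder image name the same Go and OpenShift versions, the two lines this PR bumps together. Assumptions: catalog.redhat.com images are pulled from registry.access.redhat.com or registry.redhat.io (the ALLOWED_REGISTRIES list), "UBI minimal or distroless" is recognised by image name, the hardened Dockerfile's `TAG` and its COPY list are placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from this PR, the oauth-proxy project, or the review bot):
# lint a Dockerfile for the points raised in this review and check that the
# ci-operator build_root_image tag matches the Dockerfile builder image.
set -eu

# Assumption: registries that serve Red Hat catalog images; adjust to the guideline.
ALLOWED_REGISTRIES="registry.access.redhat.com registry.redhat.io"

# Constructed sample: the Dockerfile as it stands after this PR.
SAMPLE_DOCKERFILE='FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
WORKDIR /go/src/github.com/openshift/oauth-proxy
COPY . .
RUN go build .

FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
COPY --from=builder /go/src/github.com/openshift/oauth-proxy/oauth-proxy /usr/bin/oauth-proxy
ENTRYPOINT ["/usr/bin/oauth-proxy"]'

# Constructed hardened counterpart. TAG stands for a pinned tag and the COPY
# list is illustrative: list the repository's real root sources and directories.
HARDENED_DOCKERFILE='FROM registry.access.redhat.com/ubi9/go-toolset:TAG AS builder
WORKDIR /go/src/github.com/openshift/oauth-proxy
COPY go.mod go.sum ./
COPY *.go ./
COPY pkg/ ./pkg/
RUN go build .

FROM registry.access.redhat.com/ubi9/ubi-minimal:TAG
COPY --from=builder /go/src/github.com/openshift/oauth-proxy/oauth-proxy /usr/bin/oauth-proxy
USER 1001
ENTRYPOINT ["/usr/bin/oauth-proxy"]'

# Constructed samples: the build_root_image tag before and after this PR.
OLD_CI_OPERATOR='build_root_image:
  tag: rhel-9-release-golang-1.25-openshift-4.22'
NEW_CI_OPERATOR='build_root_image:
  tag: rhel-9-release-golang-1.26-openshift-5.0'

# lint_dockerfile TEXT: print one "finding:" line per violation.
lint_dockerfile() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_REGISTRIES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # first operand that is not a --flag (skips --from=, --platform=, --chown=)
    function operand(    i) { for (i = 2; i <= NF; i++) if ($i !~ /^--/) return $i; return "" }
    function report(msg) { print "finding: " msg }
    toupper($1) == "FROM" {
        image = operand(); runtime_base = image; has_user = 0
        reg = image; sub(/\/.*/, "", reg)
        # a first path component without "." or ":" is a docker.io repository, not a registry
        if (reg !~ /[.:]/ && reg != "localhost") reg = "docker.io"
        if (!(reg in ok)) report("line " NR ": " image " is not pulled from an approved registry")
        next
    }
    toupper($1) == "COPY" || toupper($1) == "ADD" {
        if (operand() == "." || operand() == "./") report("line " NR ": " $1 " copies the entire build context")
        next
    }
    toupper($1) == "USER" {
        if ($2 != "root" && $2 != "0" && $2 !~ /^(root|0):/) has_user = 1
        next
    }
    END {
        # the last FROM seen is the runtime stage
        if (runtime_base !~ /ubi[0-9]*-(minimal|micro)|distroless/)
            report("runtime base " runtime_base " is not a UBI minimal/micro or distroless image")
        if (!has_user) report("runtime stage sets no non-root USER (Trivy DS-0002)")
    }'
}

# count_findings TEXT: number of findings, as an integer on stdout.
count_findings() {
    lint_dockerfile "$1" | grep -c '^finding:' || true
}

# toolchain_key REF: the "golang-X.Y openshift-A.B" part of a tag or image reference.
toolchain_key() {
    printf '%s\n' "$1" | grep -oE 'golang-[0-9]+\.[0-9]+|openshift-[0-9]+\.[0-9]+' | tr '\n' ' '
}

# toolchains_match CI_OPERATOR_TEXT DOCKERFILE_TEXT: succeed when the build_root_image
# tag and the first FROM (the builder stage) name the same Go and OpenShift versions.
toolchains_match() {
    ci_tag=$(printf '%s\n' "$1" | awk '$1 == "tag:" { print $2; exit }')
    builder=$(printf '%s\n' "$2" | awk 'toupper($1) == "FROM" { print $2; exit }')
    [ -n "$ci_tag" ] && [ "$(toolchain_key "$ci_tag")" = "$(toolchain_key "$builder")" ]
}

echo "== Dockerfile from this PR =="; lint_dockerfile "$SAMPLE_DOCKERFILE"
echo "== hardened counterpart =="; lint_dockerfile "$HARDENED_DOCKERFILE"
if toolchains_match "$NEW_CI_OPERATOR" "$SAMPLE_DOCKERFILE"; then
    echo "build_root_image tag and builder FROM agree on Go and OpenShift versions"
fi
```

Run against the PR's Dockerfile the lint reports five findings (two FROM lines from an unapproved registry, the whole-context COPY, a runtime base that is neither UBI minimal nor distroless, and no non-root USER); the hardened counterpart reports none. The registry check normalises bare repository names to docker.io, which is the case a name-prefix comparison otherwise misses.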