OCPBUGS-87488: Updating cluster-network-operator-container image to be consistent with ART for 5.0

[openshift-bot]

Updating cluster-network-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
cluster-network-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/216

[coderabbitai]

Walkthrough

This PR upgrades the build infrastructure for the cluster network operator from OpenShift 4.22 / Go 1.25 to OpenShift 5.0 / Go 1.26. The CI operator configuration and the multi-stage Dockerfile both reference updated base image tags, while all build steps and build outputs remain functionally identical.

Changes

Build Infrastructure Upgrade

Layer / File(s)	Summary
Go toolchain and container image versions .ci-operator.yaml, Dockerfile	CI operator build_root_image.tag and Dockerfile multi-stage builder and runtime FROM statements updated from Go 1.25 / OCP 4.22 to Go 1.26 / OCP 5.0; all build commands, work directories, and copied artifacts unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR updates container images for OpenShift 5.0. No Ginkgo tests exist in repo (uses standard Go testing). No test names modified in PR, check not applicable.
Test Structure And Quality	✅ Passed	This PR modifies only CI configuration (.ci-operator.yaml) and Dockerfile—no Ginkgo test files are present or modified, making the test structure check not applicable.
Microshift Test Compatibility	✅ Passed	PR only updates CI build configuration (.ci-operator.yaml, Dockerfile). No new Ginkgo e2e tests are added, so the MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR contains only CI configuration and Dockerfile updates; no new Ginkgo e2e tests are added. The SNO compatibility check applies only to new tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR updates only CI/build configuration (.ci-operator.yaml and Dockerfile image tags), not deployment manifests or operator scheduling constraints. No topology-aware scheduling issues introduced.
Ote Binary Stdout Contract	✅ Passed	PR only modifies infrastructure config files (.ci-operator.yaml, Dockerfile) updating container image tags. No Go source code changes, so no OTE stdout contract violations possible.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added. PR only modifies CI/build configuration files (.ci-operator.yaml, Dockerfile).
No-Weak-Crypto	✅ Passed	PR only modifies CI configuration files (.ci-operator.yaml, Dockerfile) with no cryptographic code changes. Existing MD5 usage in pkg/util/k8s/unstructured.go predates this PR and was not modified.
Container-Privileges	✅ Passed	PR only modifies .ci-operator.yaml and Dockerfile (build configs), neither containing privileged settings. No Kubernetes manifests with privileged configurations were added or modified.
No-Sensitive-Data-In-Logs	✅ Passed	PR only updates configuration files with public image registry refs and version tags. No logging statements, passwords, tokens, API keys, PII, or sensitive data introduced.
Title check	✅ Passed	The title accurately reflects the main change: updating base/builder images in CI configuration to align with ART's OpenShift 5.0 build configuration.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87488, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating cluster-network-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
cluster-network-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign danwinship for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87488, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updating cluster-network-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
cluster-network-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
• Updated CI/CD build configuration and runtime container base images to latest versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

1-16: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive to run container as non-root.

The Dockerfile violates the security guideline that requires "USER non-root; never run as root". The container currently runs as root, which is a security risk. Add a USER directive before the CMD instruction to run as a non-root user.

As per coding guidelines: "USER non-root; never run as root" for container security.

🛡️ Proposed fix

 COPY manifests /manifests
 COPY bindata /bindata
 ENV OPERATOR_NAME=cluster-network-operator
+USER 1001
 CMD ["/usr/bin/cluster-network-operator"]
 LABEL io.openshift.release.operator true

Note: You may need to ensure the non-root user has appropriate permissions for any directories or files the operator needs to access at runtime.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 1 - 16, Add a USER directive to ensure the container
does not run as root: create or use a non-root user and add a USER <username>
(or UID:GID) line before the CMD ["/usr/bin/cluster-network-operator"]
instruction in the Dockerfile; also ensure the non-root user has appropriate
ownership/permissions for the copied runtime artifacts
(/usr/bin/cluster-network-operator, /usr/bin/cluster-network-check-*,
/manifests, /bindata) so the operator can read/execute them at runtime (adjust
ownership/permissions during the builder stage or with chown/chmod prior to
switching users).

Sources: Coding guidelines, Linters/SAST tools

🧹 Nitpick comments (1)

Dockerfile (1)

1-16: ⚡ Quick win

Add HEALTHCHECK directive.

The Dockerfile is missing a HEALTHCHECK directive, which is required by the container security guidelines. A health check helps Kubernetes/OpenShift detect when the operator is unhealthy and needs to be restarted.

As per coding guidelines: "HEALTHCHECK defined" for container security.

🏥 Example HEALTHCHECK

 ENV OPERATOR_NAME=cluster-network-operator
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD ["/usr/bin/cluster-network-operator", "--health-check"] || exit 1
 CMD ["/usr/bin/cluster-network-operator"]
 LABEL io.openshift.release.operator true

Note: Adjust the health check command based on the actual health check mechanism supported by the cluster-network-operator binary.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 1 - 16, Add a Docker HEALTHCHECK entry to the
Dockerfile (place it before the existing CMD) that probes the operator binary at
/usr/bin/cluster-network-operator (or its HTTP/CLI health endpoint, e.g.
healthz) using an exec form; configure reasonable parameters such as interval
(e.g. 30s), timeout (e.g. 5s) and retries (e.g. 3) so container
runtime/OpenShift can mark the pod unhealthy and restart it; ensure the
healthcheck references the same binary path used in CMD and does not change ENV
OPERATOR_NAME.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@Dockerfile`:
- Around line 1-16: Add a USER directive to ensure the container does not run as
root: create or use a non-root user and add a USER <username> (or UID:GID) line
before the CMD ["/usr/bin/cluster-network-operator"] instruction in the
Dockerfile; also ensure the non-root user has appropriate ownership/permissions
for the copied runtime artifacts (/usr/bin/cluster-network-operator,
/usr/bin/cluster-network-check-*, /manifests, /bindata) so the operator can
read/execute them at runtime (adjust ownership/permissions during the builder
stage or with chown/chmod prior to switching users).

---

Nitpick comments:
In `@Dockerfile`:
- Around line 1-16: Add a Docker HEALTHCHECK entry to the Dockerfile (place it
before the existing CMD) that probes the operator binary at
/usr/bin/cluster-network-operator (or its HTTP/CLI health endpoint, e.g.
healthz) using an exec form; configure reasonable parameters such as interval
(e.g. 30s), timeout (e.g. 5s) and retries (e.g. 3) so container
runtime/OpenShift can mark the pod unhealthy and restart it; ensure the
healthcheck references the same binary path used in CMD and does not change ENV
OPERATOR_NAME.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 06d1cc78-0d89-4050-af38-c4b35da6749b

📥 Commits

Reviewing files that changed from the base of the PR and between 6dc1804 and ddf4967.

📒 Files selected for processing (2)

• .ci-operator.yaml
• Dockerfile

[openshift-ci]

@openshift-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/hypershift-e2e-aks	ddf4967	link	true	/test hypershift-e2e-aks
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw	ddf4967	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw
ci/prow/e2e-aws-ovn-rhcos10-techpreview	ddf4967	link	false	/test e2e-aws-ovn-rhcos10-techpreview
ci/prow/security	ddf4967	link	false	/test security
ci/prow/5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade	ddf4967	link	false	/test 5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade
ci/prow/e2e-aws-ovn-upgrade	ddf4967	link	true	/test e2e-aws-ovn-upgrade
ci/prow/e2e-ovn-ipsec-step-registry	ddf4967	link	true	/test e2e-ovn-ipsec-step-registry

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

ART wants to connect issue OCPBUGS-87741 to this PR, but found it is currently hooked up to ['OCPBUGS-87488']. Please consult with #forum-ocp-art if it is not clear what there is to do.