Skip to content

OCPBUGS-87505: Updating ose-cloud-credential-operator-container image to be consistent with ART for 5.0#1037

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
openshift-bot:art-consistency-openshift-5.0-ose-cloud-credential-operator
Jun 29, 2026
Merged

OCPBUGS-87505: Updating ose-cloud-credential-operator-container image to be consistent with ART for 5.0#1037
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
openshift-bot:art-consistency-openshift-5.0-ose-cloud-credential-operator

Conversation

@openshift-bot

@openshift-bot openshift-bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

Updating ose-cloud-credential-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-cloud-credential-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

@openshift-bot

Copy link
Copy Markdown
Contributor Author

@openshift-bot openshift-bot changed the title Updating ose-cloud-credential-operator-container image to be consistent with ART for 5.0 OCPBUGS-87505: Updating ose-cloud-credential-operator-container image to be consistent with ART for 5.0 Jun 7, 2026
@coderabbitai

coderabbitai Bot commented Jun 7, 2026

Copy link
Copy Markdown

Walkthrough

CI operator and Docker build infrastructure upgraded from Go 1.25 / OpenShift 4.22 to Go 1.26 / OpenShift 5.0. RHEL9 builder and runtime images updated. RHEL8 builder refactored to compile only ccoctl using the new runtime environment.

Changes

Build Infrastructure Upgrade to Go 1.26 and OpenShift 5.0

Layer / File(s) Summary
CI operator build root configuration
.ci-operator.yaml
Build root image tag updated from rhel-9-release-golang-1.25-openshift-4.22 to rhel-9-release-golang-1.26-openshift-5.0.
Dockerfile build stages and runtime image
Dockerfile
RHEL9 builder base image bumped to Go 1.26 / OpenShift 5.0 variant. RHEL8 builder switched to the same Go 1.26 / OpenShift 5.0 RHEL8 image, with build steps reduced to compile ccoctl only (removing prior rhel8 cloud-credential-operator build). Runtime stage base image updated to ocp/5.0:base-rhel9. Multi-stage copy wiring adjusted to pull cloud-credential-operator from builder_rhel9 and ccoctl from both builder stages.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR modifies only CI configuration files (.ci-operator.yaml, Dockerfile) with no changes to test code or Ginkgo test names.
Test Structure And Quality ✅ Passed PR modifies only CI/build configuration files (.ci-operator.yaml, Dockerfile) and a standard Go unit test; it contains no Ginkgo test code, making the Ginkgo test quality check inapplicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added in this PR. Changes are limited to CI configuration (.ci-operator.yaml) and Docker image versions (Dockerfile), with no test files modified.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests (It/Describe/Context/When) are added. This PR only updates CI configuration files and adds non-Ginkgo e2e-framework tests, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility ✅ Passed PR only modifies CI configuration (.ci-operator.yaml) and Dockerfile (build configs), not deployment manifests, operator code, or controllers. Check applies only when these are modified.
Ote Binary Stdout Contract ✅ Passed OTE binary cmd/cloud-credential-tests-ext/main.go uses logs.InitLogs() and outputs errors to os.Stderr. No non-JSON stdout writes found in process-level code.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR contains only CI/build configuration changes (.ci-operator.yaml, Dockerfile) with no new Ginkgo e2e tests added. Check is not applicable.
No-Weak-Crypto ✅ Passed PR only modifies infrastructure config (Docker base/builder images for OpenShift 5.0); no code changes introduce weak crypto, custom crypto implementations, or insecure secret comparisons.
Container-Privileges ✅ Passed PR updates build images for OpenShift 5.0; all K8s manifests have secure settings with allowPrivilegeEscalation: false and runAsNonRoot: true.
No-Sensitive-Data-In-Logs ✅ Passed PR contains only build configuration updates (Dockerfile and .ci-operator.yaml) with no logging statements exposing passwords, tokens, API keys, PII, or other sensitive data.
Title check ✅ Passed The title accurately describes the main change: updating container images for OpenShift 5.0 consistency with ART, which matches the .ci-operator.yaml and Dockerfile updates.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 7, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@openshift-bot: This pull request references Jira Issue OCPBUGS-87505, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating ose-cloud-credential-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-cloud-credential-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from 2uasimojo and jstuever June 7, 2026 21:37
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@openshift-bot: This pull request references Jira Issue OCPBUGS-87505, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Updating ose-cloud-credential-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-cloud-credential-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

  • Chores
  • Updated build infrastructure to use newer Go and base image versions for improved compatibility and security.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

19-36: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add USER directive to run as non-root.

The Dockerfile violates container security guidelines by not specifying a non-root user. The container will run as root, which increases the attack surface and violates the principle of least privilege.

As per coding guidelines, container images must specify USER non-root and never run as root. The static analysis tool (Trivy DS-0002) also flagged this violation.

🔒 Proposed fix to add non-root user

Add a USER directive before the ENTRYPOINT to run as a non-root user. OpenShift base images typically support arbitrary user IDs in the range 1000-65534:

 RUN chmod -R g+w /etc/pki/ca-trust/extracted/pem/
+USER 1001
 LABEL io.openshift.release.operator=true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 19 - 36, The Dockerfile runs as root (no USER) so
add a non-root user directive (e.g., USER 1000) before the ENTRYPOINT to comply
with least-privilege rules; ensure any files/dirs the process needs are
readable/writable by that UID by adjusting ownership or permissions (for
example, change ownership of /usr/bin/cloud-credential-operator, /manifests and
/etc/pki/ca-trust/extracted/pem/ as needed) — update the existing RUN chmod -R
g+w /etc/pki/ca-trust/extracted/pem/ line or add RUN chown -R 1000:0 <paths> so
the non-root UID can access them, then place USER 1000 immediately prior to
ENTRYPOINT [ "/usr/bin/cloud-credential-operator" ].

Sources: Coding guidelines, Linters/SAST tools

🧹 Nitpick comments (1)
Dockerfile (1)

19-36: ⚡ Quick win

Add HEALTHCHECK directive for container health monitoring.

The Dockerfile is missing a HEALTHCHECK directive, which is required per container security guidelines. Without it, orchestrators cannot verify whether the container is healthy or needs to be restarted.

🏥 Proposed fix to add health check

Add a HEALTHCHECK directive appropriate for the operator. If the operator exposes a health endpoint, use that; otherwise, a simple process check:

 COPY manifests /manifests
 
+HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
+  CMD ps aux | grep -v grep | grep -q cloud-credential-operator || exit 1
+
 # Update perms so we can copy updated CA if needed
 RUN chmod -R g+w /etc/pki/ca-trust/extracted/pem/

Note: If the operator exposes a /healthz or /readyz endpoint, prefer an HTTP health check instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 19 - 36, The Dockerfile lacks a HEALTHCHECK which
prevents runtime health monitoring; add a HEALTHCHECK directive near the end
(after COPY/LABEL/ENTRYPOINT) that probes the operator process launched by
ENTRYPOINT (/usr/bin/cloud-credential-operator): prefer an HTTP probe to the
operator's /healthz or /readyz endpoint if available (use curl/wget against
localhost and appropriate port), otherwise use a lightweight process check
(e.g., verify the cloud-credential-operator binary is running via pid or pgrep)
and configure sensible interval/retries/start-period values so orchestrators can
detect and restart unhealthy containers.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@Dockerfile`:
- Around line 19-36: The Dockerfile runs as root (no USER) so add a non-root
user directive (e.g., USER 1000) before the ENTRYPOINT to comply with
least-privilege rules; ensure any files/dirs the process needs are
readable/writable by that UID by adjusting ownership or permissions (for
example, change ownership of /usr/bin/cloud-credential-operator, /manifests and
/etc/pki/ca-trust/extracted/pem/ as needed) — update the existing RUN chmod -R
g+w /etc/pki/ca-trust/extracted/pem/ line or add RUN chown -R 1000:0 <paths> so
the non-root UID can access them, then place USER 1000 immediately prior to
ENTRYPOINT [ "/usr/bin/cloud-credential-operator" ].

---

Nitpick comments:
In `@Dockerfile`:
- Around line 19-36: The Dockerfile lacks a HEALTHCHECK which prevents runtime
health monitoring; add a HEALTHCHECK directive near the end (after
COPY/LABEL/ENTRYPOINT) that probes the operator process launched by ENTRYPOINT
(/usr/bin/cloud-credential-operator): prefer an HTTP probe to the operator's
/healthz or /readyz endpoint if available (use curl/wget against localhost and
appropriate port), otherwise use a lightweight process check (e.g., verify the
cloud-credential-operator binary is running via pid or pgrep) and configure
sensible interval/retries/start-period values so orchestrators can detect and
restart unhealthy containers.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8728c5ad-d169-49a7-8646-8921f0b9dcc8

📥 Commits

Reviewing files that changed from the base of the PR and between 833d9a3 and 8cae1ed.

📒 Files selected for processing (2)
  • .ci-operator.yaml
  • Dockerfile

@openshift-bot

Copy link
Copy Markdown
Contributor Author

ART wants to connect issue OCPBUGS-87758 to this PR, but found it is currently hooked up to ['OCPBUGS-87505']. Please consult with #forum-ocp-art if it is not clear what there is to do.

@openshift-bot openshift-bot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 10, 2026
@tmshort

tmshort commented Jun 26, 2026

Copy link
Copy Markdown

/test security

@tmshort

tmshort commented Jun 26, 2026

Copy link
Copy Markdown

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@tmshort

tmshort commented Jun 26, 2026

Copy link
Copy Markdown

@dlom can you approve this?

@tmshort

tmshort commented Jun 29, 2026

Copy link
Copy Markdown

/retest

@dlom

dlom commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

/approve

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, openshift-bot, tmshort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 29, 2026
@tmshort

tmshort commented Jun 29, 2026

Copy link
Copy Markdown

/retest

@dlom

dlom commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

/override ci/prow/security

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

@dlom: Overrode contexts on behalf of dlom: ci/prow/security

Details

In response to this:

/override ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 383d3a2 and 2 for PR HEAD 8cae1ed in total

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

@openshift-bot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit b9b0355 into openshift:master Jun 29, 2026
11 checks passed
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@openshift-bot: Jira Issue Verification Checks: Jira Issue OCPBUGS-87505
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-87505 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Updating ose-cloud-credential-operator-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-cloud-credential-operator.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants