NO-JIRA: Update hello-openshift base images from 4.16/4.17 to 4.22 by anuragthehatter · Pull Request #31264 · openshift/origin

anuragthehatter · 2026-06-06T01:08:26Z

Summary

Update builder and base images in images/hello-openshift/Dockerfile.rhel from ocp/4.16 and 4.17 to 4.22
The old images have been pruned from the CI registry, causing PullBuilderImageFailed on payload-job-with-prs runs

Test plan

CI passes with updated base images

🤖 Generated with Claude Code

Summary by CodeRabbit

Chores
- Updated base container images to OpenShift 4.22 and Go 1.25.

The builder and base images referenced ocp/4.16 and 4.17 which have been pruned from the CI registry, causing PullBuilderImageFailed on all payload-job-with-prs runs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

openshift-merge-bot · 2026-06-06T01:08:29Z

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

coderabbitai · 2026-06-06T01:08:47Z

Walkthrough

The hello-openshift Dockerfile base images are updated to OpenShift 4.22 with Go 1.25, replacing the previous 4.17/Go 1.22 builder and 4.16 runtime base images. Build steps and runtime instructions remain unchanged.

Changes

Base Image Version Bump

Layer / File(s)	Summary
Base image version updates `images/hello-openshift/Dockerfile.rhel`	Builder stage `FROM` instruction bumped to `rhel-9-golang-1.25` on OpenShift 4.22; runtime stage base image updated from `ocp/4.16:base-rhel9` to `ocp/4.22:base-rhel9`. Build and runtime instructions remain identical.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	Four new Ginkgo tests in test/e2e/upgrade/upgrade.go use config.openshift.io/v1 API without MicroShift protection tags, violating compatibility requirements.	Add [apigroup:config.openshift.io] tag to each test name or guard with exutil.IsMicroShiftCluster() skip check.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only a Dockerfile (images/hello-openshift/Dockerfile.rhel) with no Ginkgo test files or test names, so the check for stable test names is not applicable.
Test Structure And Quality	✅ Passed	The pull request only modifies images/hello-openshift/Dockerfile.rhel (updating base image versions), not any Ginkgo test code. The custom check for Ginkgo test quality is not applicable to this PR.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only modifies Dockerfile.rhel (base image versions); no Ginkgo e2e tests are added, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates Dockerfile base images without adding deployment manifests, operator code, or scheduling constraints. Check applies to deployment/operator changes only.
Ote Binary Stdout Contract	✅ Passed	Check not applicable: PR only updates base image versions in Dockerfile.rhel (infrastructure change), not process-level code that could have stdout contract violations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR updates Dockerfile base images but adds no new Ginkgo e2e tests; custom check applies only to new e2e tests with IPv4/external connectivity assumptions.
No-Weak-Crypto	✅ Passed	PR contains only Dockerfile base image updates with no weak cryptography, custom crypto, or insecure secret comparisons in the codebase.
Container-Privileges	✅ Passed	PR only updates base image versions in Dockerfile; no privileged settings, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation found; runs as non-root (USER 1001).
No-Sensitive-Data-In-Logs	✅ Passed	PR only updates base image versions in Dockerfile. No logging statements that expose sensitive data (passwords, tokens, API keys, PII, session IDs, etc.) are added or modified.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: updating Docker base images from older OpenShift versions (4.16/4.17) to version 4.22, which directly matches the single-file changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

anuragthehatter · 2026-06-06T01:09:12Z

@sdodson Is that something you could help reviewing?

coderabbitai

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

images/hello-openshift/Dockerfile.rhel (1)
1-11: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add HEALTHCHECK instruction.

The Dockerfile is missing a HEALTHCHECK instruction, which is required by the coding guidelines. Since the application exposes ports 8080 and 8888, consider adding a health check to verify the service is responding.
🏥 Proposed addition of HEALTHCHECK
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 COPY --from=builder /hello-openshift /hello-openshift
 EXPOSE 8080 8888
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD ["/usr/bin/curl", "-f", "http://localhost:8080/", "||", "exit", "1"]
 USER 1001
 ENTRYPOINT ["/hello-openshift"]
Note: Verify that curl is available in the base image, or use an alternative health check method appropriate for the hello-openshift application.
As per coding guidelines, the container security (prodsec-skills) section requires: "HEALTHCHECK defined".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/hello-openshift/Dockerfile.rhel` around lines 1 - 11, Add a
HEALTHCHECK instruction to the Dockerfile to satisfy the "HEALTHCHECK defined"
guideline: add a HEALTHCHECK that calls the running binary (ENTRYPOINT
/hello-openshift) over an exposed port (e.g., HTTP GET to :8080 or :8888) and
returns non-zero on failure; ensure the command uses binaries available in the
base image (curl/wget or an exec-style check) and set sensible
--interval/--timeout/--retries values so the container health reflects the
application responsiveness.
Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/hello-openshift/Dockerfile.rhel`:
- Line 1: Add a HEALTHCHECK instruction to
images/hello-openshift/Dockerfile.rhel to satisfy container security guidelines
(e.g., a minimal CMD that probes the app or exits appropriately) and ensure it
uses sensible intervals/retries; also review the two FROM lines (the builder
stage "FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22" and the
runtime stage that also references registry.ci.openshift.org) and either change
them to the approved catalog.redhat.com equivalents or document/confirm the
OpenShift CI exception for using registry.ci.openshift.org with the
release/maintainers so the base image registry usage is intentional.

---

Outside diff comments:
In `@images/hello-openshift/Dockerfile.rhel`:
- Around line 1-11: Add a HEALTHCHECK instruction to the Dockerfile to satisfy
the "HEALTHCHECK defined" guideline: add a HEALTHCHECK that calls the running
binary (ENTRYPOINT /hello-openshift) over an exposed port (e.g., HTTP GET to
:8080 or :8888) and returns non-zero on failure; ensure the command uses
binaries available in the base image (curl/wget or an exec-style check) and set
sensible --interval/--timeout/--retries values so the container health reflects
the application responsiveness.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 53384846-3916-459b-95b4-d41255985737

📥 Commits

Reviewing files that changed from the base of the PR and between b1497b7 and 35acd4f.

📒 Files selected for processing (1)

images/hello-openshift/Dockerfile.rhel

openshift-ci · 2026-06-06T01:15:25Z

@anuragthehatter: This PR was included in a payload test run from openshift/cluster-network-operator#3015
trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-serial-1of2
periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-serial-2of2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/30323330-6145-11f1-8085-18a113a858ae-0

openshift-merge-bot · 2026-06-06T01:38:43Z

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

openshift-ci · 2026-06-08T14:24:05Z

@anuragthehatter: This PR was included in a payload test run from openshift/cluster-network-operator#3015
trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-serial-1of2
periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-serial-2of2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a0e017d0-6345-11f1-9c80-ac8ee1ba40aa-0

anuragthehatter · 2026-06-08T14:24:05Z

Seems job passing now

https://pr-payload-tests.ci.openshift.org/runs/ci/30323330-6145-11f1-8085-18a113a858ae-0

anuragthehatter · 2026-06-08T14:27:44Z

/pj-rehearse ack

sdodson · 2026-06-08T16:28:58Z

/lgtm
/verified by CI
/retitle NO-JIRA: Update hello-openshift base images from 4.16/4.17 to 4.22

openshift-ci-robot · 2026-06-08T16:29:05Z

@anuragthehatter: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

Update builder and base images in images/hello-openshift/Dockerfile.rhel from ocp/4.16 and 4.17 to 4.22

The old images have been pruned from the CI registry, causing PullBuilderImageFailed on payload-job-with-prs runs

Test plan

CI passes with updated base images

🤖 Generated with Claude Code

Summary by CodeRabbit

Chores

Updated base container images to OpenShift 4.22 and Go 1.25.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-06-08T16:29:11Z

@sdodson: This PR has been marked as verified by CI.

Details

In response to this:

/lgtm
/verified by CI
/retitle NO-JIRA: Update hello-openshift base images from 4.16/4.17 to 4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2026-06-08T16:29:22Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anuragthehatter, sdodson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~images/OWNERS~~ [sdodson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci · 2026-06-08T17:27:10Z

@anuragthehatter: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Update hello-openshift base images from 4.16/4.17 to 4.22

35acd4f

The builder and base images referenced ocp/4.16 and 4.17 which have been pruned from the CI registry, causing PullBuilderImageFailed on all payload-job-with-prs runs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

openshift-ci Bot requested review from deads2k and sdodson June 6, 2026 01:08

coderabbitai Bot requested changes Jun 6, 2026

View reviewed changes

Comment thread images/hello-openshift/Dockerfile.rhel

anuragthehatter mentioned this pull request Jun 6, 2026

[CNO] Setup OTE framework and migrate test cases from tests-private openshift/cluster-network-operator#3015

Open

4 tasks

coderabbitai Bot approved these changes Jun 8, 2026

View reviewed changes

openshift-ci Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jun 8, 2026

openshift-ci Bot changed the title ~~Update hello-openshift base images from 4.16/4.17 to 4.22~~ NO-JIRA: Update hello-openshift base images from 4.16/4.17 to 4.22 Jun 8, 2026

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 8, 2026

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 8, 2026

openshift-ci Bot assigned sdodson Jun 8, 2026

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 8, 2026

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 8, 2026

sdodson merged commit 61099e5 into openshift:main Jun 8, 2026
20 of 21 checks passed

Conversation

anuragthehatter commented Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test plan

Summary by CodeRabbit

Uh oh!

openshift-merge-bot Bot commented Jun 6, 2026

Uh oh!

coderabbitai Bot commented Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (1 warning)

Uh oh!

anuragthehatter commented Jun 6, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

openshift-ci Bot commented Jun 6, 2026

Uh oh!

openshift-merge-bot Bot commented Jun 6, 2026

Uh oh!

openshift-ci Bot commented Jun 8, 2026

Uh oh!

anuragthehatter commented Jun 8, 2026

Uh oh!

anuragthehatter commented Jun 8, 2026

Uh oh!

sdodson commented Jun 8, 2026

Uh oh!

openshift-ci-robot commented Jun 8, 2026

Summary

Test plan

Summary by CodeRabbit

Uh oh!

openshift-ci-robot commented Jun 8, 2026

Uh oh!

openshift-ci Bot commented Jun 8, 2026

Uh oh!

Uh oh!

openshift-ci Bot commented Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

anuragthehatter commented Jun 6, 2026 •

edited

Loading

coderabbitai Bot commented Jun 6, 2026 •

edited

Loading