fix: add operator-sdk to Cypress test runner image

[DavidRajnoha]

Adds operator-sdk binary to the Cypress test runner image (web/cypress/Dockerfile).

Fixes operator-sdk: command not found (exit 127) when CYPRESS_CUSTOM_COO_BUNDLE_IMAGE is set in CI periodic jobs.

Made with Cursor

Summary by CodeRabbit

• Chores
  • Updated testing environment configuration to use a specific version of the operator SDK, improving consistency across test runs.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: DavidRajnoha
Once this PR has been reviewed and has the lgtm label, please assign kyoto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

The Cypress test Docker container is updated to include operator-sdk v1.42.0 by adding a COPY instruction that pulls the binary from the official operator-framework builder image into /usr/local/bin/operator-sdk.

Changes

Cypress test container dependencies

Layer / File(s)	Summary
Operator SDK binary dependency web/cypress/Dockerfile	Cypress container now explicitly includes operator-sdk v1.42.0 binary copied from the operator-framework/operator-sdk:v1.42.0 build stage into /usr/local/bin/operator-sdk.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: adding operator-sdk to the Cypress test runner image, which directly addresses the PR's objective of fixing a missing binary issue.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies Dockerfile to add operator-sdk binary. No test code (Ginkgo or otherwise) was changed, so stable test names check does not apply.
Test Structure And Quality	✅ Passed	PR modifies only web/cypress/Dockerfile to add operator-sdk binary. Custom check evaluates Ginkgo test code quality, which is not present in this Dockerfile change.
Microshift Test Compatibility	✅ Passed	The PR modifies only web/cypress/Dockerfile to add operator-sdk binary. No Ginkgo e2e tests are added; the check only applies to new Ginkgo tests, not Cypress/JavaScript tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only modifies web/cypress/Dockerfile (Cypress tests). No new Ginkgo e2e tests are added, making SNO compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Change modifies only a test infrastructure Dockerfile with no deployment manifests or Kubernetes scheduling constraints; check is not applicable.
Ote Binary Stdout Contract	✅ Passed	PR only modifies web/cypress/Dockerfile to add operator-sdk binary; no source code changes that could violate OTE stdout contract (which applies to Go test binaries).
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only the Cypress Dockerfile to add operator-sdk binary. The custom check applies to Ginkgo e2e tests only, and this repository uses Cypress tests, not Ginkgo. No e2e tests were added.
No-Weak-Crypto	✅ Passed	No weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or insecure secret comparisons found in the PR.
Container-Privileges	✅ Passed	The PR's change to add operator-sdk binary does not introduce privileged: true, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation in container/K8s manifests.
No-Sensitive-Data-In-Logs	✅ Passed	The PR only adds a COPY instruction to copy operator-sdk binary from a public image; it introduces no logging statements and does not expose sensitive data like passwords, tokens, API keys, or PII.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

web/cypress/Dockerfile (1)

1-9: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Add a USER instruction to run as non-root.

The Dockerfile does not specify a USER instruction, which means the container runs as root by default. Running containers as root is a critical security risk.

Add a USER instruction after setting up the filesystem to ensure the container runs with a non-root user.

🔒 Proposed fix: Add non-root user

 COPY . /tmp/monitoring-plugin
 RUN chmod -R 777 /tmp/monitoring-plugin
+
+# Create and use non-root user
+RUN useradd -u 1001 -m -s /bin/bash cypress
+USER 1001
+
 WORKDIR /tmp/monitoring-plugin/web/cypress

Note: The chmod -R 777 on line 8 may also need adjustment—consider more restrictive permissions that still allow the non-root user to access required files.

As per coding guidelines: "USER non-root; never run as root"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@web/cypress/Dockerfile` around lines 1 - 9, The Dockerfile currently leaves
the container running as root after COPY/RUN/WORKDIR steps; add a USER
instruction after the filesystem setup (after RUN chmod -R 777
/tmp/monitoring-plugin and before/after WORKDIR
/tmp/monitoring-plugin/web/cypress) to switch to a non-root account (either
create a dedicated user/group earlier in the Dockerfile or switch to a provided
non-root UID/GID), and tighten file permissions (replace or relax chmod -R 777)
so the chosen non-root user has only the required access; reference the COPY,
RUN chmod -R 777, and WORKDIR instructions when applying the change.

🧹 Nitpick comments (1)

web/cypress/Dockerfile (1)

1-9: 💤 Low value

Consider adding a HEALTHCHECK instruction.

The Dockerfile does not define a HEALTHCHECK instruction, which is recommended by the container security guidelines. While less critical for a test runner than for long-running services, a health check can still help orchestration systems detect when the container is ready or has failed.

Example HEALTHCHECK for Cypress runner

 WORKDIR /tmp/monitoring-plugin/web/cypress
+
+# Basic health check to verify container is operational
+HEALTHCHECK --interval=30s --timeout=3s \
+  CMD test -f /tmp/monitoring-plugin/web/cypress/package.json || exit 1

As per coding guidelines: "HEALTHCHECK defined"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@web/cypress/Dockerfile` around lines 1 - 9, Add a HEALTHCHECK instruction to
the Dockerfile (after WORKDIR /tmp/monitoring-plugin/web/cypress) that performs
a lightweight readiness probe for the Cypress test runner; implement the command
to return non-zero on failure (e.g., a small shell/curl/command that verifies
the container can run Cypress or that required resources are present), and
include sensible options like --interval, --timeout, --start-period and
--retries so orchestrators can detect unhealthy containers; reference the
HEALTHCHECK keyword and place it in the Dockerfile near the existing WORKDIR
line.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@web/cypress/Dockerfile`:
- Line 2: The Dockerfile uses a non-approved floating base image in the FROM
instruction ("quay.io/redhat-distributed-tracing-qe/cypress-base:latest");
replace that FROM line with an approved image from catalog.redhat.com (UBI
minimal or distroless) and avoid the :latest floating tag by pinning to a stable
Red Hat tag or digest; if you need a Cypress-specific base, create and reference
a custom image you build FROM a UBI minimal/distroless image instead and pin
that image by tag or digest.
- Line 7: The Dockerfile currently uses COPY . /tmp/monitoring-plugin which
copies the entire build context; change it to copy only the required files and
directories for Cypress tests (for example COPY package.json package-lock.json
/tmp/monitoring-plugin/ and COPY web/ /tmp/monitoring-plugin/web/ and COPY
cypress/ /tmp/monitoring-plugin/cypress/ or other specific fixtures) so
unnecessary files (like .git, dev tooling, build artifacts) are excluded; update
the Dockerfile's COPY commands to list the specific paths needed for test
execution and adjust any subsequent paths/WORKDIR references that rely on
/tmp/monitoring-plugin accordingly.

---

Outside diff comments:
In `@web/cypress/Dockerfile`:
- Around line 1-9: The Dockerfile currently leaves the container running as root
after COPY/RUN/WORKDIR steps; add a USER instruction after the filesystem setup
(after RUN chmod -R 777 /tmp/monitoring-plugin and before/after WORKDIR
/tmp/monitoring-plugin/web/cypress) to switch to a non-root account (either
create a dedicated user/group earlier in the Dockerfile or switch to a provided
non-root UID/GID), and tighten file permissions (replace or relax chmod -R 777)
so the chosen non-root user has only the required access; reference the COPY,
RUN chmod -R 777, and WORKDIR instructions when applying the change.

---

Nitpick comments:
In `@web/cypress/Dockerfile`:
- Around line 1-9: Add a HEALTHCHECK instruction to the Dockerfile (after
WORKDIR /tmp/monitoring-plugin/web/cypress) that performs a lightweight
readiness probe for the Cypress test runner; implement the command to return
non-zero on failure (e.g., a small shell/curl/command that verifies the
container can run Cypress or that required resources are present), and include
sensible options like --interval, --timeout, --start-period and --retries so
orchestrators can detect unhealthy containers; reference the HEALTHCHECK keyword
and place it in the Dockerfile near the existing WORKDIR line.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f80a7a86-69a9-4152-a6eb-509627e6546a

📥 Commits

Reviewing files that changed from the base of the PR and between f9b2b03 and 4018383.

📒 Files selected for processing (1)

• web/cypress/Dockerfile

[DavidRajnoha]

/cc @etmurasaki

[DavidRajnoha]

/retest

[DavidRajnoha]

/retest

[openshift-ci]

@DavidRajnoha: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	4018383	link	true	/test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.