
WIP: Update images for 5.0#2286

Closed
tchap wants to merge 3 commits into
openshift:mainfrom
tchap:update-images

Conversation


@tchap tchap commented Jun 9, 2026

Contributor

Cherrypicking the following PRs since the change needs to occur at once:

Summary by CodeRabbit

  • Chores
    • Build infrastructure and compiler toolchain updated to Go 1.26 and OpenShift 5.0. This affects CLI binaries, artifacts, and tools compiled across all supported platforms.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 9, 2026

coderabbitai Bot commented Jun 9, 2026


Walkthrough

Coordinated upgrade of build infrastructure: CI operator configuration and Dockerfile multi-stage builder/base images updated from Go 1.25/OpenShift 4.22 to Go 1.26/OpenShift 5.0 across CLI artifacts, CLI, and tools build pipelines.

Changes

Build Infrastructure Version Upgrade

  • Go 1.26 and OpenShift 5.0 version upgrade
    Files: .ci-operator.yaml, images/cli-artifacts/Dockerfile.rhel, images/cli/Dockerfile.rhel, images/tools/Dockerfile
    Summary: CI operator build_root_image tag and Dockerfile builder and base images updated from rhel-*-golang-1.25-openshift-4.22 to rhel-*-golang-1.26-openshift-5.0. Final runtime stages upgraded from ocp/4.22 to ocp/5.0. Build commands and artifact copying steps remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

jira/valid-reference

Suggested reviewers

  • ardaguclu
  • ingvagabund
🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Ipv6 And Disconnected Network Test Compatibility: ⚠️ Warning
    Explanation: New Ginkgo e2e tests added require external connectivity to quay.io and registry.redhat.io, failing in IPv6-only disconnected environments.
    Resolution: Add [Skipped:Disconnected] tags to 8 ConnectedOnly tests; update image references from quay.io to internal registries for disconnected test compatibility.
  • Title check: ❓ Inconclusive
    Explanation: The title 'WIP: Update images for 5.0' is vague and uses the non-descriptive term 'WIP' with a generic descriptor. While it mentions updating images for 5.0, it lacks specificity about which images or the nature of the updates.
    Resolution: Consider revising the title to be more specific, such as 'Update builder and base images to Go 1.26 and OpenShift 5.0' or removing the 'WIP' prefix if the PR is ready for review. The title should clearly convey the primary change without vague terminology.
✅ Passed checks (13 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: ✅ Passed. PR contains only infrastructure/config files (Dockerfiles, YAML), no Ginkgo tests. Repository uses standard Go testing, not Ginkgo. Check is not applicable.
  • Test Structure And Quality: ✅ Passed. PR contains only configuration and Dockerfile changes (image tag updates for 5.0 release), not Ginkgo test code. Custom check for test structure is not applicable.
  • Microshift Test Compatibility: ✅ Passed. PR contains only Docker image and CI configuration updates with no new Ginkgo e2e tests; MicroShift compatibility check not applicable.
  • Single Node Openshift (Sno) Test Compatibility: ✅ Passed. This PR contains only configuration and Dockerfile changes (image tag updates for Go 1.26/OpenShift 5.0), with no new Ginkgo e2e tests added; the SNO compatibility check is not applicable.
  • Topology-Aware Scheduling Compatibility: ✅ Passed. PR modifies only build-time Dockerfiles and CI configuration to update base image versions. No deployment manifests, operator code, controllers, or scheduling constraints are changed.
  • Ote Binary Stdout Contract: ✅ Passed. PR only modifies build configuration (.ci-operator.yaml, Dockerfiles with image tag updates) and does not introduce any code changes that write to stdout in process-level OTE code (main, init, etc.).
  • No-Weak-Crypto: ✅ Passed. PR only updates container image versions (Go 1.25→1.26, OCP 4.22→5.0) with no code changes. No weak crypto algorithms, custom crypto, or insecure secret comparisons are introduced.
  • Container-Privileges: ✅ Passed. PR updates base image tags in Dockerfiles and CI config. No K8s manifests modified, and no privileged container settings introduced.
  • No-Sensitive-Data-In-Logs: ✅ Passed. No logging statements containing sensitive data found. PR only updates container image tags/versions with no new code or logging logic introduced.


@openshift-ci openshift-ci Bot requested review from atiratree and ingvagabund June 9, 2026 10:51

openshift-ci Bot commented Jun 9, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tchap
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
images/cli/Dockerfile.rhel (1)

7-16: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Add USER directive to run as non-root.

The Dockerfile does not specify a USER directive, causing the container to run as root by default. This violates the container security guidelines which require "USER non-root; never run as root." As per coding guidelines, all containers should run with a non-root user for security hardening.

🛡️ Proposed fix to add non-root user

Add a USER directive before the final CMD/LABEL declarations:

 RUN for i in kubectl openshift-deploy openshift-docker-build openshift-sti-build openshift-git-clone openshift-manage-dockerfile openshift-extract-image-content openshift-recycle; do ln -sf /usr/bin/oc /usr/bin/$i; done
+USER 1001
 LABEL io.k8s.display-name="OpenShift Client" \
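
Review bot: The hunk adds only `USER 1001`, while the prompt text for the same finding (`In @images/cli/Dockerfile.rhel around lines 7 - 16`) also asks to create a non-root user/group and to chown `/usr/bin/oc` and `/usr/bin/oc-tests-ext.gz`; the suggestion and its prompt should agree. As written, the binaries keep whatever ownership they had in the builder stage and the symlinks created by the `RUN ... ln -sf /usr/bin/oc /usr/bin/$i` context line are written as root, so either add the ownership step to the hunk or drop the user-creation wording from the prompt.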

Note: Verify that UID 1001 is appropriate for your security context, or use a different non-root UID as required by your organization's standards.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/cli/Dockerfile.rhel` around lines 7 - 16, The image currently leaves
no USER set (after the COPY and RUN lines and before the LABEL block), so update
the Dockerfile to create a non-root user and switch to it: add commands to
create a non-root user/group (e.g., UID 1001), chown the installed binaries
copied by the COPY --from=builder lines (/usr/bin/oc and
/usr/bin/oc-tests-ext.gz) and any other paths written during build, and then add
a USER directive (e.g., USER 1001) before the LABEL/CMD so the container runs
non-root; ensure no subsequent RUN steps require root or adjust ownership
accordingly.

Sources: Coding guidelines, Linters/SAST tools

images/tools/Dockerfile (1)

6-63: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Add USER directive to run as non-root.

The Dockerfile does not specify a USER directive, causing the container to run as root by default. This violates the container security guidelines which require "USER non-root; never run as root." As per coding guidelines, all containers should run with a non-root user for security hardening, even for debugging and diagnostic tools.

🛡️ Proposed fix to add non-root user

Add a USER directive before CMD:

   yum -y install $INSTALL_PKGS && rpm -V --nogroup --nosize --nofiledigest --nomtime --nomode $INSTALL_PKGS && yum clean all && rm -rf /var/cache/*
   # Disabled until they are buildable on s390x
   # numactl \
   # numactl-devel \

+USER 1001
 CMD ["/usr/bin/bash"]
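
Review bot: Placing `USER 1001` directly before `CMD ["/usr/bin/bash"]` switches an interactive diagnostics shell to non-root with nothing in the hunk showing that the packages installed by the `yum -y install $INSTALL_PKGS` line work unprivileged; the prompt for this finding asks to confirm that no RUN-step operation requires root at container runtime and to chown files under `/etc/sos`, but the hunk carries neither that check nor an ownership step. Suggest adding the chown to the hunk, or, if the tools image is intentionally root-only, recording that reason in the Dockerfile instead of adding the directive.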

Note: Verify that UID 1001 is appropriate for your security context, or use a different non-root UID as required by your organization's standards.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/tools/Dockerfile` around lines 6 - 63, The Dockerfile currently has no
USER directive so containers run as root; create a non-root user (e.g., UID
1001) and group, chown any runtime-needed files/directories (for example
/usr/bin/oc and any files under /etc/sos referenced in the Dockerfile) during
the build, and add a USER <non-root> line before the CMD to run the container as
that user; ensure the chosen UID/GID is consistent with your security policy and
that no privileged operations in the RUN steps require root at container
runtime.

Sources: Coding guidelines, Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 29eb633b-64e7-4f56-9840-db72a4dce342

📥 Commits

Reviewing files that changed from the base of the PR and between 4007283 and ca99000.

📒 Files selected for processing (4)
  • .ci-operator.yaml
  • images/cli-artifacts/Dockerfile.rhel
  • images/cli/Dockerfile.rhel
  • images/tools/Dockerfile
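
Both findings above come down to one question a CI gate can answer offline: which user does the final stage of a Dockerfile run as? The following script is an added example written for this thread, not code from the oc repository or from CodeRabbit. It parses a Dockerfile, follows multi-stage `FROM ... AS name` chains, and reports the effective `USER` of the last stage. It also covers two pitfalls that a plain `grep USER` misses: a `USER` set only in a builder stage does not reach a stage that merely `COPY --from`s it, whereas `FROM <stage>` does inherit it; and comment lines inside a backslash continuation (like the `# numactl \` lines in the tools Dockerfile excerpt) must be dropped before joining. The registry names and sample Dockerfiles are constructed for this example.

```python
"""Added example (not from the oc repository or from CodeRabbit): report the
effective USER of a Dockerfile's final stage so a repo check can flag images
that would run as root. Registry names and samples below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)
USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)


@dataclass
class Stage:
    base: str                   # image reference or earlier stage name after FROM
    name: Optional[str]         # alias from "AS name", if any
    user: Optional[str] = None  # last USER directive seen in this stage


def logical_lines(text: str) -> List[str]:
    """Join backslash continuations and drop comments like the Dockerfile parser:
    a comment line inside a continuation is removed before the join."""
    out, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        out.append((buf + stripped).strip())
        buf = ""
    if buf:                     # file ended inside a continuation
        out.append(buf.strip())
    return out


def parse_stages(text: str) -> List[Stage]:
    """Split a Dockerfile into stages, recording the last USER of each."""
    stages: List[Stage] = []
    for line in logical_lines(text):
        m = FROM_RE.match(line)
        if m:
            stages.append(Stage(base=m.group(1), name=m.group(2)))
            continue
        if not stages:
            if line.upper().startswith("ARG "):   # ARG may precede the first FROM
                continue
            raise ValueError(f"instruction before first FROM: {line}")
        m = USER_RE.match(line)
        if m:
            stages[-1].user = m.group(1)          # a later USER overrides an earlier one
    return stages


def effective_user(stages: List[Stage]) -> Optional[str]:
    """User the final stage runs as; None means it is inherited from an
    external base image that cannot be inspected offline."""
    by_name = {s.name: s for s in stages if s.name}
    stage = stages[-1]
    while stage.user is None:
        parent = by_name.get(stage.base)       # FROM <stage> inherits that stage's USER
        if parent is None:
            return None
        stage = parent
    return stage.user


def is_root(user: Optional[str], assume_root_if_unknown: bool = True) -> bool:
    """USER may be uid, name, uid:gid or name:group; only the user part matters."""
    if user is None:
        return assume_root_if_unknown           # most base images default to root
    return user.split(":", 1)[0] in ("root", "0")


def check(dockerfile: str):
    """Return (effective_user, runs_as_root) for the final stage."""
    user = effective_user(parse_stages(dockerfile))
    return user, is_root(user)


# Constructed sample mirroring the layout the review flags: builder stage,
# final stage that COPYs from it, a LABEL block, and no USER directive.
CLI_NO_USER = """\
FROM registry.example/builder:go1.26 AS builder
COPY . /src
RUN make -C /src build

FROM registry.example/base:5.0
COPY --from=builder /src/oc /usr/bin/oc
RUN for i in kubectl; do ln -sf /usr/bin/oc /usr/bin/$i; done
LABEL io.k8s.display-name="OpenShift Client" \\
      io.k8s.description="Client binaries"
"""
CLI_FIXED = CLI_NO_USER.replace("LABEL", "USER 1001\nLABEL", 1)          # proposed fix
CLI_USER_IN_BUILDER_ONLY = CLI_NO_USER.replace("RUN make", "USER 1001\nRUN make", 1)
CHAINED = "FROM registry.example/base:5.0 AS runtime\nUSER 1001\n\nFROM runtime\nLABEL a=b\n"
TOOLS = """\
FROM registry.example/base:5.0
RUN INSTALL_PKGS="sos \\
    strace \\
    # numactl \\
    " && yum -y install $INSTALL_PKGS && yum clean all
CMD ["/usr/bin/bash"]
"""

if __name__ == "__main__":
    for label, df in [("cli, no USER", CLI_NO_USER), ("cli, fixed", CLI_FIXED),
                      ("USER in builder only", CLI_USER_IN_BUILDER_ONLY),
                      ("chained stages", CHAINED), ("tools", TOOLS)]:
        print(f"{label:22s} user={check(df)[0]!r:8} runs_as_root={check(df)[1]}")
```

`check()` returns `None` for the user when it is inherited from an external base image; the gate treats that as root by default, which is the conservative reading for a UBI- or RHEL-based image, and `assume_root_if_unknown=False` is available for bases known to set a non-root user.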


tchap commented Jun 9, 2026

Contributor Author

We need to wait for the rebase after all...

/close

@openshift-ci openshift-ci Bot closed this Jun 9, 2026

openshift-ci Bot commented Jun 9, 2026

Contributor

@tchap: Closed this PR.


In response to this:

We need to wait for the rebase after all...

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tchap tchap deleted the update-images branch June 9, 2026 11:15

openshift-ci Bot commented Jun 9, 2026

Contributor

@tchap: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/unit (commit ca99000, required: true): rerun with /test unit
  • ci/prow/verify (commit ca99000, required: true): rerun with /test verify

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
