Pipeline controller notification For optional jobs, comment
Skipping CI for Draft Pull Request.
Hello @jacobsee! Some important instructions when contributing to openshift/api:
/test all
766c5eb to ab9d438
ab9d438 to 1e4d8ce
📝 Walkthrough
This pull request updates the Go toolchain and build images from Go 1.24 to 1.25, bumps numerous module versions (including Kubernetes modules to v0.35.0 and multiple golang.org/x packages), and updates container base images to use golang-1.25. Several CRD OpenAPI descriptions are edited to add toleration operators Lt and Gt (noting they perform numeric comparisons and require the TaintTolerationComparisonOperators feature gate) and to remove RecoverVolumeExpansionFailure feature-gate wording from PVC/resource descriptions. Codegen now loads boilerplate via gengo with error handling.
🚥 Pre-merge checks | ✅ 1 | ❌ 2
❌ Failed checks (2 inconclusive)
✅ Passed checks (1 passed)
/test all
ae1d8fc to 9a02b63
fef37d6 to e980854
e980854 to a018c47
a018c47 to 54c7f8e
e5e4e13 to 6736e67
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@tools/go.mod`:
- Line 36: The replace directive for sigs.k8s.io/controller-tools in go.mod
points to an OpenShift fork at v0.12.1-0.20260129094627-81028d02e14a which is
incompatible with Kubernetes v0.35.0 dependencies; update the replace or module
target referenced in the replace line to a fork/version of controller-tools that
matches or is compatible with upstream v0.18.0 (or remove the replace to use
sigs.k8s.io/controller-tools v0.18.0), ensuring k8s.io/apiextensions-apiserver,
k8s.io/apimachinery, k8s.io/code-generator and k8s.io/kube-openapi versions
align with Kubernetes v0.35.0; if the downgrade is intentional, add a clear
comment in go.mod and the PR explaining why this specific OpenShift fork/version
is required and which downstream compatibility constraints were validated.
🧹 Nitpick comments (1)
tools/go.mod (1)
21-21: Note: golang.org/x/tools version differs from root go.mod.
The tools module uses `golang.org/x/tools v0.41.0` while the root module uses `v0.38.0`. This version difference may be intentional if the tools module has different requirements, but worth confirming this is expected.
| ) | ||
|
|
||
| replace sigs.k8s.io/controller-tools => github.com/openshift/controller-tools v0.12.1-0.20260120141914-b0865777b142 | ||
| replace sigs.k8s.io/controller-tools => github.com/openshift/controller-tools v0.12.1-0.20260129094627-81028d02e14a |
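Review bot: The new `replace` line swaps one OpenShift fork pseudo-version (`...20260120141914-b0865777b142`) for another (`...20260129094627-81028d02e14a`) without any comment saying what the newer fork commit carries. Suggest a one-line comment above the `replace` naming the fork branch or the change being picked up, so that a later dependency bump can tell whether the pin is still needed.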
🧩 Analysis chain
🏁 Script executed:
# Check if the pseudo-version resolves via Go proxy
curl -s "https://proxy.golang.org/github.com/openshift/controller-tools/@v/v0.12.1-0.20260129094627-81028d02e14a.info" | jq . 2>/dev/null || curl -s "https://proxy.golang.org/github.com/openshift/controller-tools/@v/v0.12.1-0.20260129094627-81028d02e14a.info"
Repository: openshift/api
Length of output: 299
🏁 Script executed:
# Check the format of the pseudo-version (date part: 20260129 = Jan 29, 2026)
# This appears to be a future date; let's check what's actually available
echo "Pseudo-version breakdown:"
echo "- Base version: v0.12.1"
echo "- Timestamp: 20260129 (January 29, 2026)"
echo "- Short commit: 81028d02e14a"
echo ""
echo "Checking Go module proxy for available versions:"
curl -s "https://proxy.golang.org/github.com/openshift/controller-tools/@v/list" | head -20
Repository: openshift/api
Length of output: 384
🏁 Script executed:
# Also check the base module that's being replaced
echo "Checking upstream controller-tools available versions:"
curl -s "https://proxy.golang.org/sigs.k8s.io/controller-tools/@v/list" | head -20
Repository: openshift/api
Length of output: 280
🏁 Script executed:
cat -n tools/go.mod | head -60
Repository: openshift/api
Length of output: 2834
Address critical version mismatch: controller-tools fork v0.12.1 is incompatible with Kubernetes v0.35.0 dependencies.
The go.mod requires sigs.k8s.io/controller-tools v0.18.0 (upstream) but replaces it with the OpenShift fork at v0.12.1-0.20260129094627-81028d02e14a. This is a 6 minor version downgrade applied to Kubernetes v0.35.0 dependencies (k8s.io/apiextensions-apiserver, k8s.io/apimachinery, k8s.io/code-generator, k8s.io/kube-openapi). The fork version is significantly older than what the upstream K8s libraries expect and will cause API incompatibilities. Upgrade the OpenShift fork to a version compatible with K8s v0.35.0, or document why this downgrade is intentional.
🤖 Prompt for AI Agents
In `@tools/go.mod` at line 36, The replace directive for
sigs.k8s.io/controller-tools in go.mod points to an OpenShift fork at
v0.12.1-0.20260129094627-81028d02e14a which is incompatible with Kubernetes
v0.35.0 dependencies; update the replace or module target referenced in the
replace line to a fork/version of controller-tools that matches or is compatible
with upstream v0.18.0 (or remove the replace to use sigs.k8s.io/controller-tools
v0.18.0), ensuring k8s.io/apiextensions-apiserver, k8s.io/apimachinery,
k8s.io/code-generator and k8s.io/kube-openapi versions align with Kubernetes
v0.35.0; if the downgrade is intentional, add a clear comment in go.mod and the
PR explaining why this specific OpenShift fork/version is required and which
downstream compatibility constraints were validated.
/test all
PR-Agent: could not find a component named
Changes look good here
6736e67 to f62f47e
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
Dockerfile.ocp (1)
1-23: ⚠️ Potential issue | 🟠 Major
Run the runtime stage as a non-root user.
The image currently runs as root, which is a security posture gap.
🔒 Suggested change
FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 @@ -COPY --from=builder /go/src/github.com/openshift/api/render /usr/bin/ -COPY --from=builder /go/src/github.com/openshift/api/write-available-featuresets /usr/bin/ +COPY --from=builder --chown=1001:0 /go/src/github.com/openshift/api/render /usr/bin/ +COPY --from=builder --chown=1001:0 /go/src/github.com/openshift/api/write-available-featuresets /usr/bin/ @@ -RUN mkdir -p /usr/share/bootkube/manifests/manifests +RUN mkdir -p /usr/share/bootkube/manifests/manifests /manifests \ + && chown -R 1001:0 /usr/share/bootkube/manifests /manifests @@ COPY payload-command/empty-resources /manifests + +USER 1001
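Review bot: In the last part of this suggestion, `COPY payload-command/empty-resources /manifests` still has no `--chown`, so the files it copies are owned by root even though the earlier `RUN` chowns `/manifests` to 1001:0; if the runtime user is meant to own that tree, add `--chown=1001:0` to that `COPY` as well. Separately, `--chown=1001:0` on the two binaries copied to `/usr/bin/` makes the runtime user their owner; they only need to be executable by that user, so leaving them root-owned is the tighter choice.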
🤖 Fix all issues with AI agents
In `@Dockerfile.ocp`:
- Line 1: The runtime stage currently runs as root; add a non-root USER
directive (e.g., USER nobody) in the runtime stage before the final LABEL
instruction to enforce least-privilege at container runtime—update the
Dockerfile runtime stage that begins after the builder stage and insert the USER
directive immediately prior to the existing final LABEL line so all subsequent
container processes run as that non-root user.
| @@ -1,4 +1,4 @@ | |||
| FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22 AS builder | |||
| FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder | |||
🧩 Analysis chain
🏁 Script executed:
# Explore repository structure to understand the Dockerfile context
git ls-files | grep -i dockerfile | head -20
Repository: openshift/api
Length of output: 799
🏁 Script executed:
# Check if there are any references to this specific image tag in the codebase
rg "rhel-9-golang-1.25-openshift-4.22" --type dockerfile
Repository: openshift/api
Length of output: 91
🏁 Script executed:
# Look for OpenShift or builder-related files
fd -i dockerfile
Repository: openshift/api
Length of output: 799
🏁 Script executed:
# Check if there are any release notes, docs, or CI configs that might reference this tag
find . -type f \( -name "*.md" -o -name "*.txt" -o -name "*.yaml" -o -name "*.yml" \) | head -20
Repository: openshift/api
Length of output: 1498
🏁 Script executed:
# Read the Dockerfile.ocp to see the context
cat -n Dockerfile.ocp
Repository: openshift/api
Length of output: 1167
🏁 Script executed:
# Check the .ci-operator.yaml for build configuration
cat -n .ci-operator.yaml | head -100
Repository: openshift/api
Length of output: 190
🏁 Script executed:
# Search for any references to the builder image or related tags
rg "ocp/builder" -A 2 -B 2
Repository: openshift/api
Length of output: 239
🏁 Script executed:
# Check for any documentation about OpenShift builder images
rg "rhel-9-golang" -A 2 -B 2
Repository: openshift/api
Length of output: 239
🏁 Script executed:
# Search for any git history or comments about this image update
git log --oneline --all -- Dockerfile.ocp | head -10
Repository: openshift/api
Length of output: 1342
🏁 Script executed:
# Check if there are any build/release documentation
find . -type f -name "*.md" | xargs grep -l "builder\|openshift-4.22" 2>/dev/null | head -5
Repository: openshift/api
Length of output: 148
🏁 Script executed:
# Look for any CI/CD workflows or scripts that might reference these images
find . -type f \( -name "*.sh" -o -name "Makefile" \) | xargs grep -l "builder\|4.22" 2>/dev/null | head -10
Repository: openshift/api
Length of output: 111
🏁 Script executed:
# Check the specific commits that updated Dockerfile.ocp
git show 183d7c65:Dockerfile.ocp 2>/dev/null | head -5
git show 8d996d52:Dockerfile.ocp 2>/dev/null | head -5
Repository: openshift/api
Length of output: 496
🏁 Script executed:
# Check the README to understand the project and build context
cat README.md | head -50
Repository: openshift/api
Length of output: 2064
🏁 Script executed:
# Look at the build_root_image more closely in ci-operator config
cat .ci-operator.yaml | grep -A 10 "build_root"
Repository: openshift/api
Length of output: 162
🏁 Script executed:
# Check if there's a recent change to the Dockerfile that updated the version
git diff HEAD~3 HEAD -- Dockerfile.ocp 2>/dev/null || git show --stat Dockerfile.ocp 2>/dev/null | head -20
Repository: openshift/api
Length of output: 313
🏁 Script executed:
# Look for any additional references to the 1.25 golang version or 4.22 release
rg "1.25.*4.22|4.22.*1.25" -i
Repository: openshift/api
Length of output: 50371
🏁 Script executed:
# Check if the runtime image also matches this version pattern
rg "ocp/4.22" -A 1 -B 1
Repository: openshift/api
Length of output: 154
🏁 Script executed:
# Check if there's a USER directive in the runtime stage of the Dockerfile
cat -n Dockerfile.ocp | tail -15
Repository: openshift/api
Length of output: 838
🏁 Script executed:
# Check for any recent changes or related configuration about the image tag
git log --oneline -5 -- Dockerfile.ocp .ci-operator.yaml
Repository: openshift/api
Length of output: 88
Add a non-root USER directive to the runtime stage for container security.
The runtime stage (starting at line 7) runs all processes as root. Add a USER instruction before the final LABEL to follow security best practices.
Suggested change
LABEL io.openshift.release.operator true
+USER nobody🧰 Tools
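Review bot: `USER nobody` sets the runtime user by name rather than by number; Kubernetes cannot verify a non-numeric image user against `runAsNonRoot`, so a pod that sets that field will fail to start with this image. Suggest a numeric UID in the `USER` line, and confirm that the paths this stage populates are readable by that UID.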
🪛 Trivy (0.69.1)
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)
🤖 Prompt for AI Agents
In `@Dockerfile.ocp` at line 1, The runtime stage currently runs as root; add a
non-root USER directive (e.g., USER nobody) in the runtime stage before the
final LABEL instruction to enforce least-privilege at container runtime—update
the Dockerfile runtime stage that begins after the builder stage and insert the
USER directive immediately prior to the existing final LABEL line so all
subsequent container processes run as that non-root user.
/test integration
PR-Agent: could not find a component named
…targets for codegen New function was introduced in kubernetes/kube-openapi@24f99be
f62f47e to 7f6dfdc
Scheduling tests matching the
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: JoelSpeed
/retest
@jacobsee: The following tests failed, say
No description provided.