2 changes: 1 addition & 1 deletion .ci-operator.yaml
@@ -1,4 +1,4 @@
build_root_image:
name: release
namespace: openshift
tag: rhel-9-release-golang-1.25-openshift-4.22
tag: rhel-9-release-golang-1.26-openshift-5.0
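Review bot: the build_root_image tag bump to rhel-9-release-golang-1.26-openshift-5.0 has to stay in lockstep with the builder image in Dockerfile.ocp (also golang-1.26-openshift-5.0 in this PR), otherwise CI and the release build compile with different Go toolchains; please also confirm the `go` directive in go.mod is satisfied by Go 1.26, since that is the only place the module's toolchain floor is recorded and this hunk does not touch it.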
4 changes: 2 additions & 2 deletions Dockerfile.ocp
@@ -1,11 +1,11 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder

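Review bot: the builder FROM at line 1 still references a floating tag (rhel-9-golang-1.26-openshift-5.0) rather than an `@sha256:` digest, so the exact toolchain behind this build can change without any diff in the repository; pinning the digest (or at least recording it in the PR description) is the usual fix for reproducible, attestable builds, and it is independent of which registry the base-image policy requires.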
⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Use approved Red Hat base image source per container policy.

Both updated FROM images are pulled from registry.ci.openshift.org, but this policy requires base images from catalog.redhat.com (UBI minimal or distroless). Please switch both builder/runtime bases to approved catalog sources for production image compliance.
As per coding guidelines, "Base image: UBI minimal or distroless from catalog.redhat.com."

Also applies to: 8-8

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.ocp` at line 1, the Dockerfile uses an unapproved base image "FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS
builder"; update this (and any other FROM lines, e.g., the runtime image) to use
an approved catalog.redhat.com base (UBI minimal or approved distroless) to
comply with container policy. Replace the builder FROM line and the runtime FROM
line(s) with the corresponding catalog.redhat.com UBI minimal or distroless
image tags that match the required runtime (e.g., UBI for Go builds or a
distroless runtime), ensuring the AS builder alias and any subsequent stages
still reference the renamed base.

Source: Coding guidelines

ARG TAGS=ocp
WORKDIR /go/src/github.com/openshift/console-operator
COPY . .

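Review bot: the `COPY . .` at line 4 is what makes the `git describe` in the RUN below work, because it carries `.git` into the builder stage; any narrowing to explicit paths (go.mod, go.sum, cmd/, pkg/, vendor/) must either copy `.git` as well or pass the version string in via an `ARG`, otherwise `$(git describe ...)` expands to nothing and versionFromGit is stamped empty without failing the build. A `.dockerignore` is the lighter-touch way to keep credentials and CI artifacts out of the context for as long as this stays `COPY . .`.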
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid copying full build context into the builder stage.

COPY . . imports unnecessary files and increases secret/supply-chain exposure risk. Copy only required paths (go.mod, go.sum, cmd/, pkg/, and needed assets).
As per coding guidelines, "COPY specific files, not entire context."

Proposed tightening
-COPY . .
+COPY go.mod go.sum ./
+COPY cmd ./cmd
+COPY pkg ./pkg
+COPY manifests ./manifests
+COPY quickstarts ./quickstarts
+COPY vendor ./vendor
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.ocp` at line 4, the Dockerfile currently uses a broad COPY . . in
the builder stage which brings the entire build context (and secrets) into the
image; replace that with explicit COPY commands for only required build inputs
(e.g., COPY go.mod go.sum ./, COPY cmd/ ./cmd/, COPY pkg/ ./pkg/, and any
required assets) and ensure these COPY lines are placed in the same stage
referenced by the builder stage name (the existing COPY . . symbol in the
builder stage). This reduces attack surface and build noise while preserving the
same build output.

Source: Coding guidelines
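A policy check that can be run over this Dockerfile to catch both findings above (base image not from the approved catalog registries, whole-context `COPY`) together with two related checks a reviewer would want (digest pinning of every `FROM`, legacy whitespace `ENV` form). This is an added example, not code from the console-operator repository or from the review bot. It assumes that images from catalog.redhat.com are pulled from registry.access.redhat.com or registry.redhat.io (adjust `APPROVED_REGISTRIES` to your organisation's policy); the first sample Dockerfile is transcribed from the Dockerfile.ocp hunk in this PR, the hardened variant is constructed for the example and its digests are placeholders.

```python
"""Added example (not console-operator code): a small Dockerfile policy linter
covering approved base registries, digest pinning, whole-context COPY and
the legacy ENV key/value form."""
from typing import List, Tuple

# Assumption: catalog.redhat.com images are served from these registries; adjust to policy.
APPROVED_REGISTRIES = ("registry.access.redhat.com/", "registry.redhat.io/")

# Transcribed from the Dockerfile.ocp hunk in this PR (new side of the diff).
CURRENT_DOCKERFILE = """\
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
ARG TAGS=ocp
WORKDIR /go/src/github.com/openshift/console-operator
COPY . .
ENV GO_PACKAGE github.com/openshift/console-operator
RUN go build -ldflags "-X $GO_PACKAGE/pkg/version.versionFromGit=$(git describe --long --tags --abbrev=7 --match 'v[0-9]*')" -tags="${TAGS}" -o console ./cmd/console

FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
RUN useradd console-operator
USER console-operator
COPY --from=builder /go/src/github.com/openshift/console-operator/console /usr/bin/console
"""

# Constructed hardened variant: catalog images pinned by digest (placeholder digests),
# explicit COPY paths, ENV in key=value form.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
HARDENED_DOCKERFILE = f"""\
FROM registry.access.redhat.com/ubi9/go-toolset@{PLACEHOLDER_DIGEST} AS builder
WORKDIR /go/src/github.com/openshift/console-operator
COPY go.mod go.sum ./
COPY cmd ./cmd
COPY pkg ./pkg
COPY vendor ./vendor
ENV GO_PACKAGE=github.com/openshift/console-operator
RUN go build -o console ./cmd/console

FROM registry.access.redhat.com/ubi9/ubi-minimal@{PLACEHOLDER_DIGEST}
COPY --from=builder /go/src/github.com/openshift/console-operator/console /usr/bin/console
"""


def parse_instructions(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, INSTRUCTION, args), joining backslash continuations
    and skipping blank lines and comments."""
    out: List[Tuple[int, str, str]] = []
    buf, start = "", 0
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return out


def check_dockerfile(dockerfile: str, approved=APPROVED_REGISTRIES) -> List[Tuple[int, str]]:
    """Return (line_no, message) findings; an empty list means the file passes."""
    findings: List[Tuple[int, str]] = []
    aliases = set()  # stage names declared with "AS"; FROM <alias> is not a base image
    for n, ins, args in parse_instructions(dockerfile):
        toks = [t for t in args.split() if not t.startswith("--")]  # drop --platform, --from, --chown
        if ins == "FROM" and toks:
            image = toks[0]
            if len(toks) == 3 and toks[1].upper() == "AS":
                aliases.add(toks[2])
            if image in aliases or image.lower() == "scratch":
                continue
            if not image.startswith(approved):
                findings.append((n, f"FROM {image}: not from an approved catalog.redhat.com registry"))
            if "@sha256:" not in image:
                findings.append((n, f"FROM {image}: floating tag, pin to an @sha256 digest"))
        elif ins in ("COPY", "ADD") and len(toks) >= 2:
            if any(src in (".", "./") for src in toks[:-1]):
                findings.append((n, f"{ins} pulls in the whole build context; list the required paths"))
        elif ins == "ENV" and args and "=" not in args.split(None, 1)[0]:
            findings.append((n, "ENV uses the legacy whitespace form; use KEY=value"))
    return findings


if __name__ == "__main__":
    for name, text in (("Dockerfile.ocp (PR)", CURRENT_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {name}: {len(check_dockerfile(text))} finding(s)")
        for line_no, msg in check_dockerfile(text):
            print(f"  line {line_no}: {msg}")
```

Against the PR's Dockerfile the checker reports both `FROM` lines twice (registry and missing digest), the `COPY . .` at line 4 and the `ENV` at line 5, which matches the reviewer's line references above; the hardened variant passes cleanly. Wiring this into CI as a pre-merge check is more reliable than relying on review comments to catch the next base-image bump.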

ENV GO_PACKAGE github.com/openshift/console-operator
RUN go build -ldflags "-X $GO_PACKAGE/pkg/version.versionFromGit=$(git describe --long --tags --abbrev=7 --match 'v[0-9]*')" -tags="${TAGS}" -o console ./cmd/console

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
RUN useradd console-operator
USER console-operator
COPY --from=builder /go/src/github.com/openshift/console-operator/console /usr/bin/console
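Review bot: `ENV GO_PACKAGE github.com/openshift/console-operator` at line 5 uses the legacy whitespace form, which BuildKit now flags (LegacyKeyValueFormat); `ENV GO_PACKAGE=github.com/openshift/console-operator` is the supported spelling. The runtime base at line 8 moved from ocp/4.22:base-rhel9 to ocp/5.0:base-rhel9 and, like the builder stage, is a mutable tag rather than a digest. Switching to `USER console-operator` before the `COPY --from=builder` is the right order, since the binary is then owned by root and not writable by the service account the operator runs as.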