fix: update mariadb version, fix minio-copy-pod securityContext

[adolfo-ab]

Description

• Previous mariadb operator version wasn't present in some test clusters
• missing securityContext caused failures in some test clusters

How Has This Been Tested?

Executing updated tests in different clusters

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated the MariaDB operator version used during installation in testing.
  • Improved security and permissions handling for test containers by enforcing non-root execution and stricter security settings.
  • Adjusted test container commands to prevent permission errors and enhance reliability.

Walkthrough

This change updates the MariaDB operator version used in a test fixture and enhances the security context for MinIO-related pod containers in another test fixture. The modifications enforce non-root execution, restrict privileges, and adjust environment configuration for MinIO client commands.

Changes

Cohort / File(s)	Change Summary
MariaDB Operator Version Update tests/conftest.py	Updates the starting ClusterServiceVersion for the MariaDB operator in the test fixture from mariadb-operator.v0.38.1 to mariadb-operator.v25.8.1. No other logic or control flow is changed.
MinIO Pod Security Enhancements tests/model_explainability/lm_eval/conftest.py	Adds a securityContext to both the init and main containers in the lmeval_minio_copy_pod fixture, enforcing non-root execution, disabling privilege escalation, dropping all capabilities, and applying a default seccomp profile. The main container's command is updated to set the MC_CONFIG_DIR environment variable to a writable directory and reformatted to use && for command chaining. No changes to public entity signatures.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• Update MinIo pod privileges to run on ocp 4.19 #277: Both PRs modify securityContext settings for MinIO-related pod containers in test fixtures to enforce non-root execution and restrict privileges, directly relating to enhanced pod security configurations.

Suggested labels

Verified, lgtm-by-lugi0, lgtm-by-sheltoncyril

Suggested reviewers

• sheltoncyril
• lugi0

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 05c976c and afdd5d1.

📒 Files selected for processing (2)

• tests/conftest.py (1 hunks)
• tests/model_explainability/lm_eval/conftest.py (2 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: adolfo-ab
PR: opendatahub-io/opendatahub-tests#334
File: tests/model_explainability/trustyai_service/test_trustyai_service.py:52-65
Timestamp: 2025-06-05T10:05:17.642Z
Learning: For TrustyAI image validation tests: operator image tests require admin_client, related_images_refs, and trustyai_operator_configmap fixtures, while service image tests would require different fixtures like trustyai_service_with_pvc_storage, model_namespace, and current_client_token.

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#401
File: tests/model_registry/rest_api/mariadb/conftest.py:89-110
Timestamp: 2025-07-04T00:17:47.799Z
Learning: In tests/model_registry/rest_api/mariadb/conftest.py, the model_registry_with_mariadb fixture should always use OAUTH_PROXY_CONFIG_DICT for the oauth_proxy parameter regardless of the is_model_registry_oauth parameter value, based on expected product behavior for MariaDB-backed ModelRegistry instances.

tests/model_explainability/lm_eval/conftest.py (4)

Learnt from: adolfo-ab
PR: #334
File: tests/model_explainability/trustyai_service/test_trustyai_service.py:52-65
Timestamp: 2025-06-05T10:05:17.642Z
Learning: For TrustyAI image validation tests: operator image tests require admin_client, related_images_refs, and trustyai_operator_configmap fixtures, while service image tests would require different fixtures like trustyai_service_with_pvc_storage, model_namespace, and current_client_token.

Learnt from: lugi0
PR: #446
File: tests/model_registry/conftest.py:666-676
Timestamp: 2025-07-17T15:41:54.284Z
Learning: In tests/model_registry/conftest.py, the db_secret_1 and db_secret_2 fixtures do not require the admin_client parameter in their signatures, unlike some other Secret fixtures in the codebase. The user lugi0 confirmed this is the correct pattern for these specific fixtures.

Learnt from: lugi0
PR: #446
File: tests/model_registry/conftest.py:595-612
Timestamp: 2025-07-17T15:42:04.167Z
Learning: In tests/model_registry/conftest.py, the db_deployment_1 fixture (and similar duplicated resource fixtures) do not require the admin_client parameter or explicit dependencies on related fixtures like db_secret_1, db_pvc_1, and db_service_1, even though the original model_registry_db_deployment fixture includes these parameters.

Learnt from: lugi0
PR: #446
File: tests/model_registry/conftest.py:579-591
Timestamp: 2025-07-17T15:43:04.876Z
Learning: In tests/model_registry/conftest.py, the db_service_1 and db_service_2 fixtures do not require the admin_client parameter for Service resource creation, despite the existing model_registry_db_service fixture using client=admin_client. This inconsistency was confirmed as intentional by user lugi0.

tests/conftest.py (1)

Learnt from: dbasunag
PR: #401
File: tests/model_registry/rest_api/mariadb/conftest.py:89-110
Timestamp: 2025-07-04T00:17:47.799Z
Learning: In tests/model_registry/rest_api/mariadb/conftest.py, the model_registry_with_mariadb fixture should always use OAUTH_PROXY_CONFIG_DICT for the oauth_proxy parameter regardless of the is_model_registry_oauth parameter value, based on expected product behavior for MariaDB-backed ModelRegistry instances.

🧬 Code Graph Analysis (1)

tests/model_explainability/lm_eval/conftest.py (2)

tests/conftest.py (1)

• minio_service (531-549)

utilities/constants.py (3)

• MinIo (249-302)
• Metadata (250-253)
• Credentials (255-259)

🔇 Additional comments (4)

tests/conftest.py (1)

670-670: Verify MariaDB Operator Version Availability

LGTM on updating the MariaDB operator from v0.38.1 to v25.8.1 to address cluster availability issues. We weren’t able to confirm the new CSV in the community-operators catalog automatically (the oc CLI isn’t available in this environment). Please manually verify that mariadb-operator.v25.8.1 exists in your target operator catalog before merging.

tests/model_explainability/lm_eval/conftest.py (3)

353-358: Excellent security enhancement for init container.

Adding the securityContext with non-root execution, privilege escalation disabled, and all capabilities dropped follows Kubernetes security best practices. This addresses the PR objective of fixing missing securityContext that caused failures in test clusters.

---

367-372: Smart fix for MinIO client permission issues.

Setting MC_CONFIG_DIR=/shared/.mc prevents permission errors when the MinIO client tries to create its configuration directory while running as non-root. The command formatting with && chaining is also cleaner and more readable than the previous newline-separated approach.

---

375-380: Consistent security context applied to main container.

The security context configuration matches the init container, ensuring both containers run with the same security restrictions. This maintains consistency and follows the principle of least privilege.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/lgtm', '/build-push-pr-image', '/verified', '/hold', '/wip', '/cherry-pick'}

[adolfo-ab]

/verified

[kpunwatk]

/lgtm

[adolfo-ab]

/cherry-pick 2.23

[adolfo-ab]

/cherry-pick 2.23

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.

[rhods-ci-bot]

Cherry pick action created PR #471 successfully 🎉!
See: https://github.com/opendatahub-io/opendatahub-tests/actions/runs/16594005496

[rhods-ci-bot]

Cherry pick action created PR #472 successfully 🎉!
See: https://github.com/opendatahub-io/opendatahub-tests/actions/runs/16594137817