Update hello-openshift base images from 4.16/4.17 to 4.22 #31264

Open. anuragthehatter wants to merge 1 commit into openshift:main from anuragthehatter:fix-hello-openshift-images

@anuragthehatter anuragthehatter commented Jun 6, 2026

Summary

  • Update builder and base images in images/hello-openshift/Dockerfile.rhel from ocp/4.16 and 4.17 to 4.22
  • The old images have been pruned from the CI registry, causing PullBuilderImageFailed on payload-job-with-prs runs

Test plan

  • CI passes with updated base images

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated base container images to OpenShift 4.22 and Go 1.25.

The builder and base images referenced ocp/4.16 and 4.17 which have been
pruned from the CI registry, causing PullBuilderImageFailed on all
payload-job-with-prs runs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci openshift-ci Bot requested a review from deads2k June 6, 2026 01:08
Contributor

openshift-ci Bot commented Jun 6, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: anuragthehatter
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested a review from sdodson June 6, 2026 01:08

coderabbitai Bot commented Jun 6, 2026

Walkthrough

The hello-openshift Dockerfile base images are updated to OpenShift 4.22 with Go 1.25, replacing the previous 4.17/Go 1.22 builder and 4.16 runtime base images. Build steps and runtime instructions remain unchanged.

Changes

Base Image Version Bump

| Layer / File(s) | Summary |
| --- | --- |
| Base image version updates: images/hello-openshift/Dockerfile.rhel | Builder stage FROM instruction bumped to rhel-9-golang-1.25 on OpenShift 4.22; runtime stage base image updated from ocp/4.16:base-rhel9 to ocp/4.22:base-rhel9. Build and runtime instructions remain identical. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Microshift Test Compatibility | ⚠️ Warning | Four new Ginkgo tests in test/e2e/upgrade/upgrade.go use config.openshift.io/v1 API without MicroShift protection tags, violating compatibility requirements. | Add [apigroup:config.openshift.io] tag to each test name or guard with exutil.IsMicroShiftCluster() skip check. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: updating Docker base images in the hello-openshift Dockerfile from older OpenShift versions (4.16/4.17) to 4.22. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR modifies only a Dockerfile (images/hello-openshift/Dockerfile.rhel) with no Ginkgo test files or test names, so the check for stable test names is not applicable. |
| Test Structure And Quality | ✅ Passed | The pull request only modifies images/hello-openshift/Dockerfile.rhel (updating base image versions), not any Ginkgo test code. The custom check for Ginkgo test quality is not applicable to this PR. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only modifies Dockerfile.rhel (base image versions); no Ginkgo e2e tests are added, so SNO compatibility check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only updates Dockerfile base images without adding deployment manifests, operator code, or scheduling constraints. Check applies to deployment/operator changes only. |
| Ote Binary Stdout Contract | ✅ Passed | Check not applicable: PR only updates base image versions in Dockerfile.rhel (infrastructure change), not process-level code that could have stdout contract violations. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR updates Dockerfile base images but adds no new Ginkgo e2e tests; custom check applies only to new e2e tests with IPv4/external connectivity assumptions. |
| No-Weak-Crypto | ✅ Passed | PR contains only Dockerfile base image updates with no weak cryptography, custom crypto, or insecure secret comparisons in the codebase. |
| Container-Privileges | ✅ Passed | PR only updates base image versions in Dockerfile; no privileged settings, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation found; runs as non-root (USER 1001). |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR only updates base image versions in Dockerfile. No logging statements that expose sensitive data (passwords, tokens, API keys, PII, session IDs, etc.) are added or modified. |


@anuragthehatter
Author

@sdodson Is that something you could help reviewing?

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
images/hello-openshift/Dockerfile.rhel (1)

1-11: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add HEALTHCHECK instruction.

The Dockerfile is missing a HEALTHCHECK instruction, which is required by the coding guidelines. Since the application exposes ports 8080 and 8888, consider adding a health check to verify the service is responding.

🏥 Proposed addition of HEALTHCHECK
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 COPY --from=builder /hello-openshift /hello-openshift
 EXPOSE 8080 8888
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD ["/usr/bin/curl", "-f", "http://localhost:8080/", "||", "exit", "1"]
 USER 1001
 ENTRYPOINT ["/hello-openshift"]
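
Review bot: The exec-form CMD on the two added HEALTHCHECK lines passes "||", "exit" and "1" to curl as literal arguments, because a JSON-array CMD is not run through a shell; curl treats them as extra URLs, so the check does not behave like `curl -f ... || exit 1`. Either use shell form (CMD curl -f http://localhost:8080/ || exit 1) or drop the three trailing array elements, since curl -f already exits non-zero on an HTTP error. Also confirm /usr/bin/curl exists in ocp/4.22:base-rhel9 before relying on it, and note that Kubernetes does not run an image's HEALTHCHECK; pod health there comes from liveness and readiness probes on the workload.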

Note: Verify that curl is available in the base image, or use an alternative health check method appropriate for the hello-openshift application.

As per coding guidelines, the container security (prodsec-skills) section requires: "HEALTHCHECK defined".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/hello-openshift/Dockerfile.rhel` around lines 1 - 11, Add a
HEALTHCHECK instruction to the Dockerfile to satisfy the "HEALTHCHECK defined"
guideline: add a HEALTHCHECK that calls the running binary (ENTRYPOINT
/hello-openshift) over an exposed port (e.g., HTTP GET to :8080 or :8888) and
returns non-zero on failure; ensure the command uses binaries available in the
base image (curl/wget or an exec-style check) and set sensible
--interval/--timeout/--retries values so the container health reflects the
application responsiveness.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/hello-openshift/Dockerfile.rhel`:
- Line 1: Add a HEALTHCHECK instruction to
images/hello-openshift/Dockerfile.rhel to satisfy container security guidelines
(e.g., a minimal CMD that probes the app or exits appropriately) and ensure it
uses sensible intervals/retries; also review the two FROM lines (the builder
stage "FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22" and the
runtime stage that also references registry.ci.openshift.org) and either change
them to the approved catalog.redhat.com equivalents or document/confirm the
OpenShift CI exception for using registry.ci.openshift.org with the
release/maintainers so the base image registry usage is intentional.

---

Outside diff comments:
In `@images/hello-openshift/Dockerfile.rhel`:
- Around line 1-11: Add a HEALTHCHECK instruction to the Dockerfile to satisfy
the "HEALTHCHECK defined" guideline: add a HEALTHCHECK that calls the running
binary (ENTRYPOINT /hello-openshift) over an exposed port (e.g., HTTP GET to
:8080 or :8888) and returns non-zero on failure; ensure the command uses
binaries available in the base image (curl/wget or an exec-style check) and set
sensible --interval/--timeout/--retries values so the container health reflects
the application responsiveness.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 53384846-3916-459b-95b4-d41255985737

📥 Commits

Reviewing files that changed from the base of the PR and between b1497b7 and 35acd4f.

📒 Files selected for processing (1)
  • images/hello-openshift/Dockerfile.rhel

@@ -1,9 +1,9 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.22-openshift-4.17 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
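
Review bot: The Go toolchain jump from 1.22 to 1.25 on the builder FROM line is not mentioned in the PR title or summary, which describe only the 4.16/4.17 to 4.22 move; state it in the description and confirm hello-openshift builds cleanly under 1.25. The reference is also still a floating version tag on registry.ci.openshift.org, so the PullBuilderImageFailed described in the summary will recur once the 4.22 images are pruned; a short comment above the FROM saying the tag must track a release still retained in the CI registry would point the next person at the cause.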

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check base image registry usage across Dockerfiles in the repository

# Search for FROM statements in Dockerfiles
echo "=== Checking FROM statements in Dockerfiles ==="
rg -n --type dockerfile 'FROM\s+' -C 1

echo -e "\n=== Counting registry usage ==="
echo "registry.ci.openshift.org:"
rg --type dockerfile 'FROM.*registry\.ci\.openshift\.org' --count-matches

echo -e "\ncatalog.redhat.com:"
rg --type dockerfile 'FROM.*catalog\.redhat\.com' --count-matches

Repository: openshift/origin

Length of output: 312


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Inspect the target Dockerfile for HEALTHCHECK and actual base images
echo "=== Target Dockerfile: images/hello-openshift/Dockerfile.rhel ==="
if [ -f "images/hello-openshift/Dockerfile.rhel" ]; then
  nl -ba images/hello-openshift/Dockerfile.rhel | sed -n '1,200p'
else
  echo "Missing file: images/hello-openshift/Dockerfile.rhel"
fi

# 2) Collect all Dockerfile-like files and re-run FROM-registry counts
echo
echo "=== Repo-wide scan: Dockerfile-like files ==="
DOCKERFILES=$(fd -t f 'Dockerfile*' . && true; fd -t f '*Dockerfile*' . && true) || true
# Deduplicate
DOCKERFILES=$(printf "%s\n" $DOCKERFILES | awk 'NF{print}' | sort -u)

echo "Found $(printf "%s\n" $DOCKERFILES | wc -l | tr -d ' ') dockerfile-like files."

echo
echo "=== FROM statements (first 200 matches) ==="
rg -n "^\s*FROM\s+" $DOCKERFILES | head -n 200

echo
echo "=== Count FROM usages by registry ==="
echo "registry.ci.openshift.org:"
rg -n "^\s*FROM\s+.*registry\.ci\.openshift\.org" $DOCKERFILES | wc -l | tr -d ' '

echo "catalog.redhat.com:"
rg -n "^\s*FROM\s+.*catalog\.redhat\.com" $DOCKERFILES | wc -l | tr -d ' '

# Also output Dockerfiles that use registry.ci.openshift.org for quick context
echo
echo "=== Dockerfiles using registry.ci.openshift.org (up to 50 files) ==="
rg -l "^\s*FROM\s+.*registry\.ci\.openshift\.org" $DOCKERFILES | head -n 50

echo
echo "=== Dockerfiles using catalog.redhat.com (up to 50 files) ==="
rg -l "^\s*FROM\s+.*catalog\.redhat\.com" $DOCKERFILES | head -n 50

Repository: openshift/origin

Length of output: 187


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="images/hello-openshift/Dockerfile.rhel"

echo "=== Target Dockerfile: $FILE ==="
if [ -f "$FILE" ]; then
  echo "--- First 200 lines (with numbers) ---"
  awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,200p'

  echo
  echo "--- Check directives ---"
  echo "HEALTHCHECK:"
  rg -n --hidden --no-ignore-vcs "^\s*HEALTHCHECK\b" "$FILE" || true
  echo "USER (non-root):"
  rg -n --hidden --no-ignore-vcs "^\s*USER\b" "$FILE" || true
  echo "Base FROM lines:"
  rg -n --hidden --no-ignore-vcs "^\s*FROM\s+" "$FILE" || true
else
  echo "Missing file: $FILE"
fi

echo
echo "=== Repo-wide scan: Dockerfile* files (using git-tracked paths) ==="
DOCKERFILES=$(git ls-files | rg -i '(^|/)(dockerfile[^/]*|containerfile[^/]*).*' || true)

COUNT=$(printf "%s\n" "$DOCKERFILES" | awk 'NF{c++} END{print c+0}')
echo "Dockerfile-like tracked files found: $COUNT"

# Count FROM lines by registry
echo
echo "Count FROM by registry:"
echo "registry.ci.openshift.org:"
printf "%s\n" "$DOCKERFILES" | rg -n "^\s*FROM\s+.*registry\.ci\.openshift\.org" --count-matches || true

echo
echo "catalog.redhat.com:"
printf "%s\n" "$DOCKERFILES" | rg -n "^\s*FROM\s+.*catalog\.redhat\.com" --count-matches || true

# Show a few examples for context
echo
echo "Example FROM lines using registry.ci.openshift.org (up to 30):"
printf "%s\n" "$DOCKERFILES" | xargs -r rg -n "^\s*FROM\s+.*registry\.ci\.openshift\.org" | head -n 30 || true

echo
echo "Example FROM lines using catalog.redhat.com (up to 30):"
printf "%s\n" "$DOCKERFILES" | xargs -r rg -n "^\s*FROM\s+.*catalog\.redhat\.com" | head -n 30 || true

Repository: openshift/origin

Length of output: 2068


Add HEALTHCHECK and align/confirm base image registry guidance

  • images/hello-openshift/Dockerfile.rhel has no HEALTHCHECK; add one per the container security guideline.
  • Both stages use registry.ci.openshift.org for the FROM bases (lines 1 and 6) instead of catalog.redhat.com; the repo-wide scan found 0 catalog.redhat.com usages across 41 Dockerfile-like tracked files and many registry.ci.openshift.org usages, so confirm whether this is an approved OpenShift CI exception or update the bases accordingly.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/hello-openshift/Dockerfile.rhel` at line 1, Add a HEALTHCHECK
instruction to images/hello-openshift/Dockerfile.rhel to satisfy container
security guidelines (e.g., a minimal CMD that probes the app or exits
appropriately) and ensure it uses sensible intervals/retries; also review the
two FROM lines (the builder stage "FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22" and the
runtime stage that also references registry.ci.openshift.org) and either change
them to the approved catalog.redhat.com equivalents or document/confirm the
OpenShift CI exception for using registry.ci.openshift.org with the
release/maintainers so the base image registry usage is intentional.

Source: Coding guidelines
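
The three checks this review thread applies to Dockerfile.rhel (registry of each FROM base, HEALTHCHECK defined, final USER), as an added example that is not part of the PR or the openshift/origin repository. The names `audit` and `registry_of` are hypothetical, the sample's builder-stage body is a constructed placeholder, and image names set through ARG substitution are assumed not to occur.

```python
import re
from collections import Counter

# Constructed sample: FROM/COPY/EXPOSE/USER/ENTRYPOINT lines as quoted in this
# thread; the builder-stage body (lines 2-4) is a placeholder, not the repo's.
SAMPLE = """\
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
WORKDIR /src
COPY . .
RUN go build -o /hello-openshift .

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
COPY --from=builder /hello-openshift /hello-openshift
EXPOSE 8080 8888
USER 1001
ENTRYPOINT ["/hello-openshift"]
"""

FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)

def registry_of(image):
    # Docker's rule: the first path component is a host only if it has '.', ':' or is localhost
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def audit(text):
    stages, bases = set(), []
    healthcheck, user, continued = False, None, False
    for lineno, line in enumerate(text.splitlines(), 1):
        was_continued, continued = continued, line.rstrip().endswith("\\")
        if was_continued:
            continue  # tail of a multi-line instruction, not a new instruction
        m = FROM_RE.match(line)
        if m:
            image, alias = m.group(1), m.group(2)
            # FROM <earlier stage> and FROM scratch pull nothing from a registry
            if image.lower() not in stages and image.lower() != "scratch":
                bases.append({"line": lineno, "image": image,
                              "registry": registry_of(image),
                              "pinned": "@sha256:" in image})
            if alias:
                stages.add(alias.lower())
            healthcheck, user = False, None  # only the final stage's settings ship
            continue
        parts = line.split() or [""]
        instr = parts[0].upper()
        if instr == "HEALTHCHECK":
            healthcheck = len(parts) > 1 and parts[1].upper() != "NONE"
        elif instr == "USER" and len(parts) > 1:
            user = parts[1]
    return {"bases": bases, "healthcheck": healthcheck, "user": user,
            "registries": dict(Counter(b["registry"] for b in bases))}
```

`audit(open(path).read())` gives the same report for a file on disk; a base image may itself define HEALTHCHECK or USER, which this file-level check cannot see.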

Contributor

openshift-ci Bot commented Jun 6, 2026

@anuragthehatter: This PR was included in a payload test run from openshift/cluster-network-operator#3015
trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-serial-1of2
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-serial-2of2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/30323330-6145-11f1-8085-18a113a858ae-0

@openshift-merge-bot
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

Contributor

openshift-ci Bot commented Jun 6, 2026

@anuragthehatter: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
