
CNF-18836 / CNF-20367: Use ubi for both builder and runtime #733

Merged
fontivan merged 1 commit into rh-ecosystem-edge:main from fontivan:sskeard/cnf-20367-cnf-18836-images-overhaul-fix on Nov 19, 2025

Conversation

@fontivan
Member

@fontivan fontivan commented Nov 18, 2025

  • Mixing rhel-els and ubi causes significant conforma issues
  • Instead, use ubi for everything and add the rhel repos where required to resolve the necessary packages
  • Prefer ubi repos over rhel repos by default
  • Update renovate configuration to also allow parsing docker images in rpms.in.yaml files

Assisted-by: Cursor/claude-4.5-sonnet
AI-attribution: AIA,Primarily human-created,Human-initiated,Reviewed,Cursor/claude-4.5-sonnet,v1.0
For more information on AI attribution statements, see: https://aiattribution.github.io/

Summary by CodeRabbit

  • Chores
    • Switched build-stage images to UBI-based images while keeping the runtime image unchanged.
    • Migrated package repository definitions to UBI equivalents and standardized verification/metadata fields and priorities.
    • Removed archived/deprecated package entries from locked runtime packages.
    • Added automation pattern to include RPM manifest files for dependency upkeep.

@openshift-ci-robot
Collaborator

openshift-ci-robot commented Nov 18, 2025

@fontivan: This pull request references CNF-20367 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

  • Mixing rhel-els and ubi causes significant conforma issues
  • Instead, use ubi for everything and add the rhel repos where required to resolve the necessary packages
  • Prefer ubi repos over rhel repos by default
  • Update renovate configuration to also allow parsing docker images in rpms.in.yaml files

Assisted-by: Cursor/claude-4.5-sonnet
AI-attribution: AIA,Primarily human-created,Human-initiated,Reviewed,Cursor/claude-4.5-sonnet,v1.0
For more information on AI attribution statements, see: https://aiattribution.github.io/

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai bot commented Nov 18, 2025

Warning

Rate limit exceeded

@fontivan has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 3 minutes and 28 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 67df24a and 4817cae.

📒 Files selected for processing (6)
  • .konflux/Dockerfile (1 hunks)
  • .konflux/container_build_args.conf (1 hunks)
  • .konflux/lock-build/rpms.in.yaml (4 hunks)
  • .konflux/lock-runtime/rpms.in.yaml (0 hunks)
  • .konflux/lock-runtime/rpms.lock.yaml (0 hunks)
  • renovate.json (1 hunks)

Walkthrough

Migrates build-stage image and build-time RPM sources from RHEL 9.6 to UBI9: builder image and container build args updated to UBI, lock-build repo definitions converted to UBI-based repos/metadata, two runtime openssl-libs lock entries removed, and Renovate configured to match rpms.in.yaml.

Changes

Cohort / File(s) and summary:

  • Container base image & build args (.konflux/Dockerfile, .konflux/container_build_args.conf): Builder stage image changed from registry.redhat.io/rhel9-6-els/rhel:9.6 to registry.access.redhat.com/ubi9/ubi:latest (pinned digest in container_build_args.conf); runtime image remains UBI minimal.
  • RPM repository definitions (build) (.konflux/lock-build/rpms.in.yaml): Replaced/added many RHEL repo entries with UBI9 equivalents (AppStream, BaseOS, CodeReady Builder and EUS variants), unified varsFromImage to UBI digests, removed SSL client-cert blocks, and added metadata fields (sslverifystatus, metadata_expire, enabled_metadata, priority).
  • RPM lock (runtime) (.konflux/lock-runtime/rpms.lock.yaml): Removed openssl-libs archived entries from aarch64 and x86_64 sections; other lock entries unchanged.
  • Renovate config (renovate.json): Added "/.*rpms\\.in\\.yaml$/" to custom regex manager managerFilePatterns alongside existing container_build_args.conf pattern.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Files needing extra attention:
    • .konflux/lock-build/rpms.in.yaml: verify varsFromImage digests, repo IDs/URLs, and metadata fields for UBI9 correctness.
    • .konflux/container_build_args.conf & .konflux/Dockerfile: confirm build-time packages and tooling remain compatible under the UBI9 builder image.
    • ​.konflux/lock-runtime/rpms.lock.yaml: confirm removal of openssl-libs entries is intentional and safe for runtime images.

Possibly related PRs

Suggested labels

lgtm

Suggested reviewers

  • tsorya
  • danmanor
  • mresvanis
  • omertuc

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically identifies the main change: migrating from RHEL-ELS to UBI for both builder and runtime images, with direct reference to the related Jira tickets CNF-18836 and CNF-20367.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@openshift-ci openshift-ci bot requested review from danmanor and tsorya November 18, 2025 15:49
@openshift-ci-robot
Collaborator

openshift-ci-robot commented Nov 18, 2025

@fontivan: This pull request references CNF-20367 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

  • Mixing rhel-els and ubi causes significant conforma issues
  • Instead, use ubi for everything and add the rhel repos where required to resolve the necessary packages
  • Prefer ubi repos over rhel repos by default
  • Update renovate configuration to also allow parsing docker images in rpms.in.yaml files

Assisted-by: Cursor/claude-4.5-sonnet
AI-attribution: AIA,Primarily human-created,Human-initiated,Reviewed,Cursor/claude-4.5-sonnet,v1.0
For more information on AI attribution statements, see: https://aiattribution.github.io/

Summary by CodeRabbit

  • Chores
  • Updated container build images and package repositories for improved build reliability and consistency.
  • Simplified SSL verification configuration.
  • Cleaned up deprecated package dependencies.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5126243 and ed9d05f.

📒 Files selected for processing (5)
  • .konflux/Dockerfile (1 hunks)
  • .konflux/container_build_args.conf (1 hunks)
  • .konflux/lock-build/rpms.in.yaml (4 hunks)
  • .konflux/lock-runtime/rpms.lock.yaml (0 hunks)
  • renovate.json (1 hunks)
💤 Files with no reviewable changes (1)
  • .konflux/lock-runtime/rpms.lock.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Red Hat Konflux / recert-4-21-on-pull-request
  • GitHub Check: build
🔇 Additional comments (4)
renovate.json (1)

10-11: Renovate regex manager now correctly targets rpms.in.yaml

Adding /.*rpms\\.in\\.yaml$/ alongside container_build_args.conf looks consistent with how varsFromImage digests are encoded and should let Renovate manage those image digests as intended. Please just confirm via a Renovate dry‑run or logs that updates to .konflux/lock-*/rpms.in.yaml are detected as expected.

.konflux/container_build_args.conf (1)

8-8: BUILDER_IMAGE pin to UBI digest aligns with lock-build metadata

Switching BUILDER_IMAGE to the pinned ubi9/ubi@sha256:… matches the varsFromImage values used in .konflux/lock-build/rpms.in.yaml, which should keep Mintmaker and Conforma in sync. The Dockerfile still defaults to ubi9/ubi:latest, so it’s worth confirming your pipeline actually sources the builder image from this args file (and not the Dockerfile default) in all Konflux jobs.

.konflux/Dockerfile (1)

2-2: Builder stage now based on ubi9/ubi as intended

Updating BUILDER_IMAGE’s default to ubi9/ubi:latest aligns the Dockerfile with the UBI‑based build image used in .konflux/container_build_args.conf and .konflux/lock-build/rpms.in.yaml. Since the Dockerfile uses a tag while the lock/config files use a pinned digest, please double‑check that your Konflux build path always overrides this ARG with the digest from container_build_args.conf so builds stay reproducible.

.konflux/lock-build/rpms.in.yaml (1)

99-159: RHEL repos correctly demoted and aligned with UBI builder image

The RHEL repo block clearly documents that RHEL repos are only used for packages not available from UBI and omits EUS variants to “match ubi” (latest), which fits the PR’s goal to prefer UBI. These entries retain the expected RHSM TLS fields and now set varsFromImage to the same ubi9/ubi@sha256:bbac… digest as the builder image in container_build_args.conf, so the comment about matching BUILDER_IMAGE is accurate.

This looks consistent with the new UBI‑first strategy and should play nicely with Conforma’s known‑repos policy.

@fontivan fontivan force-pushed the sskeard/cnf-20367-cnf-18836-images-overhaul-fix branch from ed9d05f to b5268e0 on November 18, 2025 15:57
@openshift-ci-robot
Collaborator

openshift-ci-robot commented Nov 18, 2025

@fontivan: This pull request references CNF-20367 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

  • Mixing rhel-els and ubi causes significant conforma issues
  • Instead, use ubi for everything and add the rhel repos where required to resolve the necessary packages
  • Prefer ubi repos over rhel repos by default
  • Update renovate configuration to also allow parsing docker images in rpms.in.yaml files

Assisted-by: Cursor/claude-4.5-sonnet
AI-attribution: AIA,Primarily human-created,Human-initiated,Reviewed,Cursor/claude-4.5-sonnet,v1.0
For more information on AI attribution statements, see: https://aiattribution.github.io/

Summary by CodeRabbit

  • Chores
  • Switched build images to UBI-based images and aligned runtime image references for consistent builds.
  • Migrated package repository entries to UBI equivalents and standardized repository verification fields.
  • Removed archived/deprecated package entries.
  • Added Renovate pattern to include RPM manifest files for automated upkeep.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.konflux/container_build_args.conf (1)

14-14: Update RUNTIME_IMAGE to the latest UBI9 minimal digest.

The digest specified at line 14 is outdated. The Red Hat registry currently serves sha256:2fe691b4392baf6c000ee7621f9f2c4d220186e53e3eb97dbcfed6aeddcf73d5 for ubi9/ubi-minimal:latest, but the code uses sha256:61d5ad475048c2e655cd46d0a55dfeaec182cc3faa6348cb85989a7c9e196483. Update to the current digest to ensure security patches and updates are included.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed9d05f and b5268e0.

📒 Files selected for processing (5)
  • .konflux/Dockerfile (1 hunks)
  • .konflux/container_build_args.conf (1 hunks)
  • .konflux/lock-build/rpms.in.yaml (4 hunks)
  • .konflux/lock-runtime/rpms.lock.yaml (0 hunks)
  • renovate.json (1 hunks)
💤 Files with no reviewable changes (1)
  • .konflux/lock-runtime/rpms.lock.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • renovate.json
  • .konflux/Dockerfile
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Red Hat Konflux / recert-4-21-on-pull-request
  • GitHub Check: build
🔇 Additional comments (2)
.konflux/lock-build/rpms.in.yaml (1)

99-160: RHEL fallback repository configuration looks correct.

The RHEL repositories intentionally lack priority fields, which ensures they serve as fallback sources after the UBI repos (which have priority: 1). This aligns with the PR objective to prefer UBI repositories by default. The addition of SSL client authentication and updated varsFromImage references to the UBI builder image are appropriate.

.konflux/container_build_args.conf (1)

8-8: Verify this digest against the current Red Hat registry.

The base image is maintained by Red Hat and updated regularly. Red Hat releases new images when critical CVEs are patched. Use skopeo inspect docker://registry.access.redhat.com/ubi9/ubi:latest or check the Red Hat Ecosystem Catalog directly to confirm the digest matches the current patched version. If this digest is older than the latest available, pull and test the current image.
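The consistency the bot asks the author to confirm in this round and the previous one (BUILDER_IMAGE pinned by digest in container_build_args.conf, the same digest in every varsFromImage of rpms.in.yaml, UBI repos at priority: 1 with the RHEL repos left to fall back) can be checked mechanically. The script below is an added example, not code from this PR or the recert project; it assumes container_build_args.conf is a KEY=VALUE file and that each rpms.in.yaml repo entry carries repoid:, varsFromImage: and an optional priority:, and it runs on constructed sample files with placeholder digests.

```python
"""Audit that Konflux image pins and rpms.in.yaml repo entries agree.
Added example, not code from the PR or the recert project. Assumes that
container_build_args.conf is KEY=VALUE lines and each rpms.in.yaml repo entry
has repoid:, varsFromImage: and optional priority: (dnf default 99, lower wins)."""
import re

UBI_DIGEST = "sha256:" + "a1" * 32  # constructed placeholder, not a real digest
# Constructed sample inputs, shaped like the files the PR touches.
BUILD_ARGS = f"""\
BUILDER_IMAGE=registry.access.redhat.com/ubi9/ubi@{UBI_DIGEST}
RUNTIME_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal@sha256:{'b2' * 32}
"""
RPMS_IN = f"""\
contentOrigin:
  repos:
    - repoid: ubi-9-for-$basearch-baseos-rpms
      priority: 1
      varsFromImage: registry.access.redhat.com/ubi9/ubi@{UBI_DIGEST}
    - repoid: ubi-9-for-$basearch-appstream-rpms
      varsFromImage: registry.access.redhat.com/ubi9/ubi@{UBI_DIGEST}
    - repoid: rhel-9-for-$basearch-baseos-rpms
      varsFromImage: registry.access.redhat.com/ubi9/ubi@{UBI_DIGEST}
    - repoid: rhel-9-for-$basearch-appstream-rpms
      varsFromImage: registry.access.redhat.com/ubi9/ubi:latest
"""
PINNED = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")  # digest-pinned reference
YAML_KV = re.compile(r"^\s*(-\s+)?([A-Za-z_]+):\s*(.*?)\s*$")  # no PyYAML needed

def parse_build_args(text):
    """KEY=VALUE lines -> dict; blank lines and '#' comments are skipped."""
    pairs = (ln.split("=", 1) for ln in map(str.strip, text.splitlines())
             if ln and not ln.startswith("#") and "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_repos(text):
    """A '- ' item opens a new repo entry; the indented keys after it fill it."""
    repos = []
    for m in filter(None, map(YAML_KV.match, text.splitlines())):
        dash, key, value = m.groups()
        if dash:
            repos.append({})
        if repos:
            repos[-1][key] = value
    return repos

def audit(build_args_text, rpms_in_text):
    """Return findings as strings; an empty list means the files agree."""
    findings, args = [], parse_build_args(build_args_text)
    for key in ("BUILDER_IMAGE", "RUNTIME_IMAGE"):
        if key in args and not PINNED.match(args[key]):
            findings.append(f"{key} is not pinned by digest: {args[key]}")
    builder, ubi, rhel = args.get("BUILDER_IMAGE"), [], []
    for repo in parse_repos(rpms_in_text):
        rid, img = repo.get("repoid", "?"), repo.get("varsFromImage", "")
        if not PINNED.match(img):
            findings.append(f"{rid}: varsFromImage is not digest-pinned: {img}")
        elif builder and img != builder:
            findings.append(f"{rid}: varsFromImage differs from BUILDER_IMAGE")
        prio = int(repo.get("priority", 99))  # 99 is dnf's default when unset
        (ubi if rid.startswith("ubi-") else rhel).append(prio)
        if rid.startswith("ubi-") and prio != 1:
            findings.append(f"{rid}: UBI repo should carry priority: 1, has {prio}")
    if ubi and rhel and min(rhel) <= max(ubi):
        findings.append("RHEL repos do not rank strictly behind every UBI repo")
    return findings
```

On the sample, `audit(BUILD_ARGS, RPMS_IN)` reports the UBI AppStream repo missing priority: 1, the RHEL AppStream entry using a mutable :latest tag, and the resulting loss of UBI-first ordering; pointing it at the real files is a one-line change to read them from disk.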

@fontivan fontivan force-pushed the sskeard/cnf-20367-cnf-18836-images-overhaul-fix branch from b5268e0 to 67df24a on November 18, 2025 16:08
@openshift-ci-robot
Collaborator

openshift-ci-robot commented Nov 18, 2025

@fontivan: This pull request references CNF-20367 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

  • Mixing rhel-els and ubi causes significant conforma issues
  • Instead, use ubi for everything and add the rhel repos where required to resolve the necessary packages
  • Prefer ubi repos over rhel repos by default
  • Update renovate configuration to also allow parsing docker images in rpms.in.yaml files

Assisted-by: Cursor/claude-4.5-sonnet
AI-attribution: AIA,Primarily human-created,Human-initiated,Reviewed,Cursor/claude-4.5-sonnet,v1.0
For more information on AI attribution statements, see: https://aiattribution.github.io/

Summary by CodeRabbit

  • Chores
  • Switched build-stage images to UBI-based images while keeping the runtime image unchanged.
  • Migrated package repository definitions to UBI equivalents and standardized verification/metadata fields and priorities.
  • Removed archived/deprecated package entries from locked runtime packages.
  • Added automation pattern to include RPM manifest files for dependency upkeep.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
.konflux/lock-build/rpms.in.yaml (2)

21-21: ✅ Comment corrections verified.

The comments correctly reference BUILDER_IMAGE (not RUNTIME_IMAGE), maintaining consistency with the actual varsFromImage values pointing to the builder digest. This aligns with the UBI-based builder stage in .konflux/Dockerfile.

Also applies to: 36-36, 51-51, 66-66, 81-81, 96-96, 119-119, 140-140, 161-161


50-50: ✅ Priority field consistency verified.

The ubi-9-for-$basearch-baseos-rpms repository now includes priority: 1, ensuring consistent package resolution behavior across all UBI repositories.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b5268e0 and 67df24a.

📒 Files selected for processing (5)
  • .konflux/Dockerfile (1 hunks)
  • .konflux/container_build_args.conf (1 hunks)
  • .konflux/lock-build/rpms.in.yaml (4 hunks)
  • .konflux/lock-runtime/rpms.lock.yaml (0 hunks)
  • renovate.json (1 hunks)
💤 Files with no reviewable changes (1)
  • .konflux/lock-runtime/rpms.lock.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • renovate.json
  • .konflux/container_build_args.conf
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Red Hat Konflux / recert-4-21-on-pull-request
  • GitHub Check: build
🔇 Additional comments (1)
.konflux/Dockerfile (1)

2-2: LGTM! Builder image migrated to UBI.

The update from rhel9-6-els to ubi9/ubi:latest aligns with the PR's objectives and is consistent with the UBI-based repository configuration in .konflux/lock-build/rpms.in.yaml.

- Mixing rhel-els and ubi causes significant conforma issues
- Instead, use ubi for everything and add the rhel repos where required to resolve the necessary packages
- Prefer ubi repos over rhel repos by default
- Update renovate configuration to also allow parsing docker images in rpms.in.yaml files

Assisted-by: Cursor/claude-4.5-sonnet
AI-attribution: AIA,Primarily human-created,Human-initiated,Reviewed,Cursor/claude-4.5-sonnet,v1.0
For more information on AI attribution statements, see: https://aiattribution.github.io/
@fontivan fontivan force-pushed the sskeard/cnf-20367-cnf-18836-images-overhaul-fix branch from 67df24a to 4817cae on November 18, 2025 16:15
@fontivan
Member Author

/cc @rauhersu @omertuc @mresvanis

@openshift-ci

openshift-ci bot commented Nov 18, 2025

@fontivan: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/e2e-aws-ovn-single-node-recert-serial (commit 4817cae, required): /test e2e-aws-ovn-single-node-recert-serial
  • ci/prow/e2e-aws-ovn-single-node-recert-parallel (commit 4817cae, required): /test e2e-aws-ovn-single-node-recert-parallel

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@rauhersu
Collaborator

/lgtm
/approve

@openshift-ci

openshift-ci bot commented Nov 19, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fontivan, rauhersu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fontivan fontivan merged commit ad91dd9 into rh-ecosystem-edge:main Nov 19, 2025
14 of 17 checks passed