OCPBUGS-87480: Updating ose-cluster-authentication-operator-container image to be consistent with ART for 5.0 #934

Open
liouk wants to merge 1 commit into openshift:master from liouk:art-consistency-openshift-5.0-ose-cluster-authentication-operator
@liouk

@liouk liouk commented Jun 26, 2026

Member

Replaces #910

Summary by CodeRabbit

  • Chores
    • Updated build and CI configurations to use newer OpenShift/RHEL 9 release images.
    • Upgraded the Go toolchain version to 1.26.
    • Refreshed the container runtime base image to match the newer platform release.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 26, 2026
@openshift-ci-robot

Contributor

@liouk: This pull request references Jira Issue OCPBUGS-87480, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Replaces #910

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Walkthrough

The Go toolchain directive, CI build root image tag, and Dockerfile base images were updated from Go 1.25 / OpenShift 4.22 to Go 1.26 / OpenShift 5.0.

Changes

Go 1.26 build and image updates

| Layer / File(s) | Summary |
|---|---|
| Toolchain and CI root image (go.mod, .ci-operator.yaml) | go is updated to 1.26.0, and the CI build root tag is switched to the matching Go 1.26 / OpenShift 5.0 release image. |
| Container base images (Dockerfile.rhel7) | The builder stage and runtime stage base images are switched to the newer OpenShift 5.0 / Go 1.26 images. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Test Structure And Quality | ⚠️ Warning | The new Ginkgo e2e tests in test/e2e/network_policy*.go use many bare Expect(err).NotTo(HaveOccurred()) assertions with no diagnostic context. | Add descriptive failure messages to those Expect calls (and similar bare assertions) in the network policy e2e tests; cleanup and timeouts already look fine. |
| Ipv6 And Disconnected Network Test Compatibility | ⚠️ Warning | New e2e tests deploy public images from docker.io, quay.io, and registry.k8s.io, so they need external registry access. | Use mirrored/internal images or mark disconnected tests [Skipped:Disconnected]; rerun in IPv6 disconnected CI if applicable. |

✅ Passed checks (13 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly reflects the main change: updating the container image to match ART requirements for OpenShift 5.0. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR only changes build config and Go toolchain files; no Ginkgo test titles were added or modified in the touched files. |
| Microshift Test Compatibility | ✅ Passed | No new/modified Ginkgo e2e tests were added; the PR only changes CI, Dockerfile, and go.mod, so MicroShift test compatibility is not implicated. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No Ginkgo e2e tests were added or modified in this PR; only image, Go toolchain, and dependency updates changed. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Only image/toolchain version bumps in .ci-operator.yaml, Dockerfile.rhel7, and go.mod; no scheduling, affinity, nodeSelector, or replica logic changed. |
| Ote Binary Stdout Contract | ✅ Passed | PR only changes CI/Docker/toolchain files; the main entrypoint uses klog.LogToStderr(true) and no process-level stdout writes were added. |
| No-Weak-Crypto | ✅ Passed | PR only bumps release/base image tags and the Go toolchain; the modified files contain no weak crypto or secret-comparison code. |
| Container-Privileges | ✅ Passed | PASS: The PR only bumps image/toolchain versions; the touched files add no privileged/host* settings, allowPrivilegeEscalation, SYS_ADMIN, or new root/runAsUser changes. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No logging statements or sensitive fields were added; the patch only updates build images and the Go toolchain. |

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from atiratree and gangwgr June 26, 2026 08:32
@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tjungblu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot

Contributor

@liouk: This pull request references Jira Issue OCPBUGS-87480, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Replaces #910

Summary by CodeRabbit

  • Chores
  • Updated build and CI configurations to use newer OpenShift/RHEL 9 release images.
  • Upgraded the Go toolchain version to 1.26.
  • Refreshed the container runtime base image to match the newer platform release.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile.rhel7 (1)

11-16: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set an explicit non-root USER in the final stage.

The runtime image still defaults to root, which keeps the operator unnecessarily privileged. Add a non-root user before ENTRYPOINT and make sure the copied files remain readable.

As per path instructions, "USER non-root; never run as root".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.rhel7` around lines 11 - 16, The final stage in Dockerfile.rhel7
still runs as root, so add an explicit non-root USER before ENTRYPOINT and keep
the copied binaries and manifests readable/executable for that user. Update the
final runtime stage that starts from the base image to switch away from root
using a standard non-root account, and verify the COPY targets used by
authentication-operator and cluster-authentication-operator-tests-ext.gz remain
accessible after the change.

Sources: Path instructions, Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@Dockerfile.rhel7`:
- Around line 11-16: The final stage in Dockerfile.rhel7 still runs as root, so
add an explicit non-root USER before ENTRYPOINT and keep the copied binaries and
manifests readable/executable for that user. Update the final runtime stage that
starts from the base image to switch away from root using a standard non-root
account, and verify the COPY targets used by authentication-operator and
cluster-authentication-operator-tests-ext.gz remain accessible after the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e514e0be-2a7f-4347-b447-fdb041a017b3

📥 Commits

Reviewing files that changed from the base of the PR and between 682de83 and 7be6318.

📒 Files selected for processing (3)
  • .ci-operator.yaml
  • Dockerfile.rhel7
  • go.mod
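
The finding above is about which user the final image stage ends up with. As an added example (not CodeRabbit's or the repository's code), this small parser reports the effective `USER` of the last stage of a multi-stage Dockerfile; the sample Dockerfile, its image names and paths are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample, not the repository's Dockerfile.rhel7; images and paths are placeholders.
SAMPLE = """\
FROM example.invalid/builder:placeholder AS builder
USER 1001
RUN make build
FROM example.invalid/runtime:placeholder
COPY --from=builder /out/operator /opt/app/operator
ENTRYPOINT ["/opt/app/operator"]
"""

def instructions(text):
    """Yield (KEYWORD, args) per instruction, joining backslash line continuations."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def final_stage_user(text):
    """Return the last USER value set in the final stage, or None if that stage sets none."""
    user = None
    for keyword, args in instructions(text):
        if keyword == "FROM":
            user = None          # a USER set in an earlier stage does not carry over
        elif keyword == "USER":
            user = args          # the last USER in a stage is the runtime default
    return user

def classify(text):
    """Classify the final stage as 'missing', 'root', 'unresolved' or 'ok'."""
    user = final_stage_user(text)
    if user is None:
        return "missing"         # inherits whatever the base image sets, often root
    name = user.split(":", 1)[0].strip()
    if "$" in name:
        return "unresolved"      # build-arg or env expansion; value not known statically
    if name in ("root", "0"):
        return "root"
    return "ok"

if __name__ == "__main__":
    fixed = SAMPLE.replace("ENTRYPOINT", "USER 65532:65532\nENTRYPOINT")
    for label, text in [("as written", SAMPLE), ("with USER 65532", fixed),
                        ("with USER 0", SAMPLE + "USER 0:0\n")]:
        print(f"{label}: {classify(text)}")
```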

@liouk

liouk commented Jun 29, 2026

Member Author

/retest-required

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Contributor

@liouk: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-agnostic | 7be6318 | link | true | /test e2e-agnostic |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Comment thread .ci-operator.yaml
name: release
namespace: openshift
tag: rhel-9-release-golang-1.25-openshift-4.22
tag: rhel-9-release-golang-1.26-openshift-5.0
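
Review bot: the replaced `tag:` line moves the CI build root to Go 1.26 and OpenShift 5.0 in one step, so it is only correct if go.mod and the builder stage in Dockerfile.rhel7 land on the same Go 1.26 / OpenShift 5.0 pair in this commit; please confirm all three agree. The tag name also still carries `rhel-9`, so consider stating in the commit message that the value was copied unchanged from the ART-generated PR, so a later reader knows where the string comes from.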

I might be wrong, but does OpenShift 5.0 run with RHEL 10?

Member Author

AFAIU, this refers to the CI environment that will build the operator -- I don't see why RHEL 10 wouldn't work but I'm guessing that the ART haven't transitioned fully to 10.

This was taken as-is from the automated ART PR: https://github.com/openshift/cluster-authentication-operator/pull/910/changes

@ehearne-redhat

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 29, 2026
Labels

jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

3 participants