MG-230: Migrate to UBI10 base images for RHCOS10/RHEL10 compatibility

[KeenonLee]

Summary
Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to
registry.redhat.io UBI10 for native RHCOS10 compatibility.

Prerequisite

PR1 (rhcos10-ubi9-compat-test) should pass CI on RHCOS10 nodes before merging this.

[openshift-ci-robot]

@KeenonLee: This pull request references MG-230 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary
Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to
registry.redhat.io UBI10 for native RHCOS10 compatibility.

Prerequisite

PR1 (rhcos10-ubi9-compat-test) should pass CI on RHCOS10 nodes before merging this.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Four Dockerfiles are being updated to use UBI10-based container images instead of UBI9. Dockerfile.openshift also switches the builder stage base image to UBI10 go-toolset and explicitly sets USER 0 during the build phase. All other build logic and runtime configuration remain unchanged.

Changes

Cohort / File(s)	Summary
OpenShift Builder and Runtime Update Dockerfile.openshift	Builder stage switches to registry.redhat.io/ubi10/go-toolset:10.1 with explicit USER 0 setting; final runtime stage switches to registry.redhat.io/ubi10-minimal:10.1. Build and artifact copy steps remain functionally equivalent.
Registry and Build Runtime Updates boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry, build/Dockerfile, build/Dockerfile.olm-registry	Runtime base images updated from registry.access.redhat.com/ubi9/ubi-minimal to registry.redhat.io/ubi10-minimal:10.1. All subsequent steps, commands, and configurations remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: KeenonLee
Once this PR has been reviewed and has the lgtm label, please assign bng0y for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[KeenonLee]

/test operator-e2e-azure-rhcos10-fips operator-e2e-azure-rhcos10

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry`:
- Line 7: The Dockerfile uses an unpinned base image in the FROM instruction
("FROM registry.redhat.io/ubi10/ubi-minimal:latest"); change that to the
specific pinned tag used elsewhere in the PR (e.g., replace :latest with :10.1)
so the runtime base image is deterministic and aligned with other Dockerfiles.

In `@Dockerfile.openshift`:
- Line 11: Update the FROM instruction so it uses the correct UBI10 image path:
replace the invalid registry reference `registry.redhat.io/ubi10-minimal:10.1`
with the canonical `registry.redhat.io/ubi10/ubi-minimal:10.1` (i.e., update the
FROM line in Dockerfile.openshift to use
`registry.redhat.io/ubi10/ubi-minimal:10.1`).
- Line 1: The builder base image in the Dockerfile (the FROM line:
"registry.redhat.io/ubi10/go-toolset:10.1 AS builder") supplies Go 1.20 which
mismatches go.mod's required Go 1.25.7; update that FROM line to a toolset that
provides Go 1.25+ (for example change the image tag to
"registry.redhat.io/ubi10/go-toolset:10.15" or use the CI-aligned reference
"rhel-9-release-golang-1.25-openshift-4.22") so the builder uses the correct Go
version and rebuilds will pass.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1f8eaaed-0fb7-41b7-8f9a-57d9f97371fd

📥 Commits

Reviewing files that changed from the base of the PR and between 2f40259 and c5441f6.

📒 Files selected for processing (4)

• Dockerfile.openshift
• boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry
• build/Dockerfile
• build/Dockerfile.olm-registry

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify mutable base tags still present in Dockerfiles.
rg -nP '^FROM\s+\S+:latest\b' --iglob '*Dockerfile*'

Repository: openshift/must-gather-operator

Length of output: 190

---

🏁 Script executed:

# Find all Dockerfiles in the boilerplate/openshift/golang-osd-operator directory
find boilerplate/openshift/golang-osd-operator -type f -name 'Dockerfile*' -exec cat -n {} +

Repository: openshift/must-gather-operator

Length of output: 1083

---

🏁 Script executed:

# Also check if there are any other Dockerfiles in the boilerplate directory using ubi-minimal images
rg 'FROM.*ubi.*minimal' --iglob '*Dockerfile*' -A 0 -B 0

Repository: openshift/must-gather-operator

Length of output: 393

---

Pin the runtime base image instead of latest.

Using :latest makes rebuilds non-deterministic and can introduce unreviewed base-image changes. Other Dockerfiles in this PR pin to 10.1; align this one accordingly.

Suggested change

-FROM registry.redhat.io/ubi10/ubi-minimal:latest
+FROM registry.redhat.io/ubi10/ubi-minimal:10.1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	FROM registry.redhat.io/ubi10/ubi-minimal:latest
	FROM registry.redhat.io/ubi10/ubi-minimal:10.1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry` at line 7,
The Dockerfile uses an unpinned base image in the FROM instruction ("FROM
registry.redhat.io/ubi10/ubi-minimal:latest"); change that to the specific
pinned tag used elsewhere in the PR (e.g., replace :latest with :10.1) so the
runtime base image is deterministic and aligned with other Dockerfiles.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Go requirement from go.mod:"
rg -n '^go\s+' go.mod

echo
echo "Builder image selected in Dockerfile.openshift:"
rg -n '^FROM\s+.*go-toolset' Dockerfile.openshift

echo
echo "Current CI build-root Go reference:"
rg -n 'release-golang' .ci-operator.yaml

Repository: openshift/must-gather-operator

Length of output: 309

---

🌐 Web query:

ubi10/go-toolset:10.1 Go version

💡 Result:

The ubi10/go-toolset:10.1 container image provides the Go Toolset for Red Hat Universal Base Image 10 (UBI 10), which is based on Red Hat Enterprise Linux 10. While specific documentation for the exact Go version in ubi10/go-toolset:10.1 is not explicitly stated in the searched sources, analogous Red Hat documentation for RHEL 8 and RHEL 9 Go Toolset container images confirms Go 1.20 (specifically go-toolset-1.20.10). Given the pattern in Red Hat's toolset naming and updates (e.g., go-toolset-1.20.10 for prior RHEL versions), it is reasonable to infer that ubi10/go-toolset:10.1 includes Go 1.20 or a minor update thereof. The image is available at registry.access.redhat.com/ubi10/go-toolset or registry.redhat.io/ubi10/go-toolset, as listed in the Red Hat Ecosystem Catalog and errata like RHBA-2026:0157 and RHBA-2026:3949. To confirm the exact version, run podman pull registry.access.redhat.com/ubi10/go-toolset:10.1 && podman run --rm ubi10/go-toolset:10.1 go version.

Citations:

• 1: https://catalog.redhat.com/en/software/containers/ubi10/go-toolset/677d3db01d4db033edfda594
• 2: https://catalog.redhat.com/en/software/containers/rhel10/go-toolset/6707d40f27f63a06f78743c4
• 3: https://docs.redhat.com/en/documentation/red_hat_developer_tools/1/html/using_go_1.20.10_toolset/assembly_changes-in-go-toolset_using-go-toolset
• 4: https://docs.redhat.com/en/documentation/red_hat_developer_tools/1/html/using_go_1.20.10_toolset/assembly_container-images-with-go-toolset_using-go-toolset
• 5: https://developers.redhat.com/articles/2022/07/21/how-use-go-toolset-container-images
• 6: https://docs.redhat.com/ja/documentation/red_hat_developer_tools/1/html/using_go_1.22_toolset/proc_accessing-the-ubi-go-toolset-container-image_assembly_container-images-with-go-toolset
• 7: https://access.redhat.com/errata/RHBA-2026:0157
• 8: https://access.redhat.com/errata/RHBA-2026:3949

---

🏁 Script executed:

# Check if there are any build issues or error logs related to Go version in the repo
rg -i 'go.*version|toolset|builder' Dockerfile.openshift -A 3 -B 3

# Check for any related issues or comments about Go compatibility
rg -i 'go 1\.25|go toolset|builder.*image' --type md --type txt

Repository: openshift/must-gather-operator

Length of output: 637

---

Builder base image does not satisfy the required Go version and will cause build failures.

go.mod requires Go 1.25.7, but ubi10/go-toolset:10.1 provides Go 1.20. The Dockerfile builder will fail the Go version check or produce binaries incompatible with the required minimum version.

Update the builder image to use ubi10/go-toolset:10.15 or later (which provides Go 1.25+), or align with the CI toolset reference rhel-9-release-golang-1.25-openshift-4.22.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.openshift` at line 1, The builder base image in the Dockerfile
(the FROM line: "registry.redhat.io/ubi10/go-toolset:10.1 AS builder") supplies
Go 1.20 which mismatches go.mod's required Go 1.25.7; update that FROM line to a
toolset that provides Go 1.25+ (for example change the image tag to
"registry.redhat.io/ubi10/go-toolset:10.15" or use the CI-aligned reference
"rhel-9-release-golang-1.25-openshift-4.22") so the builder uses the correct Go
version and rebuilds will pass.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "UBI10 image references used across Dockerfiles:"
rg -n 'registry\.redhat\.io/ubi10(-minimal|/ubi-minimal):' --iglob '*Dockerfile*'

echo
echo "Package manager commands in Dockerfiles:"
rg -n '^RUN\s+(dnf|microdnf)\s+install' --iglob '*Dockerfile*'

Repository: openshift/must-gather-operator

Length of output: 712

---

Fix incorrect UBI10 image reference format.

The image path registry.redhat.io/ubi10-minimal:10.1 is incorrect and inconsistent with other Dockerfiles in this repository, which use registry.redhat.io/ubi10/ubi-minimal:10.1. The current reference is not a valid registry path and will fail to pull.

Suggested fix

-FROM registry.redhat.io/ubi10-minimal:10.1
+FROM registry.redhat.io/ubi10/ubi-minimal:10.1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	FROM registry.redhat.io/ubi10-minimal:10.1
	FROM registry.redhat.io/ubi10/ubi-minimal:10.1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.openshift` at line 11, Update the FROM instruction so it uses the
correct UBI10 image path: replace the invalid registry reference
`registry.redhat.io/ubi10-minimal:10.1` with the canonical
`registry.redhat.io/ubi10/ubi-minimal:10.1` (i.e., update the FROM line in
Dockerfile.openshift to use `registry.redhat.io/ubi10/ubi-minimal:10.1`).

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.07%. Comparing base (2f40259) to head (c5441f6).
⚠️ Report is 8 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #338      +/-   ##
==========================================
+ Coverage   63.08%   64.07%   +0.98%     
==========================================
  Files           8        8              
  Lines         848      991     +143     
==========================================
+ Hits          535      635     +100     
- Misses        306      348      +42     
- Partials        7        8       +1     

see 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[swghosh]

/test e2e-gcp-operator-rhcos10-fips

[PillaiManish]

The fips-check-or-die needs to be removed for the job to pass as of now.

[neha037]

/retest

[neha037]

/retest-required

[neha037]

/test all

[neha037]

/test all

[neha037]

/test all

[neha037]

/test all

[neha037]

/test all

[openshift-ci]

@KeenonLee: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-rhcos10-fips	c5441f6	link	false	/test e2e-gcp-operator-rhcos10-fips
ci/prow/validate-boilerplate	c5441f6	link	false	/test validate-boilerplate

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.