Migrate Konflux images and RPM lockfile to UBI 10

[adchauha]

Updates ubi.repo, rpms.lock.yaml, and Konflux Dockerfiles from UBI 9 to UBI 10.

Summary by CodeRabbit

• Chores
  • Updated base container images to UBI10 variants for both build and runtime stages.
  • Refreshed package lock entries across all architectures to match UBI10 package metadata.
  • Updated repository configuration to point to UBI10 repositories (BaseOS, AppStream, CodeReady Builder).

[coderabbitai]

Walkthrough

This PR upgrades the infrastructure from Red Hat UBI 9 to UBI 10 across container build artifacts, package repositories, and dependency locks. Two Dockerfiles update builder and runtime base images with refreshed digest pins, the yum repository configuration is updated with new repository identifiers and baseurl paths, and the RPM lockfile is refreshed with updated package metadata for all architectures.

Changes

UBI 9 to UBI 10 Upgrade

Layer / File(s)	Summary
Dockerfile base image updates .konflux/shared-resource-webhook/Dockerfile, .konflux/shared-resource/Dockerfile	Builder stages move from registry.redhat.io/ubi9/go-toolset to registry.redhat.io/ubi10/go-toolset, and runtime stages move from registry.redhat.io/ubi9-minimal to registry.redhat.io/ubi10-minimal, with pinned digests updated in both webhooks and shared-resource Dockerfiles.
Yum repository configuration ubi.repo	All repository section identifiers change from ubi-9-* to ubi-10-*, and all baseurl paths update from .../ubi9/9/... to .../ubi10/10/... for BaseOS, AppStream, and CodeReady Builder (OS, debug, and source variants); enablement and GPG settings remain unchanged.
RPM lockfile updates rpms.lock.yaml	Package entries for all architectures (aarch64, ppc64le, s390x, x86_64) are refreshed with UBI10 repository references, updated package checksums, sizes, and source RPM metadata, while preserving the per-arch YAML structure.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly and clearly describes the main change: migration of Konflux images and RPM lockfile from UBI 9 to UBI 10, which is the primary focus of all file modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies build config files, not test files. Repository uses standard Go testing, not Ginkgo. Check not applicable.
Test Structure And Quality	✅ Passed	Repository uses Go testing package, not Ginkgo. PR involves infrastructure migration only, no test code changes. Check not applicable.
Microshift Test Compatibility	✅ Passed	PR contains no new Ginkgo e2e tests—only Dockerfile, lock file, and repo config updates for UBI9→UBI10 migration. Check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It only updates Dockerfiles and package configuration files (UBI 9→10 migration), so SNO Test Compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates build infrastructure (Dockerfiles, RPM lock, repos) from UBI9 to UBI10; no deployment manifests or scheduling constraints are added/modified.
Ote Binary Stdout Contract	✅ Passed	This is not an OTE test binary. The repository is the openshift/csi-driver-shared-resource CSI driver plugin, not an OpenShift Tests Extension binary.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains no new Ginkgo e2e test files; it only updates build configuration files (Dockerfiles, RPM lockfile, yum repo config). The custom check applies only to new tests and is not applicable here.
No-Weak-Crypto	✅ Passed	PR updates UBI base images/packages using strong SHA256 hashes; no weak crypto, custom implementations, or insecure comparisons introduced.
Container-Privileges	✅ Passed	PR updates Dockerfiles to UBI 10 without introducing privileged settings, hostPID/Network/IPC, SYS_ADMIN caps, or allowPrivilegeEscalation in container definitions.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data in logging found. All modified files contain only public URLs, standard package metadata, and configuration updates from UBI9 to UBI10.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @adchauha. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: adchauha
Once this PR has been reviewed and has the lgtm label, please assign gabemontero for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.konflux/shared-resource/Dockerfile (1)

1-40: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Specify a non-root USER for the runtime container.

The Dockerfile runs the final container as root without justification. While the microdnf install at lines 13-16 requires root privileges, the runtime container should drop to a non-root user after package installation completes.

🔒 Proposed fix to add non-root user

Add a USER directive before the ENTRYPOINT:

 COPY --from=builder /tmp/openshift-builds-shared-resource .
 COPY LICENSE /licenses/
 
+USER 65532:65532
+
 ENTRYPOINT ["./openshift-builds-shared-resource"]

Note: UID 65532 is a common non-root user ID. Adjust based on your security requirements or use a named user if the base image provides one.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/shared-resource/Dockerfile around lines 1 - 40, The final image
runs as root; after the RUN microdnf... step you must create or switch to a
non-root user and ensure the runtime files are owned appropriately before
ENTRYPOINT: create a non-root user/group (or use UID 65532), chown the binary
copied from the builder (the file placed by COPY --from=builder
/tmp/openshift-builds-shared-resource .) and the /licenses directory, then add a
USER directive before ENTRYPOINT ["./openshift-builds-shared-resource"] so the
container runs unprivileged.

Sources: Coding guidelines, Linters/SAST tools

.konflux/shared-resource-webhook/Dockerfile (1)

1-34: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Specify a non-root USER for the runtime container.

The Dockerfile runs the final container as root without justification. According to security best practices and coding guidelines, containers should run as a non-root user unless there's a specific operational requirement.

🔒 Proposed fix to add non-root user

Add a USER directive before the ENTRYPOINT:

 COPY --from=builder /tmp/openshift-builds-shared-resource-webhook .
 COPY LICENSE /licenses/
 
+USER 65532:65532
+
 ENTRYPOINT ["./openshift-builds-shared-resource-webhook"]

Note: UID 65532 is a common non-root user ID. Adjust based on your security requirements or use a named user if the base image provides one.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/shared-resource-webhook/Dockerfile around lines 1 - 34, The image
runs the final stage as root (ENTRYPOINT
"./openshift-builds-shared-resource-webhook"); fix by adding a non-root user and
switching to it in the runtime stage: create or pick an unprivileged UID/GID
(e.g. 65532), ensure ownership of the binary (COPY --from=builder ...) and any
runtime paths (WORKDIR /, /licenses) are chowned to that UID/GID, then add a
USER directive before ENTRYPOINT so the container runs as that non-root user;
update the builder/runtime COPY ownership handling to avoid permission issues
with the binary and LICENSE files.

Sources: Coding guidelines, Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.konflux/shared-resource-webhook/Dockerfile:
- Around line 1-34: The image runs the final stage as root (ENTRYPOINT
"./openshift-builds-shared-resource-webhook"); fix by adding a non-root user and
switching to it in the runtime stage: create or pick an unprivileged UID/GID
(e.g. 65532), ensure ownership of the binary (COPY --from=builder ...) and any
runtime paths (WORKDIR /, /licenses) are chowned to that UID/GID, then add a
USER directive before ENTRYPOINT so the container runs as that non-root user;
update the builder/runtime COPY ownership handling to avoid permission issues
with the binary and LICENSE files.

In @.konflux/shared-resource/Dockerfile:
- Around line 1-40: The final image runs as root; after the RUN microdnf... step
you must create or switch to a non-root user and ensure the runtime files are
owned appropriately before ENTRYPOINT: create a non-root user/group (or use UID
65532), chown the binary copied from the builder (the file placed by COPY
--from=builder /tmp/openshift-builds-shared-resource .) and the /licenses
directory, then add a USER directive before ENTRYPOINT
["./openshift-builds-shared-resource"] so the container runs unprivileged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5299badc-c941-4dc4-a490-76e076bb85e5

📥 Commits

Reviewing files that changed from the base of the PR and between 60b1e29 and 0b96896.

📒 Files selected for processing (4)

• .konflux/shared-resource-webhook/Dockerfile
• .konflux/shared-resource/Dockerfile
• rpms.lock.yaml
• ubi.repo

[psrvere]

Image SHAs verified — both Dockerfiles use the latest ubi10/go-toolset (d5d48915..., Go 1.26.3) and ubi10-minimal (2c20ac20..., UBI 10.2). ubi.repo and rpms.lock.yaml look good.

A few items to address:

1. cpe labels still reference el9 — both Dockerfiles have cpe="cpe:/a:redhat:openshift_builds:1.8::el9", should be updated to el10
2. Add Jira issue number in PR title — [BUILD-2063] Migrate Konflux images and RPM lockfile to UBI 10
3. Sign the commit with -s -S flags

Co-Authored-By: Claude Code

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.konflux/shared-resource-webhook/Dockerfile (1)

11-18: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set an explicit non-root runtime user in the final stage.

The final image has no USER instruction, so it defaults to root. Since this Dockerfile is directly used by the PR build pipeline, the published webhook image inherits that posture.

Suggested hardening patch

 FROM registry.redhat.io/ubi10-minimal@sha256:2c20ac20ca1ecbbbd583603feabd9cc51e7e8ea5a82e5088e20a9494794b2574

 WORKDIR /

 COPY --from=builder /tmp/openshift-builds-shared-resource-webhook .
 COPY LICENSE /licenses/

+RUN chown -R 1001:0 /openshift-builds-shared-resource-webhook /licenses && \
+    chmod -R g=u /openshift-builds-shared-resource-webhook /licenses
+USER 1001
+
 ENTRYPOINT ["./openshift-builds-shared-resource-webhook"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/shared-resource-webhook/Dockerfile around lines 11 - 18, The final
image runs as root because there is no USER set; create a non-root runtime user
and make that the container user: in the final stage (where WORKDIR, COPY and
ENTRYPOINT are present) add steps to create a dedicated user/group (e.g.,
runtime user), ensure ownership of the copied binary and /licenses (chown those
targets to the new uid/gid), drop privileges by adding a USER instruction
referencing that user, and keep the existing ENTRYPOINT untouched so
openshift-builds-shared-resource-webhook runs as the non-root user.

Source: Linters/SAST tools

.konflux/shared-resource/Dockerfile (1)

11-23: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden runtime image by switching from root to a non-root user.

This final stage also runs as root by default because USER is not set. Given this Dockerfile is pipeline-built and published, this should be fixed before merge.

Suggested hardening patch

 FROM registry.redhat.io/ubi10-minimal@sha256:2c20ac20ca1ecbbbd583603feabd9cc51e7e8ea5a82e5088e20a9494794b2574

 RUN \
   microdnf --assumeyes --nodocs install util-linux && \
   microdnf clean all && \
   rm -rf /var/cache/yum

 WORKDIR /

 COPY --from=builder /tmp/openshift-builds-shared-resource .
 COPY LICENSE /licenses/

+RUN chown -R 1001:0 /openshift-builds-shared-resource /licenses && \
+    chmod -R g=u /openshift-builds-shared-resource /licenses
+USER 1001
+
 ENTRYPOINT ["./openshift-builds-shared-resource"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/shared-resource/Dockerfile around lines 11 - 23, The final
Dockerfile stage is running as root; add a non-root user and switch to it before
the ENTRYPOINT: create a dedicated user/group (e.g., "sbuser"), set ownership
and minimal permissions for the copied binary and /licenses (use chown on the
files copied by COPY --from=builder and COPY LICENSE), and then add USER sbuser
(or the chosen uid:gid) after WORKDIR / and before ENTRYPOINT
["./openshift-builds-shared-resource"]; ensure the binary is executable by that
user and avoid granting unnecessary write permissions to root-owned directories.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.konflux/shared-resource-webhook/Dockerfile:
- Around line 11-18: The final image runs as root because there is no USER set;
create a non-root runtime user and make that the container user: in the final
stage (where WORKDIR, COPY and ENTRYPOINT are present) add steps to create a
dedicated user/group (e.g., runtime user), ensure ownership of the copied binary
and /licenses (chown those targets to the new uid/gid), drop privileges by
adding a USER instruction referencing that user, and keep the existing
ENTRYPOINT untouched so openshift-builds-shared-resource-webhook runs as the
non-root user.

In @.konflux/shared-resource/Dockerfile:
- Around line 11-23: The final Dockerfile stage is running as root; add a
non-root user and switch to it before the ENTRYPOINT: create a dedicated
user/group (e.g., "sbuser"), set ownership and minimal permissions for the
copied binary and /licenses (use chown on the files copied by COPY
--from=builder and COPY LICENSE), and then add USER sbuser (or the chosen
uid:gid) after WORKDIR / and before ENTRYPOINT
["./openshift-builds-shared-resource"]; ensure the binary is executable by that
user and avoid granting unnecessary write permissions to root-owned directories.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f247c876-016f-462f-a329-c3b2197a51de

📥 Commits

Reviewing files that changed from the base of the PR and between 0b96896 and e105323.

📒 Files selected for processing (4)

• .konflux/shared-resource-webhook/Dockerfile
• .konflux/shared-resource/Dockerfile
• rpms.lock.yaml
• ubi.repo

✅ Files skipped from review due to trivial changes (1)

• rpms.lock.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• ubi.repo

[adchauha]

Image SHAs verified — both Dockerfiles use the latest ubi10/go-toolset (d5d48915..., Go 1.26.3) and ubi10-minimal (2c20ac20..., UBI 10.2). ubi.repo and rpms.lock.yaml look good.

A few items to address:

1. cpe labels still reference el9 — both Dockerfiles have cpe="cpe:/a:redhat:openshift_builds:1.8::el9", should be updated to el10
2. Add Jira issue number in PR title — [BUILD-2063] Migrate Konflux images and RPM lockfile to UBI 10
3. Sign the commit with -s -S flags

Co-Authored-By: Claude Code

Addressed review feedback: updated CPE labels to el10, amended commit with sign-off, updated PR title with BUILD-2063.

[openshift-ci]

@adchauha: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[avinal]

/ok-to-test

[adchauha]

Reverted CPE labels to el9 per product/certification guidance — the OpenShift Builds 1.8 component CPE remains on el9 even though runtime base images move to UBI 10. Base image digests and RPM lockfile remain on UBI 10.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.konflux/shared-resource-webhook/Dockerfile (1)

22-22: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

CPE label still references el9 instead of el10.

The base images have been migrated to UBI 10, but the CPE label still shows cpe:/a:redhat:openshift_builds:1.8::el9. This contradicts the PR objectives and the explicit request from psrvere to update CPE labels to el10. This metadata mismatch will cause incorrect CVE matching and compliance tracking.

🔧 Proposed fix

-	cpe="cpe:/a:redhat:openshift_builds:1.8::el9" \
+	cpe="cpe:/a:redhat:openshift_builds:1.8::el10" \

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/shared-resource-webhook/Dockerfile at line 22, Update the CPE label
value in the Dockerfile where the cpe string
cpe:/a:redhat:openshift_builds:1.8::el9 appears so it references el10 (i.e.,
change ::el9 to ::el10) to match the migrated UBI 10 base images and ensure
CVE/compliance tooling sees the correct OS version; verify there are no other
occurrences of the old cpe:/a:redhat:openshift_builds:1.8::el9 string in the
same file.

.konflux/shared-resource/Dockerfile (1)

27-27: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

CPE label still references el9 instead of el10.

The base images have been migrated to UBI 10, but the CPE label still shows cpe:/a:redhat:openshift_builds:1.8::el9. This contradicts the PR objectives and the explicit request from psrvere to update CPE labels to el10. This metadata mismatch will cause incorrect CVE matching and compliance tracking.

🔧 Proposed fix

-	cpe="cpe:/a:redhat:openshift_builds:1.8::el9" \
+	cpe="cpe:/a:redhat:openshift_builds:1.8::el10" \

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/shared-resource/Dockerfile at line 27, The CPE label in the
Dockerfile (the cpe variable value "cpe:/a:redhat:openshift_builds:1.8::el9")
still references el9; update that string to use el10
("cpe:/a:redhat:openshift_builds:1.8::el10") and scan the Dockerfile for any
other occurrences of "el9" to replace with "el10" so the metadata matches the
new UBI 10 base images and ensures correct CVE/compliance matching.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.konflux/shared-resource-webhook/Dockerfile:
- Line 22: Update the CPE label value in the Dockerfile where the cpe string
cpe:/a:redhat:openshift_builds:1.8::el9 appears so it references el10 (i.e.,
change ::el9 to ::el10) to match the migrated UBI 10 base images and ensure
CVE/compliance tooling sees the correct OS version; verify there are no other
occurrences of the old cpe:/a:redhat:openshift_builds:1.8::el9 string in the
same file.

In @.konflux/shared-resource/Dockerfile:
- Line 27: The CPE label in the Dockerfile (the cpe variable value
"cpe:/a:redhat:openshift_builds:1.8::el9") still references el9; update that
string to use el10 ("cpe:/a:redhat:openshift_builds:1.8::el10") and scan the
Dockerfile for any other occurrences of "el9" to replace with "el10" so the
metadata matches the new UBI 10 base images and ensures correct CVE/compliance
matching.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3bf13e2b-8fb5-4da5-85a9-2e52c36a62da

📥 Commits

Reviewing files that changed from the base of the PR and between e105323 and 5b631dd.

📒 Files selected for processing (4)

• .konflux/shared-resource-webhook/Dockerfile
• .konflux/shared-resource/Dockerfile
• rpms.lock.yaml
• ubi.repo

🚧 Files skipped from review as they are similar to previous changes (2)

• ubi.repo
• rpms.lock.yaml

[openshift-ci]

@adchauha: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	5b631dd	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.