OCPBUGS-87298: Updating ingress-node-firewall-daemon-container image to be consistent with ART for 5.0

[openshift-bot]

Updating ingress-node-firewall-daemon-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ingress-node-firewall-daemon.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/201

[coderabbitai]

Walkthrough

This pull request updates the build infrastructure to use Go 1.26 and OpenShift 5.0. The CI operator configuration and daemon Dockerfile are both updated to reference the new base image tags, while build and assembly logic remain unchanged.

Changes

Base Image and Builder Version Updates

Layer / File(s)	Summary
OpenShift 5.0 and Go 1.26 base image updates .ci-operator.yaml, Dockerfile.daemon.openshift	CI operator build_root_image.tag updated from Go 1.25 / OpenShift 4.22 to Go 1.26 / OpenShift 5.0; Dockerfile builder and runtime base images updated to matching 5.0 versions. Build steps and artifact assembly are unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
Stable And Deterministic Test Names	❌ Error	This PR introduces 3 Ginkgo tests with dynamic test names using fmt.Sprintf, violating stable/deterministic naming requirements.	Replace dynamic test names: Line 107-108 in ingressnodefirewallnodestate_controller_test.go and line 754 in ingressnodefirewall_controller_rules_test.go use fmt.Sprintf. Use static descriptive strings instead.
Test Structure And Quality	⚠️ Warning	Test files lack appropriate timeouts on Eventually/Consistently calls and missing assertion messages for error expectations, violating requirements 3 and 4 of test quality guidelines.	Add explicit timeout/interval parameters to all Eventually calls and add meaningful messages to all Expect().NotTo(HaveOccurred()) assertions for diagnostic clarity.
Microshift Test Compatibility	⚠️ Warning	New Ginkgo tests added use ingressnodefirewall.openshift.io/v1alpha1 CRD which is operator-provided and unavailable on MicroShift. Tests lack MicroShift skip guards or apigroup tags.	Add [apigroup:ingressnodefirewall.openshift.io] tags to test names or [Skipped:MicroShift] labels, or guard with exutil.IsMicroShiftCluster() checks.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR updates CI config for OpenShift 5.0. No new Ginkgo e2e tests are added; existing test files are just being added to the repository.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies build configuration files (base image tag updates). No deployment manifests, operator code, or scheduling constraints were added or modified.
Ote Binary Stdout Contract	✅ Passed	PR only modifies CI configuration files and Dockerfile for base image updates; no Go source code or test code changed. OTE Binary Stdout Contract check not applicable to configuration changes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests added; this PR only updates CI/CD configuration (.ci-operator.yaml) and Dockerfile base images. The check is not applicable.
No-Weak-Crypto	✅ Passed	PR only updates base image tags in .ci-operator.yaml and Dockerfile.daemon.openshift. No weak cryptographic code or implementations are introduced.
Container-Privileges	✅ Passed	PR only updates base image tags; no privileged container settings (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation) are introduced.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements exposing passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data found in PR changes (.ci-operator.yaml, Dockerfile.daemon.openshift).
Title check	✅ Passed	The title clearly describes the main change: updating the ingress-node-firewall-daemon-container image configuration to be consistent with ART (Automated Release Tooling) for OpenShift 5.0, which aligns with the file-level changes switching from 1.25-4.22 to 1.26-5.0 versions.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87298, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating ingress-node-firewall-daemon-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ingress-node-firewall-daemon.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign tssurya for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

Dockerfile.daemon.openshift (2)

1-11: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Critical security violation: Container runs as root.

The Dockerfile does not include a USER directive, meaning the container runs as root by default. As per coding guidelines, containers must run as non-root users. This is a critical security risk in production environments.

🛡️ Proposed fix to add non-root user

 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
+RUN useradd -r -u 1001 -g 0 daemon-user
 COPY --from=builder /go/src/github.com/openshift/ingress-node-firewall/bin/daemon /usr/bin/
 COPY --from=builder /go/src/github.com/openshift/ingress-node-firewall/bin/syslog /usr/bin/
+USER 1001
 CMD ["/usr/bin/daemon"]

As per coding guidelines, "USER non-root; never run as root" is required for all Dockerfiles.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.daemon.openshift` around lines 1 - 11, The image runs as root
because Dockerfile.daemon.openshift lacks a USER directive; add a non-root user
and switch to it in the final stage: create a dedicated uid/gid (or use a
minimal non-root user), ensure the two copied binaries (/usr/bin/daemon and
/usr/bin/syslog) and any required directories are owned and executable by that
user (chown/chmod during the final stage), then set USER to that non-root user
so the container does not run as root.

Source: Coding guidelines

---

1-11: ⚠️ Potential issue | 🟠 Major

Add HEALTHCHECK to Dockerfile.daemon.openshift

Dockerfile.daemon.openshift has no HEALTHCHECK directive, and there are no HEALTHCHECK directives in any Dockerfile*/Containerfile* in this repo. The daemon already registers controller-runtime health/ready checks (healthz, readyz) on the probe listener (--health-probe-bind-address, default 127.0.0.1:39400), so the container HEALTHCHECK should query that same probe endpoint.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.daemon.openshift` around lines 1 - 11, Add a Docker HEALTHCHECK
that queries the daemon's controller-runtime probe listener (use the same probe
address flag --health-probe-bind-address and the /healthz or /readyz endpoints)
so the container reports unhealthy when the app probe fails; modify
Dockerfile.daemon.openshift (which sets CMD ["/usr/bin/daemon"]) to include a
HEALTHCHECK line (for example: HEALTHCHECK --interval=30s CMD curl -f
http://127.0.0.1:39400/readyz || exit 1) or an equivalent command available in
the base image, ensuring it targets 127.0.0.1:39400 (the default for
--health-probe-bind-address) and returns non-zero on failure.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.daemon.openshift`:
- Line 4: Replace the insecure "COPY . ." in Dockerfile.daemon.openshift with
explicit COPY instructions that only copy the files and directories required by
the build script; inspect ./hack/build-daemon.sh to determine the minimal set
(e.g., scripts, Dockerfile fragments, configs, source directories) and add
individual COPY lines for each required path, and add/adjust a .dockerignore to
exclude secrets and unnecessary files so sensitive data and large unrelated
context are not included in the image/build cache.

---

Outside diff comments:
In `@Dockerfile.daemon.openshift`:
- Around line 1-11: The image runs as root because Dockerfile.daemon.openshift
lacks a USER directive; add a non-root user and switch to it in the final stage:
create a dedicated uid/gid (or use a minimal non-root user), ensure the two
copied binaries (/usr/bin/daemon and /usr/bin/syslog) and any required
directories are owned and executable by that user (chown/chmod during the final
stage), then set USER to that non-root user so the container does not run as
root.
- Around line 1-11: Add a Docker HEALTHCHECK that queries the daemon's
controller-runtime probe listener (use the same probe address flag
--health-probe-bind-address and the /healthz or /readyz endpoints) so the
container reports unhealthy when the app probe fails; modify
Dockerfile.daemon.openshift (which sets CMD ["/usr/bin/daemon"]) to include a
HEALTHCHECK line (for example: HEALTHCHECK --interval=30s CMD curl -f
http://127.0.0.1:39400/readyz || exit 1) or an equivalent command available in
the base image, ensuring it targets 127.0.0.1:39400 (the default for
--health-probe-bind-address) and returns non-zero on failure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 392c2065-5bcf-43d8-b679-4fdc03652de8

📥 Commits

Reviewing files that changed from the base of the PR and between 1c7880a and 5f47b5e.

📒 Files selected for processing (2)

• .ci-operator.yaml
• Dockerfile.daemon.openshift

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Security best practice: Copy specific files instead of entire context.

Line 4 copies the entire build context (. .), which violates the guideline to "COPY specific files, not entire context". This can inadvertently include sensitive files, secrets, or unnecessary data in the build cache.

Consider updating to copy only the necessary files and directories required by ./hack/build-daemon.sh. You may need to inspect the build script to determine the minimal required file set.

As per coding guidelines, "COPY specific files, not entire context" is required for container security.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.daemon.openshift` at line 4, Replace the insecure "COPY . ." in
Dockerfile.daemon.openshift with explicit COPY instructions that only copy the
files and directories required by the build script; inspect
./hack/build-daemon.sh to determine the minimal set (e.g., scripts, Dockerfile
fragments, configs, source directories) and add individual COPY lines for each
required path, and add/adjust a .dockerignore to exclude secrets and unnecessary
files so sensitive data and large unrelated context are not included in the
image/build cache.

Source: Coding guidelines

[openshift-ci]

@openshift-bot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-deps	5f47b5e	link	true	/test verify-deps

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87298, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updating ingress-node-firewall-daemon-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ingress-node-firewall-daemon.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

ART wants to connect issue OCPBUGS-87612 to this PR, but found it is currently hooked up to ['OCPBUGS-87298']. Please consult with #forum-ocp-art if it is not clear what there is to do.