From 4bbae6fd0e84991c6fbd3cdef2f01c37a01bb99b Mon Sep 17 00:00:00 2001
From: PillaiManish
Date: Fri, 27 Mar 2026 00:24:11 +0530
Subject: [PATCH 1/2] UPSTREAM: : Migrate OpenShift Dockerfiles to UBI10 for RHCOS10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replace OCP CI registry RHEL9-based builder and runtime images with registry.redhat.io UBI10 equivalents across all OpenShift-variant Dockerfiles: - Dockerfile.openshift: rhel-9-golang-1.24-openshift-4.20 → ubi10/go-toolset:10.1 ocp/4.20:base-rhel9 → ubi10:10.1 - Dockerfile.bats: rhel-9-golang-1.24-openshift-4.20 → ubi10/go-toolset:10.1 - Dockerfile.e2eprovider: rhel-9-golang-1.24-openshift-4.20 → ubi10/go-toolset:10.1 ocp/4.20:base-rhel9 → ubi10:10.1 Adds USER 0 (required by go-toolset) and installs util-linux/ca-certificates in the runtime stage of Dockerfile.openshift. Also adds docs/rhcos10-ubi10-migration.md documenting the migration.
Made-with: Cursor
---
 Dockerfile.bats | 3 +-
 Dockerfile.e2eprovider | 5 +-
 Dockerfile.openshift | 6 ++-
 docs/rhcos10-ubi10-migration.md | 90 +++++++++++++++++++++++++++++++++
 4 files changed, 99 insertions(+), 5 deletions(-)
 create mode 100644 docs/rhcos10-ubi10-migration.md
diff --git a/Dockerfile.bats b/Dockerfile.bats
index 5efba78a0..f30a42439 100644
--- a/Dockerfile.bats
+++ b/Dockerfile.bats
@@ -1,4 +1,5 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
+FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
+USER 0
 WORKDIR /go/src/github.com/openshift/secrets-store-csi-driver
 COPY . .
 ENV BATS_VERSION="1.12.0"
diff --git a/Dockerfile.e2eprovider b/Dockerfile.e2eprovider
index 5ac3c8439..e25f15b68 100644
--- a/Dockerfile.e2eprovider
+++ b/Dockerfile.e2eprovider
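Review bot: The new builder `FROM` in Dockerfile.bats selects the Go compiler only by OS release: the removed tag named `golang-1.25`, while `ubi10/go-toolset:10.1` ships whatever toolchain that tag currently carries and can change when the tag is rebuilt. The same `FROM` line is added in Dockerfile.e2eprovider and Dockerfile.openshift. Confirm that the toolset's Go version satisfies the `go` directive in go.mod, and pin the image by digest so builds are reproducible, e.g. `FROM registry.redhat.io/ubi10/go-toolset:10.1@sha256:<digest-placeholder> AS builder`. The commit message also cites `golang-1.24`/`4.20` as the previous tags while the removed lines show `1.25`/`4.22`. Dockerfile.bats continues past the end of this hunk.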
@@ -1,9 +1,10 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
+FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
+USER 0
 WORKDIR /go/src/github.com/openshift/secrets-store-csi-driver
 COPY . .
 RUN make build-e2e-provider
-FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+FROM registry.redhat.io/ubi10:10.1
 COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver/test/e2eprovider/e2e-provider /e2e-provider
 LABEL description="Mock provider for Secrets Store CSI Driver"
diff --git a/Dockerfile.openshift b/Dockerfile.openshift
index 0f469f48c..9fff6ea07 100644
--- a/Dockerfile.openshift
+++ b/Dockerfile.openshift
@@ -1,11 +1,13 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
+FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
+USER 0
 WORKDIR /go/src/github.com/openshift/secrets-store-csi-driver
 COPY . .
 RUN make build
 # Print build settings information embedded in the binary.
 RUN go version -m _output/secrets-store-csi
-FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+FROM registry.redhat.io/ubi10:10.1
+RUN dnf install -y util-linux ca-certificates && dnf clean all
 COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver/_output/secrets-store-csi /bin/secrets-store-csi
 LABEL description="Secrets Store CSI Driver"
diff --git a/docs/rhcos10-ubi10-migration.md b/docs/rhcos10-ubi10-migration.md
new file mode 100644
index 000000000..912376690
--- /dev/null
+++ b/docs/rhcos10-ubi10-migration.md
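Review bot: The `USER 0` added to the builder stage of Dockerfile.e2eprovider carries no comment, so the only rationale ("required by go-toolset") lives in the commit message and the line reads as if the shipped image were being forced to root. The directive is scoped to the builder stage, since the second `FROM` starts again from the runtime base's default user; a comment such as `# go-toolset presumably defaults to a non-root user; build as root in this stage only` (wording to be confirmed against the actual build failure) would make that explicit. The same applies to the `USER 0` lines in Dockerfile.bats and Dockerfile.openshift. No `USER` is visible for the runtime stage in this hunk, so the mock provider runs as whatever the `ubi10` base defaults to unless one is set past the hunk's end.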
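Review bot: The `RUN dnf install -y util-linux ca-certificates && dnf clean all` added to the runtime stage of Dockerfile.openshift does not say which part of the driver needs these packages, and it installs unpinned versions plus weak dependencies at build time. A one-line comment naming the consumers (presumably mount helpers from util-linux and the CA bundle for TLS, to be confirmed) would help the next base-image change. Disabling weak dependencies keeps the runtime image closer to the minimum: `RUN dnf install -y --setopt=install_weak_deps=False util-linux ca-certificates && dnf clean all`. The file may continue past the hunk's last line.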
@@ -0,0 +1,90 @@
+# PR2: RHCOS10 — Migrate Base Images from OCP/UBI9 to UBI10
+
+## Purpose
+
+Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to
+`registry.redhat.io` UBI10 images, aligning with the RHCOS10 host OS.
+
+This is the follow-up to PR1 (`rhcos10-ubi9-compat-test`), which validated that the
+existing OCP/UBI9 images run correctly on RHCOS10 nodes. This PR adopts UBI10 as the
+native base for RHCOS10 deployments.
+
+## Background
+
+Red Hat CoreOS 10 (RHCOS10) ships with RHEL10 as its host OS. Using UBI10-based images
+ensures better alignment with the host OS libraries and security updates, and removes the
+dependency on the OCP CI internal registry (`registry.ci.openshift.org`) for runtime
+images.
+
+## Changes
+
+### Registry change
+
+All OpenShift variant images move from the OCP CI registry to the authenticated Red Hat
+registry:
+
+```
+registry.ci.openshift.org/ocp/builder:rhel-9-golang-* → registry.redhat.io/ubi10/go-toolset:10.1
+registry.ci.openshift.org/ocp/4.20:base-rhel9 → registry.redhat.io/ubi10:10.1
+```
+
+### Dockerfile changes
+
+#### `Dockerfile.openshift` — main driver image
+
+| Stage | Before | After |
+|---|---|---|
+| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` |
+| Runtime | `registry.ci.openshift.org/ocp/4.20:base-rhel9` | `registry.redhat.io/ubi10:10.1` |
+
+Additional change: added `USER 0` after the builder `FROM` line (required by
+`go-toolset`) and `RUN dnf install -y util-linux ca-certificates && dnf clean all` in
+the runtime stage.
+
+#### `Dockerfile.e2eprovider` — e2e mock provider
+
+| Stage | Before | After |
+|---|---|---|
+| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` |
+| Runtime | `registry.ci.openshift.org/ocp/4.20:base-rhel9` | `registry.redhat.io/ubi10:10.1` |
+
+#### `Dockerfile.bats` — bats test runner
+
+| Stage | Before | After |
+|---|---|---|
+| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` |
+| Runtime | `src` (prow-injected) | unchanged |
+
+## Files NOT Changed
+
+| File | Reason |
+|---|---|
+| `docker/Dockerfile` | Upstream community Dockerfile using `golang` + `debian-base` — not OCP-specific |
+| `docker/crd.Dockerfile` | Uses `alpine` + `gcr.io/distroless/static` — not OCP-specific |
+| `test/e2eprovider/Dockerfile` | Upstream community Dockerfile using `golang` + `gcr.io/distroless/static` |
+| `.local/Dockerfile` | Local development debug image using `golang:alpine` — not for production |
+| `vendor/` | Vendored dependency, not modified |
+
+## Test Matrix
+
+| Cluster OS | Driver image base | Expected result |
+|---|---|---|
+| RHCOS10 | UBI10 (this PR) | Pass — native RHEL10 base |
+| RHCOS9 | UBI10 (this PR) | Pass — UBI10 containers are compatible with RHCOS9 |
+
+## Test Plan
+
+- [ ] `Dockerfile.openshift` builds successfully with `go-toolset:10.1` as builder and
+ `ubi10:10.1` as runtime
+- [ ] `Dockerfile.e2eprovider` builds successfully with `go-toolset:10.1` as builder and
+ `ubi10:10.1` as runtime
+- [ ] `Dockerfile.bats` builds successfully with `go-toolset:10.1` as builder
+- [ ] CI jobs pass on RHCOS10 cluster nodes with UBI10 base images
+- [ ] CI jobs pass on RHCOS9 cluster nodes with UBI10 base images (regression check)
+- [ ] No regressions compared to UBI9 baseline (PR1)
+
+## References
+
+- [Red Hat UBI10 Container Catalog](https://catalog.redhat.com/en/software/containers/ubi10/ubi/66f2b46b122803e4937d11ae)
+- [Red Hat UBI10 go-toolset Container Catalog](https://catalog.redhat.com/en/software/containers/ubi10/go-toolset)
+- PR1 baseline: `docs/rhcos10-ubi9-compat-test.md`
From 36e16eefa6faea3b10a3b886baf3f5bf47dcfb5c Mon Sep 17 00:00:00 2001
From: Manish Pillai
Date: Thu, 16 Apr 2026 10:48:53 +0530
Subject: [PATCH 2/2] UPSTREAM: : Change base image to ubi-minimal for Dockerfile
---
 Dockerfile.e2eprovider | 2 +-
 Dockerfile.openshift | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.e2eprovider b/Dockerfile.e2eprovider
index e25f15b68..37903484e 100644
--- a/Dockerfile.e2eprovider
+++ b/Dockerfile.e2eprovider
@@ -4,7 +4,7 @@ WORKDIR /go/src/github.com/openshift/secrets-store-csi-driver
 COPY . .
 RUN make build-e2e-provider
-FROM registry.redhat.io/ubi10:10.1
+FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1
 COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver/test/e2eprovider/e2e-provider /e2e-provider
 LABEL description="Mock provider for Secrets Store CSI Driver"
diff --git a/Dockerfile.openshift b/Dockerfile.openshift
index 9fff6ea07..77dc78b6c 100644
--- a/Dockerfile.openshift
+++ b/Dockerfile.openshift
@@ -6,8 +6,7 @@ RUN make build
 # Print build settings information embedded in the binary.
 RUN go version -m _output/secrets-store-csi
-FROM registry.redhat.io/ubi10:10.1
-RUN dnf install -y util-linux ca-certificates && dnf clean all
+FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1
 COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver/_output/secrets-store-csi /bin/secrets-store-csi
 LABEL description="Secrets Store CSI Driver"
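Review bot: With this change the runtime `FROM` in Dockerfile.e2eprovider pulls from `registry.access.redhat.com`, while the builder stage (above this hunk) still pulls `registry.redhat.io/ubi10/go-toolset:10.1`, so one build now depends on two registries and only the builder uses the authenticated one that docs/rhcos10-ubi10-migration.md describes. That document, added by patch 1/2, still lists `registry.redhat.io/ubi10:10.1` as the runtime base for this file and for Dockerfile.openshift, and this patch does not touch it. Either update its tables and test plan to `registry.access.redhat.com/ubi10/ubi-minimal:10.1`, or state in the commit message why the runtime registry differs from the builder's. The file may continue past the hunk's last line.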
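Review bot: The runtime stage of Dockerfile.openshift loses `RUN dnf install -y util-linux ca-certificates && dnf clean all` together with the switch to `ubi-minimal`, and nothing on the new side replaces it. Patch 1/2 added those packages deliberately, so the driver presumably relies on them at runtime. Because `ubi-minimal` carries a smaller package set than `ubi10`, please verify that the helper binaries and CA bundle the driver uses are present in the final image, for example by running the e2e suite against it. If they are missing, reinstall them with the minimal image's package manager, `RUN microdnf install -y util-linux ca-certificates && microdnf clean all`, with a comment naming the component that needs them.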