OCPBUGS-87352: Updating coredns-container image to be consistent with ART for 5.0#189

Open
aswinsuryan wants to merge 2 commits into
openshift:mainfrom
aswinsuryan:OCPBUGS-87352-go-1.26

Conversation

@aswinsuryan

@aswinsuryan aswinsuryan commented Jun 17, 2026

Description:

Updates for OpenShift 5.0 ART alignment:

  • Update base image: registry.ci.openshift.org/ocp/4.22:base-rhel9 → registry.ci.openshift.org/ocp/5.0:base-rhel9
  • Update builder image: rhel-9-golang-1.25-openshift-4.22 → rhel-9-golang-1.26-openshift-5.0
  • Align .go-version: 1.24.6 → 1.26.0
  • Align go.mod: 1.25.0 → 1.26.0

Updates: #187

1. Why is this pull request needed and what does it do?

2. Which issues (if any) are related?

3. Which documentation changes (if any) need to be made?

4. Does this introduce a backward incompatible change or deprecation?

Summary by CodeRabbit

  • Chores
    • Upgraded the Go toolchain to 1.26.3 (from 1.25.0), improving performance and security.
    • Updated container base images to align with OpenShift 5.0 (from 4.22), including builder/runtime image refreshes.
    • Refreshed CI/CD release image tags and build image configuration to match the new toolchain and platform versions.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 17, 2026
@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 17, 2026
@openshift-ci-robot

@aswinsuryan: This pull request references Jira Issue OCPBUGS-87352, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested a review from melvinjoseph86 June 17, 2026 20:28
@openshift-ci

openshift-ci Bot commented Jun 17, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign candita for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Walkthrough

Go toolchain is bumped from 1.25.0/1.24.6 to 1.26.3, and OpenShift base images are upgraded from 4.22 to 5.0 across configuration files. Test assertion formatting is corrected from string-style to numeric formatting for DNS and SOA integer values.

Changes

Go 1.26 / OpenShift 5.0 Toolchain Upgrade

Toolchain version and base image configuration (go.mod, .go-version, Dockerfile.ocp, .ci-operator.yaml): go.mod directive updated to 1.26.3; .go-version pinned to 1.26.3; Dockerfile.ocp builder and runtime FROM tags changed from ...-1.25-openshift-4.22 / ocp/4.22 to ...-1.26-openshift-5.0 / ocp/5.0; .ci-operator.yaml build_root_image.tag updated to rhel-9-release-golang-1.26-openshift-5.0.

Test assertion formatting fixes (plugin/dns64/dns64_test.go, plugin/file/secondary_test.go, plugin/test/helpers.go): test failure messages now use numeric formatting (%d) instead of quoted formatting (%q) for DNS result codes, SOA serial values, and MX preference comparisons.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (14 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately reflects the main objective: updating CoreDNS container images and Go versions for OpenShift 5.0 alignment with ART standards, matching the file changes across configuration and source files.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR does not use Ginkgo tests. The codebase uses Go's standard testing package. No Ginkgo test patterns found in modified files or anywhere in the repository.
Test Structure And Quality ✅ Passed PR modifies standard Go tests (not Ginkgo), with only formatting changes to error messages. Ginkgo-specific quality check is not applicable to this PR.
Microshift Test Compatibility ✅ Passed This PR adds no new Ginkgo e2e tests. Changes are infrastructure/config updates (Go 1.26, OpenShift 5.0) and test assertion formatting fixes only.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR does not add new Ginkgo e2e tests; it only updates configuration and Go version pins in CoreDNS repo (uses standard Go tests). Check not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed This PR updates CoreDNS build configuration and Go version pins. It contains no deployment manifests, operator code, controllers, or scheduling constraints that would require topology-aware schedul...
Ote Binary Stdout Contract ✅ Passed PR contains only configuration updates, test code changes, and message formatting fixes. No stdout writes in process-level code (main, init, TestMain, BeforeSuite, etc.) are introduced. OTE Binary...
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR does not add any Ginkgo e2e tests. The check is only applicable when new Ginkgo tests are added. CoreDNS is a DNS server library with unit tests, not an e2e test suite.
No-Weak-Crypto ✅ Passed PR contains no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons. Only Go version and container image updates plus test...
Container-Privileges ✅ Passed PR modifies only Go version, builder images, and test formatting—no container/K8s manifests with privilege configurations are changed or introduced.
No-Sensitive-Data-In-Logs ✅ Passed PR contains no logging exposing passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data. Changes are Go version updates and test error message formatting improvements only.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile.ocp (1)

1-13: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Add USER directive for non-root execution and refine COPY pattern; define HEALTHCHECK.

The Dockerfile has three security/hardening gaps per container security guidelines:

  1. No USER directive (line 9): Container will run as root. CoreDNS should run as a non-root user for security hardening.
  2. Overly broad COPY (line 3): COPY . . copies the entire build context including test files, docs, and VCS metadata. Use selective COPY.
  3. Missing HEALTHCHECK: Guidelines require HEALTHCHECK to be defined for container orchestration health monitoring.
🛡️ Proposed fixes for container hardening
 FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
 WORKDIR /go/src/github.com/coredns/coredns
-COPY . .
+COPY go.mod go.sum ./
+COPY . .
 RUN GO111MODULE=on GOFLAGS=-mod=vendor go build -o coredns .
 
 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder /go/src/github.com/coredns/coredns/coredns /usr/bin/
 
+USER 1001
 ENTRYPOINT ["/usr/bin/coredns"]
 
+HEALTHCHECK --interval=10s --timeout=2s --start-period=5s --retries=3 \
+  CMD exec nslookup localhost 127.0.0.1:53 || exit 1
+
 LABEL io.k8s.display-name="CoreDNS" \
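Review bot: The added `+COPY go.mod go.sum ./` followed by the retained `+COPY . .` does not make the copy selective as the finding claims; the second line still pulls the entire build context (tests, docs, VCS metadata) into the builder stage, and because the build runs with `GOFLAGS=-mod=vendor` there is no `go mod download` step between the two COPYs that would benefit from the extra cache layer. Narrowing requires either a `.dockerignore` or copying only the directories the build needs. The `HEALTHCHECK` line is also suspect on its own terms: BIND's nslookup does not accept a `host:port` server argument (the port goes in `-port=`), so `nslookup localhost 127.0.0.1:53` would fail even where nslookup is installed; and since Kubernetes does not execute Dockerfile `HEALTHCHECK`, the pod's liveness/readiness probes are what actually monitor this container on OpenShift, which should be stated rather than left for the reader to discover.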

Note: If the base image does not include nslookup or dig, use a simpler check like a TCP probe or adjust the UID to match the base image's expected non-root user. Verify the UID 1001 is appropriate for the runtime image.

In `@Dockerfile.ocp` around lines 1 - 13, The Dockerfile has three security
hardening issues to address. First, replace the overly broad COPY . . command in
the builder stage with a more selective pattern that copies only essential files
needed for the build, excluding test files, documentation, and VCS metadata
directories. Second, add a USER directive in the runtime stage after the COPY
--from=builder command to ensure CoreDNS runs as a non-root user (verify the
appropriate UID with your base image, commonly 1001 or similar). Third, add a
HEALTHCHECK directive after the ENTRYPOINT to enable container orchestration
health monitoring; use an appropriate health check command such as a TCP probe
or DNS query depending on what tools are available in the base image.

Source: Coding guidelines

Inline comments:
In `@go.mod`:
- Line 5: The Go version specified in the go.mod file is set to 1.26.0, which
contains known security vulnerabilities. Update the version number in the line
go 1.26.0 from 1.26.0 to 1.26.4 (the current stable release) or at minimum to
1.26.1 to receive the necessary security patches that address the known CVEs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5160c812-d564-437e-935e-4db656c6176b

📥 Commits

Reviewing files that changed from the base of the PR and between 97f7cc3 and 384cbeb.

📒 Files selected for processing (4)
  • .ci-operator.yaml
  • .go-version
  • Dockerfile.ocp
  • go.mod
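A hardened form of Dockerfile.ocp that addresses the three findings above (root execution, unrestricted COPY, missing health check) without the weaknesses of the proposed diff is shown here as an added example; it is not the openshift/coredns Dockerfile and not CodeRabbit's suggestion. The builder and base image tags come from this PR. The list of copied directories, the UID 1001 with group 0, the probed port 53, the presence of bash in the runtime image, and the truncated LABEL are assumptions that must be checked against the repository tree and the base image before use.

```dockerfile
# Added example, not the openshift/coredns Dockerfile.ocp and not CodeRabbit's
# proposed diff. Image tags are from the PR; everything marked "assumed" below
# is a placeholder to verify.
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
WORKDIR /go/src/github.com/coredns/coredns

# Copy only what a vendored `go build .` needs instead of `COPY . .`.
# The directory list is assumed from the upstream CoreDNS layout; verify it
# against this fork. Test files inside plugin/ are still excluded only if a
# .dockerignore lists them (see the usage note).
COPY go.mod go.sum coredns.go ./
COPY vendor/ vendor/
COPY core/ core/
COPY coremain/ coremain/
COPY pb/ pb/
COPY plugin/ plugin/
COPY request/ request/
RUN GO111MODULE=on GOFLAGS=-mod=vendor go build -o coredns .

FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
COPY --from=builder /go/src/github.com/coredns/coredns/coredns /usr/bin/coredns

# Non-root execution in the OpenShift style: a fixed UID that belongs to the
# root group (GID 0). The restricted SCC may replace the UID with an arbitrary
# one at runtime, and group 0 keeps any writable paths usable either way.
# Binding a port below 1024 as this user needs CAP_NET_BIND_SERVICE, granted
# through the pod securityContext or via setcap on the binary (assumed: the
# fork's listening port is not shown in this PR).
USER 1001:0

ENTRYPOINT ["/usr/bin/coredns"]

# TCP connect probe using bash's /dev/tcp, so no nslookup or dig is required
# (assumed: bash is present in the base image, CoreDNS listens on 127.0.0.1:53).
# Only docker/podman honour HEALTHCHECK; Kubernetes relies on pod probes.
HEALTHCHECK --interval=10s --timeout=2s --start-period=5s --retries=3 \
  CMD bash -c 'exec 3<>/dev/tcp/127.0.0.1/53' || exit 1

LABEL io.k8s.display-name="CoreDNS"
```

The explicit COPY list is what actually narrows the context; the `COPY go.mod go.sum ./` then `COPY . .` pairing in the proposed diff only adds a cache layer and still copies everything. Pair this with a `.dockerignore` that excludes `.git`, `*_test.go`, `test/`, and documentation so that the `plugin/` copy does not drag test fixtures into the builder layer. On OpenShift the HEALTHCHECK is inert; the liveness and readiness probes on the DNS pod are the signal that matters, and the UID chosen here must match whatever the runtime expects to be able to bind the service port.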

Comment thread go.mod Outdated
@aswinsuryan aswinsuryan force-pushed the OCPBUGS-87352-go-1.26 branch 2 times, most recently from 7fa85fc to d07a143 Compare June 17, 2026 21:39
@aswinsuryan aswinsuryan marked this pull request as ready for review June 17, 2026 21:58
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 17, 2026
@openshift-ci openshift-ci Bot requested review from gcs278 and grzpiotrowski June 17, 2026 21:58
Update .go-version and go.mod to match Go 1.26.3 builder images.

Signed-off-by: Aswin Suryanarayanan <asuryana@redhat.com>
@aswinsuryan aswinsuryan force-pushed the OCPBUGS-87352-go-1.26 branch from d07a143 to 62c0e7e Compare June 18, 2026 17:36
@openshift-ci

openshift-ci Bot commented Jun 18, 2026

@aswinsuryan: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-serial-2of2 62c0e7e link true /test e2e-gcp-serial-2of2
ci/prow/e2e-aws-ovn-upgrade 62c0e7e link true /test e2e-aws-ovn-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gcs278

gcs278 commented Jun 24, 2026

/assign @Thealisyed

@Thealisyed Thealisyed left a comment

@coderabbitai you can also do a review on this PR, or answer / push back / agree with my comments!

Comment thread go.mod
// Note this minimum version requirement. CoreDNS supports the last two
// Go versions. This follows the upstream Go project support.
go 1.25.0
go 1.26.3
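Review bot: The directive `go 1.26.3` now contradicts the comment two lines above it, which says CoreDNS supports the last two Go versions. Since Go 1.21 the go directive is a minimum that triggers toolchain switching: any consumer on Go 1.26.0 through 1.26.2 with GOTOOLCHAIN=auto will download 1.26.3, and one with GOTOOLCHAIN=local will fail to build. If the goal is only that this repository builds with a patched toolchain, keep `go 1.26.0` and express the patch level with a `toolchain go1.26.3` line (or via .go-version, which already pins 1.26.3); otherwise update the comment to describe the new support policy.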

The go directive is set to 1.26.3 rather than 1.26.0. Was that intentional?
Typically the go directive tracks the minimum language version needed and pinning to a patch forces all consumers to have at least that patch. The .go-version file at 1.26.3 is fine since that controls the local toolchain but go.mod could arguably stay at 1.26.0?

Author

1.26.0 was flagged by coderabbit [1] due to security vulnerabilities, hence updated to 1.26.3

[1] #189 (comment)

actual := rec.Msg
if actual.Rcode != rc {
t.Fatalf("ServeDNS should return real result code %q != %q", actual.Rcode, rc)
t.Fatalf("ServeDNS should return real result code %d != %d", actual.Rcode, rc)

Were these flagged by go vet under 1.26 or caught manually? Just want to confirm the build actually fails without these on the new toolchain.

Author

Yes, that is right: the build was failing and these were flagged by go vet.
