NO-ISSUE: rebase-main-nightly_amd64-2026-04-16-172425_arm64-2026-04-16-232425#6520

Merged
openshift-merge-bot[bot] merged 11 commits into openshift:main from pacevedom:rebase-bbad4d6f8-5.0.0-0.nightly-2026-04-16-172425_amd64-2026-04-16_arm64-2026-04-16
Apr 20, 2026
@pacevedom pacevedom commented Apr 17, 2026

Summary by CodeRabbit

  • Chores
    • Upgraded base release from 4.22.x to 5.0.0 for ARM64 and x86_64.
    • Retargeted numerous component images to the release-5 image stream (core components, Multus, OLM, CLI, networking, storage).
    • Adjusted test and build tooling to handle cross-major version boundaries (4.x → 5.0).
  • Chores
    • Added service-ca controller RBAC entries and exposed an operator image version env var.

@openshift-ci-robot

@pacevedom: This pull request explicitly references no jira issue.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 17, 2026
@coderabbitai

coderabbitai bot commented Apr 17, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

This pull request advances OCP references from 4.22 → 5.0 across manifests and configs, swaps image repositories from ocp-v4.0-art-dev to ocp-v5.0-art-dev with updated digests, adds RBAC rules for featuregates and pkis, and updates test tooling to handle a major-version boundary (4→5) via conditional next-version logic.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Version Baseline Updates | Makefile.version.aarch64.var, Makefile.version.x86_64.var | Bumped OCP_VERSION nightly identifiers from 4.22 → 5.0. |
| Multus Component Images | assets/components/multus/kustomization.aarch64.yaml, assets/components/multus/kustomization.x86_64.yaml, assets/components/multus/release-multus-aarch64.json, assets/components/multus/release-multus-x86_64.json | Switched multus-cni-microshift and containernetworking-plugins-microshift image references from ocp-v4.0-art-dev to ocp-v5.0-art-dev and updated SHA256 digests; updated release.base to 5.0 nightlies for each arch. |
| OLM Component Images | assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml, assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml, assets/optional/operator-lifecycle-manager/release-olm-aarch64.json, assets/optional/operator-lifecycle-manager/release-olm-x86_64.json | Retargeted OLM, operator-registry, and kube-rbac-proxy images to ocp-v5.0-art-dev with new digests; patched env vars referencing new pullspecs; updated release.base to 5.0 nightlies. |
| Core Release Images | assets/release/release-aarch64.json, assets/release/release-x86_64.json | Updated release.base to 5.0 nightlies and replaced many component image digests (cli, coredns, haproxy-router, kube-rbac-proxy, ovn-kubernetes-microshift, pod, service-ca-operator, csi-snapshot-controller) to ocp-v5.0-art-dev equivalents. |
| Service-CA Configuration | assets/components/service-ca/clusterrole.yaml, assets/components/service-ca/deployment.yaml | Added RBAC rules granting get,list,watch on config.openshift.io/featuregates and config.openshift.io/pkis; added OPERATOR_IMAGE_VERSION env var to service-ca-controller container. |
| CRI-O Pause Image | packaging/crio.conf.d/10-microshift_amd64.conf, packaging/crio.conf.d/10-microshift_arm64.conf | Updated [crio.image].pause_image pullspecs to ocp-v5.0-art-dev SHA256 digests. |
| Rebase Tracking / Automation | scripts/auto-rebase/changelog.txt, scripts/auto-rebase/commits.txt, scripts/auto-rebase/last_rebase.sh, scripts/auto-rebase/rebase_job_entrypoint.sh | Replaced many embedded-component commit hashes and changelog entries; switched release pullspec forms from ocp/release → ocp/release-5 and ocp-arm64/release-arm64 → ocp-arm64/release-5-arm64. |
| Test Versioning Infrastructure | test/assets/common_versions.sh.template, test/bin/common_versions.sh, test/bin/build_images.sh, test/bin/pyutils/build_bootc_images.py, test/bin/pyutils/generate_common_versions.py | Bumped MAJOR from 4→5 and MINOR 22→0; added FAKE_NEXT_MAJOR_VERSION and conditional logic to handle last-minor→next-major boundary; adjusted version globs and build image selection to use <major>.<minor>.*; updated release repo pointers. |
| Test Image Blueprints / Containerfiles | test/image-blueprints-bootc/.../rhel*.containerfile, test/image-blueprints/layer2-presubmit/group1/rhel98-source-fake-next-minor.toml | Replaced hardcoded 4.<FAKE_NEXT_MINOR_VERSION>.* package/image globs with {{ .Env.FAKE_NEXT_MAJOR_VERSION }}.{{ .Env.FAKE_NEXT_MINOR_VERSION }}.* (template/env-driven major version). |
| Go Module Pin | etcd/go.mod | Updated github.com/openshift/api pseudo-version commit to a newer commit. |
| Small Misc Configs & Scripts | packaging/..., various small files | Minor single-line image/pullspec/digest and script-format updates across packaging and helper scripts. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (9 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main purpose of this PR: a rebase update with specific nightly build dates and architecture tags (amd64 and arm64) for version 5.0.0. |
| Stable And Deterministic Test Names | ✅ Passed | PR contains no Ginkgo test files with test definitions; changes are configuration files only. |
| Test Structure And Quality | ✅ Passed | PR contains no Ginkgo test code modifications, only configuration files. Check not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR is a nightly build rebase updating infrastructure configuration and version numbers. No new Ginkgo e2e tests introduced; test/ changes are build scripts and image specifications only. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR is a rebase update with no new Ginkgo e2e tests, so custom check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR updates versions and digests without introducing new scheduling constraints. Pre-existing service-ca nodeSelector unchanged. |
| Ote Binary Stdout Contract | ✅ Passed | PR contains no Go source code modifications or changes to process-level code entry points that execute within OTE framework. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR contains no new Ginkgo e2e tests, only configuration updates. No Go test files were modified and no Ginkgo test patterns appear in the diff. |

@openshift-ci openshift-ci bot requested review from agullon and eslutsky April 17, 2026 11:48
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 17, 2026
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between bbad4d6 and b8099d5.

⛔ Files ignored due to path filters (2)
  • etcd/go.sum is excluded by !**/*.sum
  • etcd/vendor/modules.txt is excluded by !**/vendor/**
📒 Files selected for processing (20)
  • Makefile.version.aarch64.var
  • Makefile.version.x86_64.var
  • assets/components/multus/kustomization.aarch64.yaml
  • assets/components/multus/kustomization.x86_64.yaml
  • assets/components/multus/release-multus-aarch64.json
  • assets/components/multus/release-multus-x86_64.json
  • assets/components/service-ca/clusterrole.yaml
  • assets/components/service-ca/deployment.yaml
  • assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml
  • assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml
  • assets/optional/operator-lifecycle-manager/release-olm-aarch64.json
  • assets/optional/operator-lifecycle-manager/release-olm-x86_64.json
  • assets/release/release-aarch64.json
  • assets/release/release-x86_64.json
  • etcd/go.mod
  • packaging/crio.conf.d/10-microshift_amd64.conf
  • packaging/crio.conf.d/10-microshift_arm64.conf
  • scripts/auto-rebase/changelog.txt
  • scripts/auto-rebase/commits.txt
  • scripts/auto-rebase/last_rebase.sh

Comment on lines +40 to 42
env:
- name: OPERATOR_IMAGE_VERSION
terminationMessagePolicy: FallbackToLogsOnError

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find consumers of OPERATOR_IMAGE_VERSION in vendored service-ca-operator, and any templating of this env elsewhere in assets.
rg -nP -C2 '\bOPERATOR_IMAGE_VERSION\b'
fd -t f 'deployment.yaml' assets/components | xargs rg -nP -C2 'OPERATOR_IMAGE_VERSION|ReleaseImage'

Repository: openshift/microshift

Length of output: 3732


🏁 Script executed:

cat assets/components/service-ca/deployment.yaml

Repository: openshift/microshift

Length of output: 2146


🏁 Script executed:

rg -n 'ReleaseImage' assets/ -A 1 -B 1 | head -50

Repository: openshift/microshift

Length of output: 3792


🏁 Script executed:

rg -n 'service_ca_operator' assets/ -A 2 -B 2

Repository: openshift/microshift

Length of output: 515


🏁 Script executed:

rg -n 'OPERATOR_IMAGE_VERSION' --type yaml assets/

Repository: openshift/microshift

Length of output: 250


🏁 Script executed:

find . -name "*.go" -o -name "*.py" | xargs rg -l 'OPERATOR_IMAGE_VERSION' 2>/dev/null | head -5

Repository: openshift/microshift

Length of output: 46


OPERATOR_IMAGE_VERSION env var has no value (or valueFrom)—resolves to empty string at runtime.

This is missing a value assignment. Compare to cert-manager/manager.yaml, which sets this to 1.18.1. If the operator consumes this variable, an empty string will likely cause issues (blank version metadata or operand misbehavior).

The suggested template field {{ .ReleaseImage.service_ca_operator_version }} does not exist in the codebase. Either:

  • Drop the env entry entirely if unused, or
  • Provide the correct value source (hardcoded, templated, or from release payload)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@assets/components/service-ca/deployment.yaml` around lines 40 - 42, The env
entry OPERATOR_IMAGE_VERSION is declared without a value and will be empty at
runtime; either remove this env var if it's unused or set a concrete source—add
a value: "1.18.1" (or the correct operator version) or a valueFrom that
references the release payload/Helm value used by your charts (e.g., replace the
nonexistent {{ .ReleaseImage.service_ca_operator_version }} with the correct
template key like a .Values or other release variable); update the Deployment
spec where OPERATOR_IMAGE_VERSION is set so the operator receives a non-empty
value.

@pacevedom pacevedom force-pushed the rebase-bbad4d6f8-5.0.0-0.nightly-2026-04-16-172425_amd64-2026-04-16_arm64-2026-04-16 branch from d5e31af to c781b76 Compare April 17, 2026 12:09
Member

@pmtk pmtk left a comment

/lgtm

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. and removed lgtm Indicates that a PR is ready to be merged. labels Apr 17, 2026
@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
test/bin/pyutils/generate_common_versions.py (1)

358-392: LGTM — VERSION_MAP serialization is clean.

Generates [4]=22 ... string consumable by declare -A. Empty-map case (declare -A X=()) also remains valid. One tiny nit if you ever revisit: you could sort items for deterministic output across Python dict reorderings, but not a concern at current size.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/bin/pyutils/generate_common_versions.py` around lines 358 - 392, The
generated last_minor_for_major_bash string should be deterministic across dict
orderings: update the comprehension that builds last_minor_for_major_bash to
iterate over a sorted VERSION_MAP (e.g., sorted(VERSION_MAP.items(), key=lambda
kv: int(kv[0]) or kv[0])) so entries like "[{major}]={info['last_minor']}" are
produced in a stable order; locate the last_minor_for_major_bash construction in
generate_common_versions.py and replace the unsorted VERSION_MAP.items()
iteration with a sorted version.
test/image-blueprints/layer2-presubmit/group1/rhel98-source-fake-next-minor.toml (1)

14-14: Nit: parent ref still hardcodes 4..

The # parent = "rhel-9.6-microshift-4.{{ .Env.PREVIOUS_MINOR_VERSION }}" line keeps a literal 4. prefix. Fine for this rebase (previous minor is still 4.x), but it'll need the same major-aware treatment the next time PREVIOUS_MINOR_VERSION crosses a major boundary. Worth a follow-up to introduce a PREVIOUS_MAJOR_VERSION env for symmetry.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@test/image-blueprints/layer2-presubmit/group1/rhel98-source-fake-next-minor.toml`
at line 14, The parent line hardcodes the literal "4." prefix in the string
"rhel-9.6-microshift-4.{{ .Env.PREVIOUS_MINOR_VERSION }}", which will break when
PREVIOUS_MINOR_VERSION crosses a major boundary; update the template to derive
the full previous version using both major and minor env vars by adding a
PREVIOUS_MAJOR_VERSION environment variable and replacing the hardcoded "4."
with "{{ .Env.PREVIOUS_MAJOR_VERSION }}.{{ .Env.PREVIOUS_MINOR_VERSION }}" (or
equivalent concatenation) so the parent reference becomes major-aware and
symmetric with PREVIOUS_MINOR_VERSION.

📥 Commits

Reviewing files that changed from the base of the PR and between c781b76 and 8cc368b.

📒 Files selected for processing (9)
  • test/assets/common_versions.sh.template
  • test/bin/build_images.sh
  • test/bin/common.sh
  • test/bin/common_versions.sh
  • test/bin/pyutils/build_bootc_images.py
  • test/bin/pyutils/generate_common_versions.py
  • test/image-blueprints-bootc/el10/layer2-presubmit/group2/rhel102-bootc-source-fake-next-minor.containerfile
  • test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fake-next-minor.containerfile
  • test/image-blueprints/layer2-presubmit/group1/rhel98-source-fake-next-minor.toml

@pacevedom
Contributor Author

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 17, 2026
@pacevedom pacevedom force-pushed the rebase-bbad4d6f8-5.0.0-0.nightly-2026-04-16-172425_amd64-2026-04-16_arm64-2026-04-16 branch from 8cc368b to c8a39a8 Compare April 17, 2026 15:31
@pacevedom pacevedom force-pushed the rebase-bbad4d6f8-5.0.0-0.nightly-2026-04-16-172425_amd64-2026-04-16_arm64-2026-04-16 branch from c8a39a8 to 5137c1b Compare April 17, 2026 17:42
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between c8a39a8 and 5137c1b.

📒 Files selected for processing (8)
  • test/assets/common_versions.sh.template
  • test/bin/build_images.sh
  • test/bin/common_versions.sh
  • test/bin/pyutils/build_bootc_images.py
  • test/bin/pyutils/generate_common_versions.py
  • test/image-blueprints-bootc/el10/layer2-presubmit/group2/rhel102-bootc-source-fake-next-minor.containerfile
  • test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fake-next-minor.containerfile
  • test/image-blueprints/layer2-presubmit/group1/rhel98-source-fake-next-minor.toml
✅ Files skipped from review due to trivial changes (2)
  • test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fake-next-minor.containerfile
  • test/image-blueprints/layer2-presubmit/group1/rhel98-source-fake-next-minor.toml
🚧 Files skipped from review as they are similar to previous changes (4)
  • test/image-blueprints-bootc/el10/layer2-presubmit/group2/rhel102-bootc-source-fake-next-minor.containerfile
  • test/bin/build_images.sh
  • test/bin/pyutils/build_bootc_images.py
  • test/assets/common_versions.sh.template

Comment on lines +352 to 356
if not gitops_version:
target_file = pathlib.Path(__file__).resolve().parent / '../common_versions.sh'
args = ['grep', '-oP', '(?<=GITOPS_VERSION=).*', str(target_file)]
gitops_version = subprocess.run(args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, check=True).stdout.strip()
logging.info(f"API fetch failed, preserving existing GITOPS_VERSION={gitops_version}")

⚠️ Potential issue | 🟡 Minor

Fallback grep can crash the run; log message is also slightly misleading.

Switching the guard to if not gitops_version: now routes empty-string returns from get_gitops_version (lines 279, 293 — e.g. no OCP-compatible GitOps version found after 4 Y-1 hops) through the grep path. Two small gotchas here:

  1. subprocess.run(..., check=True) raises CalledProcessError when grep finds no match (exit 1), turning a previously soft "" outcome into a hard crash of the whole generator. A missing/renamed GITOPS_VERSION= line in common_versions.sh would take the whole PR workflow down with it.
  2. The log says "API fetch failed, preserving existing GITOPS_VERSION=...", but we reach this branch even when the API succeeded and simply returned no compatible version — worth wording more neutrally.
🛡️ Proposed hardening
     if not gitops_version:
         target_file = pathlib.Path(__file__).resolve().parent / '../common_versions.sh'
         args = ['grep', '-oP', '(?<=GITOPS_VERSION=).*', str(target_file)]
-        gitops_version = subprocess.run(args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, check=True).stdout.strip()
-        logging.info(f"API fetch failed, preserving existing GITOPS_VERSION={gitops_version}")
+        result = subprocess.run(args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, check=False)
+        gitops_version = result.stdout.strip() if result.returncode == 0 else ""
+        logging.info(f"Could not resolve GITOPS_VERSION from API; preserving existing GITOPS_VERSION={gitops_version!r}")
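Review bot: On the two added `result` lines, grep's exit status 1 (no `GITOPS_VERSION=` line) and any higher error status (for example an unreadable or missing `common_versions.sh`) both collapse to `""`, and because `stderr=subprocess.STDOUT` is kept, grep's error text ends up in `result.stdout` and is discarded. Consider treating only `returncode == 1` as the soft empty case and logging `result.stdout` at warning level for any other non-zero status, so a broken path shows up in the job log. The new info message also still reads "preserving existing GITOPS_VERSION=''" when nothing was found; a separate message for the empty case would be more accurate.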
🧰 Tools
🪛 Ruff (0.15.10)

[error] 355-355: subprocess call: check for execution of untrusted input

(S603)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/bin/pyutils/generate_common_versions.py` around lines 352 - 356, The
fallback grep path currently uses subprocess.run(..., check=True) which will
raise CalledProcessError if grep finds no match and converts a previously soft
empty gitops_version into a hard crash; update the block that runs when
gitops_version is falsy (after get_gitops_version calls) to run grep with
check=False (or wrap subprocess.run in try/except CalledProcessError), safely
handle an empty stdout (keep gitops_version as empty or preserve a prior value),
and change the logging message in that branch to neutral wording (e.g., "Falling
back to local common_versions.sh, resulting GITOPS_VERSION=<value_or_empty>") so
it no longer implies an API failure; refer to the gitops_version variable and
the subprocess.run invocation in this section to locate and fix the code.
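
An added example, not part of the review or of the MicroShift code base: one way to implement the fallback discussed above without spawning grep, so that an unreadable file, a missing `GITOPS_VERSION=` line and a pinned value are three distinguishable outcomes. The names `read_pinned_version`, `resolve_gitops_version`, `PinStatus` and `PinResult`, and the sample file contents, are assumptions made for illustration.

```python
import enum
import logging
import pathlib
import re
import tempfile
from typing import NamedTuple

# Constructed sample contents; the version numbers are made up for this example.
SAMPLE = '''\
export OCP_VERSION=5.0
#GITOPS_VERSION=1.14
OLD_GITOPS_VERSION=1.15
GITOPS_VERSION="1.16"
'''


class PinStatus(enum.Enum):
    FOUND = "found"
    NO_MATCH = "no-match"      # the case grep reports with exit status 1
    UNREADABLE = "unreadable"  # the case grep reports with an error status


class PinResult(NamedTuple):
    status: PinStatus
    value: str


def read_pinned_version(path: pathlib.Path, key: str = "GITOPS_VERSION") -> PinResult:
    """Return the value assigned to `key` in a shell-style KEY=value file.

    Hypothetical helper. It is stricter than the unanchored grep lookbehind
    in the PR: the assignment must start the line (optionally after
    `export`), so commented-out lines and keys that merely end in `key`
    are ignored.
    """
    pattern = re.compile(rf"^\s*(?:export\s+)?{re.escape(key)}=(.*)$")
    try:
        text = path.read_text(encoding="utf-8")
    except (OSError, UnicodeDecodeError) as err:
        logging.warning("cannot read %s: %s", path, err)
        return PinResult(PinStatus.UNREADABLE, "")

    value = ""
    for line in text.splitlines():
        match = pattern.match(line)
        if match:
            # Shell semantics: a later assignment overrides an earlier one.
            value = match.group(1).strip().strip("\"'")
    if not value:
        # No assignment at all, or an empty one: nothing to preserve.
        return PinResult(PinStatus.NO_MATCH, "")
    return PinResult(PinStatus.FOUND, value)


def resolve_gitops_version(api_value: str, versions_file: pathlib.Path) -> str:
    """Prefer the upstream value; otherwise keep the locally pinned one."""
    if api_value:
        return api_value
    result = read_pinned_version(versions_file)
    if result.status is PinStatus.FOUND:
        logging.info("no version resolved upstream; keeping GITOPS_VERSION=%r",
                     result.value)
    else:
        # Soft failure: the caller receives "" and the reason is in the log.
        logging.warning("no version resolved upstream; local lookup was %s",
                        result.status.value)
    return result.value


def demo() -> dict:
    """Run each outcome against files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        pinned = root / "common_versions.sh"
        pinned.write_text(SAMPLE, encoding="utf-8")
        no_pin = root / "no_pin.sh"
        no_pin.write_text("export OCP_VERSION=5.0\n", encoding="utf-8")
        return {
            "found": read_pinned_version(pinned),
            "no_match": read_pinned_version(no_pin),
            "unreadable": read_pinned_version(root / "missing.sh"),
            "fallback": resolve_gitops_version("", pinned),
            "api_wins": resolve_gitops_version("1.17", pinned),
            "soft_empty": resolve_gitops_version("", no_pin),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```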

@pacevedom
Contributor Author

/retest

@pacevedom
Contributor Author

/test ?

@pacevedom
Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

2 similar comments
@pacevedom
Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@pacevedom
Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@pacevedom
Contributor Author

/test e2e-aws-tests-bootc-periodic-el9
/test e2e-aws-tests-bootc-periodic-el10

@pacevedom
Contributor Author

/test e2e-aws-tests-bootc-arm-el10
/test e2e-aws-tests-bootc-periodic-arm-el9
/test e2e-aws-tests-bootc-periodic-arm-el10

@pmtk
Member

pmtk commented Apr 20, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 20, 2026
@openshift-ci
Contributor

openshift-ci bot commented Apr 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom, pmtk

@pacevedom
Contributor Author

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 20, 2026
@pacevedom
Contributor Author

/verified by CI

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Apr 20, 2026
@openshift-ci-robot

@pacevedom: This PR has been marked as verified by CI.

@openshift-ci
Contributor

openshift-ci bot commented Apr 20, 2026

@pacevedom: all tests passed!

@openshift-merge-bot openshift-merge-bot bot merged commit 9264bfd into openshift:main Apr 20, 2026
25 checks passed
@pacevedom pacevedom deleted the rebase-bbad4d6f8-5.0.0-0.nightly-2026-04-16-172425_amd64-2026-04-16_arm64-2026-04-16 branch April 20, 2026 15:24