@@ -1,18 +1,45 @@
base_images:
base:
name: ubi
namespace: ocp
tag: "9"
name: hi-go
namespace: ci
tag: 1.26-fips-builder
build_root:
image_stream_tag:
name: release
namespace: openshift
tag: rhel-9-release-golang-1.25-openshift-4.21
name: hi-go
namespace: ci
tag: 1.26-fips-builder
Comment on lines 2 to +10
Contributor

@coderabbitai coderabbitai Bot May 27, 2026

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that make update was run by checking for changes in generated ProwJob configs

# Check for corresponding job config changes
fd -e yaml . ci-operator/jobs/openshift/backplane-cli/ --exec echo "Found job config: {}"

# Check git diff to see if job configs were modified alongside this config change
git diff --name-only origin/main | grep -E "ci-operator/jobs/openshift/backplane-cli"

Repository: openshift/release

Length of output: 270


🏁 Script executed:

#!/bin/bash
# Description: Verify the hi-go hardened image exists and check the tag

# Use oc to check if the image stream and tag exist in the ci namespace
oc get imagestream hi-go -n ci -o jsonpath='{.spec.tags[?(@.name=="1.26-fips-builder")].name}' 2>/dev/null || echo "Tag 1.26-fips-builder not found or imagestream does not exist"

# Check for available tags
oc get imagestream hi-go -n ci -o jsonpath='{.spec.tags[*].name}' 2>/dev/null | tr ' ' '\n'

Repository: openshift/release

Length of output: 123


Run make update and commit regenerated CI job YAMLs for the hi-go base/build_root change

  • Updating base_images.base and build_root.image_stream_tag in ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml should be accompanied by regenerated files under ci-operator/jobs/openshift/backplane-cli/ (main pre/postsubmits); no corresponding job YAML changes are present.
  • Ensure the hi-go:1.26-fips-builder imagestream/tag needed by CI is available in the ci namespace.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml`
around lines 2 - 10, The CI config was updated to use base: name=hi-go and
build_root.image_stream_tag: hi-go:1.26-fips-builder but the generated job YAMLs
were not regenerated; run the repo's make update (or the project-specific
generator) to regenerate CI job YAMLs for the backplane-cli main pre/postsubmit
jobs under ci-operator/jobs/openshift/backplane-cli/, commit those updated job
YAMLs alongside the change to base/build_root, and verify the
hi-go:1.26-fips-builder imagestream/tag exists in the ci namespace (or
create/replicate it) so CI can pull the image.

Contributor Author

Could you double check? I don't see anything that needs to change in ci-operator/jobs/openshift/backplane-cli/openshift-backplane-cli-main-presubmits.yaml for this.

Contributor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the current presubmits job YAML for backplane-cli to see if it references base_images or build_root
cat ci-operator/jobs/openshift/backplane-cli/openshift-backplane-cli-main-presubmits.yaml

Length of output: 570


🏁 Script executed:

#!/bin/bash
# List all job config files for backplane-cli
fd . ci-operator/jobs/openshift/backplane-cli/

# Also look at the full content of whatever exists
fd . ci-operator/jobs/openshift/backplane-cli/ --exec cat {}

Length of output: 718


🏁 Script executed:

#!/bin/bash
# Search broadly for backplane-cli job files
fd backplane-cli ci-operator/jobs/

# Also check if the directory exists at all
ls ci-operator/jobs/openshift/ | grep backplane

Length of output: 607


🏁 Script executed:

#!/bin/bash
# Check what directories are available at the root
ls -la

# Try to find the jobs directory
find . -maxdepth 3 -type d -name "backplane-cli" 2>/dev/null

# Check top-level directory structure
ls ci-operator/ 2>/dev/null || echo "ci-operator dir not found"

Length of output: 1775



@feichashao, you're right — I was mistaken. Changes to base_images and build_root.image_stream_tag in a ci-operator config YAML are read by ci-operator at runtime from the config file; they are not embedded into the generated ProwJob specs under ci-operator/jobs/. Since the ProwJob spec itself (test names, job types, cluster config, labels, etc.) is unchanged, running make update would be a no-op here and no job YAML regeneration is needed.

I'll withdraw that part of my review comment. Apologies for the noise!


✏️ Learnings added
Learnt from: feichashao
Repo: openshift/release PR: 79740
File: ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml:2-10
Timestamp: 2026-05-27T06:35:08.802Z
Learning: In the openshift/release repository, changes to `base_images` and `build_root.image_stream_tag` fields in ci-operator config YAMLs under `ci-operator/config/` do NOT require running `make update` or regenerating the ProwJob spec YAMLs under `ci-operator/jobs/`. These fields are read by ci-operator at runtime from the config YAML and are not embedded into the generated ProwJob specs. Only structural/semantic changes that alter the ProwJob spec itself (e.g., adding/renaming tests, changing job types, modifying metadata that feeds into the ProwJob spec) require `make update`.


🧠 Learnings used
Learnt from: PillaiManish
Repo: openshift/release PR: 79231
File: ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml:0-0
Timestamp: 2026-05-20T05:41:25.164Z
Learning: When reviewing OpenShift/Kubernetes operator manifests/CSVs, if a ClusterServiceVersion (CSV) defines an `emptyDir` volume mounted at `/tmp` with `medium: Memory`, treat that data as scoped to the *pod lifecycle* (not the container lifecycle). Container restarts within the same pod (e.g., restart after SIGTERM/termination and recreation of the container) should not wipe the `emptyDir` contents; data written to something like `/tmp/e2e-cover` should still be present and can be collected afterward (e.g., via `oc cp`). The `emptyDir` is cleared when the pod is deleted/recreated/rescheduled (pod lifecycle ends), not on container restarts.

Learnt from: rdiscala
Repo: openshift/release PR: 79357
File: ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__cnf-ran-sno-day2-worker-4.18.yaml:23-23
Timestamp: 2026-05-20T11:54:20.424Z
Learning: In the openshift/release repository CI operator configuration YAMLs, do not treat an intentionally impossible cron schedule (e.g., `0 0 31 2 *` for “Feb 31”) as a misconfiguration. This pattern is an intentional mechanism used to disable/park a periodic CI job temporarily (e.g., while an upstream bug is being fixed). Only flag cron syntax errors when the schedule is not an intentional “impossible date” disable pattern used for job parking.

Learnt from: dhaiducek
Repo: openshift/release PR: 79563
File: ci-operator/config/stolostron/cluster-proxy/stolostron-cluster-proxy-main.yaml:41-43
Timestamp: 2026-05-20T19:31:57.286Z
Learning: In the openshift/release repo, for ci-operator container test step config YAML files under ci-operator/config/, remember that the `commands` field is read by ci-operator at runtime from the config YAML and is not embedded into the generated ProwJob YAML under `ci-operator/jobs/`. Therefore, if a PR changes only `commands` (and not any ProwJob-spec affecting structural fields such as test/job names, job types/spec, or metadata that changes the resulting ProwJob spec), you generally do NOT need to run `make update` and regenerating artifacts should be a no-op diff. Run `make update` only when the changes affect the generated ProwJob spec (e.g., new/renamed tests, new job types, or other spec/metadata changes that alter `ci-operator/jobs/` output).

Learnt from: tthvo
Repo: openshift/release PR: 79564
File: ci-operator/config/openshift/multiarch/openshift-multiarch-main__nightly-4.20-upgrade-from-nightly-4.19.yaml:94-94
Timestamp: 2026-05-20T20:01:14.481Z
Learning: In the openshift/release repo, when editing ci-operator config YAMLs under ci-operator/config/, changes that only modify the *values* of environment variables inside test step `env` blocks (e.g., COMPUTE_NODE_TYPE, ADDITIONAL_WORKER_VM_TYPE, MIGRATION_INFRA_MACHINE_TYPE) do not change the generated ProwJob specs under ci-operator/jobs/. For these value-only env tweaks, reviewers should not require running `make update` because it should produce no diff. Require `make update` only for structural/semantic changes that can affect the generated ProwJob spec (e.g., adding/renaming tests, changing job types, or altering metadata/fields that feed into the ProwJob spec).

Learnt from: karampok
Repo: openshift/release PR: 79537
File: ci-operator/config/openshift/bond-cni/openshift-bond-cni-main.yaml:32-33
Timestamp: 2026-05-21T09:04:21.025Z
Learning: In openshift/release, when modifying a ci-operator config YAML under ci-operator/config/ by adding an `env` block (key/value environment variables such as `TEST_TYPE`, `TEST_SUITE`, `TEST_ARGS`) to an existing test step, this change does not affect the generated ProwJob specs under ci-operator/jobs/. In this case, `make update` is a no-op—do not request or flag that `make update` was (or needs to be) run for these env-only edits.

images:
items:
- dockerfile_path: Dockerfile
from: base
to: unused
- dockerfile_literal: |
FROM base

# Install required tools
RUN dnf install -y which gawk tar gzip && \
dnf clean all

# Copy source code
COPY . /go/src/github.com/openshift/
WORKDIR /go/src/github.com/openshift/backplane-cli

# Grant read, write, and execute permissions to all users for repo directory
RUN chmod -R 777 /go/src/github.com/openshift/backplane-cli

# Trust this repo directory in git
RUN git config --system --add safe.directory /go/src/github.com/openshift/backplane-cli

# Set environment variables for Go
ENV HOME=/tmp/home
ENV GOPATH=/tmp/go
from: base
inputs:
src:
paths:
- destination_dir: .
source_path: /go/src/github.com/openshift/backplane-cli
to: backplane-ci-runner
resources:
'*':
requests:
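Review bot: `RUN chmod -R 777 /go/src/github.com/openshift/backplane-cli` in the `dockerfile_literal` makes the whole checkout world-writable, including the Makefile and any scripts that the later steps run with `CODECOV_TOKEN` and `GITHUB_TOKEN` mounted. If the goal is only to let the arbitrary non-root UID that OpenShift assigns to the test pod (which runs in group 0) write to the tree, group ownership is enough: `RUN chgrp -R 0 /go/src/github.com/openshift/backplane-cli && chmod -R g=u /go/src/github.com/openshift/backplane-cli`. The comment above the line should also say which step needs write access and why.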
Expand All @@ -22,31 +49,33 @@ tests:
- as: lint
commands: |
unset GOFLAGS
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
pwd
id
go env
make lint
container:
from: src
from: backplane-ci-runner
- as: test
commands: |
make test
container:
from: src
from: backplane-ci-runner
- as: scan-optional
commands: make scan
container:
from: src
from: backplane-ci-runner
optional: true
- as: build
commands: |
make build
container:
from: src
from: backplane-ci-runner
- as: coverage
commands: |
export CODECOV_TOKEN=$(cat /tmp/secret/CODECOV_TOKEN)
make coverage
container:
from: src
from: backplane-ci-runner
secret:
mount_path: /tmp/secret
name: backplane-cli-codecov-token
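Review bot: In the `lint` step's `commands`, `go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest` resolves to whatever version is current when the job runs, so lint results can change without any change to this repository and the job executes linter code that was never reviewed at a fixed version. Pin an explicit release tag in place of `@latest`, or install the linter at a pinned version in the `backplane-ci-runner` `dockerfile_literal`. The `pwd`, `id` and `go env` lines read as debugging output; drop them before merge or add a comment saying why they stay.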
Expand All @@ -55,7 +84,7 @@ tests:
export CODECOV_TOKEN=$(cat /tmp/secret/CODECOV_TOKEN)
make coverage
container:
from: src
from: backplane-ci-runner
postsubmit: true
secret:
mount_path: /tmp/secret
Expand All @@ -66,7 +95,7 @@ tests:
export GITHUB_TOKEN=$(cat /tmp/secret/GITHUB_TOKEN)
make release
container:
from: src
from: backplane-ci-runner
postsubmit: true
run_if_changed: ^VERSION.md$
secret:
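Review bot: The `make release` step that exports `GITHUB_TOKEN` now runs from `backplane-ci-runner`, which is built on `hi-go` tag `1.26-fips-builder`, so published release artifacts will be produced with that toolchain rather than the previous `rhel-9-release-golang-1.25-openshift-4.21` build root. The PR description should state that this toolchain change is intended for releases as well as for the presubmit checks, and what was done to confirm that `make release` output is still usable by existing consumers.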