ROX-14475: Upgrade to UBI9 #15178

BradLugo · 2025-05-05T17:17:11Z

Description

Upgrade to UBI9. This is currently a proof-of-concept to see what will break or otherwise block us from moving forward with this upgrade.

Related PRs:

ROX-14475: Upgrade to UBI9 rox-ci-image#226

User-facing documentation

CHANGELOG.md is updated OR update is not needed
documentation PR is created and is linked above OR is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

How I validated my change

change me!

openshift-ci · 2025-05-05T17:17:16Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

rhacs-bot · 2025-05-05T18:09:34Z

Images are ready for the commit at 007ed67.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.9.x-506-g007ed67599.

codecov · 2025-05-05T18:43:46Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.08%. Comparing base (397179b) to head (007ed67).
⚠️ Report is 900 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #15178      +/-   ##
==========================================
+ Coverage   49.04%   49.08%   +0.03%     
==========================================
  Files        2635     2640       +5     
  Lines      195420   195603     +183     
==========================================
+ Hits        95852    96008     +156     
- Misses      92067    92089      +22     
- Partials     7501     7506       +5

Flag	Coverage Δ
go-unit-tests	`49.08% <ø> (+0.03%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

BradLugo · 2025-05-12T17:57:11Z

/retest

davdhacs · 2025-05-16T19:00:40Z

operator/bundle_helpers/requirements-gha.txt

 # PyYAML > 6.0 requires Python > 3.6.
 PyYAML==6.0
-# pytest==7.0.1 is the latest available for the quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.8 job container's Python.
+# pytest==7.0.1 is the latest available for the quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.8-3-g679cfb72eb job container's Python.


I think this change can be removed, but later can be resolved because UBI9 system python is 3.9 (I checked in quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.8-3-g679cfb72eb).

BradLugo · 2025-06-15T04:13:33Z

Rebased, added messages to the fixups commits (you can read them by clicking on the kabob / more-options icon), and hopefully fixed the permission issues we were seeing.

BradLugo · 2025-06-15T08:08:51Z

Cherry-picking some commits from #15337. One of them should resolve the scanner build errors. Hoping it shares the history cleanly.

BradLugo · 2025-06-15T16:39:59Z

/retest-required

BradLugo · 2025-06-15T23:08:23Z

/retest-required

BradLugo · 2025-06-16T15:57:24Z

/retest

BradLugo · 2025-06-16T20:33:30Z

/retest

BradLugo · 2025-06-16T23:10:40Z

/retest

BradLugo · 2025-06-17T06:36:19Z

/retest

BradLugo · 2025-08-11T19:24:57Z

rebasing and testing a simpler change

BradLugo · 2025-08-12T15:43:37Z

/retest

BradLugo · 2025-08-12T20:36:23Z

/retest

BradLugo · 2025-08-13T07:10:15Z

/retest

Missed the actually runtime container images in the last commit (only changed the builder images).

Should resolve the permission issues we're seeing in CI. Regarding why we do all the certificate business in the first place, I think it's because we want to update the trusted certificates in the container with any stackrox-generate certs+any relevant OCP certs. However, there may be a better way to go about it. Needs further investigation and possibly roping in other teams (e.g., Install team).

Update `pg_rhel_major` to 9 for the rest of the download scripts.

Don't globber files when restoring. Should resolve the sensor errors. I suspect this approach won't be the one we ship - just trying to get everything to work for now.

Turns out we weren't running the `update-ca-trust` command from the last fixup since we were restoring `/etc/pki/ca-trust/extracted` that was saved during the container build process. These changes should implement the original fixup correctly and allow the operator-related CA tests to pass.

BradLugo · 2025-08-13T16:51:32Z

/retest

red-hat-konflux · 2025-08-13T16:51:41Z

Caution

There are some errors in your PipelineRun template.

PipelineRun	Error
central-db-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
main-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
operator-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
operator-bundle-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
retag-collector	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
retag-scanner-db-slim	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
retag-scanner-db	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
retag-scanner-slim	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
retag-scanner	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
roxctl-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
scanner-v4-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`
scanner-v4-db-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: pull_request`

BradLugo · 2025-08-14T20:14:32Z

/retest

openshift-ci bot added the do-not-merge/work-in-progress label May 5, 2025

BradLugo force-pushed the ROX-14475-ubi9 branch from 797190f to a7b1e41 Compare May 5, 2025 17:42

github-actions bot added area/operator area/ci labels May 5, 2025

stackrox deleted a comment from openshift-ci bot May 12, 2025

BradLugo added the ci-all-qa-tests Tells CI to run all API tests (not just BAT). label May 12, 2025

BradLugo force-pushed the ROX-14475-ubi9 branch from a7b1e41 to 6a7f365 Compare May 14, 2025 01:01

github-actions bot added the area/helm label May 14, 2025

davdhacs reviewed May 16, 2025

View reviewed changes

BradLugo force-pushed the ROX-14475-ubi9 branch from 6a7f365 to b2afd4e Compare May 20, 2025 17:35

BradLugo force-pushed the ROX-14475-ubi9 branch from b2afd4e to e80a128 Compare June 15, 2025 04:10

github-actions bot added area/postgres area/scanner labels Jun 15, 2025

BradLugo force-pushed the ROX-14475-ubi9 branch from fe889a6 to 822716b Compare June 16, 2025 22:42

BradLugo force-pushed the ROX-14475-ubi9 branch from 822716b to 80f80ef Compare August 11, 2025 19:24

BradLugo and others added 11 commits August 13, 2025 09:26

ROX-14475: Upgrade to UBI9

e33c8a5

fixup! ROX-14475: Upgrade to UBI9

b47de6e

Missed the actually runtime container images in the last commit (only changed the builder images).

fixup! ROX-14475: Upgrade to UBI9

94df1ef

Update `pg_rhel_major` to 9 for the rest of the download scripts.

ubi8->9 in op and scanner dockerfiles

f642908

"c9s" base postgres image

1a26e63

fixup! ROX-14475: Upgrade to UBI9

c49a69d

Don't globber files when restoring. Should resolve the sensor errors. I suspect this approach won't be the one we ship - just trying to get everything to work for now.

wip

a048886

update images for go upgrade

1b9516d

wip

0cdb846

BradLugo force-pushed the ROX-14475-ubi9 branch from a39a7d5 to 0cdb846 Compare August 13, 2025 16:26

wip

007ed67

davdhacs mentioned this pull request Nov 19, 2025

chore(build): Upgrade to UBI9 #17874

Closed

ROX-14475: Upgrade to UBI9 #15178

Are you sure you want to change the base?

ROX-14475: Upgrade to UBI9 #15178

Uh oh!

Conversation

BradLugo commented May 5, 2025

Description

User-facing documentation

Testing and quality

Automated testing

How I validated my change

Uh oh!

openshift-ci bot commented May 5, 2025

Uh oh!

rhacs-bot commented May 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov bot commented May 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

BradLugo commented May 12, 2025

Uh oh!

davdhacs May 16, 2025

Choose a reason for hiding this comment

Uh oh!

BradLugo commented Jun 15, 2025

Uh oh!

BradLugo commented Jun 15, 2025

Uh oh!

BradLugo commented Jun 15, 2025

Uh oh!

BradLugo commented Jun 15, 2025

Uh oh!

BradLugo commented Jun 16, 2025

Uh oh!

BradLugo commented Jun 16, 2025

Uh oh!

BradLugo commented Jun 16, 2025

Uh oh!

BradLugo commented Jun 17, 2025

Uh oh!

BradLugo commented Aug 11, 2025

Uh oh!

BradLugo commented Aug 12, 2025

Uh oh!

BradLugo commented Aug 12, 2025

Uh oh!

BradLugo commented Aug 13, 2025

Uh oh!

BradLugo commented Aug 13, 2025

Uh oh!

red-hat-konflux bot commented Aug 13, 2025

Uh oh!

BradLugo commented Aug 14, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

rhacs-bot commented May 5, 2025 •

edited

Loading

codecov bot commented May 5, 2025 •

edited

Loading