
OSASINFRA-4389: Use EPEL for openstackclient #80522

Open
stephenfin wants to merge 4 commits into openshift:main from shiftstack:openstack-epel-repos

Conversation

@stephenfin stephenfin commented Jun 15, 2026

Contributor

Add support for the EPEL repos, giving us an alternative to the OSP 17.1 repos that will eventually be removed.

Summary by CodeRabbit

This PR updates OpenShift CI infrastructure to stop relying on the deprecated OpenStack Package Repository (OSP) 17.1 for packages needed by installer workflows, and instead sources those dependencies from EPEL.

What changes in practice

  • Installer/origin CI pipelines now fetch EPEL-backed base YUM repos: the ci-operator configuration for OpenShift installer and origin has its raw_steps logic updated to pull repository metadata from internal base-*-epel-* endpoints (EPEL 9 for OCP 4.x, EPEL 10 for OCP 5.x), writing them into the CI yum repo artifact locations used during builds.
  • RPM mirroring is extended to include EPEL base repositories in the build-shared release-controller configuration:
    • New content-mirror Service/Deployment pairs are added for base-4.x-epel-9 and base-5.0-epel-10 / base-5.1-epel-10 so CI can mirror and consume EPEL packages reliably.
  • vSphere02 release-controller mirroring is adjusted to exclude/avoid the EPEL-specific base repos:
    • Generated Service/Deployment resources previously tied to base-openstack-* are replaced with the corresponding non-EPEL “default” base resources, using *-default.repo config map keys.

Supporting infrastructure updates

  • New EPEL repo configuration files were added under core-services/release-controller/_repos/ for the relevant OCP versions, defining the EPEL 9/10 [epel] stanzas with enabled GPG verification and correct base URLs.
  • Generator logic updated to support per-cluster repo exclusions:
    • add_rpm_mirror_service() now supports an exclude_repo_keys option.
    • generate-release-controllers.py uses this to compute EPEL-related exclusions for vsphere02.
  • Release-controller coverage extended to OCP 5.1:
    • Generator config now includes 5.1.
    • RBAC and ImageStream manifests are updated to add support for the 5.1 release.

Overall, the practical outcome is that OpenShift CI (installer/origin pipelines and RPM mirroring) switches its base package source to EPEL to maintain continuity as OSP 17.1 approaches end-of-life.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Jun 15, 2026
openshift-ci-robot commented Jun 15, 2026

Contributor

@stephenfin: This pull request references OSASINFRA-4389 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

In response to this:

Add support for the EPEL repos, giving us an alternative to the OSP 17.1 repos that will eventually be removed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented Jun 15, 2026

Contributor

Walkthrough

Replaces OpenStack-based RPM mirror services with EPEL 9/10 mirrors across all OCP releases (4.6–5.1), adds generator support for conditional repo exclusion on vsphere02, deploys EPEL content-mirror workloads to build-shared, removes openstack mirrors from vsphere02, updates ci-operator pipeline cache steps to use EPEL endpoints, and introduces OCP 5.1 release infrastructure including RBAC, ImageStreams, RPM mirror manifests, and complex multi-variant RHEL repository configuration.

Changes

EPEL Mirror Migration

  • Generator: exclude_repo_keys support
    • File(s): hack/generators/release-controllers/config/__init__.py, hack/generators/release-controllers/content/art_rpm_mirroring_services.py, hack/generators/release-controllers/generate-release-controllers.py
    • Summary: add_rpm_mirror_service gains an optional exclude_repo_keys parameter; the generation loop is refactored to compute an exclude list when the path contains vsphere02 and passes it to each call.
  • EPEL 9/10 yum repo config files
    • File(s): core-services/release-controller/_repos/ocp-4.6-epel-9.repo, core-services/release-controller/_repos/ocp-4.7-epel-9.repo, core-services/release-controller/_repos/ocp-4.8-epel-9.repo, core-services/release-controller/_repos/ocp-4.9-epel-9.repo, core-services/release-controller/_repos/ocp-4.1*-epel-9.repo, core-services/release-controller/_repos/ocp-4.2*-epel-9.repo, core-services/release-controller/_repos/ocp-5.0-epel-10.repo, core-services/release-controller/_repos/ocp-5.1-epel-10.repo
    • Summary: Adds 20 new .repo files, each defining the [epel] repository section with baseurl, enabled, gpgcheck, and gpgkey for EPEL 9 (OCP 4.6–4.23) or EPEL 10 (OCP 5.0–5.1).
  • build-shared: new EPEL Service+Deployment per OCP release
    • File(s): clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.6.yaml, clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.7.yaml, clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.8.yaml, clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.9.yaml, clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.1*.yaml, clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.2*.yaml, clusters/build-clusters/build-shared/release-controller/rpms-ocp-5.0.yaml
    • Summary: Inserts a new ClusterIP Service and content-mirror Deployment (base-N-epel-9 or base-5-0-epel-10) in each file, mounting the EPEL-specific ConfigMap repo entry and standard mirror auth secrets with an emptyDir cache.
  • vsphere02: remove OpenStack mirrors
    • File(s): clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.6.yaml, clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.7.yaml, clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.8.yaml, clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.9.yaml, clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.1*.yaml, clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.2*.yaml, clusters/build-clusters/vsphere02/release-controller/rpms-ocp-5.0.yaml
    • Summary: Removes or replaces base-openstack-N Service/Deployment pairs; some versions switch to base-N resources using ocp-N-default.repo ConfigMap keys, others rely on the new generator exclusion logic to skip openstack repos entirely.
  • ci-operator: switch pipeline cache curl to EPEL endpoints
    • File(s): ci-operator/config/openshift/installer/openshift-installer-*.yaml, ci-operator/config/openshift/origin/openshift-origin-*.yaml
    • Summary: Updates the raw_steps pipeline_image_cache_step curl command in all installer and origin configs (4.16–4.23, 5.0, 5.1, main) to fetch from base-N-epel-9.ocp.svc or base-N-epel-10.ocp.svc instead of base-openstack-N.ocp.svc.

OCP 5.1 Release Infrastructure

  • RBAC and ImageStreams for 5.1
    • File(s): clusters/app.ci/release-controller/admin_deploy-ocp-controller.yaml, clusters/app.ci/release-controller/admin_deploy-ocp-publish-art.yaml
    • Summary: Grant release-controller modify permissions for OCP image version 5.1; add 5.1 and 5.1-art-latest ImageStream pairs to all namespace variants (ocp, ocp-s390x, ocp-ppc64le, ocp-arm64, ocp-multi, ocp-priv, and -priv suffixed variants).
  • build-shared: OCP 5.1 RPM mirror manifests
    • File(s): clusters/build-clusters/build-shared/release-controller/rpms-ocp-5.1.yaml
    • Summary: Create full release-controller manifest with 20 Service/Deployment pairs covering base, ppc64le, rhel-8/9 ironic variants, rhel10/101/102, rhel8-aarch64, rhel8/9 variants, and s390x, each running content-mirror container with EPEL 10 and release-specific repo ConfigMaps.
  • vsphere02: OCP 5.1 RPM mirror manifests
    • File(s): clusters/build-clusters/vsphere02/release-controller/rpms-ocp-5.1.yaml
    • Summary: Create corresponding OCP 5.1 mirror manifest for vsphere02 cluster with all variant Services and Deployments, using amd64 nodeSelector across all resources.
  • OCP 5.1 RHEL 10.2 repository configuration
    • File(s): core-services/release-controller/_repos/ocp-5.1-rhel102.repo
    • Summary: Add comprehensive yum/dnf repository definition for RHEL 10.2 with seven stanzas (baseos, appstream, nfv, highavailability, fast-datapath, server-ose-5.0, early-kernel) including client certificate/key mounting, basic-auth file references, and kernel/iptables includepkgs filtering.
  • Generator: 5.1 release version
    • File(s): hack/generators/release-controllers/config/__init__.py
    • Summary: Extend Config._get_releases() to include hardcoded 5.1 release alongside existing 4.23 and 5.0 versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • openshift/release#80230: Both PRs touch the OpenShift installer CI raw_steps yum-repo bootstrap logic in openshift-installer-main.yaml and related release YAMLs, changing the base repo endpoint sources.

Suggested reviewers

  • AlexNPavel
  • danilo-gemoli

@stephenfin

Contributor Author

/jira refresh

openshift-ci-robot commented Jun 15, 2026

Contributor

@stephenfin: This pull request references OSASINFRA-4389 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@stephenfin

Contributor Author

/cc @mandre

@openshift-ci openshift-ci Bot requested review from deads2k, deepsm007 and mandre June 15, 2026 12:13

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/config/openshift/installer/openshift-installer-release-4.20.yaml`:
- Line 119: The curl commands fetching EPEL repo files across four release
versions lack robustness flags. Update the curl invocations in
ci-operator/config/openshift/installer/openshift-installer-release-4.20.yaml
(line 119), openshift-installer-release-4.21.yaml (line 126),
openshift-installer-release-4.22.yaml (line 126), and
openshift-installer-release-4.23.yaml (line 130) by adding the flags --fail
--silent --show-error to fail fast on HTTP errors, plus --connect-timeout and
--max-time options to bound connection and total request time, and --retry with
--retry-delay flags to enable automatic retries on transient failures. Apply the
same hardened curl flags to all four locations to ensure consistent and reliable
repo materialization across all release branches.

In `@ci-operator/config/openshift/installer/openshift-installer-release-5.1.yaml`:
- Line 130: The curl command in the build step references the
base-5-1-epel-10.ocp.svc endpoint which does not have corresponding
infrastructure defined. Create the missing infrastructure manifest file
clusters/build-clusters/build-shared/release-controller/rpms-ocp-5.1.yaml that
defines the Service and Deployment resources needed for the base-5-1-epel-10
service. Use the existing rpms-ocp-5.0.yaml as a reference template, adapting
the resource names and labels appropriately for the 5.1 version to match what
the curl command on line 130 expects to reach.

In `@ci-operator/config/openshift/origin/openshift-origin-release-4.23.yaml`:
- Line 39: Update the EPEL mirror endpoint in the curl command on line 39 to
match the 4.23 release context. Change the reference from base-4-22-epel-9 to
base-4-23-epel-9 in both the URL and the output file path to ensure the correct
repository metadata is fetched for 4.23 jobs.

In `@clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.16.yaml`:
- Around line 126-202: This Deployment manifest is generated from a template and
is missing required hardening and operability controls. Fix the template in
hack/generators/release-controllers/content/art_rpm_mirroring_services.py by
adding to the mirror container: a securityContext block with
allowPrivilegeEscalation set to false, readOnlyRootFilesystem set to true,
runAsNonRoot set to true, and capabilities with drop containing ALL; liveness
and readiness probes appropriate for the HTTP service on port 8080; and resource
limits (cpu and memory) to complement the existing memory requests. After
updating the template, regenerate the manifest so the changes appear in the
Deployment specification.

In `@clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.21.yaml`:
- Around line 126-202: The base-4-21-epel-9 Deployment lacks required security
hardening and resource controls as per the coding guidelines. In the container
spec for the mirror container, add a securityContext with runAsNonRoot true,
readOnlyRootFilesystem true, allowPrivilegeEscalation false, and capabilities
drop set to ALL. Additionally, add resources.limits specifying memory and CPU
constraints to the container. Finally, add both livenessProbe and readinessProbe
health checks to the container definition. If this Deployment is generated from
a template, apply these same security context, resource limits, and health probe
configurations to the template so all generated mirror Deployments inherit these
controls consistently.

In `@clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.6.yaml`:
- Around line 126-202: The Deployment manifests for the EPEL mirror are missing
essential security hardening controls across both ocp-4.6 and ocp-4.7
configurations. In both files
(clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.6.yaml at
lines 126-202 and
clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.7.yaml at
lines 126-202), add container-level security context settings to the mirror
container with runAsNonRoot: true, allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, and capabilities.drop for all unnecessary
capabilities. Additionally, add pod-level security context settings at the
spec.template.spec level, and ensure the mirror container has explicit resource
limits and health check probes. Apply these same hardening controls identically
to both deployment files to establish consistent security defaults.

In `@clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.8.yaml`:
- Around line 126-202: The base-4-8-epel-9 Deployment and similar content-mirror
Deployments lack required security hardening settings including
allowPrivilegeEscalation: false, runAsNonRoot: true, readOnlyRootFilesystem:
true, and dropped ALL capabilities, as well as missing resource limits and
liveness/readiness probes. Update the generator template that produces these
Deployments to include these security context configurations and probe
definitions by default in the mirror container specification, then regenerate
the manifests to apply the changes across all affected deployments.


📥 Commits

Reviewing files that changed from the base of the PR and between b3e0d71 and 989aca6.

📒 Files selected for processing (82)
💤 Files with no reviewable changes (19)
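The two supply-chain points raised in the review above (hardened curl flags for the repo fetch, and an [epel] stanza that actually has GPG verification on), worked through as an added Python example; this is not code from the PR or from the openshift/release generator. The /epel.repo path on the base-N-epel-M.ocp.svc hosts, the plain-HTTP scheme, the timeout and retry values, and the sample stanza contents are all assumptions.

```python
"""Fetch an EPEL .repo file with hardened curl flags and validate it before use.

Added example for the CodeRabbit review points above; it is not code from the
openshift/release PR. Assumptions: the mirror serves the file over plain HTTP
at /epel.repo (the thread only names the base-N-epel-M.ocp.svc hosts), and the
sample stanza below is constructed, not the PR's actual .repo file.
"""
import configparser
import subprocess

# Flags the review asked for: fail fast on HTTP errors, bounded connect and
# total time, automatic retries on transient failures (values are assumed).
HARDENED_CURL_FLAGS = [
    "--fail", "--silent", "--show-error",
    "--connect-timeout", "10",
    "--max-time", "60",
    "--retry", "3",
    "--retry-delay", "5",
]

REQUIRED_KEYS = ("baseurl", "enabled", "gpgcheck", "gpgkey")


def epel_mirror_url(ocp_version: str) -> str:
    """Mirror endpoint for an OCP release: EPEL 9 for 4.x, EPEL 10 for 5.x
    (the mapping stated in the PR description). The /epel.repo path is assumed."""
    major, minor = ocp_version.split(".")
    epel = "9" if major == "4" else "10"
    return f"http://base-{major}-{minor}-epel-{epel}.ocp.svc/epel.repo"


def curl_command(url: str, dest: str) -> list[str]:
    """argv for curl with the hardening flags, writing the file to dest."""
    return ["curl", *HARDENED_CURL_FLAGS, "--output", dest, url]


def validate_repo_file(text: str, section: str = "epel") -> list[str]:
    """Problems with a .repo file (an empty list means it is safe to install).

    Enforces what the PR says each EPEL stanza defines: baseurl, enabled,
    gpgcheck and gpgkey, with GPG verification switched on. The HTTPS
    baseurl check is an extra transport-level check added here.
    """
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable repo file: {exc}"]
    if not cp.has_section(section):
        return [f"missing [{section}] section"]
    stanza = cp[section]
    problems = [f"[{section}] missing {k}" for k in REQUIRED_KEYS
                if not stanza.get(k, "").strip()]
    if stanza.get("gpgcheck", "").strip() != "1":
        problems.append(f"[{section}] gpgcheck is not 1")
    if stanza.get("enabled", "").strip() != "1":
        problems.append(f"[{section}] enabled is not 1")
    baseurl = stanza.get("baseurl", "").strip()
    if baseurl and not baseurl.startswith("https://"):
        problems.append(f"[{section}] baseurl is not https: {baseurl}")
    return problems


def fetch_and_validate(ocp_version: str, dest: str) -> list[str]:
    """Download the repo file for ocp_version into dest, then validate it.

    Returns the validation problems; a non-empty list means the file must
    not be left in place for yum/dnf to pick up.
    """
    url = epel_mirror_url(ocp_version)
    try:
        subprocess.run(curl_command(url, dest), check=True)
    except (subprocess.CalledProcessError, OSError) as exc:
        return [f"fetch failed: {exc}"]
    with open(dest, encoding="utf-8") as fh:
        return validate_repo_file(fh.read())


# Constructed sample modelled on an ocp-4.x-epel-9.repo stanza as the PR
# describes it (the real file contents are not shown in the thread).
SAMPLE_EPEL9_REPO = """\
[epel]
name=Extra Packages for Enterprise Linux 9 - $basearch
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
"""

# Same stanza with verification turned off: what the validator must reject.
SAMPLE_WEAK_REPO = SAMPLE_EPEL9_REPO.replace("gpgcheck=1", "gpgcheck=0")


if __name__ == "__main__":
    print(" ".join(curl_command(epel_mirror_url("4.16"), "/tmp/epel.repo")))
    print("good:", validate_repo_file(SAMPLE_EPEL9_REPO))
    print("weak:", validate_repo_file(SAMPLE_WEAK_REPO))
```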

@stephenfin

Contributor Author

/pj-rehearse pull-ci-openshift-installer-main-e2e-openstack-ovn

@openshift-merge-bot

Contributor

@stephenfin: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
OSP 17.1 is nearing end-of-life, meaning these repos will soon disappear.
Switch to EPEL instead.

Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
@stephenfin stephenfin force-pushed the openstack-epel-repos branch from 989aca6 to 14f3833 June 15, 2026 14:20
openshift-ci Bot commented Jun 15, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: stephenfin
Once this PR has been reviewed and has the lgtm label, please assign danilo-gemoli, sosiouxme, vr4manta for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@stephenfin

Contributor Author

/pj-rehearse pull-ci-openshift-installer-main-e2e-openstack-ovn

@openshift-merge-bot

Contributor

@stephenfin: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@stephenfin: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-custom-security-groups openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-fips openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-imdsv2 openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-localzones openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-proxy openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-public-ipv4-pool openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-shared-vpc openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-shared-vpc-local-zones openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-shared-vpc-wavelength-zones openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-single-node openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-wavelengthzones openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-azure-capi-ovn openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-azure-ovn-shared-vpc openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-gcp-capi-ovn openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-gcp-ovn-byo-network-capi openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-gcp-ovn-secureboot-capi openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-gcp-ovn-xpn-capi openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-ibmcloud-capi-ovn openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-nutanix-capi-ovn openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-openstack-capi-ccpmso openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-openstack-capi-dualstack openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-openstack-capi-dualstack-upi openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-openstack-capi-dualstack-v6primary openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-openstack-capi-externallb openshift/installer presubmit Ci-operator config changed

A total of 2191 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 4

🧹 Nitpick comments (2)
hack/generators/release-controllers/generate-release-controllers.py (1)

63-63: 💤 Low value

Consider unpacking syntax for cleaner list construction.

The current concatenation works correctly, but Python's unpacking syntax is more idiomatic.

♻️ Proposed refactor
-        for major_minor in ['3.11'] + config.releases:
+        for major_minor in ['3.11', *config.releases]:
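Review bot: besides reading better, the unpacked form `['3.11', *config.releases]` is the more robust of the two, since `+` only works when `config.releases` is a list, whereas `*` accepts any iterable (a tuple, or whatever `Config._get_releases()` is changed to return later), so the suggestion is safe to take as-is.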
🤖 Prompt for AI Agents

In `@hack/generators/release-controllers/generate-release-controllers.py` at line
63, Replace the list concatenation using the plus operator with Python's
unpacking syntax in the for loop that iterates over major_minor versions.
Instead of concatenating ['3.11'] with config.releases using the plus operator,
use the unpacking operator inside the list literal to combine them in a more
idiomatic way. This applies to the for loop statement where major_minor is being
assigned.

Source: Linters/SAST tools

clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.10.yaml (1)

126-201: 🏗️ Heavy lift

Harden security posture and add resource limits in EPEL mirror deployments. All EPEL mirror deployments share a missing security context and resource limit configuration because they are generated from the same template in art_rpm_mirroring_services.py. Fix in the generator to apply to all versions.

  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.10.yaml#L126-L201: Add securityContext with allowPrivilegeEscalation: false, runAsNonRoot: true, and readOnlyRootFilesystem: true to the base-4-10-epel-9 Deployment container spec; add CPU and memory limits alongside the existing memory request.
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.11.yaml#L126-L202: Apply the same security context and resource limits to the base-4-11-epel-9 Deployment.
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.12.yaml#L126-L202: Apply the same security context and resource limits to the base-4-12-epel-9 Deployment.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.10.yaml`
around lines 126 - 201, Add security hardening and resource limits to the
container specs across three EPEL mirror deployment files. In rpms-ocp-4.10.yaml
lines 126-201, add a securityContext block to the base-4-10-epel-9 Deployment
container with allowPrivilegeEscalation set to false, runAsNonRoot set to true,
and readOnlyRootFilesystem set to true; additionally add CPU and memory limits
to the resources section alongside the existing memory request. Apply the
identical securityContext and resource limits changes to rpms-ocp-4.11.yaml
lines 126-202 for the base-4-11-epel-9 Deployment container, and to
rpms-ocp-4.12.yaml lines 126-202 for the base-4-12-epel-9 Deployment container.
Consider updating the template generator in art_rpm_mirroring_services.py to
ensure these configurations are applied consistently to all future EPEL mirror
deployments.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.13.yaml`:
- Around line 126-202: The Deployment base-4-13-epel-9 and its mirror container
lack required security hardening controls. Update the generator template that
produces this manifest to add: a securityContext with allowPrivilegeEscalation
set to false, runAsNonRoot set to true, readOnlyRootFilesystem set to true, and
capabilities dropping ALL; add resource limits alongside the existing memory
request; add readiness and liveness probes for the mirror container; and set
automountServiceAccountToken to false at the pod spec level unless the service
account token is explicitly required. After updating the generator template,
regenerate the manifest to apply these hardening controls.

In `@clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.19.yaml`:
- Around line 126-202: The Deployment for base-4-19-epel-9 in the generated
manifest file lacks required security hardening controls including
securityContext settings, resource limits, and health probes. Since this file is
generated from the template, locate the generator file at
hack/generators/release-controllers/content/art_rpm_mirroring_services.py and
update it to add the missing security controls to all generated mirror
Deployments. The fixes must include: adding securityContext with runAsNonRoot
true, readOnlyRootFilesystem true, and allowPrivilegeEscalation false to both
the pod and container specs; dropping ALL capabilities in securityContext;
defining resources.limits for cpu and memory in the container; and adding both
livenessProbe and readinessProbe to the mirror container. Ensure these controls
are applied in the template so they are inherited by all generated mirror
Deployments.

In `@clusters/build-clusters/build-shared/release-controller/rpms-ocp-5.1.yaml`:
- Around line 28-104: The generated Kubernetes Deployment manifest lacks
security hardening including securityContext settings, explicit resource limits,
and health check probes. Rather than patching this YAML directly, update the
generator script in
hack/generators/release-controllers/content/art_rpm_mirroring_services.py to
include these configurations in the baseline template. Add a
non-root/no-privilege-escalation securityContext at both pod and container level
in the generated templates, define resource limits alongside the existing memory
requests, and include appropriate liveness and readiness probes for the mirror
service. After updating the generator, regenerate the YAML manifests to apply
these hardening measures across all newly generated mirror workloads.

In `@core-services/release-controller/_repos/ocp-5.1-rhel102.repo`:
- Around line 1-88: All repository stanzas in the file (rhel-10.2-baseos,
rhel-10.2-appstream, rhel-10.2-nfv, rhel-10.2-highavailability,
rhel-10.2-fast-datapath, rhel-10.2-server-ose-5.0, and rhel-10.2-early-kernel)
have both sslverify disabled and gpgcheck disabled, creating a critical security
vulnerability. Change sslverify from false to 1 and gpgcheck from 0 to 1 across
all repository stanzas. If these restrictive settings are required due to
infrastructure constraints such as internal CA issues, document the specific
justification with comments explaining why and what compensating controls are in
place (such as network-level access restrictions or post-installation integrity
verification), rather than leaving the security settings disabled without
explanation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 684a24e2-d834-4de3-adfc-fe57dbf639d3

📥 Commits

Reviewing files that changed from the base of the PR and between 989aca6 and 14f3833.

📒 Files selected for processing (88)
  • ci-operator/config/openshift/installer/openshift-installer-main.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.16.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.17.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.18.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.19.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.20.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.21.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.22.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.23.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-5.0.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-5.1.yaml
  • ci-operator/config/openshift/origin/openshift-origin-main.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.16.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.17.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.18.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.19.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.20.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.21.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.22.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.23.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-5.0.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-5.1.yaml
  • clusters/app.ci/release-controller/admin_deploy-ocp-controller.yaml
  • clusters/app.ci/release-controller/admin_deploy-ocp-publish-art.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.10.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.11.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.12.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.13.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.14.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.15.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.16.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.17.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.18.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.19.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.20.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.21.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.22.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.23.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.6.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.7.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.8.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-4.9.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-5.0.yaml
  • clusters/build-clusters/build-shared/release-controller/rpms-ocp-5.1.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.10.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.11.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.12.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.13.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.14.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.15.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.16.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.17.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.18.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.19.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.20.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.21.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.22.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.23.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.6.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.7.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.8.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.9.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-5.0.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-5.1.yaml
  • core-services/release-controller/_repos/ocp-4.10-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.11-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.12-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.13-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.14-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.15-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.16-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.17-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.18-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.19-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.20-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.21-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.22-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.23-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.6-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.7-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.8-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.9-epel-9.repo
  • core-services/release-controller/_repos/ocp-5.0-epel-10.repo
  • core-services/release-controller/_repos/ocp-5.1-epel-10.repo
  • core-services/release-controller/_repos/ocp-5.1-rhel102.repo
  • hack/generators/release-controllers/config/__init__.py
  • hack/generators/release-controllers/content/art_rpm_mirroring_services.py
  • hack/generators/release-controllers/generate-release-controllers.py
💤 Files with no reviewable changes (19)
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.12.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.8.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.6.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.23.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.10.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.7.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.20.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.14.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.17.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.22.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.13.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.11.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.21.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.9.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-5.0.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.16.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.15.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.19.yaml
  • clusters/build-clusters/vsphere02/release-controller/rpms-ocp-4.18.yaml
✅ Files skipped from review due to trivial changes (7)
  • core-services/release-controller/_repos/ocp-4.12-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.13-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.17-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.19-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.23-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.15-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.11-epel-9.repo
🚧 Files skipped from review as they are similar to previous changes (31)
  • core-services/release-controller/_repos/ocp-5.0-epel-10.repo
  • ci-operator/config/openshift/origin/openshift-origin-release-4.22.yaml
  • core-services/release-controller/_repos/ocp-4.10-epel-9.repo
  • ci-operator/config/openshift/installer/openshift-installer-release-4.23.yaml
  • core-services/release-controller/_repos/ocp-4.14-epel-9.repo
  • core-services/release-controller/_repos/ocp-4.9-epel-9.repo
  • ci-operator/config/openshift/origin/openshift-origin-release-4.17.yaml
  • core-services/release-controller/_repos/ocp-4.18-epel-9.repo
  • ci-operator/config/openshift/installer/openshift-installer-release-4.17.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.16.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.22.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-5.0.yaml
  • core-services/release-controller/_repos/ocp-4.20-epel-9.repo
  • ci-operator/config/openshift/origin/openshift-origin-release-5.1.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.19.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.18.yaml
  • core-services/release-controller/_repos/ocp-4.16-epel-9.repo
  • ci-operator/config/openshift/installer/openshift-installer-release-4.19.yaml
  • core-services/release-controller/_repos/ocp-5.1-epel-10.repo
  • ci-operator/config/openshift/installer/openshift-installer-main.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.23.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.20.yaml
  • ci-operator/config/openshift/origin/openshift-origin-release-4.18.yaml
  • core-services/release-controller/_repos/ocp-4.6-epel-9.repo
  • ci-operator/config/openshift/origin/openshift-origin-release-4.20.yaml
  • core-services/release-controller/_repos/ocp-4.7-epel-9.repo
  • ci-operator/config/openshift/installer/openshift-installer-release-4.21.yaml
  • core-services/release-controller/_repos/ocp-4.8-epel-9.repo
  • ci-operator/config/openshift/origin/openshift-origin-main.yaml
  • hack/generators/release-controllers/content/art_rpm_mirroring_services.py
  • ci-operator/config/openshift/installer/openshift-installer-release-4.16.yaml
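The critical finding listed above against core-services/release-controller/_repos/ocp-5.1-rhel102.repo (sslverify and gpgcheck off in every stanza) is the kind of defect a repo-wide check catches before review. The following is an added example, not code from this PR or the openshift/release generators: it parses .repo stanzas and reports those two controls, run here on a constructed sample with placeholder hosts.

```python
"""Audit dnf/yum .repo stanzas for disabled TLS and package-signature checks.

Added example, not code from this PR: it checks the two keys the review
flags in core-services/release-controller/_repos/ocp-5.1-rhel102.repo
(sslverify and gpgcheck) for every enabled stanza. The sample repo text is
constructed for this example and uses placeholder hosts.
"""
import configparser
from dataclasses import dataclass

# Spellings dnf accepts for a false boolean option (matched case-insensitively).
_FALSE = {"0", "false", "no", "off"}


@dataclass(frozen=True)
class Finding:
    stanza: str
    key: str
    severity: str
    message: str


def _is_false(value: str) -> bool:
    return value.strip().lower() in _FALSE


def parse_repo(text: str) -> configparser.ConfigParser:
    """Parse .repo text. Only '=' is a delimiter (':' occurs inside URLs) and
    interpolation is off because baseurl values may contain '%'."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser


def audit_repo(text: str) -> list[Finding]:
    """Return one Finding per verification control that is off in an enabled stanza."""
    findings: list[Finding] = []
    parser = parse_repo(text)
    for stanza in parser.sections():
        opts = parser[stanza]
        if _is_false(opts.get("enabled", "1")):
            continue  # dnf never consults a disabled stanza
        # sslverify defaults to on; 'false' or '0' turns off certificate checks,
        # so metadata and RPMs could be swapped by anyone on the path to the CDN.
        if _is_false(opts.get("sslverify", "1")):
            findings.append(Finding(stanza, "sslverify", "critical",
                                    "TLS certificate verification is disabled"))
        gpgcheck = opts.get("gpgcheck")
        if gpgcheck is None:
            findings.append(Finding(stanza, "gpgcheck", "medium",
                                    "gpgcheck not set; stanza inherits the [main] default"))
        elif _is_false(gpgcheck):
            detail = " (a gpgkey is configured but never used)" if opts.get("gpgkey") else ""
            findings.append(Finding(stanza, "gpgcheck", "critical",
                                    "package signature verification is disabled" + detail))
        # A key fetched over plaintext HTTP can be swapped just like the packages.
        for url in opts.get("gpgkey", "").split():
            if url.lower().startswith("http://"):
                findings.append(Finding(stanza, "gpgkey", "high",
                                        f"signing key fetched over plaintext HTTP: {url}"))
    return findings


def blocking_findings(text: str) -> list[Finding]:
    """The subset that should fail a CI check over the _repos/ directory."""
    return [f for f in audit_repo(text) if f.severity == "critical"]


# Constructed sample: one stanza shaped like the flagged file, one hardened
# EPEL-style stanza, and one disabled stanza that must be ignored.
SAMPLE_REPO = """\
[rhel-10.2-baseos]
name = rhel-10.2-baseos
baseurl = https://cdn.example.invalid/content/e4s/rhel10/10.2/x86_64/baseos/os/
enabled = 1
gpgkey = https://keys.example.invalid/RPM-GPG-KEY-redhat-release https://keys.example.invalid/RPM-GPG-KEY-redhat-beta
sslverify = false
gpgcheck = 0
# placeholder ticket reference
sslclientkey = /tmp/key/rh-cdn.pem
sslclientcert = /tmp/key/rh-cdn.pem
failovermethod = priority
skip_if_unavailable = true

[epel]
name = Extra Packages for Enterprise Linux 10
baseurl = https://epel.example.invalid/10/Everything/x86_64/
enabled = 1
gpgkey = https://epel.example.invalid/RPM-GPG-KEY-EPEL-10
gpgcheck = 1

[legacy-disabled]
name = legacy (disabled)
baseurl = http://legacy.example.invalid/os/
enabled = 0
sslverify = 0
gpgcheck = 0
"""

# The same file with both controls switched on, as the review asks.
HARDENED_REPO = SAMPLE_REPO.replace("sslverify = false", "sslverify = 1") \
                           .replace("gpgcheck = 0", "gpgcheck = 1")

if __name__ == "__main__":
    for f in audit_repo(SAMPLE_REPO):
        print(f"[{f.severity}] {f.stanza}: {f.key}: {f.message}")
```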

Comment on lines +126 to +202
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
keel.sh/matchTag: 'true'
keel.sh/policy: force
keel.sh/pollSchedule: '@every 5m'
keel.sh/trigger: poll
labels:
app: base-4-13-epel-9
name: base-4-13-epel-9
namespace: ocp
spec:
replicas: 2
selector:
matchLabels:
app: base-4-13-epel-9
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
labels:
app: base-4-13-epel-9
spec:
containers:
- command:
- content-mirror
- --path=/tmp/config
- --max-size=5g
- --timeout=30m
- /tmp/repos
- /tmp/key
- /tmp/mirror-enterprise-basic-auth
image: quay-proxy.ci.openshift.org/openshift/ci:ci_content-mirror_latest
imagePullPolicy: Always
name: mirror
ports:
- containerPort: 8080
name: http
resources:
requests:
memory: 500Mi
volumeMounts:
- mountPath: /tmp/repos
name: repos
readOnly: true
- mountPath: /tmp/key
name: key
readOnly: true
- mountPath: /tmp/mirror-enterprise-basic-auth
name: mirror-enterprise-basic-auth
readOnly: true
- mountPath: /tmp/cache
name: cache
workingDir: /tmp/repos
nodeSelector:
kubernetes.io/arch: amd64
kubernetes.io/os: linux
volumes:
- configMap:
items:
- key: ocp-4.13-epel-9.repo
path: ocp-4.13-epel-9.repo
name: base-repos
name: repos
- name: key
secret:
secretName: mirror.openshift.com
- name: mirror-enterprise-basic-auth
secret:
defaultMode: 420
secretName: mirror-enterprise-basic-auth
- emptyDir: {}
name: cache
- emptyDir: {}
name: run
---
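Review bot: the `run` emptyDir that closes the volumes list is never mounted: the `mirror` container's volumeMounts cover /tmp/repos, /tmp/key, /tmp/mirror-enterprise-basic-auth and /tmp/cache only, so either drop the volume or mount it where the process actually writes. Separately, `image: quay-proxy.ci.openshift.org/openshift/ci:ci_content-mirror_latest` with `imagePullPolicy: Always` and `keel.sh/policy: force` on `@every 5m` means whatever is pushed to that tag next is rolled into this mirror within minutes with no review step; if that is the convention the other base-* mirrors already follow, it is still worth a digest-pinned option in the generator.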

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Harden the new base-4-13-epel-9 Deployment in the generator before merge.

Line 126 introduces a new Deployment that still lacks required container/pod hardening and operability controls (allowPrivilegeEscalation: false, runAsNonRoot, readOnlyRootFilesystem, dropping ALL capabilities, resource limits, readiness/liveness probes, and explicit automountServiceAccountToken: false unless required). Since this file is generated, update the generator template and regenerate these manifests.

Suggested manifest shape for the generated Deployment
 spec:
   template:
     spec:
+      automountServiceAccountToken: false
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: mirror
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop: ["ALL"]
         resources:
           requests:
             memory: 500Mi
+          limits:
+            cpu: "1"
+            memory: 1Gi
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
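Review bot: `readOnlyRootFilesystem: true` in this suggestion needs a writable mount under every path the process writes to. The container is started with `--path=/tmp/config`, and the only writable volume in the manifest is the emptyDir at /tmp/cache, so if content-mirror writes its generated config under /tmp/config the pod will crash-loop once this lands; mount an emptyDir there (the `run` emptyDir already defined but unused in the volumes list could serve). The probes on `/` port 8080 also assume the mirror answers the root path with a success status; verify that, or probe a path the server is known to serve.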

As per coding guidelines, Kubernetes manifests must include hardened securityContext, resource limits, probes, and automountServiceAccountToken: false unless needed.

🧰 Tools
🪛 Checkov (3.2.530)

[medium] 126-202: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[medium] 126-202: Minimize the admission of root containers

(CKV_K8S_23)

Sources: Coding guidelines, Linters/SAST tools
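The hardening the comment above asks the generator to emit, as an added example in Python (the generator's language), not code from openshift/release or art_rpm_mirroring_services.py: it adds the controls to a Deployment held as a dict and checks for them, with the limit and probe values taken from the suggested manifest shape. The writable /tmp/config emptyDir is an assumption drawn from the container's --path flag.

```python
"""Apply and verify the hardening asked for on a generated content-mirror Deployment.

Added example, not code from openshift/release or its generator
(hack/generators/release-controllers/content/art_rpm_mirroring_services.py).
It works on the Deployment as a plain dict, the form a generator has before
dumping YAML. SAMPLE_DEPLOYMENT is a constructed subset of the manifest shown
in the review. The writable path /tmp/config is an assumption: the container
is started with --path=/tmp/config, and a read-only root filesystem rejects
writes there unless an emptyDir is mounted.
"""
import copy

# Values from the reviewer's suggested manifest shape.
DEFAULT_LIMITS = {"cpu": "1", "memory": "1Gi"}
PROBE_PATH = "/"  # assumes content-mirror answers the root path

SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "base-4-13-epel-9", "namespace": "ocp"},
    "spec": {
        "replicas": 2,
        "template": {"spec": {
            "containers": [{
                "name": "mirror",
                "command": ["content-mirror", "--path=/tmp/config", "/tmp/repos"],
                "ports": [{"containerPort": 8080, "name": "http"}],
                "resources": {"requests": {"memory": "500Mi"}},
                "volumeMounts": [{"mountPath": "/tmp/cache", "name": "cache"}],
            }],
            "volumes": [{"emptyDir": {}, "name": "cache"}],
        }},
    },
}


def check_hardening(manifest: dict) -> list[str]:
    """List the baseline controls the Deployment is missing (empty = compliant)."""
    gaps: list[str] = []
    pod = manifest["spec"]["template"]["spec"]
    if pod.get("automountServiceAccountToken") is not False:
        gaps.append("pod: automountServiceAccountToken is not false")
    if pod.get("securityContext", {}).get("runAsNonRoot") is not True:
        gaps.append("pod: runAsNonRoot is not true")  # CKV_K8S_23
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            gaps.append(f"{name}: allowPrivilegeEscalation is not false")  # CKV_K8S_20
        if sc.get("readOnlyRootFilesystem") is not True:
            gaps.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            gaps.append(f"{name}: capabilities are not dropped")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                gaps.append(f"{name}: no {res} limit")
        for probe in ("readinessProbe", "livenessProbe"):
            if probe not in c:
                gaps.append(f"{name}: no {probe}")
    return gaps


def harden_mirror_deployment(manifest: dict, writable_paths=("/tmp/config",)) -> dict:
    """Return a hardened deep copy; the caller's manifest is left untouched.
    Existing requests, mounts and probes are kept; only missing controls are added."""
    out = copy.deepcopy(manifest)
    pod = out["spec"]["template"]["spec"]
    pod["automountServiceAccountToken"] = False
    pod.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}})
    volumes = pod.setdefault("volumes", [])
    for c in pod["containers"]:
        c.setdefault("securityContext", {}).update({
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        })
        c.setdefault("resources", {}).setdefault("limits", {}).update(DEFAULT_LIMITS)
        # Probe the named port where one exists, so a containerPort change cannot
        # silently break the probe.
        port = c["ports"][0]
        probe = {"httpGet": {"path": PROBE_PATH, "port": port.get("name", port["containerPort"])}}
        c.setdefault("readinessProbe", copy.deepcopy(probe))
        c.setdefault("livenessProbe", copy.deepcopy(probe))
        # readOnlyRootFilesystem needs an emptyDir under every path the process writes.
        mounts = c.setdefault("volumeMounts", [])
        for i, path in enumerate(writable_paths):
            vol = f"writable-{i}"
            if not any(m["mountPath"] == path for m in mounts):
                mounts.append({"mountPath": path, "name": vol})
            if not any(v["name"] == vol for v in volumes):
                volumes.append({"emptyDir": {}, "name": vol})
    return out


if __name__ == "__main__":
    print("before:", check_hardening(SAMPLE_DEPLOYMENT))
    print("after: ", check_hardening(harden_mirror_deployment(SAMPLE_DEPLOYMENT)))
```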

Comment on lines +126 to +202
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
keel.sh/matchTag: 'true'
keel.sh/policy: force
keel.sh/pollSchedule: '@every 5m'
keel.sh/trigger: poll
labels:
app: base-4-19-epel-9
name: base-4-19-epel-9
namespace: ocp
spec:
replicas: 2
selector:
matchLabels:
app: base-4-19-epel-9
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
labels:
app: base-4-19-epel-9
spec:
containers:
- command:
- content-mirror
- --path=/tmp/config
- --max-size=5g
- --timeout=30m
- /tmp/repos
- /tmp/key
- /tmp/mirror-enterprise-basic-auth
image: quay-proxy.ci.openshift.org/openshift/ci:ci_content-mirror_latest
imagePullPolicy: Always
name: mirror
ports:
- containerPort: 8080
name: http
resources:
requests:
memory: 500Mi
volumeMounts:
- mountPath: /tmp/repos
name: repos
readOnly: true
- mountPath: /tmp/key
name: key
readOnly: true
- mountPath: /tmp/mirror-enterprise-basic-auth
name: mirror-enterprise-basic-auth
readOnly: true
- mountPath: /tmp/cache
name: cache
workingDir: /tmp/repos
nodeSelector:
kubernetes.io/arch: amd64
kubernetes.io/os: linux
volumes:
- configMap:
items:
- key: ocp-4.19-epel-9.repo
path: ocp-4.19-epel-9.repo
name: base-repos
name: repos
- name: key
secret:
secretName: mirror.openshift.com
- name: mirror-enterprise-basic-auth
secret:
defaultMode: 420
secretName: mirror-enterprise-basic-auth
- emptyDir: {}
name: cache
- emptyDir: {}
name: run
---
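Review bot: this EPEL mirror gets the `mirror.openshift.com` client key and the `mirror-enterprise-basic-auth` secret mounted at /tmp/key and /tmp/mirror-enterprise-basic-auth and passed on the command line, although the only repo it serves is `ocp-4.19-epel-9.repo`, which per the PR description points at a public EPEL repo with gpgcheck enabled. If that file references neither path, those credentials are exposed to a pod that does not need them; check whether content-mirror requires the two positional arguments and, if not, omit them and the two secret volumes for the epel Deployments in the generator.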

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Harden the new EPEL mirror Deployment in the generator template.

Line 126 introduces a new Deployment without the baseline manifest controls (securityContext hardening, container resources.limits, and liveness/readiness probes). Because this file is generated, apply the fix in hack/generators/release-controllers/content/art_rpm_mirroring_services.py so all generated mirror Deployments inherit it.

As per coding guidelines, Kubernetes/OpenShift manifests must set runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, drop ALL capabilities, and define resource limits plus readiness/liveness probes.

🧰 Tools
🪛 Checkov (3.2.530)

[medium] 126-202: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[medium] 126-202: Minimize the admission of root containers

(CKV_K8S_23)

Source: Coding guidelines

Comment on lines +28 to +104
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
keel.sh/matchTag: 'true'
keel.sh/policy: force
keel.sh/pollSchedule: '@every 5m'
keel.sh/trigger: poll
labels:
app: base-5-1
name: base-5-1
namespace: ocp
spec:
replicas: 2
selector:
matchLabels:
app: base-5-1
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
labels:
app: base-5-1
spec:
containers:
- command:
- content-mirror
- --path=/tmp/config
- --max-size=5g
- --timeout=30m
- /tmp/repos
- /tmp/key
- /tmp/mirror-enterprise-basic-auth
image: quay-proxy.ci.openshift.org/openshift/ci:ci_content-mirror_latest
imagePullPolicy: Always
name: mirror
ports:
- containerPort: 8080
name: http
resources:
requests:
memory: 500Mi
volumeMounts:
- mountPath: /tmp/repos
name: repos
readOnly: true
- mountPath: /tmp/key
name: key
readOnly: true
- mountPath: /tmp/mirror-enterprise-basic-auth
name: mirror-enterprise-basic-auth
readOnly: true
- mountPath: /tmp/cache
name: cache
workingDir: /tmp/repos
nodeSelector:
kubernetes.io/arch: amd64
kubernetes.io/os: linux
volumes:
- configMap:
items:
- key: ocp-5.1-default.repo
path: ocp-5.1-default.repo
name: base-repos
name: repos
- name: key
secret:
secretName: mirror.openshift.com
- name: mirror-enterprise-basic-auth
secret:
defaultMode: 420
secretName: mirror-enterprise-basic-auth
- emptyDir: {}
name: cache
- emptyDir: {}
name: run
---
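Review bot: the `repos` volume selects key `ocp-5.1-default.repo` from the `base-repos` ConfigMap, but the files this PR adds under core-services/release-controller/_repos/ are `ocp-5.1-epel-10.repo` and `ocp-5.1-rhel102.repo`. A ConfigMap volume with an `items` entry and no `optional: true` fails to mount when the key is absent and the pod never starts, so confirm that key exists in the ConfigMap (or that the generator derives it from the rhel102 file) before this Deployment is applied.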

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Harden the generated content-mirror Deployment baseline before adding more 5.1 workloads.

These new Deployment specs still omit pod/container securityContext, explicit resource limits, and liveness/readiness probes. That keeps default privilege/runtime behavior across every newly generated mirror workload. Please fix this in hack/generators/release-controllers/content/art_rpm_mirroring_services.py and regenerate, rather than patching generated YAML directly.

As per coding guidelines, Kubernetes manifests should set non-root/no-privilege-escalation security context, drop unnecessary capabilities, define limits, and include readiness/liveness probes.

🧰 Tools
🪛 Checkov (3.2.530)

[medium] 28-104: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[medium] 28-104: Minimize the admission of root containers

(CKV_K8S_23)

Sources: Coding guidelines, Linters/SAST tools

Comment on lines +1 to +88
[rhel-10.2-baseos]
name = rhel-10.2-baseos
baseurl = https://cdn.redhat.com/content/e4s/rhel10/10.2/x86_64/baseos/os/
enabled = 1
gpgkey = https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted
sslverify = false
gpgcheck = 0
# https://projects.engineering.redhat.com/browse/RCM-65421
sslclientkey = /tmp/key/rh-cdn.pem
sslclientcert = /tmp/key/rh-cdn.pem
failovermethod = priority
skip_if_unavailable = true

[rhel-10.2-appstream]
name = rhel-10.2-appstream
baseurl = https://cdn.redhat.com/content/e4s/rhel10/10.2/x86_64/appstream/os/
enabled = 1
gpgkey = https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted
sslverify = false
gpgcheck = 0
# https://projects.engineering.redhat.com/browse/RCM-65421
sslclientkey = /tmp/key/rh-cdn.pem
sslclientcert = /tmp/key/rh-cdn.pem
failovermethod = priority
skip_if_unavailable = true

[rhel-10.2-nfv]
name = rhel-10.2-nfv
baseurl = https://cdn.redhat.com/content/e4s/rhel10/10.2/x86_64/nfv/os/
enabled = 1
gpgkey = https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted
sslverify = false
gpgcheck = 0
# https://projects.engineering.redhat.com/browse/RCM-65421
sslclientkey = /tmp/key/rh-cdn.pem
sslclientcert = /tmp/key/rh-cdn.pem
failovermethod = priority
skip_if_unavailable = true

[rhel-10.2-highavailability]
name = rhel-10.2-highavailability
baseurl = https://cdn.redhat.com/content/e4s/rhel10/10.2/x86_64/highavailability/os/
enabled = 1
gpgkey = https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted
sslverify = false
gpgcheck = 0
# https://projects.engineering.redhat.com/browse/RCM-65421
sslclientkey = /tmp/key/rh-cdn.pem
sslclientcert = /tmp/key/rh-cdn.pem
failovermethod = priority
skip_if_unavailable = true

[rhel-10.2-fast-datapath]
name = rhel-10.2-fast-datapath
baseurl = https://cdn.redhat.com/content/dist/layered/rhel10/x86_64/fast-datapath/os/
enabled = 1
gpgkey = https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted
sslverify = false
gpgcheck = 0
sslclientkey = /tmp/key/rh-cdn.pem
sslclientcert = /tmp/key/rh-cdn.pem
failovermethod = priority

[rhel-10.2-server-ose-5.0]
name = rhel-10.2-server-ose-5.0
baseurl = https://openshift-mirror-list.ci-systems.workers.dev/enterprise/reposync/5.0/rhel-10-server-ose-rpms/
enabled = 1
gpgkey = https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted
sslverify = false
gpgcheck = 0
username_file = /tmp/mirror-enterprise-basic-auth/username
password_file = /tmp/mirror-enterprise-basic-auth/password
failovermethod = priority
skip_if_unavailable = true

[rhel-10.2-early-kernel]
name = rhel-10.2-early-kernel
baseurl = https://openshift-mirror-list.ci-systems.workers.dev/enterprise/reposync/5.0/rhel-102-early-kernel/
enabled = 1
gpgkey = https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted
sslverify = false
gpgcheck = 0
username_file = /tmp/mirror-enterprise-basic-auth/username
password_file = /tmp/mirror-enterprise-basic-auth/password
failovermethod = priority
skip_if_unavailable = true
# For iptables, see https://github.com/coreos/rhel-coreos-config/issues/254
includepkgs = kernel,kernel-*,iptables,iptables-*


⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Critical security posture degradation: TLS and package verification disabled.

Every repository stanza disables both TLS certificate verification (sslverify = false) and RPM signature checking (gpgcheck = 0). This combination exposes the CI infrastructure to:

  • MITM attacks that can inject malicious RPM content during transport
  • Installation of unsigned or tampered packages without detection
  • Compromise of build containers and test environments

If these settings are required due to infrastructure constraints (e.g., internal CA issues or mirror proxy behavior), document the justification in comments and implement compensating controls such as:

  • Network-level restrictions limiting access to trusted mirror endpoints
  • Post-installation integrity verification
  • Isolated build environments with limited blast radius

Otherwise, enable both sslverify = 1 and gpgcheck = 1.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@core-services/release-controller/_repos/ocp-5.1-rhel102.repo` around lines 1
- 88, All repository stanzas in the file (rhel-10.2-baseos, rhel-10.2-appstream,
rhel-10.2-nfv, rhel-10.2-highavailability, rhel-10.2-fast-datapath,
rhel-10.2-server-ose-5.0, and rhel-10.2-early-kernel) have both sslverify
disabled and gpgcheck disabled, creating a critical security vulnerability.
Change sslverify from false to 1 and gpgcheck from 0 to 1 across all repository
stanzas. If these restrictive settings are required due to infrastructure
constraints such as internal CA issues, document the specific justification with
comments explaining why and what compensating controls are in place (such as
network-level access restrictions or post-installation integrity verification),
rather than leaving the security settings disabled without explanation.
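One way to catch the settings the review above flags before they land in CI, as an added example that is not code from the PR or the openshift/release project: a small audit of .repo stanzas, run over a constructed sample that places a stanza in the weak shape the PR ships beside the hardened form the review recommends. The mirror URLs in the sample are placeholders.

```python
"""Flag dnf/yum .repo stanzas with TLS or RPM signature checks disabled (added example, not PR code)."""
import configparser

_FALSE = {"0", "false", "no", "off"}  # spellings dnf accepts for a false option


def _disabled(value: str) -> bool:
    return value.strip().lower() in _FALSE


def audit_repo_text(text: str) -> dict[str, list[str]]:
    """Return {stanza: [finding, ...]} for every stanza with a weak setting."""
    cfg = configparser.ConfigParser(interpolation=None)  # '%' is legal in URLs
    cfg.read_string(text)
    findings: dict[str, list[str]] = {}
    for section in cfg.sections():
        issues = []
        # dnf verifies TLS unless told otherwise, so only an explicit false counts
        if _disabled(cfg.get(section, "sslverify", fallback="1")):
            issues.append("sslverify disabled: TLS certificate not verified")
        # gpgcheck is off unless set, so a missing key is treated as disabled
        if _disabled(cfg.get(section, "gpgcheck", fallback="0")):
            issues.append("gpgcheck disabled: RPM signatures not checked")
        for url in cfg.get(section, "baseurl", fallback="").split():
            if url.lower().startswith("http://"):
                issues.append(f"plaintext baseurl: {url}")
        if issues:
            findings[section] = issues
    return findings


# Constructed sample: one stanza in the shape the PR ships (weak) and one as
# the review recommends (hardened). The URLs are placeholders, not real mirrors.
SAMPLE = """\
[rhel-10.2-baseos]
name = rhel-10.2-baseos
baseurl = https://cdn.example.invalid/rhel10/10.2/x86_64/baseos/os/
gpgkey = https://mirror.example.invalid/keys/RPM-GPG-KEY-redhat-release
sslverify = false
gpgcheck = 0

[rhel-10.2-baseos-hardened]
name = rhel-10.2-baseos
baseurl = https://cdn.example.invalid/rhel10/10.2/x86_64/baseos/os/
gpgkey = https://mirror.example.invalid/keys/RPM-GPG-KEY-redhat-release
sslverify = 1
gpgcheck = 1
"""

if __name__ == "__main__":
    for stanza, issues in audit_repo_text(SAMPLE).items():
        print(stanza, *("  - " + issue for issue in issues), sep="\n")
```

Only the weak stanza is reported; the hardened copy passes, so the same check can gate a repo directory in CI.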

@openshift-ci

openshift-ci Bot commented Jun 15, 2026


@stephenfin: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/rehearse/openshift/installer/main/e2e-openstack-ovn | 14f3833 | link | unknown | /pj-rehearse pull-ci-openshift-installer-main-e2e-openstack-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@stephenfin


/hold

Let's get #80542 in first, and we'll rebase this on top then to allow us to do rehearsals.

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 15, 2026
Labels: do-not-merge/hold (Indicates that a PR should not merge because someone has issued a /hold command), jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type)