Skip to content

ROX-33603: Switch to UBI9 base images#19454

Open
mclasmeier wants to merge 20 commits intomasterfrom
mc/ubi9-3
Open

ROX-33603: Switch to UBI9 base images#19454
mclasmeier wants to merge 20 commits intomasterfrom
mc/ubi9-3

Conversation

@mclasmeier
Copy link
Contributor

@mclasmeier mclasmeier commented Mar 17, 2026
edited
Loading

Description

This PR replaces #19437.

This PR switches all base images in the stackrox repo to UBI9. A couple of smaller changes had to be done to account for technical differences between UBI8 and UBI9.

All other changes are required for green CI.

See commit history.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • modified existing tests

No tests added.

How I validated my change

Deploying with

$ roxie deploy -t 4.11.x-380-gb4eff13f93

All pods come up, no startup errors about our save/restore/import-cas flow. Exec'ing into a pod and verifying manually that the operations can be re-run without errors:

❮ kc exec -it deployment/scanner-v4-indexer -- /bin/sh
sh-5.1$ restore-all-dir-contents 
sh-5.1$ restore-all-dir-contents 
sh-5.1$ find /.init-dirs/etc/pki/ca-trust/
/.init-dirs/etc/pki/ca-trust/
/.init-dirs/etc/pki/ca-trust/source
/.init-dirs/etc/pki/ca-trust/source/README
/.init-dirs/etc/pki/ca-trust/source/anchors
/.init-dirs/etc/pki/ca-trust/source/blocklist
/.init-dirs/etc/pki/ca-trust/source/ca-bundle.legacy.crt
sh-5.1$ import-additional-cas 
Setting up CA trust store in container
Looking for certificates in '/usr/local/share/ca-certificates'
No certificates found in /usr/local/share/ca-certificates
Looking for certificates in '/etc/pki/injected-ca-trust'
'/etc/pki/injected-ca-trust/tls-ca-bundle.pem' -> '/etc/pki/ca-trust/source/anchors/tls-ca-bundle.pem'
Updating CA trust
Done setting up CA trust store in container

sh-5.1$ import-additional-cas 
Setting up CA trust store in container
Looking for certificates in '/usr/local/share/ca-certificates'
No certificates found in /usr/local/share/ca-certificates
Looking for certificates in '/etc/pki/injected-ca-trust'
'/etc/pki/injected-ca-trust/tls-ca-bundle.pem' -> '/etc/pki/ca-trust/source/anchors/tls-ca-bundle.pem'
Updating CA trust
Done setting up CA trust store in container

sh-5.1$ restore-all-dir-contents 
sh-5.1$ import-additional-cas 
Setting up CA trust store in container
Looking for certificates in '/usr/local/share/ca-certificates'
No certificates found in /usr/local/share/ca-certificates
Looking for certificates in '/etc/pki/injected-ca-trust'
'/etc/pki/injected-ca-trust/tls-ca-bundle.pem' -> '/etc/pki/ca-trust/source/anchors/tls-ca-bundle.pem'
Updating CA trust
Done setting up CA trust store in container

sh-5.1$

@mclasmeier mclasmeier requested review from a team and rhacs-bot as code owners March 17, 2026 10:56
@mclasmeier mclasmeier requested review from GrimmiMeloni and removed request for a team March 17, 2026 10:56
@rhacs-bot rhacs-bot requested a review from a team March 17, 2026 10:56
@mclasmeier mclasmeier marked this pull request as draft March 17, 2026 10:56
sourcery-ai[bot]
sourcery-ai bot reviewed Mar 17, 2026
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @github-actions[bot], your pull request is larger than the review limit of 150000 diff characters

@mclasmeier
Copy link
Contributor Author

mclasmeier commented Mar 17, 2026

/retest

@rhacs-bot
Copy link
Contributor

rhacs-bot commented Mar 17, 2026
edited
Loading

Images are ready for the commit at b4eff13.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-380-gb4eff13f93.

@mclasmeier mclasmeier removed request for a team, GrimmiMeloni and rhacs-bot March 17, 2026 11:23
@codecov
Copy link

codecov bot commented Mar 17, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.25%. Comparing base (2b34e97) to head (b4eff13).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #19454      +/-   ##
==========================================
- Coverage   49.25%   49.25%   -0.01%     
==========================================
  Files        2725     2725              
  Lines      205582   205582              
==========================================
- Hits       101268   101262       -6     
- Misses      96780    96783       +3     
- Partials     7534     7537       +3
Flag Coverage Δ
go-unit-tests 49.25% <100.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mclasmeier mclasmeier force-pushed the mc/ubi9-3 branch 2 times, most recently from ae55e5e to df5f220 Compare March 18, 2026 09:17
@mclasmeier mclasmeier changed the title Mc/ubi9 3 ROX-33603: Switch to UBI9 base images Mar 18, 2026
@mclasmeier mclasmeier marked this pull request as ready for review March 18, 2026 10:31
sourcery-ai[bot]
sourcery-ai bot reviewed Mar 18, 2026
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @mclasmeier, your pull request is larger than the review limit of 150000 diff characters

@mclasmeier mclasmeier mentioned this pull request Mar 18, 2026
Draft
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ai-review area/ci area/helm area/operator area/postgres area/scanner konflux-build Run Konflux in PR. Push commit to trigger it.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mclasmeier @rhacs-bot