NO-ISSUE: [master] Bump OCP versions: 4.20, 4.22, 4.21, 5.0, 4.18, 4.16, 4.19 #10506

Open
danmanor wants to merge 1 commit into openshift:master from danmanor:bump/ocp-releases-6a340cd1-9adb-46ff-a4d1-84bdbc50ceda

@danmanor danmanor commented Jun 24, 2026

Contributor

OpenShift updates: 4.19.33-multi -> 4.19.34-multi, 4.20.24 -> 4.20.26, 4.21.19-multi -> 4.21.21-multi, 4.19.33 -> 4.19.34, 4.16.63-multi -> 4.16.64-multi, 4.16.63 -> 4.16.64, 4.18.43-multi -> 4.18.44-multi, 4.21.19 -> 4.21.21, 4.20.24-multi -> 4.20.26-multi, 4.22.0-multi -> 4.22.2-multi, 4.22.0 -> 4.22.2, 4.18.43 -> 4.18.44
RHCOS updates: 4.22.0 -> 5.0.0-ec.3

/test edge-e2e-metal-assisted-4-20 edge-e2e-metal-assisted-4-22 edge-e2e-metal-assisted-4-21 edge-e2e-metal-assisted-5-0 edge-e2e-metal-assisted-4-18 edge-e2e-metal-assisted-4-16 edge-e2e-metal-assisted-4-19
/cc @rccrdpccl @gamli75

Summary by CodeRabbit

  • Chores
    • Updated OS image references for OpenShift versions 4.16 through 4.22 to the latest available builds
    • Configured pre-release image support for OpenShift 5.0 across multiple CPU architectures (x86_64, arm64, ppc64le, s390x)

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 24, 2026
@openshift-ci-robot

@danmanor: This pull request explicitly references no jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from gamli75 and rccrdpccl June 24, 2026 04:09
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Walkthrough

Two sets of artifact version updates are propagated across all deployment manifests: the OpenShift 5.0 RHCOS ISO URLs are corrected from reused 4.22/4.22.0 paths to pre-release/5.0.0-ec.3 paths for all CPU architectures, and release image tags are bumped for OCP 4.16 through 4.22 across x86_64, arm64, and multi-arch entries.

Changes

OS Image and Release Image Version Updates

| Layer / File(s) | Summary |
|---|---|
| OCP 5.0 RHCOS ISO URL correction: data/default_os_images.json, config/manager/manager.yaml, config/samples/agent-install.openshift.io_v1beta1_agentserviceconfig.yaml, deploy/olm-catalog/manifests/assisted-service-operator.clusterserviceversion.yaml, deploy/podman/configmap.yml, openshift/template.yaml | The openshift_version: "5.0" entries for all CPU architectures (x86_64, arm64, ppc64le, s390x) have their ISO url values changed from rhcos/4.22/4.22.0 paths to rhcos/pre-release/5.0.0-ec.3 paths. The change is applied consistently in the canonical JSON data file and all downstream manifest copies. |
| Release image tag bumps for OCP 4.16–4.22: data/default_release_images.json, deploy/podman/configmap.yml, openshift/template.yaml | url and version fields are advanced for six OpenShift versions: 4.16 (63→64), 4.18 (43→44), 4.19 (33→34), 4.20 (24→26), 4.21 (19→21), and 4.22 (0→2), covering x86_64, arm64, and multi-arch entries. The default: true marker on the 4.22 multi entry is preserved on the bumped version. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

kind/dependency-change, size/L

Suggested reviewers

  • gamli75

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No-Sensitive-Data-In-Logs | ❌ Error | PR introduces logging of sensitive OS image data. Line 178 in cmd/operator/main.go logs: setupLog.Error(fmt.Errorf("OS images (%v) specified in %s are not valid", osImages, ...) where osImages co... | Remove sensitive data from logs. Replace osImages with a redacted or truncated representation that doesn't expose full URLs, versions, or architecture details in error messages. |
| Description check | ⚠️ Warning | The description lacks the structured format required by the template. It is missing the checkbox sections for issue type, environment impact, testing methodology, and the reviewer checklist, making it incomplete. | Fill out all required template sections including issue type checkboxes, environment impact, testing methodology checkboxes, and reviewer checklist items. |

✅ Passed checks (13 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly identifies the main change as a version bump for multiple OCP versions (4.16-4.22, 5.0) and RHCOS, which aligns with the changeset updating release and OS image versions across multiple configuration files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR modifies only configuration/data/deployment files (manager.yaml, sample configs, JSON data files, ClusterServiceVersion, ConfigMap, template.yaml), not test files. No Ginkgo test names are intro... |
| Test Structure And Quality | ✅ Passed | PR contains only configuration and data files (YAML/JSON), not Ginkgo test code. Custom check for test structure/quality is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR only updates OpenShift/RHCOS version configuration in YAML and JSON files; no new Ginkgo e2e tests are added, so the MicroShift test compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR updates OpenShift and RHCOS versions in configuration files only. No new Ginkgo e2e tests are added, so the SNO test compatibility check does not apply. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR updates only image versions and URLs in configuration files and environment variables. No deployment manifests, operators, or controllers with problematic scheduling constraints were added... |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies only configuration and data files (YAML, JSON) with no code changes, no main/init/TestMain functions, and no stdout write operations to check. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR; all changes are configuration and manifest file updates (YAML/JSON) with version/image references. Check not applicable. |
| No-Weak-Crypto | ✅ Passed | PR modifies only configuration/data files with image versions and URLs; no weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or insecure secret comparison... |
| Container-Privileges | ✅ Passed | Comprehensive security check found no privileged container configurations. All modified files contain only version/image URL updates with no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADM... |

@openshift-ci openshift-ci Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 24, 2026
@openshift-ci

openshift-ci Bot commented Jun 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danmanor

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
config/manager/manager.yaml (1)

59-77: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoff

Security context improvements recommended.

While not introduced by this PR, the manager container is missing:

  • Resource limits (cpu, memory)
  • runAsNonRoot: true
  • Capability dropping (drop: [ALL])

As per path instructions, Kubernetes manifests should enforce these security best practices.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/manager/manager.yaml` around lines 59 - 77, The manager container's
securityContext block is missing critical security hardening settings. Add
`runAsNonRoot: true` and a `capabilities` section with `drop: [ALL]` to the
existing securityContext configuration that currently has
allowPrivilegeEscalation and readOnlyRootFilesystem settings. Additionally, the
resources section contains requests for cpu and memory but is missing
corresponding limits for both cpu and memory under a limits subsection, which
should be added at the same level as the requests configuration to enforce
resource constraints.

Source: Path instructions

deploy/olm-catalog/manifests/assisted-service-operator.clusterserviceversion.yaml (1)

946-952: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoff

Security context improvements recommended.

The manager container in the CSV deployment spec (similar to manager.yaml) is missing resource limits, runAsNonRoot: true, and capability dropping. As per path instructions, these should be enforced for operator workloads.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@deploy/olm-catalog/manifests/assisted-service-operator.clusterserviceversion.yaml`
around lines 946 - 952, The securityContext block in the manager container is
missing two important security configurations: add `runAsNonRoot: true` to
prevent the container from running as root, and add a `capabilities` field with
`drop: ["ALL"]` to remove all Linux capabilities. Additionally, the resources
section currently only defines requests but is missing limits; add a `limits`
subsection under resources with appropriate cpu and memory limits to match the
security posture of the manager.yaml configuration. These additions should be
made directly in the securityContext and resources sections of the manager
container specification in the deployment spec.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@config/manager/manager.yaml`:
- Around line 59-77: The manager container's securityContext block is missing
critical security hardening settings. Add `runAsNonRoot: true` and a
`capabilities` section with `drop: [ALL]` to the existing securityContext
configuration that currently has allowPrivilegeEscalation and
readOnlyRootFilesystem settings. Additionally, the resources section contains
requests for cpu and memory but is missing corresponding limits for both cpu and
memory under a limits subsection, which should be added at the same level as the
requests configuration to enforce resource constraints.

In
`@deploy/olm-catalog/manifests/assisted-service-operator.clusterserviceversion.yaml`:
- Around line 946-952: The securityContext block in the manager container is
missing two important security configurations: add `runAsNonRoot: true` to
prevent the container from running as root, and add a `capabilities` field with
`drop: ["ALL"]` to remove all Linux capabilities. Additionally, the resources
section currently only defines requests but is missing limits; add a `limits`
subsection under resources with appropriate cpu and memory limits to match the
security posture of the manager.yaml configuration. These additions should be
made directly in the securityContext and resources sections of the manager
container specification in the deployment spec.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ae04857a-09a1-4f03-bba5-b703b48914ac

📥 Commits

Reviewing files that changed from the base of the PR and between 08dd374 and c303370.

📒 Files selected for processing (7)
  • config/manager/manager.yaml
  • config/samples/agent-install.openshift.io_v1beta1_agentserviceconfig.yaml
  • data/default_os_images.json
  • data/default_release_images.json
  • deploy/olm-catalog/manifests/assisted-service-operator.clusterserviceversion.yaml
  • deploy/podman/configmap.yml
  • openshift/template.yaml
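
The three gaps named in the review above (no `runAsNonRoot: true`, no `capabilities.drop: [ALL]`, no cpu/memory limits) can be checked mechanically before merge. This is an added example, not code from the assisted-service repository or from CodeRabbit; the function names are hypothetical, the input is a pod spec already parsed into a dict (a Deployment's `spec.template.spec`), and the sample request and limit values are constructed.

```python
# Added example: audit a parsed pod spec for the gaps the review names.
# Function names and sample values are assumptions, not project code.

def audit_container(pod_spec, container):
    """Return hardening findings for one container of a pod spec (dict)."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    sc = container.get("securityContext") or {}

    # runAsNonRoot can be set pod-wide; a container-level value overrides it.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runAsNonRoot is not true")

    # capabilities is a container-level field only.
    dropped = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in dropped:
        findings.append("capabilities.drop does not include ALL")

    # requests alone do not cap usage; each resource needs a limit.
    limits = (container.get("resources") or {}).get("limits") or {}
    for resource in ("cpu", "memory"):
        if resource not in limits:
            findings.append(f"resources.limits.{resource} is missing")
    return findings

def audit_pod_spec(pod_spec):
    """Map container name -> findings for every container in the pod spec."""
    return {c.get("name", "<unnamed>"): audit_container(pod_spec, c)
            for c in pod_spec.get("containers") or []}

# Constructed samples: BEFORE is the state the review describes, AFTER adds
# the suggested settings (request and limit values are made up).
BASE_SC = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}
REQUESTS = {"cpu": "100m", "memory": "200Mi"}
BEFORE = {"containers": [{"name": "manager", "securityContext": dict(BASE_SC),
                          "resources": {"requests": REQUESTS}}]}
AFTER = {"containers": [{
    "name": "manager",
    "securityContext": {**BASE_SC, "runAsNonRoot": True,
                        "capabilities": {"drop": ["ALL"]}},
    "resources": {"requests": REQUESTS,
                  "limits": {"cpu": "500m", "memory": "512Mi"}}}]}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_pod_spec(spec))
```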

@codecov

codecov Bot commented Jun 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.34%. Comparing base (08dd374) to head (c303370).

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #10506   +/-   ##
=======================================
  Coverage   44.33%   44.34%           
=======================================
  Files         423      423           
  Lines       73512    73512           
=======================================
+ Hits        32595    32597    +2     
+ Misses      37985    37984    -1     
+ Partials     2932     2931    -1     

see 1 file with indirect coverage changes

@openshift-ci

openshift-ci Bot commented Jun 24, 2026

@danmanor: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-agent-compact-ipv4 | c303370 | link | true | /test e2e-agent-compact-ipv4 |
| ci/prow/edge-verify-generated-code | c303370 | link | true | /test edge-verify-generated-code |
| ci/prow/verify-generated-code | c303370 | link | true | /test verify-generated-code |
| ci/prow/e2e-agent-compact-ipv4-iso-no-registry | c303370 | link | false | /test e2e-agent-compact-ipv4-iso-no-registry |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
