NO-JIRA: [RHCOS10] Migrate base images from UBI9 to UBI10

[PillaiManish]

Summary

Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to
registry.redhat.io UBI10 for native RHCOS10 compatibility.

Dockerfile	Builder: Before	Builder: After	Runtime: Before	Runtime: After
Dockerfile.openshift	ocp/builder:rhel-9-golang-1.24-openshift-4.20	ubi10/go-toolset:10.1	ocp/4.20:base-rhel9	ubi10:10.1
Dockerfile.bats	ocp/builder:rhel-9-golang-1.24-openshift-4.20	ubi10/go-toolset:10.1	src (unchanged)	src (unchanged)
Dockerfile.e2eprovider	ocp/builder:rhel-9-golang-1.24-openshift-4.20	ubi10/go-toolset:10.1	ocp/4.20:base-rhel9	ubi10:10.1

All images move from registry.ci.openshift.org → registry.redhat.io.

Prerequisite

PR1 (rhcos10-ubi9-compat-test) should pass CI on RHCOS10 nodes before merging this.

[openshift-ci-robot]

@PillaiManish: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to
registry.redhat.io UBI10 for native RHCOS10 compatibility.

Dockerfile	Builder: Before	Builder: After	Runtime: Before	Runtime: After
Dockerfile.openshift	ocp/builder:rhel-9-golang-1.24-openshift-4.20	ubi10/go-toolset:10.1	ocp/4.20:base-rhel9	ubi10:10.1
Dockerfile.bats	ocp/builder:rhel-9-golang-1.24-openshift-4.20	ubi10/go-toolset:10.1	src (unchanged)	src (unchanged)
Dockerfile.e2eprovider	ocp/builder:rhel-9-golang-1.24-openshift-4.20	ubi10/go-toolset:10.1	ocp/4.20:base-rhel9	ubi10:10.1

All images move from registry.ci.openshift.org → registry.redhat.io.

Prerequisite

PR1 (rhcos10-ubi9-compat-test) should pass CI on RHCOS10 nodes before merging this.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Replaced OpenShift CI base images with Red Hat UBI10 images in three Dockerfiles (builder → registry.redhat.io/ubi10/go-toolset:10.1, runtime → registry.redhat.io/ubi10:10.1 where applicable), added USER 0 in builder stages, and added a migration document for RHCOS10/UBI10.

Changes

Cohort / File(s)	Summary
Dockerfile updates Dockerfile.bats, Dockerfile.e2eprovider, Dockerfile.openshift	Updated builder stage base to registry.redhat.io/ubi10/go-toolset:10.1 and added USER 0 in builder stages. Switched runtime base to registry.redhat.io/ubi10:10.1 in Dockerfile.e2eprovider and Dockerfile.openshift. Dockerfile.openshift adds dnf install of util-linux and ca-certificates (with cleanup) before copying the binary.
Documentation docs/rhcos10-ubi10-migration.md	Added migration guide detailing image mappings, per-Dockerfile substitutions, unchanged files list, test matrix, and CI/build validation checklist for RHCOS10 → UBI10 migration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: PillaiManish
Once this PR has been reviewed and has the lgtm label, please assign gnufied for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[PillaiManish]

/test e2e-azure-rhcos10-fips e2e-azure-rhcos10

[PillaiManish]

/retest

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile.bats (1)

39-43: ⚠️ Potential issue | 🟠 Major

Update Azure CLI installation to use RHEL10 packages.

Microsoft provides RHEL10-compatible packages at rhel/10/packages-microsoft-prod.rpm (verified available). The current reference to rhel/9/packages-microsoft-prod.rpm should be updated to match the runtime environment and ensure compatibility:

Suggested fix

RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc && \
    dnf install -y https://packages.microsoft.com/config/rhel/10/packages-microsoft-prod.rpm && \
    mv /etc/yum.repos.d/microsoft-prod.repo /etc/yum.repos.art/ci/ && \
    dnf install -y azure-cli && \
    dnf clean all

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.bats` around lines 39 - 43, The Dockerfile RUN block installs
Microsoft packages for RHEL9; update the package URL to the RHEL10 package
(replace
"https://packages.microsoft.com/config/rhel/9/packages-microsoft-prod.rpm" with
the RHEL10 equivalent) so the RUN command that imports the Microsoft key and
installs the packages (the RUN line that calls rpm --import and dnf install -y
...) uses rhel/10; leave the subsequent mv of
/etc/yum.repos.d/microsoft-prod.repo and the dnf install -y azure-cli and dnf
clean all steps unchanged.

🧹 Nitpick comments (1)

docs/rhcos10-ubi10-migration.md (1)

26-29: Add language identifier to fenced code block.

Per markdownlint MD040, fenced code blocks should specify a language for proper syntax highlighting.

📝 Suggested fix

-```
+```text
 registry.ci.openshift.org/ocp/builder:rhel-9-golang-*  →  registry.redhat.io/ubi10/go-toolset:10.1
 registry.ci.openshift.org/ocp/4.20:base-rhel9           →  registry.redhat.io/ubi10:10.1

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/rhcos10-ubi10-migration.md around lines 26 - 29, The fenced code block
containing the two registry lines
("registry.ci.openshift.org/ocp/builder:rhel-9-golang-*" and
"registry.ci.openshift.org/ocp/4.20:base-rhel9") needs a language identifier for
markdownlint MD040; update the opening fence from totext (leave the
content and closing fence unchanged) so the block becomes text ... to
enable proper syntax highlighting.

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @docs/rhcos10-ubi10-migration.md:

• Around line 35-56: Update the documented "Before" image tags to match the
  actual previous images (replace occurrences of 4.20 with 4.22 and
  golang-1.24 with golang-1.25) so the tables for Dockerfile.e2eprovider,
  Dockerfile.bats and the primary Dockerfile reflect the true originals; ensure
  the same replacements are applied to all three tables and any inline mentions
  (e.g., the builder strings like
  registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20) so
  they read
  registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 where
  appropriate.

---

Outside diff comments:
In @Dockerfile.bats:

• Around line 39-43: The Dockerfile RUN block installs Microsoft packages for
  RHEL9; update the package URL to the RHEL10 package (replace
  "https://packages.microsoft.com/config/rhel/9/packages-microsoft-prod.rpm" with
  the RHEL10 equivalent) so the RUN command that imports the Microsoft key and
  installs the packages (the RUN line that calls rpm --import and dnf install -y
  ...) uses rhel/10; leave the subsequent mv of
  /etc/yum.repos.d/microsoft-prod.repo and the dnf install -y azure-cli and dnf
  clean all steps unchanged.

---

Nitpick comments:
In @docs/rhcos10-ubi10-migration.md:

• Around line 26-29: The fenced code block containing the two registry lines
  ("registry.ci.openshift.org/ocp/builder:rhel-9-golang-*" and
  "registry.ci.openshift.org/ocp/4.20:base-rhel9") needs a language identifier for
  markdownlint MD040; update the opening fence from totext (leave the
  content and closing fence unchanged) so the block becomes text ... to
  enable proper syntax highlighting.

</details>

<details>
<summary>🪄 Autofix (Beta)</summary>

Fix all unresolved CodeRabbit comments on this PR:

- [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended)
- [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: Organization UI

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `260f4dfe-d301-486b-bda8-104c4e8a161b`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 85e2d4c862bd9367b97f36aa1b19570d5961c8a1 and 4bbae6fd0e84991c6fbd3cdef2f01c37a01bb99b.

</details>

<details>
<summary>📒 Files selected for processing (4)</summary>

* `Dockerfile.bats`
* `Dockerfile.e2eprovider`
* `Dockerfile.openshift`
* `docs/rhcos10-ubi10-migration.md`

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Documentation version numbers appear stale.

The "Before" column references 4.20 and golang-1.24, but the AI summary indicates the actual previous images were 4.22 and golang-1.25. Ensure the documentation accurately reflects the versions being replaced to avoid confusion during reviews.

📝 Suggested fix

-| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` |
-| Runtime | `registry.ci.openshift.org/ocp/4.20:base-rhel9` | `registry.redhat.io/ubi10:10.1` |
+| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22` | `registry.redhat.io/ubi10/go-toolset:10.1` |
+| Runtime | `registry.ci.openshift.org/ocp/4.22:base-rhel9` | `registry.redhat.io/ubi10:10.1` |

Apply similar updates to the other Dockerfile tables.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/rhcos10-ubi10-migration.md` around lines 35 - 56, Update the documented
"Before" image tags to match the actual previous images (replace occurrences of
`4.20` with `4.22` and `golang-1.24` with `golang-1.25`) so the tables for
Dockerfile.e2eprovider, Dockerfile.bats and the primary Dockerfile reflect the
true originals; ensure the same replacements are applied to all three tables and
any inline mentions (e.g., the builder strings like
`registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20`) so
they read
`registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22` where
appropriate.

[PillaiManish]

/test e2e-azure-rhcos10-fips e2e-azure-rhcos10

[openshift-ci]

@PillaiManish: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/fips-image-scan-driver	4bbae6f	link	true	/test fips-image-scan-driver
ci/prow/e2e-azure-rhcos10-fips	4bbae6f	link	false	/test e2e-azure-rhcos10-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.