WIP: Smoke test HAProxy 3.2.19 RPM#792
Conversation
|
Skipping CI for Draft Pull Request. |
|
FYI this is a "vanilla" 3.2 smoke test PR - just to get some green CI runs before integrating HAProxy 3.2 with the sidecar architecture. /assign @jcmoraisjr |
|
Note Currently processing new changes in this PR. This may take a few minutes, please wait... ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
WalkthroughThe Dockerfile for the OpenShift router updates the HAProxy package installed during image build from ChangesHAProxy package update
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Suggested labels
🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@images/router/haproxy/Dockerfile.ocp`:
- Line 3: The RUN instruction that installs
haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm must perform package cache cleanup
in the same layer; update the RUN that currently calls "yum install -y
https://.../haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm" to chain the install
with cache cleanup (e.g., run yum clean all and remove yum caches) in the same
command so no package manager metadata remains in the final image.
- Line 3: The RUN line in Dockerfile.ocp that installs the RPM from a mutable
GitHub branch (the existing RUN yum install ... refs/heads/master URL) must be
replaced with an immutable, verified artifact: point to a pinned artifact URL
(digest or internal Brew/registry artifact) and verify its integrity before
install (e.g., fetch the RPM by digest/checksum or GPG signature, validate
checksum/signature, then run yum install from the verified local file). Ensure
the RPM source is not a branch URL and include checksum or signature validation
steps so the container build only consumes a pinned, trusted package.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: d5e60100-d267-4eaa-9a00-e268af5564b5
📒 Files selected for processing (1)
images/router/haproxy/Dockerfile.ocp
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
♻️ Duplicate comments (2)
images/router/haproxy/Dockerfile.ocp (2)
3-5:⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy liftUse an immutable, verified RPM source instead of a mutable GitHub branch URL.
Line 3 installs an RPM from
refs/heads/master, which is mutable and not integrity-checked. If that artifact changes upstream, the build can silently consume untrusted content, including RPM scriptlets executed during install.🔒 Recommended hardening change
-RUN curl -fLo /tmp/haproxy32.rpm https://github.com/gcs278/openshift-hacks/raw/refs/heads/master/haproxy-builds/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm && \ - yum install -y /tmp/haproxy32.rpm && \ - rm -f /tmp/haproxy32.rpm +RUN curl -fsSL -o /tmp/haproxy32.rpm https://<immutable-artifact-url>/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm && \ + echo "<sha256> /tmp/haproxy32.rpm" | sha256sum -c - && \ + yum install -y /tmp/haproxy32.rpm && \ + rm -f /tmp/haproxy32.rpm && \ + yum clean allAs per coding guidelines, container artifacts should follow immutable pinning principles: "non-RH images: pin by digest".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/router/haproxy/Dockerfile.ocp` around lines 3 - 5, The RUN step that curls an RPM from a mutable GitHub branch (the line starting with "RUN curl -fLo /tmp/haproxy32.rpm ... refs/heads/master") must be replaced with an immutable, verified artifact fetch: point the download to a pinned release URL (tag or commit SHA) or a trusted registry with a digest, and verify integrity before install (e.g., check a SHA256 checksum or GPG signature of haproxy32.rpm) instead of relying on refs/heads/master; update the RUN command to download the pinned URL, validate the file, then install and remove it.Source: Coding guidelines
3-5:⚠️ Potential issue | 🟠 Major | ⚡ Quick winClean yum metadata in the same layer as the RPM install.
The
yum installdoes not runyum clean allin the same RUN layer, so cache and metadata remain in that layer and bloat the final image.🧹 Proposed fix
RUN curl -fLo /tmp/haproxy32.rpm https://github.com/gcs278/openshift-hacks/raw/refs/heads/master/haproxy-builds/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm && \ yum install -y /tmp/haproxy32.rpm && \ - rm -f /tmp/haproxy32.rpm + rm -f /tmp/haproxy32.rpm && \ + yum clean allAs per coding guidelines: "No package manager cache in final layer".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/router/haproxy/Dockerfile.ocp` around lines 3 - 5, The RUN layer that downloads and installs /tmp/haproxy32.rpm leaves yum metadata behind; modify the RUN that currently runs curl && yum install -y /tmp/haproxy32.rpm && rm -f /tmp/haproxy32.rpm to also run the yum cleanup (e.g., yum clean all && rm -rf /var/cache/yum or equivalent) in the same RUN chain so package manager cache/metadata are removed before the layer is committed; target the RUN instruction that handles /tmp/haproxy32.rpm in Dockerfile.ocp to implement this change.Sources: Coding guidelines, Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In `@images/router/haproxy/Dockerfile.ocp`:
- Around line 3-5: The RUN step that curls an RPM from a mutable GitHub branch
(the line starting with "RUN curl -fLo /tmp/haproxy32.rpm ...
refs/heads/master") must be replaced with an immutable, verified artifact fetch:
point the download to a pinned release URL (tag or commit SHA) or a trusted
registry with a digest, and verify integrity before install (e.g., check a
SHA256 checksum or GPG signature of haproxy32.rpm) instead of relying on
refs/heads/master; update the RUN command to download the pinned URL, validate
the file, then install and remove it.
- Around line 3-5: The RUN layer that downloads and installs /tmp/haproxy32.rpm
leaves yum metadata behind; modify the RUN that currently runs curl && yum
install -y /tmp/haproxy32.rpm && rm -f /tmp/haproxy32.rpm to also run the yum
cleanup (e.g., yum clean all && rm -rf /var/cache/yum or equivalent) in the same
RUN chain so package manager cache/metadata are removed before the layer is
committed; target the RUN instruction that handles /tmp/haproxy32.rpm in
Dockerfile.ocp to implement this change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: c88616bc-de9b-422c-a972-793668d3b076
📒 Files selected for processing (1)
images/router/haproxy/Dockerfile.ocp
|
/test ? |
|
/test e2e-metal-ipi-ovn-dualstack |
|
/test ? |
|
/test e2e-metal-ipi-ovn-dualstack |
|
/retest |
b83f1e1 to
2268fb3
Compare
|
We've typically done some aggregate E2E to expose any flakes in the past with new HAProxy versions: /payload-aggregate periodic-ci-openshift-release-master-ci-5.0-e2e-aws-ovn 5 |
|
@gcs278: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command |
|
whoops I forgot to start the perf tests: |
image approach (no sidecar yet) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2268fb3 to
d30e595
Compare
|
/test e2e-metal-ipi-ovn-dualstack |
|
Caution Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted. Error details |
|
fips failed Metal has a install failure, that is a bit weird: |
|
FIPs seems unrelated to promethesus failure: /test e2e-aws-fips Metal seems to be permafailing on installation. Not sure why. |
|
claude says metal is infra failure: /test e2e-metal-ipi-ovn-router |
|
Another perf & scale run, and comparing to difference baselines:
Still showing up to 12-15% regression in encrypt. This is above our general threshold (~5%) for concern. Something we should probably look into. CC @rhamini3 @jcmoraisjr |
|
FIPs has failed again on a different issue, but neither seem related to haproxy ingress: /test e2e-aws-fips Metal still has an install failure: |
|
/test okd-scos-images |
|
unrelated failures, and okd images should be resolved now: |
|
/test okd-scos-images |
|
/test e2e-metal-ipi-ovn-dualstack |
|
@gcs278: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
unrelated |
|
/payload-job periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-upgrade |
|
@gcs278: An error was encountered. No known errors were detected, please see the full error message for details. Full error message.
could not check if the user gcs278 is trusted for pull request openshift/router#792: error checking gcs278 for trust: error in IsMember(openshift): net/http: request canceled (Client.Timeout or context cancellation while reading body)
Please contact an administrator to resolve this issue. |
|
/payload-job periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-upgrade |
|
@gcs278: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/e9818400-81e1-11f1-8065-a9274e66889a-0 |
Summary
Smoke test for HAProxy 3.2.19 in the monolithic (non-sidecar) router model.
The
haproxy32-3.2.19RPM is already available in the yum repo but is currently unused. This PR switches the monolithic router image to installhaproxy32instead ofhaproxy28, allowing us to smoke test HAProxy 3.2 in CI before it is formally adopted.Summary by CodeRabbit