Skip to content

NE-2218: Build images for haproxy 2.8 and 3.2#81286

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
jcmoraisjr:NE-2218-haproxy-images
Jul 1, 2026
Merged

NE-2218: Build images for haproxy 2.8 and 3.2#81286
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
jcmoraisjr:NE-2218-haproxy-images

Conversation

@jcmoraisjr

@jcmoraisjr jcmoraisjr commented Jun 30, 2026

Copy link
Copy Markdown
Member

Build new images for HAProxy 2.8 and HAProxy 3.2. These are new images split from the router, added as a sidecar of the router pod.

https://redhat.atlassian.net/browse/NE-2218

Summary by CodeRabbit

This PR updates OpenShift CI router configuration to produce additional HAProxy-specific router image variants for HAProxy 2.8 and 3.2. It adds two new build entries wired to images/router/haproxy28/Dockerfile.ocp and images/router/haproxy32/Dockerfile.ocp, generating image targets haproxy-router-haproxy28 and haproxy-router-haproxy32 across the router master and supported release streams (4.23, 5.0, 5.1).

It also extends the OKD SCOS router configuration (openshift-router-master__okd-scos.yaml) to build these same HAProxy 2.8/3.2 variants for the origin_scos-4.22 base, and updates the image mirroring config (core-services/image-mirroring/openshift/mapping_origin_scos-4_22) to map the new 4.22 tags to the corresponding quay.io/openshift/origin-haproxy-router-haproxy28:4.22.0 and ...haproxy32:4.22.0 images.

CI workflow notes from the openshift-ci-robot/job rehearsal include validation of Jira NE-2218 and requests to rehearse image-related jobs (notably router release image builds/verify/unit flows for 4.23 and 5.0, plus OKD SCOS images).

Build new images for HAProxy 2.8 and HAProxy 3.2. These are new images
split from the router, added as a sidecar of the router pod.

https://redhat.atlassian.net/browse/NE-2218
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 30, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@jcmoraisjr: This pull request references NE-2218 which is a valid jira issue.

Details

In response to this:

Build new images for HAProxy 2.8 and HAProxy 3.2. These are new images split from the router, added as a sidecar of the router pod.

https://redhat.atlassian.net/browse/NE-2218

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 213aa79d-f37d-4906-827b-5da46e5f03d5

📥 Commits

Reviewing files that changed from the base of the PR and between 16c31d4 and 4a429bc.

⛔ Files ignored due to path filters (8)
  • ci-operator/jobs/openshift/router/openshift-router-master-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/router/openshift-router-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/router/openshift-router-release-4.23-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/router/openshift-router-release-4.23-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/router/openshift-router-release-5.0-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/router/openshift-router-release-5.0-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/router/openshift-router-release-5.1-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/router/openshift-router-release-5.1-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (6)
  • ci-operator/config/openshift/router/openshift-router-master.yaml
  • ci-operator/config/openshift/router/openshift-router-master__okd-scos.yaml
  • ci-operator/config/openshift/router/openshift-router-release-4.23.yaml
  • ci-operator/config/openshift/router/openshift-router-release-5.0.yaml
  • ci-operator/config/openshift/router/openshift-router-release-5.1.yaml
  • core-services/image-mirroring/openshift/mapping_origin_scos-4_22
✅ Files skipped from review due to trivial changes (2)
  • core-services/image-mirroring/openshift/mapping_origin_scos-4_22
  • ci-operator/config/openshift/router/openshift-router-release-5.1.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
  • ci-operator/config/openshift/router/openshift-router-master__okd-scos.yaml
  • ci-operator/config/openshift/router/openshift-router-release-5.0.yaml
  • ci-operator/config/openshift/router/openshift-router-master.yaml
  • ci-operator/config/openshift/router/openshift-router-release-4.23.yaml

Walkthrough

OpenShift router CI configs add haproxy-router-haproxy28 and haproxy-router-haproxy32 image items, and SCOS image mirroring adds matching origin_scos-4.22 mappings for those targets.

Changes

Router HAProxy image variants

Layer / File(s) Summary
CI image items
ci-operator/config/openshift/router/openshift-router-master.yaml, ci-operator/config/openshift/router/openshift-router-master__okd-scos.yaml, ci-operator/config/openshift/router/openshift-router-release-4.23.yaml, ci-operator/config/openshift/router/openshift-router-release-5.0.yaml, ci-operator/config/openshift/router/openshift-router-release-5.1.yaml
Each router config adds images.items entries for images/router/haproxy28/Dockerfile.ocp and images/router/haproxy32/Dockerfile.ocp, producing haproxy-router-haproxy28 and haproxy-router-haproxy32 targets.
SCOS image mapping
core-services/image-mirroring/openshift/mapping_origin_scos-4_22
The origin_scos-4.22 mapping adds entries for quay.io/openshift/ci:origin_scos-4.22_haproxy-router-haproxy28 and ...-haproxy32 to the corresponding quay.io/openshift/origin-haproxy-router-haproxy28:4.22.0 and ...-haproxy32:4.22.0 images.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested labels: rehearsals-ack

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding build images for HAProxy 2.8 and 3.2.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only router/image-mirroring YAML configs changed; no Go/Ginkgo test titles were added or modified.
Test Structure And Quality ✅ Passed PR only updates CI image config and mirroring YAML; no Ginkgo test code or test logic was changed, so this check is not applicable.
Microshift Test Compatibility ✅ Passed The PR only adds CI image/job YAML entries; no new Ginkgo e2e test code or MicroShift-unsafe test logic was introduced.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The PR only edits ci-operator/image-mirroring YAML; no Go/Ginkgo tests were added, so there’s no new SNO compatibility risk to assess.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: Only CI image-build and image-mirroring YAML changed; no deployment manifests, operator code, or controller scheduling logic was modified.
Ote Binary Stdout Contract ✅ Passed Only CI YAML and image-mirroring config files changed; no Go/binary process code or stdout writes were introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Touched files only add image-build and mirroring YAML entries; no Ginkgo tests or network code were added.
No-Weak-Crypto ✅ Passed Touched files are CI/mirroring YAML only; scans found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons.
Container-Privileges ✅ Passed Edited configs only add new image targets; no privileged, hostPID/Network/IPC, allowPrivilegeEscalation, or SYS_ADMIN settings appear in the changed manifests.
No-Sensitive-Data-In-Logs ✅ Passed Changed files are CI/mirroring YAML only; scans found no passwords/tokens/PII or other sensitive data in added lines.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 30, 2026
@openshift-ci openshift-ci Bot requested review from bentito and rfredette June 30, 2026 17:29
@gcs278

gcs278 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

/pj-rehearse pull-ci-openshift-router-release-5.0-images

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@gcs278: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@gcs278

gcs278 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

/pj-rehearse pull-ci-openshift-router-release-4.23-images

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@gcs278: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@gcs278

gcs278 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

There isn't any reason we need to run any of the real CI jobs - these images are no-ops, but I guess it doesn't hurt to run the verify and unit tests:

/pj-rehearse pull-ci-openshift-router-release-4.23-unit
/pj-rehearse pull-ci-openshift-router-release-4.23-verify
/pj-rehearse pull-ci-openshift-router-release-4.23-verify-deps

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@gcs278: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@gcs278: requesting more than one rehearsal in one comment is not supported. If you would like to rehearse multiple specific jobs, please separate the job names by a space in a single command.

1 similar comment
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@gcs278: requesting more than one rehearsal in one comment is not supported. If you would like to rehearse multiple specific jobs, please separate the job names by a space in a single command.

@gcs278

gcs278 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

The okd-scos jobs on master (okd-scos-e2e-aws-ovn, okd-scos-images in presubmits, and okd-scos-images in postsubmits) have images/router/haproxy/Dockerfile.ocp in sparse_checkout_files but are missing the new haproxy28/ and haproxy32/ Dockerfiles. Should we add the new images there too?

@jcmoraisjr jcmoraisjr force-pushed the NE-2218-haproxy-images branch from 809c15b to 16c31d4 Compare July 1, 2026 12:23
@jcmoraisjr

Copy link
Copy Markdown
Member Author

The okd-scos jobs on master ... are missing the new haproxy28/ and haproxy32/ Dockerfiles. Should we add the new images there too?

Good catch. Those files are updated via make jobs and I made them to add haproxy28/32 changing openshift-router-master__okd-scos.yaml as you can see in diff. Does this change make sense?

@gcs278

gcs278 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

/pj-rehearse pull-ci-openshift-router-master-okd-scos-images

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@gcs278: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@gcs278

gcs278 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@jcmoraisjr might want to check the failure here:

ERROR: run 'make openshift-image-mirror-mappings' if the promote tags to the ocp or origin namespaces are changed in the pull request

@jcmoraisjr jcmoraisjr force-pushed the NE-2218-haproxy-images branch from 16c31d4 to 4a429bc Compare July 1, 2026 13:41
@jcmoraisjr

Copy link
Copy Markdown
Member Author

ERROR: run 'make openshift-image-mirror-mappings' if ...

Yea in fact I missed this one, just ran and pushed the update.

@openshift-ci openshift-ci Bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026
@gcs278

gcs278 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

So I wonder if this origin_scos-4.22_base-stream9 is why the okd images job was failing on openshift/router#792:

  - build_args:
    - name: TAGS
      value: scos
    dockerfile_path: images/router/base/Dockerfile.ocp
    from: origin_scos-4.22_base-stream9
    to: haproxy-router-base

/pj-rehearse pull-ci-openshift-router-master-okd-scos-images

@jcmoraisjr if this fails to find the new HAProxy 32 RPM, maybe we should try bumping to 5.0? Let's wait and see.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@gcs278: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@gcs278

gcs278 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@jcmoraisjr can we try bumping okd-scos-images to 5.0 as a test? it's not finding the haproxy32 RPM as I suspected:
Error: Unable to find a match: haproxy32

@gcs278

gcs278 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

NVM @jcmoraisjr sorry i just saw your message

@jcmoraisjr jcmoraisjr force-pushed the NE-2218-haproxy-images branch from 4a429bc to 809c15b Compare July 1, 2026 14:21
@jcmoraisjr

Copy link
Copy Markdown
Member Author

@jcmoraisjr can we try bumping okd-scos-images to 5.0 as a test? it's not finding the haproxy32 RPM as I suspected:
Error: Unable to find a match: haproxy32

It seems we cannot change its version manually without impacting other builds, so reverting the OKD related changes for now as we talked, let's followup with them and add another PR after that.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@jcmoraisjr: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-router-master-e2e-agnostic openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-e2e-aws-fips openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-e2e-aws-serial-1of2 openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-e2e-aws-serial-2of2 openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-e2e-metal-ipi-ovn-dualstack openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-e2e-metal-ipi-ovn-ipv6 openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-e2e-metal-ipi-ovn-router openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-e2e-upgrade openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-fips-image-scan-haproxy-router openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-images openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-okd-scos-e2e-aws-ovn openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-okd-scos-images openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-perfscale-aws-fips-ingress-perf openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-perfscale-aws-ingress-perf openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-unit openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-verify openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-master-verify-deps openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-release-5.0-e2e-agnostic openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-release-5.0-e2e-aws-fips openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-release-5.0-e2e-aws-serial-1of2 openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-release-5.0-e2e-aws-serial-2of2 openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-release-5.0-e2e-metal-ipi-ovn-dualstack openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-release-5.0-e2e-metal-ipi-ovn-ipv6 openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-release-5.0-e2e-metal-ipi-ovn-router openshift/router presubmit Ci-operator config changed
pull-ci-openshift-router-release-5.0-e2e-upgrade openshift/router presubmit Ci-operator config changed

A total of 62 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@jcmoraisjr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/rehearse/openshift/router/master/okd-scos-images 4a429bc link unknown /pj-rehearse pull-ci-openshift-router-master-okd-scos-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gcs278

gcs278 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

I think we can move forward while we fix the existing OKD issue.

As a side note: you can post PRs with using your openshift/api development branch (jcmoraisjr/api) to vendor the FG and API to get early reviews, and early CI coverage using these new images. I do this often because the API review can be slow.

You can apply the /pj-rehearse ack label when you are ready. That's acknowledging that you tested the impact on CI of this change. I ran the pull-ci-openshift-router-release-5.0-images jobs to make sure the images are building. I don't think we need to run a full CI jobs (like e2e-aws-ovn), as no logic/deployment/code is using the new images, they are NO-OPs until you have the implementation PR ready. So it feels pretty safe.

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2026
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gcs278, jcmoraisjr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jcmoraisjr

Copy link
Copy Markdown
Member Author

@gcs278 Thanks for all the help with tests and reviews on this PR. I think we're good to move forward.

/pj-rehearse ack

you can post PRs with using your openshift/api development branch

Sure that's the plan, the idea is to make this as soon as FG is merged (just missing CI) so I can rebase the API and vendor that branch having both changes - or otherwise creating another branch having both changes in case FG PR insists to fail.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@jcmoraisjr: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 1, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 2cf8ceb into openshift:main Jul 1, 2026
19 checks passed
@jcmoraisjr jcmoraisjr deleted the NE-2218-haproxy-images branch July 1, 2026 16:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. rehearsals-ack Signifies that rehearsal jobs have been acknowledged

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants