Periodic sync of supported OCP samples

[aroyoredhat]

Syncing the latest supported OCP samples from the library.

Created using https://github.com/aroyoredhat/trigger-test-samples-build

Summary by CodeRabbit

• Bug Fixes

  • Fixed missing container image references in Rails deployment templates across all architectures.

• Chores

  • Updated Node.js to version 22 (removed version 20 support).
  • Added PHP 8.4 support on UBI 10; updated default to PHP 8.4.
  • Added Perl 5.32 on UBI 8.
  • Updated Python runtimes: removed 3.11 and 3.12 on UBI 8; removed 3.11 on UBI 9.

[coderabbitai]

Walkthrough

Set explicit images in rails-pgsql templates and update ImageStream tag sets: Node.js 20-* → 22-*, add PHP 8.4-ubi10 and repoint latest, add Perl 5.32-ubi8, and remove specific Python UBI tag entries across architecture-specific manifests.

Changes

Container Image Template Variables

Layer / File(s)	Summary
Rails & PostgreSQL Image Configuration assets/operator/ocp-aarch64/rails/templates/rails-pgsql-persistent.json, assets/operator/ocp-ppc64le/rails/templates/rails-pgsql-persistent.json, assets/operator/ocp-s390x/rails/templates/rails-pgsql-persistent.json, assets/operator/ocp-x86_64/rails/templates/rails-pgsql-persistent.json	spec.template.spec.containers[0].image set to ${NAME}:latest for Rails main container and initContainers[0].image set to ${NAME}:latest; PostgreSQL container image set to postgresql:${POSTGRESQL_VERSION} across all four templates.

ImageStream Tag Updates

Layer / File(s)	Summary
Node.js ImageStream tag replacements assets/operator/ocp-aarch64/nodejs/imagestreams/nodejs-rhel-aarch64.json, assets/operator/ocp-ppc64le/nodejs/imagestreams/nodejs-rhel.json, assets/operator/ocp-s390x/nodejs/imagestreams/nodejs-rhel.json, assets/operator/ocp-x86_64/nodejs/imagestreams/nodejs-rhel.json	Removed Node.js 20-* UBI8/UBI9 (including -minimal) tag entries and replaced/shifted them to Node.js 22-* variants; added 22 UBI10 tags on x86_64 where applicable; latest continues to reference a 22-ubi9 tag where present.
PHP ImageStream 8.4 addition and latest repointing assets/operator/ocp-aarch64/php/imagestreams/php-rhel-aarch64.json, assets/operator/ocp-ppc64le/php/imagestreams/php-rhel.json, assets/operator/ocp-s390x/php/imagestreams/php-rhel.json, assets/operator/ocp-x86_64/php/imagestreams/php-rhel.json	Added 8.4-ubi10 ImageStreamTag entries pointing to registry.redhat.io/ubi10/php-84:latest and updated the latest ImageStreamTag metadata/from to reference 8.4-ubi10 (PHP 8.4).
Perl ImageStream 5.32-ubi8 additions assets/operator/ocp-aarch64/perl/imagestreams/perl-rhel-aarch64.json, assets/operator/ocp-ppc64le/perl/imagestreams/perl-rhel.json, assets/operator/ocp-s390x/perl/imagestreams/perl-rhel.json, assets/operator/ocp-x86_64/perl/imagestreams/perl-rhel.json	Inserted 5.32-ubi8 ImageStream tag entries referencing registry.redhat.io/ubi8/perl-532:latest with referencePolicy.type: Local across architectures.
Python ImageStream tag removals assets/operator/ocp-aarch64/python/imagestreams/python-rhel-aarch64.json, assets/operator/ocp-ppc64le/python/imagestreams/python-rhel.json, assets/operator/ocp-s390x/python/imagestreams/python-rhel.json, assets/operator/ocp-x86_64/python/imagestreams/python-rhel.json	Removed specific UBI tag entries (3.11-ubi8, 3.12-ubi8, 3.11-ubi9) so the spec.tags arrays transition to the next UBI tag entries (e.g., 3.9-ubi9, 3.12-ubi9).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	❓ Inconclusive	This repository uses standard Go testing (testing.T), not Ginkgo framework. No Ginkgo imports, Describe/It blocks, or gomega assertions found anywhere in the codebase.	Clarify if check applies only to Ginkgo tests, or should be adapted for standard Go test patterns using testing.T and subtests.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Periodic sync of supported OCP samples' accurately describes the main change: updating OpenShift Container Platform samples templates and imagestreams across multiple architectures.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo tests; uses standard Go testing framework with stable, descriptive test names only.
Microshift Test Compatibility	✅ Passed	This PR adds no new Ginkgo e2e tests. It only modifies JSON asset files (OpenShift templates and imagestream definitions), so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; only JSON configuration files (templates and imagestreams) are modified.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies OpenShift sample templates and ImageStreams (container images and tags). No scheduling constraints, operator code, or deployment manifests changed.
Ote Binary Stdout Contract	✅ Passed	PR contains only JSON configuration file changes (20 OpenShift manifests); no Go source code, test code, or executable code is modified, making the OTE Binary Stdout Contract check inapplicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR contains no new Ginkgo e2e tests. It only updates JSON templates and imagestream configuration files for OCP samples, so the IPv6/disconnected network compatibility check is not applicable.
No-Weak-Crypto	✅ Passed	PR modifies only JSON configuration files (OpenShift templates/ImageStreams), not source code; no cryptographic implementations, algorithms, or secret comparisons present.
Container-Privileges	✅ Passed	No privileged containers, host access, SYS_ADMIN, allowPrivilegeEscalation, or root containers detected in PR. Changes limited to image references and tag updates.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains only JSON configuration/manifest files with no logging statements, no code files, and no exposure of actual sensitive data; uses proper variable references for secrets.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aroyoredhat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [aroyoredhat]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/operator/ocp-aarch64/php/imagestreams/php-rhel-aarch64.json`:
- Around line 166-176: Verify that the backing image referenced by the PHP 8.4
(Latest) imagestream is actually available and pullable: check
registry.redhat.io for registry.redhat.io/ubi10/php-84:latest and attempt a
docker/podman pull (using Red Hat credentials if required); if the image is
missing or not accessible, update the imagestream "from.name" value (currently
"8.4-ubi10") to a valid ImageStreamTag or explicit image reference that exists,
or add a note in the imagestream metadata documenting that Red Hat registry
credentials are required and provide the correct pullspec to avoid deployment
failures.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 61022e20-2acf-4d92-b17b-3e93898b2550

📥 Commits

Reviewing files that changed from the base of the PR and between e4a284d and 7a9f263.

📒 Files selected for processing (12)

• assets/operator/ocp-aarch64/nodejs/imagestreams/nodejs-rhel-aarch64.json
• assets/operator/ocp-aarch64/php/imagestreams/php-rhel-aarch64.json
• assets/operator/ocp-aarch64/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-ppc64le/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-ppc64le/php/imagestreams/php-rhel.json
• assets/operator/ocp-ppc64le/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-s390x/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-s390x/php/imagestreams/php-rhel.json
• assets/operator/ocp-s390x/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-x86_64/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-x86_64/php/imagestreams/php-rhel.json
• assets/operator/ocp-x86_64/rails/templates/rails-pgsql-persistent.json

💤 Files with no reviewable changes (4)

• assets/operator/ocp-ppc64le/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-s390x/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-x86_64/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-aarch64/nodejs/imagestreams/nodejs-rhel-aarch64.json

[aroyoredhat]

/retest-required

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/operator/ocp-ppc64le/perl/imagestreams/perl-rhel.json`:
- Line 50: The image entry "registry.redhat.io/ubi8/perl-532:latest" currently
shows as reachable at the manifest endpoint but requires authenticated pulls
(anonymous returns 401); update the image accessibility check and documentation
to require verifying an authenticated pull: log into registry.redhat.io (e.g.,
podman login or skopeo login), then run podman pull or skopeo inspect against
registry.redhat.io/ubi8/perl-532:latest to confirm success, and annotate the
asset (or README) to state that a valid Red Hat pull secret/credentials are
required for deployment (include the existing README link
https://github.com/sclorg/s2i-perl-container/blob/master/5.32/README.md as
reference).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f171a372-d6b0-4e4e-b2d3-d35a949a2e78

📥 Commits

Reviewing files that changed from the base of the PR and between 7a9f263 and f0e2efb.

📒 Files selected for processing (20)

• assets/operator/ocp-aarch64/nodejs/imagestreams/nodejs-rhel-aarch64.json
• assets/operator/ocp-aarch64/perl/imagestreams/perl-rhel-aarch64.json
• assets/operator/ocp-aarch64/php/imagestreams/php-rhel-aarch64.json
• assets/operator/ocp-aarch64/python/imagestreams/python-rhel-aarch64.json
• assets/operator/ocp-aarch64/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-ppc64le/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-ppc64le/perl/imagestreams/perl-rhel.json
• assets/operator/ocp-ppc64le/php/imagestreams/php-rhel.json
• assets/operator/ocp-ppc64le/python/imagestreams/python-rhel.json
• assets/operator/ocp-ppc64le/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-s390x/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-s390x/perl/imagestreams/perl-rhel.json
• assets/operator/ocp-s390x/php/imagestreams/php-rhel.json
• assets/operator/ocp-s390x/python/imagestreams/python-rhel.json
• assets/operator/ocp-s390x/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-x86_64/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-x86_64/perl/imagestreams/perl-rhel.json
• assets/operator/ocp-x86_64/php/imagestreams/php-rhel.json
• assets/operator/ocp-x86_64/python/imagestreams/python-rhel.json
• assets/operator/ocp-x86_64/rails/templates/rails-pgsql-persistent.json

💤 Files with no reviewable changes (8)

• assets/operator/ocp-ppc64le/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-s390x/python/imagestreams/python-rhel.json
• assets/operator/ocp-s390x/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-aarch64/python/imagestreams/python-rhel-aarch64.json
• assets/operator/ocp-aarch64/nodejs/imagestreams/nodejs-rhel-aarch64.json
• assets/operator/ocp-ppc64le/python/imagestreams/python-rhel.json
• assets/operator/ocp-x86_64/nodejs/imagestreams/nodejs-rhel.json
• assets/operator/ocp-x86_64/python/imagestreams/python-rhel.json

✅ Files skipped from review due to trivial changes (1)

• assets/operator/ocp-aarch64/perl/imagestreams/perl-rhel-aarch64.json

🚧 Files skipped from review as they are similar to previous changes (8)

• assets/operator/ocp-ppc64le/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-x86_64/php/imagestreams/php-rhel.json
• assets/operator/ocp-s390x/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-aarch64/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-x86_64/rails/templates/rails-pgsql-persistent.json
• assets/operator/ocp-ppc64le/php/imagestreams/php-rhel.json
• assets/operator/ocp-s390x/php/imagestreams/php-rhel.json
• assets/operator/ocp-aarch64/php/imagestreams/php-rhel-aarch64.json

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the Perl 5.32 UBI8 container image is available

echo "Checking if the Perl 5.32 UBI8 image is accessible..."

# Use skopeo to inspect the image manifest without pulling
skopeo inspect docker://registry.redhat.io/ubi8/perl-532:latest --format "Image exists: {{.Name}}:{{.Tag}}, Digest: {{.Digest}}" || echo "ERROR: Image not accessible"

Repository: openshift/cluster-samples-operator

Length of output: 223

---

🏁 Script executed:

#!/bin/bash
# Verify the documentation URL is accessible

echo "Checking README URL..."
curl -sL -w "\nHTTP Status: %{http_code}\n" -o /dev/null "https://github.com/sclorg/s2i-perl-container/blob/master/5.32/README.md"

Repository: openshift/cluster-samples-operator

Length of output: 119

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo_root="."
img="registry.redhat.io/ubi8/perl-532:latest"
file="assets/operator/ocp-ppc64le/perl/imagestreams/perl-rhel.json"

echo "== File snippet (around $file:50) =="
nl -ba "$file" | sed -n '40,60p'

echo "== Repo-wide references to the image tag =="
rg -n --fixed-string "$img" . || true

echo "== Direct registry manifest probe (no auth) =="
# This will typically return 401 (auth required) or 404 (not found). Both are useful signals.
# For consistency, try both `latest` and `v2/.../manifests/latest`.
url="https://registry.redhat.io/v2/ubi8/perl-532/manifests/latest"
curl -sS -o /dev/null -D - -w "HTTP_CODE=%{http_code}\n" "$url" || true

Repository: openshift/cluster-samples-operator

Length of output: 231

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file="assets/operator/ocp-ppc64le/perl/imagestreams/perl-rhel.json"
img="registry.redhat.io/ubi8/perl-532:latest"

echo "== JSON snippet around referenced line (approx 45-55) =="
sed -n '45,55p' "$file" || true

echo
echo "== Repo-wide references to the exact image string =="
if command -v rg >/dev/null 2>&1; then
  rg -n --fixed-string "$img" . || true
else
  grep -RIn --fixed-string "$img" . || true
fi

echo
echo "== Direct registry manifest probe (no auth) =="
url="https://registry.redhat.io/v2/ubi8/perl-532/manifests/latest"
# Capture status line + any error body (short) to distinguish 404 vs 401 vs others.
curl -sS -D - \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  --max-time 30 \
  "$url" | head -n 40 || true

Repository: openshift/cluster-samples-operator

Length of output: 1448

---

🌐 Web query:

Does registry.redhat.io/ubi8/perl-532:latest exist (UBI8 Perl 5.32 image tag), and what is the correct tag name?

💡 Result:

Yes, the ubi8/perl-532 image exists in the Red Hat container registry [1][2][3]. The correct image path to use is registry.redhat.io/ubi8/perl-532 [1][2]. For container images, the "latest" tag is frequently used to point to the most recent version of an image stream [2]. While you can use registry.redhat.io/ubi8/perl-532:latest, Red Hat container images are also frequently versioned with specific release tags to ensure build reproducibility [1][4][5][6]. You can verify the specific tags available for this image by consulting the Red Hat Ecosystem Catalog or by using container CLI tools to inspect the repository [2][7].

Citations:

• 1: https://access.redhat.com/errata/RHBA-2025:8445
• 2: https://catalog.redhat.com/en/software/containers/ubi8/perl-532/61f7a138ba9e057a1e43ca6a
• 3: https://ftp.redhat.com/pub/redhat/containers/ubi8/
• 4: https://access.redhat.com/errata/RHBA-2025:2759
• 5: https://access.redhat.com/errata/RHBA-2025:0800
• 6: https://access.redhat.com/errata/RHBA-2023:4550
• 7: https://access.redhat.com/articles/4238681

---

Update image accessibility check: confirm pull with registry auth (401 ≠ missing)

• registry.redhat.io/ubi8/perl-532:latest resolves at the manifest endpoint, but anonymous access returns 401 UNAUTHORIZED (Bearer auth required), so deployment success depends on having valid pull credentials/pull secret.
• README link https://github.com/sclorg/s2i-perl-container/blob/master/5.32/README.md returns HTTP 200.

Suggested follow-up check: run the pull/inspect after logging in (e.g., podman login registry.redhat.io or skopeo login ... with appropriate credentials), then confirm podman pull registry.redhat.io/ubi8/perl-532:latest (or skopeo inspect ...) succeeds.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/operator/ocp-ppc64le/perl/imagestreams/perl-rhel.json` at line 50, The
image entry "registry.redhat.io/ubi8/perl-532:latest" currently shows as
reachable at the manifest endpoint but requires authenticated pulls (anonymous
returns 401); update the image accessibility check and documentation to require
verifying an authenticated pull: log into registry.redhat.io (e.g., podman login
or skopeo login), then run podman pull or skopeo inspect against
registry.redhat.io/ubi8/perl-532:latest to confirm success, and annotate the
asset (or README) to state that a valid Red Hat pull secret/credentials are
required for deployment (include the existing README link
https://github.com/sclorg/s2i-perl-container/blob/master/5.32/README.md as
reference).

[openshift-ci]

@aroyoredhat: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws	f0e2efb	link	true	/test e2e-aws
ci/prow/unit	f0e2efb	link	true	/test unit
ci/prow/e2e-aws-ovn-image-ecosystem	f0e2efb	link	true	/test e2e-aws-ovn-image-ecosystem

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.