Periodic sync of OKD samples #683

Open: aroyoredhat wants to merge 1 commit into openshift:main from aroyoredhat:periodic-okd-sync

@aroyoredhat aroyoredhat commented Mar 30, 2026

Syncing the latest samples from the library to OKD.

Created using https://github.com/aroyoredhat/trigger-test-samples-build

Summary by CodeRabbit

  • Chores
    • Open Liberty updated to version 26.0.0.5 across Java 8, 11, 17, and 21
    • Node.js version 22 now available; version 20 support removed
    • PHP 8.4 added for UBI 10
    • Rails and PostgreSQL deployment container images explicitly configured

coderabbitai Bot commented Mar 30, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Bump Open Liberty ImageStream tags to 26.0.0.5 for Java 8/11/17/21; replace Node.js 20 tags with Node.js 22 variants for UBI8/UBI9; add PHP 8.4 on UBI10 ImageStream tag; set explicit Rails and PostgreSQL container images in deployment templates.

Changes

ImageStream & template updates

| Layer / File(s) | Summary |
| --- | --- |
| Open Liberty ImageStream tag bump: `assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json` | Bumped spec.tags names to `26.0.0.5-<java>`, updated openshift.io/display-name annotations, and updated from.name S2I image references to `icr.io/appcafe/open-liberty-s2i:26.0.0.5-<java>` for Java 8, 11, 17, 21. |
| Node.js ImageStream tag replacement: `assets/operator/okd-x86_64/nodejs/imagestreams/nodejs-centos.json` | Removed Node.js 20 tag entries for UBI8/UBI9 (standard and -minimal) and replaced them with Node.js 22 variants for the same UBI combinations. |
| PHP ImageStream: add 8.4 on UBI10: `assets/operator/okd-x86_64/php/imagestreams/php-centos.json` | Added 8.4-ubi10 ImageStream tag pointing to `registry.access.redhat.com/ubi10/php-84:latest` with annotations and referencePolicy.type: Local. |
| Rails + PostgreSQL Deployment Templates: `assets/operator/okd-x86_64/rails/templates/rails-pgsql-persistent.json` | Set Rails main and init-container image fields to `${NAME}:latest` and PostgreSQL container image to `postgresql:${POSTGRESQL_VERSION}`. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Ote Binary Stdout Contract | ❌ Error | test/e2e/main_test.go contains 7 fmt.Printf/fmt.Println calls in TestMain and waitForOperator (called from TestMain) at lines 38, 44, 52, 57, 62, 74, 77 which violate the OTE stdout JSON contract. | Replace fmt.Printf/Println with os.Stderr writes or GinkgoWriter; set up log redirection to stderr before any logging in TestMain. |

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Periodic sync of OKD samples' accurately reflects the main objective of the pull request, which involves syncing the latest samples from the library to OKD. The changes across multiple files (Open Liberty, Rails, Node.js, and PHP imagestreams) are all part of this periodic sync operation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR contains no Ginkgo test files or test name definitions. All changes are to static OpenShift manifest/configuration JSON files with deterministic values only. |
| Test Structure And Quality | ✅ Passed | PR contains no Ginkgo tests. Test files added use standard Go testing package (func Test* pattern), not Ginkgo BDD framework. |
| Microshift Test Compatibility | ✅ Passed | PR only modifies JSON configuration files (ImageStream and Template manifests), not Ginkgo e2e test files. Check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No Ginkgo e2e tests are present in this PR; all changes are JSON configuration files (ImageStreams and deployment templates). Check not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | No topology-incompatible scheduling constraints found in ImageStreams or Rails template. No affinity, nodeSelector, tolerations, or PodDisruptionBudgets affecting SNO/TNF/TNA/HyperShift. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Custom check for IPv6/disconnected network test compatibility does not apply; PR modifies only JSON configuration files for OpenShift resources, not Ginkgo e2e tests. |

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from fbm3307 and shannon March 30, 2026 01:17

openshift-ci Bot commented Mar 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aroyoredhat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 30, 2026

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json (1)

17-99: ⚠️ Potential issue | 🔴 Critical

The Docker images for Open Liberty 26.0.0.3 do not exist at the specified registry and must be available before merge.

All four referenced images (26.0.0.3-java8, java11, java17, java21) at icr.io/appcafe/open-liberty-s2i are inaccessible and will cause deployment failures. Either push these images to the registry or revert the version references to available images.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json` around
lines 17 - 99, The image stream entries named "26.0.0.3-java8",
"26.0.0.3-java11", "26.0.0.3-java17", and "26.0.0.3-java21" reference
non-existent images in the from.name fields (e.g.
"icr.io/appcafe/open-liberty-s2i:26.0.0.3-java8") and must be fixed; either push
the corresponding images to icr.io with those tags or update each from.name to a
confirmed available tag (or revert the name fields back to the
last-known-working tag) and ensure the display name annotations
(openshift.io/display-name) stay consistent, then verify by doing a docker pull
of each updated from.name.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json`:
- Around line 17-99: The image stream entries named "26.0.0.3-java8",
"26.0.0.3-java11", "26.0.0.3-java17", and "26.0.0.3-java21" reference
non-existent images in the from.name fields (e.g.
"icr.io/appcafe/open-liberty-s2i:26.0.0.3-java8") and must be fixed; either push
the corresponding images to icr.io with those tags or update each from.name to a
confirmed available tag (or revert the name fields back to the
last-known-working tag) and ensure the display name annotations
(openshift.io/display-name) stay consistent, then verify by doing a docker pull
of each updated from.name.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7a8aae5f-ff07-4d07-8575-f3ac59b443f6

📥 Commits

Reviewing files that changed from the base of the PR and between eeac6ba and aa6d064.

📒 Files selected for processing (1)
  • assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json`:
- Line 29: The Open Liberty ImageStream tag
"icr.io/appcafe/open-liberty-s2i:26.0.0.5-java8" (and the sibling tags for
java11/java17/java21) points to a release affected by CVE-2026-5516; update
these ImageStream entries to reference a fixed release (e.g., change tags to
"26.0.0.6" or later) or annotate the tags to require applying the interim
fix/APAR PH70798 (Liberty fix pack 26.0.0.6+) so consumers will use a remediated
image; locate and update the string constants for
"open-liberty-s2i:26.0.0.5-java8" (and the corresponding java11/java17/java21
tags) in the ImageStream JSON and ensure all tag variants are consistently
updated.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 140320fa-0769-480f-95dd-b104699080e2

📥 Commits

Reviewing files that changed from the base of the PR and between 48571eb and 7a08d32.

📒 Files selected for processing (4)
  • assets/operator/okd-x86_64/nodejs/imagestreams/nodejs-centos.json
  • assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json
  • assets/operator/okd-x86_64/php/imagestreams/php-centos.json
  • assets/operator/okd-x86_64/rails/templates/rails-pgsql-persistent.json
💤 Files with no reviewable changes (1)
  • assets/operator/okd-x86_64/nodejs/imagestreams/nodejs-centos.json
✅ Files skipped from review due to trivial changes (1)
  • assets/operator/okd-x86_64/php/imagestreams/php-centos.json

"from": {
"kind": "DockerImage",
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.2-java8"
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.5-java8"
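
Review bot: the replacement "name" line still points this DockerImage reference at a mutable registry tag (icr.io/appcafe/open-liberty-s2i:26.0.0.5-java8) rather than an @sha256 digest, so the content imported under this ImageStream tag can change upstream with no corresponding change in this file. Consider recording the digest for the image that was actually validated, or state in the PR description that tracking the moving tag is intended. Only the "name" value changes in these lines, so also confirm that the enclosing tag name and its display-name annotation carry the same 26.0.0.5 version and do not drift from this reference.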

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that the Open Liberty 26.0.0.5 image tags exist in the IBM Container Registry

# Check each of the four Java variant tags
for java_version in java8 java11 java17 java21; do
  echo "Checking icr.io/appcafe/open-liberty-s2i:26.0.0.5-${java_version}..."
  
  # Use skopeo to inspect the image manifest (read-only, no pull required)
  if command -v skopeo &> /dev/null; then
    skopeo inspect docker://icr.io/appcafe/open-liberty-s2i:26.0.0.5-${java_version} --raw 2>&1 | head -5
  else
    # Fallback: attempt a manifest check via Docker registry API
    curl -sL -o /dev/null -w "%{http_code}" \
      "https://icr.io/v2/appcafe/open-liberty-s2i/manifests/26.0.0.5-${java_version}" \
      -H "Accept: application/vnd.docker.distribution.manifest.v2+json"
  fi
  echo ""
done

Repository: openshift/cluster-samples-operator

Length of output: 333


🌐 Web query:

Open Liberty 26.0.0.5 release notes security vulnerabilities

💡 Result:

Open Liberty 26.0.0.5 security vulnerabilities (what is explicitly documented/fixed for this release)

1) CVE-2026-5516 (security bypass)
  • Affected versions: Liberty 22.0.0.11–26.0.0.5.
  • Affected features: appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0.
  • Impact summary: remote attacker could bypass security under limited conditions via a timing window.
  • Fix guidance: apply an interim fix / fix pack containing the fix for APAR PH70798, or upgrade to Liberty Fix Pack 26.0.0.6 or later (targeted availability 3Q2026). [1]

2) CVE-2026-29063 (prototype pollution via “immutable” library)
  • IBM security bulletin states Liberty is affected when the immutable library is present and specific mpOpenAPI/openapi features are enabled.
  • Affected versions: 17.0.0.3–26.0.0.3.
  • This means CVE-2026-29063 is not stated as affecting 26.0.0.5 in that bulletin. [2]

3) Additional vendor/Liberty “security fix” fixes may exist in 26.0.0.5, but the official Open Liberty CVE list pages returned in search results do not provide a 26.0.0.5-specific CVE table in the snippets I retrieved.
  • Practical next step (from Open Liberty docs): use the vendor “Security vulnerability (CVE) list” and map CVEs to “Version fixed” and affected Liberty features in your environment. [3]

What you should do for 26.0.0.5 users (actionable)
  • If you run appSecurity-3.0/appSecurity-4.0/appSecurity-5.0 and are on Liberty 26.0.0.5, prioritize remediation for CVE-2026-5516 by applying the interim fix / fix pack containing APAR PH70798 or upgrading to 26.0.0.6+. [1]

Sources used (key): IBM WebSphere Liberty security bulletin for CVE-2026-5516; IBM WebSphere Liberty security bulletin for CVE-2026-29063; Open Liberty documentation explaining the CVE mapping approach.

Citations:


OpenLiberty 26.0.0.5 image tags exist, but require CVE-2026-5516 remediation.

  • Availability: icr.io/appcafe/open-liberty-s2i:26.0.0.5-java{8,11,17,21} all resolve successfully (manifest returns HTTP 200), so the ImageStream tags shouldn’t break due to missing images.
  • Security: Open Liberty 26.0.0.5 is affected by CVE-2026-5516 (security bypass); remediate by applying the interim fix/fix pack containing APAR PH70798 or upgrading to Liberty fix pack 26.0.0.6+ (notably relevant when using appSecurity-3.0/4.0/5.0).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json` at line
29, The Open Liberty ImageStream tag
"icr.io/appcafe/open-liberty-s2i:26.0.0.5-java8" (and the sibling tags for
java11/java17/java21) points to a release affected by CVE-2026-5516; update
these ImageStream entries to reference a fixed release (e.g., change tags to
"26.0.0.6" or later) or annotate the tags to require applying the interim
fix/APAR PH70798 (Liberty fix pack 26.0.0.6+) so consumers will use a remediated
image; locate and update the string constants for
"open-liberty-s2i:26.0.0.5-java8" (and the corresponding java11/java17/java21
tags) in the ImageStream JSON and ensure all tag variants are consistently
updated.
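
The version-range check the comment above describes, as an added example that is not part of the pull request or of CodeRabbit's output: it walks an ImageStream's tags, follows ImageStreamTag aliases, and reports entries whose Open Liberty version falls in the affected range quoted in the thread (22.0.0.11 to 26.0.0.5). The sample manifest, its 26.0.0.6-java21 and latest tags, and all function names are constructed for illustration.

```python
import json
import re

# Affected range for CVE-2026-5516 as quoted in the review thread (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (22, 0, 0, 11), (26, 0, 0, 5)

# Constructed sample: a cut-down ImageStream in the shape of openliberty.json.
SAMPLE = json.loads("""
{
  "spec": {"tags": [
    {"name": "26.0.0.5-java8",
     "from": {"kind": "DockerImage", "name": "icr.io/appcafe/open-liberty-s2i:26.0.0.5-java8"}},
    {"name": "26.0.0.6-java21",
     "from": {"kind": "DockerImage", "name": "icr.io/appcafe/open-liberty-s2i:26.0.0.6-java21"}},
    {"name": "latest",
     "from": {"kind": "ImageStreamTag", "name": "26.0.0.5-java8"}}
  ]}
}
""")

# Four-part version at the end of the reference, optional -javaNN suffix.
TAG_RE = re.compile(r":(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?$")

def liberty_version(image_ref):
    """Return the four-part Liberty version in an image tag, or None."""
    m = TAG_RE.search(image_ref)
    return tuple(int(p) for p in m.groups()) if m else None

def resolve(tag, by_name, seen=()):
    """Follow ImageStreamTag aliases (e.g. 'latest') to a DockerImage ref."""
    src = tag.get("from", {})
    if src.get("kind") == "DockerImage":
        return src.get("name")
    nxt = by_name.get(src.get("name"))
    if src.get("kind") != "ImageStreamTag" or nxt is None or tag["name"] in seen:
        return None  # unknown kind, dangling alias, or alias loop
    return resolve(nxt, by_name, seen + (tag["name"],))

def affected_tags(imagestream):
    """List (tag name, image ref) pairs whose version is in the affected range."""
    tags = imagestream.get("spec", {}).get("tags", [])
    by_name = {t["name"]: t for t in tags}
    hits = []
    for t in tags:
        ref = resolve(t, by_name)
        ver = liberty_version(ref) if ref else None
        if ver and AFFECTED_MIN <= ver <= AFFECTED_MAX:
            hits.append((t["name"], ref))
    return hits
```

References pinned only by digest carry no version in the tag position, so `liberty_version` returns None for them and they need a separate lookup against the registry.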

openshift-ci Bot commented May 25, 2026

@aroyoredhat: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
