Skip to content

Periodic sync of OKD samples #683

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
aroyoredhat wants to merge 1 commit into
base: main
Choose a base branch
from
+36 −141
Open

Periodic sync of OKD samples #683

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
126 changes: 0 additions & 126 deletions assets/operator/okd-x86_64/nodejs/imagestreams/nodejs-centos.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,48 +13,6 @@
"local": false
},
"tags": [
{
"name": "20-ubi8",
"annotations": {
"description": "Build and run Node.js 20 applications on UBI 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/20/README.md.",
"iconClass": "icon-nodejs",
"openshift.io/display-name": "Node.js 20 (UBI 8)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"sampleRepo": "https://github.com/sclorg/nodejs-ex.git",
"tags": "builder,nodejs",
"version": "20"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/ubi8/nodejs-20:latest"
},
"generation": null,
"importPolicy": {},
"referencePolicy": {
"type": "Local"
}
},
{
"name": "20-minimal-ubi8",
"annotations": {
"description": "Build and run Node.js 20-minimal applications on UBI 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/20-minimal/README.md.",
"iconClass": "icon-nodejs",
"openshift.io/display-name": "Node.js 20-minimal (UBI 8)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"sampleRepo": "https://github.com/sclorg/nodejs-ex.git",
"tags": "builder,nodejs",
"version": "20-minimal"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/ubi8/nodejs-20-minimal:latest"
},
"generation": null,
"importPolicy": {},
"referencePolicy": {
"type": "Local"
}
},
{
"name": "22-ubi8",
"annotations": {
Expand Down Expand Up @@ -97,48 +55,6 @@
"type": "Local"
}
},
{
"name": "20-ubi9",
"annotations": {
"description": "Build and run Node.js 20 applications on UBI 9. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/20/README.md.",
"iconClass": "icon-nodejs",
"openshift.io/display-name": "Node.js 20 (UBI 9)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"sampleRepo": "https://github.com/sclorg/nodejs-ex.git",
"tags": "builder,nodejs",
"version": "20"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/ubi9/nodejs-20:latest"
},
"generation": null,
"importPolicy": {},
"referencePolicy": {
"type": "Local"
}
},
{
"name": "20-minimal-ubi9",
"annotations": {
"description": "Build and run Node.js 20-minimal applications on UBI 9. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/20-minimal/README.md.",
"iconClass": "icon-nodejs",
"openshift.io/display-name": "Node.js 20-minimal (UBI 9)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"sampleRepo": "https://github.com/sclorg/nodejs-ex.git",
"tags": "builder,nodejs",
"version": "20-minimal"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/ubi9/nodejs-20-minimal:latest"
},
"generation": null,
"importPolicy": {},
"referencePolicy": {
"type": "Local"
}
},
{
"name": "22-ubi9",
"annotations": {
Expand Down Expand Up @@ -223,27 +139,6 @@
"type": "Local"
}
},
{
"name": "20-ubi8-minimal",
"annotations": {
"description": "Build and run Node.js 20-minimal applications on UBI 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/20-minimal/README.md.",
"iconClass": "icon-nodejs",
"openshift.io/display-name": "Node.js 20-minimal (UBI 8)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"sampleRepo": "https://github.com/sclorg/nodejs-ex.git",
"tags": "builder,nodejs",
"version": "20-minimal"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/ubi8/nodejs-20-minimal:latest"
},
"generation": null,
"importPolicy": {},
"referencePolicy": {
"type": "Local"
}
},
{
"name": "22-ubi8-minimal",
"annotations": {
Expand All @@ -265,27 +160,6 @@
"type": "Local"
}
},
{
"name": "20-ubi9-minimal",
"annotations": {
"description": "Build and run Node.js 20-minimal applications on UBI 9. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/20-minimal/README.md.",
"iconClass": "icon-nodejs",
"openshift.io/display-name": "Node.js 20-minimal (UBI 9)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"sampleRepo": "https://github.com/sclorg/nodejs-ex.git",
"tags": "builder,nodejs",
"version": "20-minimal"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/ubi9/nodejs-20-minimal:latest"
},
"generation": null,
"importPolicy": {},
"referencePolicy": {
"type": "Local"
}
},
{
"name": "22-ubi9-minimal",
"annotations": {
Expand Down
24 changes: 12 additions & 12 deletions assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,19 +14,19 @@
},
"tags": [
{
"name": "26.0.0.2-java8",
"name": "26.0.0.5-java8",
"annotations": {
"description": "Build and run Open Liberty applications on Red Hat Universal Base Image 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/OpenLiberty/open-liberty-s2i/blob/main/README.md.",
"iconClass": "icon-openliberty",
"openshift.io/display-name": "Open Liberty 26.0.0.2 with Java 8",
"openshift.io/display-name": "Open Liberty 26.0.0.5 with Java 8",
"openshift.io/provider-display-name": "IBM",
"sampleRepo": "https://github.com/openshift/openshift-jee-sample.git",
"supports": "jee,java",
"tags": "builder,openliberty,java"
},
"from": {
"kind": "DockerImage",
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.2-java8"
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.5-java8"
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that the Open Liberty 26.0.0.5 image tags exist in the IBM Container Registry

# Check each of the four Java variant tags
for java_version in java8 java11 java17 java21; do
  echo "Checking icr.io/appcafe/open-liberty-s2i:26.0.0.5-${java_version}..."
  
  # Use skopeo to inspect the image manifest (read-only, no pull required)
  if command -v skopeo &> /dev/null; then
    skopeo inspect docker://icr.io/appcafe/open-liberty-s2i:26.0.0.5-${java_version} --raw 2>&1 | head -5
  else
    # Fallback: attempt a manifest check via Docker registry API
    curl -sL -o /dev/null -w "%{http_code}" \
      "https://icr.io/v2/appcafe/open-liberty-s2i/manifests/26.0.0.5-${java_version}" \
      -H "Accept: application/vnd.docker.distribution.manifest.v2+json"
  fi
  echo ""
done

Repository: openshift/cluster-samples-operator

Length of output: 333

🌐 Web query:

Open Liberty 26.0.0.5 release notes security vulnerabilities

💡 Result:

Open Liberty 26.0.0.5 security vulnerabilities (what is explicitly documented/fixed for this release) 1) CVE-2026-5516 (security bypass) - Affected versions: Liberty 22.0.0.11–26.0.0.5. - Affected features: appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0. - Impact summary: remote attacker could bypass security under limited conditions via a timing window. - Fix guidance: apply an interim fix / fix pack containing the fix for APAR PH70798, or upgrade to Liberty Fix Pack 26.0.0.6 or later (targeted availability 3Q2026). [1] 2) CVE-2026-29063 (prototype pollution via “immutable” library) - IBM security bulletin states Liberty is affected when the immutable library is present and specific mpOpenAPI/openapi features are enabled. - Affected versions: 17.0.0.3–26.0.0.3. - This means CVE-2026-29063 is not stated as affecting 26.0.0.5 in that bulletin. [2] 3) Additional vendor/Liberty “security fix” fixes may exist in 26.0.0.5, but the official Open Liberty CVE list pages returned in search results do not provide a 26.0.0.5-specific CVE table in the snippets I retrieved. - Practical next step (from Open Liberty docs): use the vendor “Security vulnerability (CVE) list” and map CVEs to “Version fixed” and affected Liberty features in your environment. [3] What you should do for 26.0.0.5 users (actionable) - If you run appSecurity-3.0/appSecurity-4.0/appSecurity-5.0 and are on Liberty 26.0.0.5, prioritize remediation for CVE-2026-5516 by applying the interim fix / fix pack containing APAR PH70798 or upgrading to 26.0.0.6+. [1] Sources used (key): IBM WebSphere Liberty security bulletin for CVE-2026-5516; IBM WebSphere Liberty security bulletin for CVE-2026-29063; Open Liberty documentation explaining the CVE mapping approach.

Citations:

OpenLiberty 26.0.0.5 image tags exist, but require CVE-2026-5516 remediation.

  • Availability: icr.io/appcafe/open-liberty-s2i:26.0.0.5-java{8,11,17,21} all resolve successfully (manifest returns HTTP 200), so the ImageStream tags shouldn’t break due to missing images.
  • Security: Open Liberty 26.0.0.5 is affected by CVE-2026-5516 (security bypass); remediate by applying the interim fix/fix pack containing APAR PH70798 or upgrading to Liberty fix pack 26.0.0.6+ (notably relevant when using appSecurity-3.0/4.0/5.0).
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/operator/okd-x86_64/openliberty/imagestreams/openliberty.json` at line
29, The Open Liberty ImageStream tag
"icr.io/appcafe/open-liberty-s2i:26.0.0.5-java8" (and the sibling tags for
java11/java17/java21) points to a release affected by CVE-2026-5516; update
these ImageStream entries to reference a fixed release (e.g., change tags to
"26.0.0.6" or later) or annotate the tags to require applying the interim
fix/APAR PH70798 (Liberty fix pack 26.0.0.6+) so consumers will use a remediated
image; locate and update the string constants for
"open-liberty-s2i:26.0.0.5-java8" (and the corresponding java11/java17/java21
tags) in the ImageStream JSON and ensure all tag variants are consistently
updated.

},
"generation": null,
"importPolicy": {},
Expand All @@ -35,19 +35,19 @@
}
},
{
"name": "26.0.0.2-java11",
"name": "26.0.0.5-java11",
"annotations": {
"description": "Build and run Open Liberty applications on Red Hat Universal Base Image 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/OpenLiberty/open-liberty-s2i/blob/main/README.md.",
"iconClass": "icon-openliberty",
"openshift.io/display-name": "Open Liberty 26.0.0.2 with Java 11",
"openshift.io/display-name": "Open Liberty 26.0.0.5 with Java 11",
"openshift.io/provider-display-name": "IBM",
"sampleRepo": "https://github.com/openshift/openshift-jee-sample.git",
"supports": "jee,java",
"tags": "builder,openliberty,java"
},
"from": {
"kind": "DockerImage",
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.2-java11"
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.5-java11"
},
"generation": null,
"importPolicy": {},
Expand All @@ -56,19 +56,19 @@
}
},
{
"name": "26.0.0.2-java17",
"name": "26.0.0.5-java17",
"annotations": {
"description": "Build and run Open Liberty applications on Red Hat Universal Base Image 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/OpenLiberty/open-liberty-s2i/blob/main/README.md.",
"iconClass": "icon-openliberty",
"openshift.io/display-name": "Open Liberty 26.0.0.2 with Java 17",
"openshift.io/display-name": "Open Liberty 26.0.0.5 with Java 17",
"openshift.io/provider-display-name": "IBM",
"sampleRepo": "https://github.com/openshift/openshift-jee-sample.git",
"supports": "jee,java",
"tags": "builder,openliberty,java"
},
"from": {
"kind": "DockerImage",
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.2-java17"
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.5-java17"
},
"generation": null,
"importPolicy": {},
Expand All @@ -77,19 +77,19 @@
}
},
{
"name": "26.0.0.2-java21",
"name": "26.0.0.5-java21",
"annotations": {
"description": "Build and run Open Liberty applications on Red Hat Universal Base Image 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/OpenLiberty/open-liberty-s2i/blob/main/README.md.",
"iconClass": "icon-openliberty",
"openshift.io/display-name": "Open Liberty 26.0.0.2 with Java 21",
"openshift.io/display-name": "Open Liberty 26.0.0.5 with Java 21",
"openshift.io/provider-display-name": "IBM",
"sampleRepo": "https://github.com/openshift/openshift-jee-sample.git",
"supports": "jee,java",
"tags": "builder,openliberty,java"
},
"from": {
"kind": "DockerImage",
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.2-java21"
"name": "icr.io/appcafe/open-liberty-s2i:26.0.0.5-java21"
},
"generation": null,
"importPolicy": {},
Expand Down
21 changes: 21 additions & 0 deletions assets/operator/okd-x86_64/php/imagestreams/php-centos.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,27 @@
"type": "Local"
}
},
{
"name": "8.4-ubi10",
"annotations": {
"description": "Build and run PHP 8.4 applications on UBI 10. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-php-container/blob/master/8.4/README.md.",
"iconClass": "icon-php",
"openshift.io/display-name": "PHP 8.4 (UBI 10)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
"sampleRepo": "https://github.com/sclorg/cakephp-ex.git",
"tags": "builder,php",
"version": "8.4"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/ubi10/php-84:latest"
},
"generation": null,
"importPolicy": {},
"referencePolicy": {
"type": "Local"
}
},
{
"name": "latest",
"annotations": {
Expand Down
6 changes: 3 additions & 3 deletions assets/operator/okd-x86_64/rails/templates/rails-pgsql-persistent.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,7 @@
"value": "${RAILS_ENV}"
}
],
"image": " ",
"image": "${NAME}:latest",
"livenessProbe": {
"httpGet": {
"path": "/articles",
Expand Down Expand Up @@ -350,7 +350,7 @@
"value": "${RAILS_ENV}"
}
],
"image": " ",
"image": "${NAME}:latest",
"name": "ruby-init-container"
}
]
Expand Down Expand Up @@ -460,7 +460,7 @@
"value": "${POSTGRESQL_SHARED_BUFFERS}"
}
],
"image": " ",
"image": "postgresql:${POSTGRESQL_VERSION}",
"livenessProbe": {
"exec": {
"command": [
Expand Down