[RHOAIENG-30871] bump the oauth proxy image to RHEL9 and latest

[jstourac]

https://issues.redhat.com/browse/RHOAIENG-30871

Description

How Has This Been Tested?

1. I took the latest ODH nightly build and installed it on my OCP 4.19 cluster
2. Then I amended the subscription CSV replacing the original ODH operator image with my custom build quay.io/jstourac/opendatahub-operator@sha256:32547e3bbc66f91d01c6c5f340f0513688f143919d9b8c4985de9fd1ff76df02
3. Then I created the DSC instance
4. Started a basic workbench and checked which image is used for the oauth proxy registry.redhat.io/openshift4/ose-oauth-proxy-rhel9@sha256:ca21e218e26c46e3c63d926241846f8f307fd4a586cc4b04147da49af6018ef5
5. Logged into the running workbench successfully

We should probably check with the OCP 4.14 as the oldest supported OCP version too.

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

• Chores
  • Updated the OAuth proxy image used in the deployment configuration to a newer version. This change ensures improved compatibility and security with the latest image source. No user-facing features or functionality were altered.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

The changes update the OAuth proxy container image used by the odh-notebook-controller, both in its deployment configuration and in the Go source code constant. The image reference is switched from "ose-oauth-proxy" to "ose-oauth-proxy-rhel9" with updated SHA256 digests and documentation links. No other logic or configuration is altered.

Changes

Cohort / File(s)	Change Summary
Deployment Configuration Update components/odh-notebook-controller/config/manager/manager.yaml	Changed the OAuth proxy image reference from "ose-oauth-proxy" to "ose-oauth-proxy-rhel9" with a new digest in the deployment configuration.
Source Code Constant Update components/odh-notebook-controller/controllers/notebook_oauth.go	Updated the OAuthProxyImage constant and its documentation to use the new "ose-oauth-proxy-rhel9" image and updated the catalog URL.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

approved, lgtm, size/m

Suggested reviewers

• caponetto

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign atheo89 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.67%. Comparing base (3469006) to head (d3e1729).

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #669       +/-   ##
===========================================
+ Coverage   57.46%   67.67%   +10.21%     
===========================================
  Files          11        9        -2     
  Lines        3082     2116      -966     
===========================================
- Hits         1771     1432      -339     
+ Misses       1141      555      -586     
+ Partials      170      129       -41     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

components/odh-notebook-controller/controllers/notebook_oauth.go (1)

44-48: Comment text mentions v4.14 AMD64 while the constant now points to a RHEL9 image – please realign the docs

The explanatory comment still claims the digest is “v4.14 image for AMD64”.
Since the reference has been switched to the ose-oauth-proxy-rhel9 repository, the note is potentially misleading and may confuse anyone validating the digest or troubleshooting multi-arch pulls.

- // OAuthProxyImage uses sha256 manifest list digest value of v4.14 image for AMD64 as default …
+ // OAuthProxyImage uses the sha256 digest of the RHEL 9 based OAuth-proxy image (OCP 4.14),
+ // pointing to the multi-arch manifest list. Update this comment when the digest changes.

While touching this, please double-check that the digest (ca21e218…) is indeed the manifest-list and not a single-arch blob; otherwise clusters on non-amd64 hardware will fail to pull the sidecar.

components/odh-notebook-controller/config/manager/manager.yaml (1)

28-29: Deployment arg updated – keep code & manifest versions synchronised going forward

The --oauth-proxy-image argument correctly mirrors the new digest. Note that this value is duplicated in Go (OAuthProxyImage) and here in YAML; any future bump will require touching both places to avoid drift. Consider sourcing the image from a single location (e.g. via an env var or Helm/Kustomize substitution) to reduce maintenance overhead.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3469006 and d3e1729.

📒 Files selected for processing (2)

• components/odh-notebook-controller/config/manager/manager.yaml (1 hunks)
• components/odh-notebook-controller/controllers/notebook_oauth.go (1 hunks)

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#0
File: :0-0
Timestamp: 2025-06-29T12:32:38.270Z
Learning: The `ci/prow/odh-notebook-controller-unit` test in the opendatahub-io/kubeflow repository is a known flaky test with existing Jira tickets RHOAIENG-15909 and RHOAIENG-15907 tracking the issue. Test failures from this CI job are often not related to code changes and typically pass on rerun.

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#0
File: :0-0
Timestamp: 2025-07-14T11:32:05.952Z
Learning: PR #649 in opendatahub-io/kubeflow partially addressed context.Background() replacement but left 4 instances in Eventually blocks within OAuth-related tests in notebook_controller_test.go that still need to be replaced with the global ctx variable.

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#0
File: :0-0
Timestamp: 2025-07-17T17:37:03.652Z
Learning: Step 6 in the DEPENDENCIES.md file for opendatahub-io/kubeflow refers to updating Go version in the openshift/release repository configuration files at https://github.com/openshift/release/blob/master/ci-operator/config/opendatahub-io/kubeflow/opendatahub-io-kubeflow-main.yaml and https://github.com/openshift/release/blob/master/ci-operator/config/opendatahub-io/kubeflow/opendatahub-io-kubeflow-v1.10-branch.yaml, not the local CI/CD files in the kubeflow repository. The files need updates to the build_root.image_stream_tag.tag from golang-1.23 to golang-1.24 and base_images.ubi_minimal.tag from "8" to "9".

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#0
File: :0-0
Timestamp: 2025-07-17T17:36:30.551Z
Learning: Step 6 of the DEPENDENCIES.md file in opendatahub-io/kubeflow repository requires updating the Go version and UBI version in the external openshift/release repository's CI operator configuration file at ci-operator/config/opendatahub-io/kubeflow/opendatahub-io-kubeflow-master.yaml, specifically updating the build_root.image_stream_tag.tag to use the correct Go version and base_images.ubi_minimal.tag to match the UBI version changes.

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#605
File: components/odh-notebook-controller/controllers/notebook_controller_test.go:1126-1131
Timestamp: 2025-07-02T04:00:16.948Z
Learning: In the opendatahub-io/kubeflow repository's notebook controller tests, OAuth finalizer tests should be streamlined into single test blocks rather than multiple "It" blocks, as checking finalizer removal races with object deletion and is typically unobservable in Kubernetes.

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#0
File: :0-0
Timestamp: 2025-07-17T17:37:03.652Z
Learning: Step 6 in the DEPENDENCIES.md file for opendatahub-io/kubeflow refers to updating Go version in the openshift/release repository configuration files at https://github.com/openshift/release/blob/master/ci-operator/config/opendatahub-io/kubeflow/opendatahub-io-kubeflow-main.yaml and https://github.com/openshift/release/blob/master/ci-operator/config/opendatahub-io/kubeflow/opendatahub-io-kubeflow-v1.10-branch.yaml, not the local CI/CD files in the kubeflow repository.

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#0
File: :0-0
Timestamp: 2025-07-15T19:46:04.900Z
Learning: Prow CI logs for opendatahub-io/notebooks repository follow this URL pattern: HTML page at https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/{repo}/{pr_number}/{job_name}/{job_id} and raw logs at https://storage.googleapis.com/test-platform-results/pr-logs/pull/{repo}/{pr_number}/{job_name}/{job_id}/build-log.txt

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#623
File: components/odh-notebook-controller/controllers/notebook_runtime_test.go:179-179
Timestamp: 2025-06-25T06:54:57.600Z
Learning: In the file `components/odh-notebook-controller/controllers/notebook_runtime_test.go`, there is a suggestion to repurpose `testCase.ConfigMap` as `expectedConfigMap` in the test structure to improve clarity by separating input from expected results. This improvement is deferred to be addressed as part of GitHub issue #634.

📚 Learning: step 6 of the dependencies.md file in opendatahub-io/kubeflow repository requires updating the go ve...

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#0
File: :0-0
Timestamp: 2025-07-17T17:36:30.551Z
Learning: Step 6 of the DEPENDENCIES.md file in opendatahub-io/kubeflow repository requires updating the Go version and UBI version in the external openshift/release repository's CI operator configuration file at ci-operator/config/opendatahub-io/kubeflow/opendatahub-io-kubeflow-master.yaml, specifically updating the build_root.image_stream_tag.tag to use the correct Go version and base_images.ubi_minimal.tag to match the UBI version changes.

Applied to files:

• components/odh-notebook-controller/config/manager/manager.yaml
• components/odh-notebook-controller/controllers/notebook_oauth.go

📚 Learning: step 6 in the dependencies.md file for opendatahub-io/kubeflow refers to updating go version in the ...

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#0
File: :0-0
Timestamp: 2025-07-17T17:37:03.652Z
Learning: Step 6 in the DEPENDENCIES.md file for opendatahub-io/kubeflow refers to updating Go version in the openshift/release repository configuration files at https://github.com/openshift/release/blob/master/ci-operator/config/opendatahub-io/kubeflow/opendatahub-io-kubeflow-main.yaml and https://github.com/openshift/release/blob/master/ci-operator/config/opendatahub-io/kubeflow/opendatahub-io-kubeflow-v1.10-branch.yaml, not the local CI/CD files in the kubeflow repository. The files need updates to the build_root.image_stream_tag.tag from golang-1.23 to golang-1.24 and base_images.ubi_minimal.tag from "8" to "9".

Applied to files:

• components/odh-notebook-controller/controllers/notebook_oauth.go

📚 Learning: pr #649 in opendatahub-io/kubeflow partially addressed context.background() replacement but left 4 i...

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#0
File: :0-0
Timestamp: 2025-07-14T11:32:05.952Z
Learning: PR #649 in opendatahub-io/kubeflow partially addressed context.Background() replacement but left 4 instances in Eventually blocks within OAuth-related tests in notebook_controller_test.go that still need to be replaced with the global ctx variable.

Applied to files:

• components/odh-notebook-controller/controllers/notebook_oauth.go

📚 Learning: in the file `components/odh-notebook-controller/controllers/notebook_runtime_test.go`, there is a su...

Learnt from: jiridanek
PR: opendatahub-io/kubeflow#623
File: components/odh-notebook-controller/controllers/notebook_runtime_test.go:179-179
Timestamp: 2025-06-25T06:54:57.600Z
Learning: In the file `components/odh-notebook-controller/controllers/notebook_runtime_test.go`, there is a suggestion to repurpose `testCase.ConfigMap` as `expectedConfigMap` in the test structure to improve clarity by separating input from expected results. This improvement is deferred to be addressed as part of GitHub issue #634.

Applied to files:

• components/odh-notebook-controller/controllers/notebook_oauth.go

🔇 Additional comments (1)

components/odh-notebook-controller/controllers/notebook_oauth.go (1)

45-48: LGTM on the constant update – matches the image used in the Deployment

OAuthProxyImage now aligns with the RHEL 9 container required by the Deployment manifest. No functional concerns.

[jstourac]

/retest