WIP: Smoke test HAProxy 3.2.19 RPM

[gcs278]

Summary

Smoke test for HAProxy 3.2.19 in the monolithic (non-sidecar) router model.

The haproxy32-3.2.19 RPM is already available in the yum repo but is currently unused. This PR switches the monolithic router image to install haproxy32 instead of haproxy28, allowing us to smoke test HAProxy 3.2 in CI before it is formally adopted.

• Brew build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=70996258
• Epic: https://redhat.atlassian.net/browse/NE-2220

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[gcs278]

FYI this is a "vanilla" 3.2 smoke test PR - just to get some green CI runs before integrating HAProxy 3.2 with the sidecar architecture.

/assign @jcmoraisjr

[coderabbitai]

Walkthrough

The Dockerfile for the OpenShift router updates the HAProxy package installed during image build from haproxy28 to haproxy32.

Changes

HAProxy package update

Layer / File(s)	Summary
Package install switch images/router/haproxy/Dockerfile.ocp	INSTALL_PKGS replaces haproxy28 with haproxy32.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

jira/valid-reference

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the change to smoke test HAProxy 3.2.19 RPMs and matches the PR’s purpose.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Only images/router/haproxy/Dockerfile.ocp changed; no Ginkgo tests or titles were added or modified.
Test Structure And Quality	✅ Passed	No Ginkgo-based tests were added or modified; the touched tests are standard Go tests using t.Run/t.Cleanup, so this check is not applicable.
Microshift Test Compatibility	✅ Passed	Only images/router/haproxy/Dockerfile.ocp changed; no Ginkgo tests or MicroShift-sensitive APIs/features were added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only touches the HAProxy Dockerfile/package selection; no new Ginkgo/e2e tests or SNO-unsafe assumptions were added.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR only swaps haproxy28 for haproxy32 in a Dockerfile; no affinity, replicas, node selectors, or topology-aware scheduling logic was added.
Ote Binary Stdout Contract	✅ Passed	PASS: PR only changes the HAProxy router Dockerfile to install haproxy32; no process-level code or stdout writes were added.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only changes the HAProxy Dockerfile package from haproxy28 to haproxy32; no Ginkgo e2e tests or networking code were added, so the check is not applicable.
No-Weak-Crypto	✅ Passed	The PR only swaps haproxy28 to haproxy32; no new MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret-comparison code was added.
Container-Privileges	✅ Passed	Only images/router/haproxy/Dockerfile.ocp changed; it bumps haproxy28 to haproxy32 and keeps USER 1001 with no privileged settings.
No-Sensitive-Data-In-Logs	✅ Passed	Only change is haproxy28→haproxy32 in Dockerfile; no logging code or sensitive-data exposure was added.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/router/haproxy/Dockerfile.ocp`:
- Line 3: The RUN instruction that installs
haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm must perform package cache cleanup
in the same layer; update the RUN that currently calls "yum install -y
https://.../haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm" to chain the install
with cache cleanup (e.g., run yum clean all and remove yum caches) in the same
command so no package manager metadata remains in the final image.
- Line 3: The RUN line in Dockerfile.ocp that installs the RPM from a mutable
GitHub branch (the existing RUN yum install ... refs/heads/master URL) must be
replaced with an immutable, verified artifact: point to a pinned artifact URL
(digest or internal Brew/registry artifact) and verify its integrity before
install (e.g., fetch the RPM by digest/checksum or GPG signature, validate
checksum/signature, then run yum install from the verified local file). Ensure
the RPM source is not a branch URL and include checksum or signature validation
steps so the container build only consumes a pinned, trusted package.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d5e60100-d267-4eaa-9a00-e268af5564b5

📥 Commits

Reviewing files that changed from the base of the PR and between a86164c and 09017b0.

📒 Files selected for processing (1)

• images/router/haproxy/Dockerfile.ocp

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clean yum metadata in the same layer as the RPM install

The first yum install (Line 3) does not run yum clean all in the same RUN layer, so cache/metadata remain in that layer and bloat the final image. Move cleanup into the same command chain.
As per coding guidelines: "No package manager cache in final layer".

🧰 Tools

🪛 Trivy (0.69.3)

[error] 3-3: 'yum clean all' missing

'yum clean all' is missed: yum install -y https://github.com/gcs278/openshift-hacks/raw/refs/heads/master/haproxy-builds/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm

Rule: DS-0015

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/router/haproxy/Dockerfile.ocp` at line 3, The RUN instruction that
installs haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm must perform package cache
cleanup in the same layer; update the RUN that currently calls "yum install -y
https://.../haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm" to chain the install
with cache cleanup (e.g., run yum clean all and remove yum caches) in the same
command so no package manager metadata remains in the final image.

Sources: Coding guidelines, Linters/SAST tools

---

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Use an immutable, verified RPM source instead of a mutable GitHub branch URL

Line 3 installs an RPM from refs/heads/master, which is mutable and not integrity-checked. If that artifact changes upstream, the build can silently consume untrusted content (including RPM scriptlets executed during install). Use an immutable source (e.g., internal Brew/registry artifact) and verify checksum/signature before install.
As per coding guidelines, container artifacts should follow immutable pinning principles: "non-RH images: pin by digest".

Suggested hardening change

-RUN yum install -y https://github.com/gcs278/openshift-hacks/raw/refs/heads/master/haproxy-builds/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm
+RUN curl -fsSL -o /tmp/haproxy32.rpm https://<immutable-artifact-url>/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm && \
+    echo "<sha256>  /tmp/haproxy32.rpm" | sha256sum -c - && \
+    yum install -y /tmp/haproxy32.rpm && \
+    rm -f /tmp/haproxy32.rpm && \
+    yum clean all

🧰 Tools

🪛 Trivy (0.69.3)

[error] 3-3: 'yum clean all' missing

'yum clean all' is missed: yum install -y https://github.com/gcs278/openshift-hacks/raw/refs/heads/master/haproxy-builds/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm

Rule: DS-0015

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/router/haproxy/Dockerfile.ocp` at line 3, The RUN line in
Dockerfile.ocp that installs the RPM from a mutable GitHub branch (the existing
RUN yum install ... refs/heads/master URL) must be replaced with an immutable,
verified artifact: point to a pinned artifact URL (digest or internal
Brew/registry artifact) and verify its integrity before install (e.g., fetch the
RPM by digest/checksum or GPG signature, validate checksum/signature, then run
yum install from the verified local file). Ensure the RPM source is not a branch
URL and include checksum or signature validation steps so the container build
only consumes a pinned, trusted package.

Source: Coding guidelines

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from jcmoraisjr. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

♻️ Duplicate comments (2)

images/router/haproxy/Dockerfile.ocp (2)

3-5: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Use an immutable, verified RPM source instead of a mutable GitHub branch URL.

Line 3 installs an RPM from refs/heads/master, which is mutable and not integrity-checked. If that artifact changes upstream, the build can silently consume untrusted content, including RPM scriptlets executed during install.

🔒 Recommended hardening change

-RUN curl -fLo /tmp/haproxy32.rpm https://github.com/gcs278/openshift-hacks/raw/refs/heads/master/haproxy-builds/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm && \
-    yum install -y /tmp/haproxy32.rpm && \
-    rm -f /tmp/haproxy32.rpm
+RUN curl -fsSL -o /tmp/haproxy32.rpm https://<immutable-artifact-url>/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm && \
+    echo "<sha256>  /tmp/haproxy32.rpm" | sha256sum -c - && \
+    yum install -y /tmp/haproxy32.rpm && \
+    rm -f /tmp/haproxy32.rpm && \
+    yum clean all

As per coding guidelines, container artifacts should follow immutable pinning principles: "non-RH images: pin by digest".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/router/haproxy/Dockerfile.ocp` around lines 3 - 5, The RUN step that
curls an RPM from a mutable GitHub branch (the line starting with "RUN curl -fLo
/tmp/haproxy32.rpm ... refs/heads/master") must be replaced with an immutable,
verified artifact fetch: point the download to a pinned release URL (tag or
commit SHA) or a trusted registry with a digest, and verify integrity before
install (e.g., check a SHA256 checksum or GPG signature of haproxy32.rpm)
instead of relying on refs/heads/master; update the RUN command to download the
pinned URL, validate the file, then install and remove it.

Source: Coding guidelines

---

3-5: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clean yum metadata in the same layer as the RPM install.

The yum install does not run yum clean all in the same RUN layer, so cache and metadata remain in that layer and bloat the final image.

🧹 Proposed fix

 RUN curl -fLo /tmp/haproxy32.rpm https://github.com/gcs278/openshift-hacks/raw/refs/heads/master/haproxy-builds/haproxy32-3.2.19-1.rhaos4.23.el9.x86_64.rpm && \
     yum install -y /tmp/haproxy32.rpm && \
-    rm -f /tmp/haproxy32.rpm
+    rm -f /tmp/haproxy32.rpm && \
+    yum clean all

As per coding guidelines: "No package manager cache in final layer".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/router/haproxy/Dockerfile.ocp` around lines 3 - 5, The RUN layer that
downloads and installs /tmp/haproxy32.rpm leaves yum metadata behind; modify the
RUN that currently runs curl && yum install -y /tmp/haproxy32.rpm && rm -f
/tmp/haproxy32.rpm to also run the yum cleanup (e.g., yum clean all && rm -rf
/var/cache/yum or equivalent) in the same RUN chain so package manager
cache/metadata are removed before the layer is committed; target the RUN
instruction that handles /tmp/haproxy32.rpm in Dockerfile.ocp to implement this
change.

Sources: Coding guidelines, Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@images/router/haproxy/Dockerfile.ocp`:
- Around line 3-5: The RUN step that curls an RPM from a mutable GitHub branch
(the line starting with "RUN curl -fLo /tmp/haproxy32.rpm ...
refs/heads/master") must be replaced with an immutable, verified artifact fetch:
point the download to a pinned release URL (tag or commit SHA) or a trusted
registry with a digest, and verify integrity before install (e.g., check a
SHA256 checksum or GPG signature of haproxy32.rpm) instead of relying on
refs/heads/master; update the RUN command to download the pinned URL, validate
the file, then install and remove it.
- Around line 3-5: The RUN layer that downloads and installs /tmp/haproxy32.rpm
leaves yum metadata behind; modify the RUN that currently runs curl && yum
install -y /tmp/haproxy32.rpm && rm -f /tmp/haproxy32.rpm to also run the yum
cleanup (e.g., yum clean all && rm -rf /var/cache/yum or equivalent) in the same
RUN chain so package manager cache/metadata are removed before the layer is
committed; target the RUN instruction that handles /tmp/haproxy32.rpm in
Dockerfile.ocp to implement this change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c88616bc-de9b-422c-a972-793668d3b076

📥 Commits

Reviewing files that changed from the base of the PR and between 09017b0 and 3acfa51.

📒 Files selected for processing (1)

• images/router/haproxy/Dockerfile.ocp

[gcs278]

/test ?

[gcs278]

/test e2e-metal-ipi-ovn-dualstack
/test e2e-metal-ipi-ovn-ipv6
/test e2e-metal-ipi-ovn-router
/test okd-scos-e2e-aws-ovn
/test perfscale-aws-fips-ingress-perf
/test perfscale-aws-ingress-perf

[gcs278]

CI is looking very good. One failure on The HAProxy router converges when multiple routers are writing conflicting status, but that is that very flaky in other CI jobs.

I call it good, but I'll spin more more time:
/test all

[gcs278]

/test ?

[gcs278]

/test e2e-metal-ipi-ovn-dualstack
/test e2e-metal-ipi-ovn-ipv6
/test e2e-metal-ipi-ovn-router
/test okd-scos-e2e-aws-ovn
/test perfscale-aws-fips-ingress-perf
/test perfscale-aws-ingress-perf

[gcs278]

/retest

[gcs278]

Early Perf & Scale Results of (non-FIP): here

And Fips: here (Note: This is comparing FIPs to non-FIPs which isn't a fair comparison, we need to get a FIPs baseline run, but I'm not sure how/where to identify that).

[gcs278]

We've typically done some aggregate E2E to expose any flakes in the past with new HAProxy versions:

/payload-aggregate periodic-ci-openshift-release-master-ci-5.0-e2e-aws-ovn 5

[openshift-ci]

@gcs278: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[openshift-ci]

@gcs278: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-images	2268fb3	link	true	/test okd-scos-images
ci/prow/e2e-agnostic	2268fb3	link	true	/test e2e-agnostic

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.