OCPBUGS-84516: Add terminationMessagePolicy to build pod containers

[isabella-janssen]

Closes: OCPBUGS-84516

- What I did
This adds a TerminationMessagePolicy of type TerminationMessageFallbackToLogsOnError to the build containers created dynamically.

- How to verify it
The [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError test should pass when the MCO namespace exception is removed, so when tested with openshift/origin#31120.

- Description for the changelog
OCPBUGS-84516: Add terminationMessagePolicy to build pod containers

Summary by CodeRabbit

• Bug Fixes
  • Enhanced build container error reporting and logging by improving termination message handling. Optimized build container initialization with refined volume mount configuration for better system reliability during build operations.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@isabella-janssen: This pull request references Jira Issue OCPBUGS-84516, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Closes: OCPBUGS-84516

- What I did
This adds a TerminationMessagePolicy of type TerminationMessageFallbackToLogsOnError to the build containers created dynamically.

- How to verify it
The [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError test should pass when the MCO namespace exception is

- Description for the changelog
OCPBUGS-84516: Add terminationMessagePolicy to build pod containers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@isabella-janssen: This pull request references Jira Issue OCPBUGS-84516, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Closes: OCPBUGS-84516

- What I did
This adds a TerminationMessagePolicy of type TerminationMessageFallbackToLogsOnError to the build containers created dynamically.

- How to verify it
The [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError test should pass when the MCO namespace exception is removed, so when tested with openshift/origin#31120.

- Description for the changelog
OCPBUGS-84516: Add terminationMessagePolicy to build pod containers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Updated build pod initialization by adding termination message policy configuration to both the image-build and create-digest-configmap init containers, and explicitly attaching volume mounts to the create-digest-configmap container spec within toBuildahPod().

Changes

Build Pod Initialization Configuration

Layer / File(s)	Summary
Container Spec Updates pkg/controller/build/buildrequest/buildrequest.go	image-build init container now sets TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError; create-digest-configmap init container sets the same policy and adds explicit VolumeMounts: volumeMounts configuration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	❓ Inconclusive	PR modifies only buildrequest.go source file with no Ginkgo test files included or modified.	Clarify if this PR should include test code or if the check is not applicable for source-only changes.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR modifies only production code in buildrequest.go without adding or modifying any Ginkgo test names or test declarations.
Microshift Test Compatibility	✅ Passed	The custom check for MicroShift test compatibility is not applicable because no new Ginkgo e2e tests were added; only controller code was modified.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies controller logic only without adding new Ginkgo e2e tests, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes only add TerminationMessagePolicy and adjust volume mounts without introducing scheduling constraints that would affect topology compatibility.
Ote Binary Stdout Contract	✅ Passed	Pull request modifies only operational controller code to add Kubernetes container specifications, with no process-level entry points or stdout writes that would violate the OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only the controller implementation file to add TerminationMessagePolicy to build pod init containers. No new Ginkgo e2e tests are added, so the custom check is not applicable.
Title check	✅ Passed	The title accurately describes the main change: adding terminationMessagePolicy to build pod containers, which is the primary modification across both init containers.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[isabella-janssen]

/payload-job-with-prs periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi openshift/origin#31120

[openshift-ci]

@isabella-janssen: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0a5ce180-47e8-11f1-8c03-0252c16e8dd9-0

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/build/buildrequest/buildrequest.go`:
- Around line 677-685: The create-digest-configmap container is currently given
the full volumeMounts slice (VolumeMounts: volumeMounts) which exposes pull/push
credential secrets unnecessarily; restrict mounts to least privilege by
replacing VolumeMounts: volumeMounts with a dedicated slice containing only the
mount(s) needed to write/read the digest artifact (e.g., create a local variable
like digestVolumeMounts that includes just the digest artifact volume mount and
any minimal tmp/log mounts) and use that in the container spec for the
"create-digest-configmap" container (referencing the container name
"create-digest-configmap", the field VolumeMounts, and the existing volume
definitions used for the digest artifact).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5f907e52-9f63-42ef-a054-aecb0307d0d2

📥 Commits

Reviewing files that changed from the base of the PR and between a7a332d and 3142706.

📒 Files selected for processing (1)

• pkg/controller/build/buildrequest/buildrequest.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restrict create-digest-configmap mounts to least privilege.

VolumeMounts: volumeMounts mounts pull/push credential secrets into this container as well. If this container only needs the digest artifact, this unnecessarily broadens secret exposure.

🔧 Suggested narrowing of mounts

-                   VolumeMounts:             volumeMounts,
+                   VolumeMounts: []corev1.VolumeMount{
+                       {
+                           Name:      "done",
+                           MountPath: "/tmp/done",
+                       },
+                   },

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Name: "create-digest-configmap",
	Command: append(command, digestCMScript),
	Image: br.opts.MachineConfig.Spec.OSImageURL,
	Env: env,
	ImagePullPolicy: corev1.PullAlways,
	SecurityContext: securityContext,
	TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
	VolumeMounts: volumeMounts,
	},
	Name: "create-digest-configmap",
	Command: append(command, digestCMScript),
	Image: br.opts.MachineConfig.Spec.OSImageURL,
	Env: env,
	ImagePullPolicy: corev1.PullAlways,
	SecurityContext: securityContext,
	TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
	VolumeMounts: []corev1.VolumeMount{
	{
	Name: "done",
	MountPath: "/tmp/done",
	},
	},
	},

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/build/buildrequest/buildrequest.go` around lines 677 - 685,
The create-digest-configmap container is currently given the full volumeMounts
slice (VolumeMounts: volumeMounts) which exposes pull/push credential secrets
unnecessarily; restrict mounts to least privilege by replacing VolumeMounts:
volumeMounts with a dedicated slice containing only the mount(s) needed to
write/read the digest artifact (e.g., create a local variable like
digestVolumeMounts that includes just the digest artifact volume mount and any
minimal tmp/log mounts) and use that in the container spec for the
"create-digest-configmap" container (referencing the container name
"create-digest-configmap", the field VolumeMounts, and the existing volume
definitions used for the digest artifact).

[isabella-janssen]

Editing the mounts is not in the scope of this bug fix. The line is only showing a diff because the formatting changed.

[coderabbitai]

@isabella-janssen, understood — the VolumeMounts line is pre-existing and only appears in the diff due to whitespace realignment from adding TerminationMessagePolicy. This concern is not introduced by your change. I'll drop the suggestion.

Would you like me to open a follow-up GitHub issue to track narrowing the create-digest-configmap volume mounts as a separate security hardening task, or would you prefer to skip that entirely?

[isabella-janssen]

I don't think this suggestion is necessary.

[isabella-janssen]

/verified by @isabella-janssen

See the successful run of : [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError in the rehearsal run in #5993 (comment).

[openshift-ci-robot]

@isabella-janssen: This PR has been marked as verified by @isabella-janssen.

Details

In response to this:

/verified by @isabella-janssen

See the successful run of : [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError in the rehearsal run in #5993 (comment).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[djoshy]

/lgtm

Thanks for the quick fix!

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: djoshy, isabella-janssen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [djoshy,isabella-janssen]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[isabella-janssen]

/test unit

[isabella-janssen]

/cherrypick release-4.22 release-4.21 release-4.20 release-4.19 release-4.18

[openshift-cherrypick-robot]

@isabella-janssen: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-4.22 release-4.21 release-4.20 release-4.19 release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[isabella-janssen]

/jira refresh

[openshift-ci-robot]

@isabella-janssen: This pull request references Jira Issue OCPBUGS-84516, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 74b5b1b and 2 for PR HEAD 3142706 in total