OCPBUGS-84516: Add terminationMessagePolicy to build pod containers

[isabella-janssen]

Closes: OCPBUGS-84516

- What I did
This adds a TerminationMessagePolicy of type TerminationMessageFallbackToLogsOnError to the build containers created dynamically.

- How to verify it
The [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError test should pass when the MCO namespace exception is removed, so when tested with openshift/origin#31120.

- Description for the changelog
OCPBUGS-84516: Add terminationMessagePolicy to build pod containers

Summary by CodeRabbit

• Bug Fixes
  • Enhanced build container error reporting and logging by improving termination message handling. Optimized build container initialization with refined volume mount configuration for better system reliability during build operations.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@isabella-janssen: This pull request references Jira Issue OCPBUGS-84516, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Closes: OCPBUGS-84516

- What I did
This adds a TerminationMessagePolicy of type TerminationMessageFallbackToLogsOnError to the build containers created dynamically.

- How to verify it
The [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError test should pass when the MCO namespace exception is

- Description for the changelog
OCPBUGS-84516: Add terminationMessagePolicy to build pod containers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@isabella-janssen: This pull request references Jira Issue OCPBUGS-84516, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Closes: OCPBUGS-84516

- What I did
This adds a TerminationMessagePolicy of type TerminationMessageFallbackToLogsOnError to the build containers created dynamically.

- How to verify it
The [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError test should pass when the MCO namespace exception is removed, so when tested with openshift/origin#31120.

- Description for the changelog
OCPBUGS-84516: Add terminationMessagePolicy to build pod containers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Updated build pod initialization by adding termination message policy configuration to both the image-build and create-digest-configmap init containers, and explicitly attaching volume mounts to the create-digest-configmap container spec within toBuildahPod().

Changes

Build Pod Initialization Configuration

Layer / File(s)	Summary
Container Spec Updates pkg/controller/build/buildrequest/buildrequest.go	image-build init container now sets TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError; create-digest-configmap init container sets the same policy and adds explicit VolumeMounts: volumeMounts configuration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	❓ Inconclusive	PR modifies only buildrequest.go source file with no Ginkgo test files included or modified.	Clarify if this PR should include test code or if the check is not applicable for source-only changes.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR modifies only production code in buildrequest.go without adding or modifying any Ginkgo test names or test declarations.
Microshift Test Compatibility	✅ Passed	The custom check for MicroShift test compatibility is not applicable because no new Ginkgo e2e tests were added; only controller code was modified.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies controller logic only without adding new Ginkgo e2e tests, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes only add TerminationMessagePolicy and adjust volume mounts without introducing scheduling constraints that would affect topology compatibility.
Ote Binary Stdout Contract	✅ Passed	Pull request modifies only operational controller code to add Kubernetes container specifications, with no process-level entry points or stdout writes that would violate the OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only the controller implementation file to add TerminationMessagePolicy to build pod init containers. No new Ginkgo e2e tests are added, so the custom check is not applicable.
Title check	✅ Passed	The title accurately describes the main change: adding terminationMessagePolicy to build pod containers, which is the primary modification across both init containers.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[isabella-janssen]

/payload-job-with-prs periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi openshift/origin#31120

[openshift-ci]

@isabella-janssen: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0a5ce180-47e8-11f1-8c03-0252c16e8dd9-0

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/build/buildrequest/buildrequest.go`:
- Around line 677-685: The create-digest-configmap container is currently given
the full volumeMounts slice (VolumeMounts: volumeMounts) which exposes pull/push
credential secrets unnecessarily; restrict mounts to least privilege by
replacing VolumeMounts: volumeMounts with a dedicated slice containing only the
mount(s) needed to write/read the digest artifact (e.g., create a local variable
like digestVolumeMounts that includes just the digest artifact volume mount and
any minimal tmp/log mounts) and use that in the container spec for the
"create-digest-configmap" container (referencing the container name
"create-digest-configmap", the field VolumeMounts, and the existing volume
definitions used for the digest artifact).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5f907e52-9f63-42ef-a054-aecb0307d0d2

📥 Commits

Reviewing files that changed from the base of the PR and between a7a332d and 3142706.

📒 Files selected for processing (1)

• pkg/controller/build/buildrequest/buildrequest.go

[isabella-janssen]

/verified by @isabella-janssen

See the successful run of : [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError in the rehearsal run in #5993 (comment).

[openshift-ci-robot]

@isabella-janssen: This PR has been marked as verified by @isabella-janssen.

Details

In response to this:

/verified by @isabella-janssen

See the successful run of : [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError in the rehearsal run in #5993 (comment).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[djoshy]

/lgtm

Thanks for the quick fix!

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: djoshy, isabella-janssen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [djoshy,isabella-janssen]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[isabella-janssen]

/test unit

[isabella-janssen]

/cherrypick release-4.22 release-4.21 release-4.20 release-4.19 release-4.18

[openshift-cherrypick-robot]

@isabella-janssen: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-4.22 release-4.21 release-4.20 release-4.19 release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[isabella-janssen]

/jira refresh

[openshift-ci-robot]

@isabella-janssen: This pull request references Jira Issue OCPBUGS-84516, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 74b5b1b and 2 for PR HEAD 3142706 in total

[isabella-janssen]

/retest-required

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 48d0c9d and 1 for PR HEAD 3142706 in total

[isabella-janssen]

/test e2e-gcp-op-ocl-part1

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 4fe82f9 and 0 for PR HEAD 3142706 in total

[openshift-ci]

@isabella-janssen: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@isabella-janssen: Jira Issue OCPBUGS-84516: Some pull requests linked via external trackers have merged:

• openshift/machine-config-operator#5993

The following pull request, linked via external tracker, has not merged:

• openshift/origin#31120 is open

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-84516 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Closes: OCPBUGS-84516

- What I did
This adds a TerminationMessagePolicy of type TerminationMessageFallbackToLogsOnError to the build containers created dynamically.

- How to verify it
The [Monitor:termination-message-policy][sig-arch] all containers in ns/openshift-machine-config-operator must have terminationMessagePolicy=FallbackToLogsOnError test should pass when the MCO namespace exception is removed, so when tested with openshift/origin#31120.

- Description for the changelog
OCPBUGS-84516: Add terminationMessagePolicy to build pod containers

Summary by CodeRabbit

• Bug Fixes
• Enhanced build container error reporting and logging by improving termination message handling. Optimized build container initialization with refined volume mount configuration for better system reliability during build operations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@isabella-janssen: new pull request created: #6012

Details

In response to this:

/cherrypick release-4.22 release-4.21 release-4.20 release-4.19 release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.