From 2752c18cd6e1782fd622fc4cda84220ae96d10ab Mon Sep 17 00:00:00 2001 From: PillaiManish Date: Fri, 27 Mar 2026 00:34:19 +0530 Subject: [PATCH 1/2] UPSTREAM: : Migrate base images from UBI9 to UBI10 for RHCOS10 Update all container base images from UBI9 to UBI10 to align with the RHCOS10 host OS. Moves registry from registry.access.redhat.com to registry.redhat.io. Changes: - ubi9/ubi-minimal:9.6 -> ubi10/ubi-minimal:10.1 (4 primary images) - ubi9/ubi:9.5 -> ubi10/ubi:10.1 (scorecard-untar) - ubi9/ubi-minimal:latest -> ubi10/ubi-minimal:latest (2 CI dockerfiles) - release/helm/Dockerfile: replace OCP CI RHEL9 builder and base-rhel9 runtime with ubi10/go-toolset:10.1 (builder, USER root) and ubi10:10.1 - ci/tests/e2e-helm.sh: update metrics curl pod from ubi9 to ubi10 Made-with: Cursor --- .../compliance/rhcos10/PR2-ubi10-migration.md | 87 +++++++++++++++++++ ci/dockerfiles/go-e2e.Dockerfile | 2 +- ci/dockerfiles/scorecard-proxy.Dockerfile | 2 +- ci/tests/e2e-helm.sh | 2 +- images/custom-scorecard-tests/Dockerfile | 2 +- images/helm-operator/Dockerfile | 2 +- images/operator-sdk/Dockerfile | 2 +- images/scorecard-test/Dockerfile | 2 +- images/scorecard-untar/Dockerfile | 2 +- release/helm/Dockerfile | 5 +- 10 files changed, 98 insertions(+), 10 deletions(-) create mode 100644 .work/compliance/rhcos10/PR2-ubi10-migration.md diff --git a/.work/compliance/rhcos10/PR2-ubi10-migration.md b/.work/compliance/rhcos10/PR2-ubi10-migration.md new file mode 100644 index 000000000..b39e1127f --- /dev/null +++ b/.work/compliance/rhcos10/PR2-ubi10-migration.md 
@@ -0,0 +1,87 @@
+# PR2: RHCOS10 — Migrate Base Images from UBI9 to UBI10
+
+## Purpose
+
+Migrate all container base images from UBI9 to UBI10 to align with the RHCOS10 host OS.
+This is the follow-up to PR1 (`rhcos10-ubi9-compat-test`), which validated that UBI9 images
+run on RHCOS10 nodes. This PR adopts UBI10 as the native base for RHCOS10 deployments.
+
+## Changes
+
+### Registry change
+
+All images move from the unauthenticated public registry to the authenticated Red Hat registry:
+
+```
+registry.access.redhat.com → registry.redhat.io
+```
+
+### UBI minimal images (pinned version)
+
+`ubi9/ubi-minimal:9.6` → `ubi10/ubi-minimal:10.1`
+
+| Dockerfile | Before | After |
+|---|---|---|
+| `images/helm-operator/Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:9.6` | `registry.redhat.io/ubi10/ubi-minimal:10.1` |
+| `images/operator-sdk/Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:9.6` | `registry.redhat.io/ubi10/ubi-minimal:10.1` |
+| `images/scorecard-test/Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:9.6` | `registry.redhat.io/ubi10/ubi-minimal:10.1` |
+| `images/custom-scorecard-tests/Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:9.6` | `registry.redhat.io/ubi10/ubi-minimal:10.1` |
+
+### Full UBI image (pinned version)
+
+`ubi9/ubi:9.5` → `ubi10/ubi:10.1`
+
+| Dockerfile | Before | After |
+|---|---|---|
+| `images/scorecard-untar/Dockerfile` | `registry.access.redhat.com/ubi9/ubi:9.5` | `registry.redhat.io/ubi10/ubi:10.1` |
+
+### UBI minimal images (floating latest tag)
+
+`ubi9/ubi-minimal:latest` → `ubi10/ubi-minimal:latest`
+
+| Dockerfile | Before | After |
+|---|---|---|
+| `ci/dockerfiles/go-e2e.Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:latest` | `registry.redhat.io/ubi10/ubi-minimal:latest` |
+| `ci/dockerfiles/scorecard-proxy.Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:latest` | `registry.redhat.io/ubi10/ubi-minimal:latest` |
+
+### OCP product image (release/helm/Dockerfile)
+
+Previously used OCP CI registry images pinned to RHEL9. Replaced with publicly available Red Hat registry images:
+
+| Stage | Before | After |
+|---|---|---|
+| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22` | `registry.redhat.io/ubi10/go-toolset:10.1` |
+| Runtime | `registry.ci.openshift.org/ocp/4.22:base-rhel9` | `registry.redhat.io/ubi10:10.1` |
+
+### E2E test curl pod (ci/tests/e2e-helm.sh)
+
+The metrics verification step spins up a temporary `kubectl run` pod using a UBI image to curl the metrics endpoint. Updated from UBI9 to UBI10:
+
+```
+registry.access.redhat.com/ubi9/ubi-minimal:latest
+→
+registry.redhat.io/ubi10/ubi-minimal:latest
+```
+
+## Files NOT Changed
+
+| File | Reason |
+|---|---|
+| `release/helm/upstream.Dockerfile` | Uses `ubi8/ubi-minimal` — separate RHEL8 lineage, unrelated to this migration |
+| `ci/dockerfiles/builder.Dockerfile` | Uses `openshift/origin-release:golang-1.13` — legacy, not RHEL9-specific |
+| `.ci-operator.yaml` | Build root (`rhel-9-release-golang-1.24-openshift-4.22`) is managed by OCP CI team in `openshift/release` |
+
+## Test Plan
+
+- [ ] All images build successfully against `ubi10` base
+- [ ] `release/helm/Dockerfile` builds successfully with `go-toolset:10.1` as builder
+- [ ] CI jobs pass on RHCOS10 cluster nodes with UBI10 base images
+- [ ] `microdnf` commands in `images/operator-sdk/Dockerfile` work under UBI10
+- [ ] E2e metrics check passes with UBI10 curl pod (`ci/tests/e2e-helm.sh`)
+- [ ] No regressions observed compared to UBI9 baseline (PR1)
+
+## References
+
+- [Red Hat UBI10 Container Catalog](https://catalog.redhat.com/en/software/containers/ubi10/ubi/66f2b46b122803e4937d11ae)
+- [Red Hat UBI10 Minimal Container Catalog](https://catalog.redhat.com/en/software/containers/ubi10/ubi-minimal)
+- PR1 baseline: `.work/compliance/rhcos10/PR1-ubi9-compat-test.md`
diff --git a/ci/dockerfiles/go-e2e.Dockerfile b/ci/dockerfiles/go-e2e.Dockerfile index 7ce45878e..9c7894ca2 100644 --- a/ci/dockerfiles/go-e2e.Dockerfile +++ b/ci/dockerfiles/go-e2e.Dockerfile @@ -2,7 +2,7 @@ FROM osdk-builder as builder RUN ci/tests/scaffolding/e2e-go-scaffold.sh -FROM registry.access.redhat.com/ubi9/ubi-minimal:latest +FROM registry.redhat.io/ubi10/ubi-minimal:latest ENV OPERATOR=/usr/local/bin/memcached-operator \ USER_UID=1001 \ diff --git a/ci/dockerfiles/scorecard-proxy.Dockerfile b/ci/dockerfiles/scorecard-proxy.Dockerfile index a1193e5b2..c27457281 100644 --- a/ci/dockerfiles/scorecard-proxy.Dockerfile +++ b/ci/dockerfiles/scorecard-proxy.Dockerfile @@ -2,7 +2,7 @@ FROM osdk-builder as builder RUN ci/tests/scaffolding/scorecard-proxy-scaffold.sh -FROM registry.access.redhat.com/ubi9/ubi-minimal:latest +FROM registry.redhat.io/ubi10/ubi-minimal:latest ENV PROXY=/usr/local/bin/scorecard-proxy \ USER_UID=1001 \ diff --git a/ci/tests/e2e-helm.sh b/ci/tests/e2e-helm.sh index c325bac2f..d35ac2f0e 100755 --- a/ci/tests/e2e-helm.sh +++ b/ci/tests/e2e-helm.sh 
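Review bot: The new final-stage base `registry.redhat.io/ubi10/ubi-minimal:latest` is still a floating tag, so each CI build can pick up a different image and a UBI10 regression cannot be traced to a known base. The same applies to the scorecard-proxy.Dockerfile hunk below and to the `--image=` argument changed in ci/tests/e2e-helm.sh. The images/ Dockerfiles in this patch pin `10.1`; I would use `FROM registry.redhat.io/ubi10/ubi-minimal:10.1` here as well, or a digest (`@sha256:<digest>`) if reproducibility matters for these CI images. Both stages continue outside the hunk.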
@@ -71,7 +71,7 @@ EOF token=$(kubectl get secret service-account-secret -o jsonpath={.data.token} | base64 -d) # verify that the metrics endpoint exists - if ! timeout 1m bash -c -- "until kubectl run --attach --rm --restart=Never test-metrics --image=registry.access.redhat.com/ubi9/ubi-minimal:latest -n memcached-operator-system --overrides='{\"spec\":{\"securityContext\":{\"runAsNonRoot\": true, \"capabilities\": {\"drop\": [\"ALL\"]}, \"allowPrivelegeEscalation\": false, \"seccompProfile\": {\"type\": \"RuntimeDefault\"}}}}' -- curl -sfkH \"Authorization: Bearer ${token}\" https://memcached-operator-controller-manager-metrics-service:8443/metrics; do sleep 1; done"; + if ! timeout 1m bash -c -- "until kubectl run --attach --rm --restart=Never test-metrics --image=registry.redhat.io/ubi10/ubi-minimal:latest -n memcached-operator-system --overrides='{\"spec\":{\"securityContext\":{\"runAsNonRoot\": true, \"capabilities\": {\"drop\": [\"ALL\"]}, \"allowPrivelegeEscalation\": false, \"seccompProfile\": {\"type\": \"RuntimeDefault\"}}}}' -- curl -sfkH \"Authorization: Bearer ${token}\" https://memcached-operator-controller-manager-metrics-service:8443/metrics; do sleep 1; done"; then echo "Failed to verify that metrics endpoint exists" kubectl describe pods diff --git a/images/custom-scorecard-tests/Dockerfile b/images/custom-scorecard-tests/Dockerfile index 1721c5111..709bbbed6 100644 --- a/images/custom-scorecard-tests/Dockerfile +++ b/images/custom-scorecard-tests/Dockerfile @@ -17,7 +17,7 @@ COPY . . RUN GOOS=linux GOARCH=$TARGETARCH make build/custom-scorecard-tests # Final image. -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 +FROM registry.redhat.io/ubi10/ubi-minimal:10.1 ENV HOME=/opt/custom-scorecard-tests \ USER_NAME=custom-scorecard-tests \ diff --git a/images/helm-operator/Dockerfile b/images/helm-operator/Dockerfile index bd779c4d4..adb3acf5c 100644 --- a/images/helm-operator/Dockerfile +++ b/images/helm-operator/Dockerfile 
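Review bot: The `--overrides` JSON carried onto the new `kubectl run` line spells the key `allowPrivelegeEscalation`, and it places that key and `capabilities` under the pod-level `spec.securityContext`, where Kubernetes defines fields such as `runAsNonRoot` and `seccompProfile` but not these two. Both are container-level settings, so the test pod most likely runs without the capability drop and escalation lock the override intends; the spelling should be `\"allowPrivilegeEscalation\": false` and both keys belong in the container's own `securityContext`. Separately, `registry.redhat.io` requires pull credentials, so unless memcached-operator-system has a pull secret the `until` loop will only retry until `timeout 1m` fires, which then reads as a metrics failure rather than an image-pull failure. The enclosing block starts and ends outside the hunk.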
@@ -17,7 +17,7 @@ COPY . . RUN GOOS=linux GOARCH=$TARGETARCH make build/helm-operator # Final image. -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 +FROM registry.redhat.io/ubi10/ubi-minimal:10.1 ENV HOME=/opt/helm \ USER_NAME=helm \ diff --git a/images/operator-sdk/Dockerfile b/images/operator-sdk/Dockerfile index e5ad44407..fc567ab96 100644 --- a/images/operator-sdk/Dockerfile +++ b/images/operator-sdk/Dockerfile @@ -17,7 +17,7 @@ COPY . . RUN GOOS=linux GOARCH=$TARGETARCH make build/operator-sdk # Final image. -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 +FROM registry.redhat.io/ubi10/ubi-minimal:10.1 ARG TARGETARCH RUN microdnf install -y make gcc which tar gzip diff --git a/images/scorecard-test/Dockerfile b/images/scorecard-test/Dockerfile index 3aac7dcfc..6ac02bf67 100644 --- a/images/scorecard-test/Dockerfile +++ b/images/scorecard-test/Dockerfile @@ -17,7 +17,7 @@ COPY . . RUN GOOS=linux GOARCH=$TARGETARCH make build/scorecard-test # Final image. -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 +FROM registry.redhat.io/ubi10/ubi-minimal:10.1 ENV HOME=/opt/scorecard-test \ USER_NAME=scorecard-test \ diff --git a/images/scorecard-untar/Dockerfile b/images/scorecard-untar/Dockerfile index d0995596f..d457d8fa5 100644 --- a/images/scorecard-untar/Dockerfile +++ b/images/scorecard-untar/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/ubi:9.5 +FROM registry.redhat.io/ubi10/ubi:10.1 ## Create a new non-root user to run as ENV HOME=/opt/scorecard-untar \ diff --git a/release/helm/Dockerfile b/release/helm/Dockerfile index c39cfd1ec..445057ccb 100644 --- a/release/helm/Dockerfile +++ b/release/helm/Dockerfile 
@@ -1,14 +1,15 @@ -FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22 AS builder +FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder ENV GO111MODULE=on \ GOFLAGS=-mod=vendor # we need to patch the Makefile prior to building +USER root COPY . /go/src/github.com/operator-framework/operator-sdk RUN cd /go/src/github.com/operator-framework/operator-sdk \ && make -f ci/prow.Makefile patch build -FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 +FROM registry.redhat.io/ubi10:10.1 ENV HOME=/opt/helm \ USER_NAME=helm \ From 7bc606b64032c9c84b2ef54032d57b27a2860410 Mon Sep 17 00:00:00 2001 From: Manish Pillai Date: Thu, 16 Apr 2026 10:29:21 +0530 Subject: [PATCH 2/2] Change base image to ubi-minimal:10.1 --- release/helm/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release/helm/Dockerfile b/release/helm/Dockerfile index 445057ccb..de9bf66d6 100644 --- a/release/helm/Dockerfile +++ b/release/helm/Dockerfile @@ -9,7 +9,7 @@ COPY . /go/src/github.com/operator-framework/operator-sdk RUN cd /go/src/github.com/operator-framework/operator-sdk \ && make -f ci/prow.Makefile patch build -FROM registry.redhat.io/ubi10:10.1 +FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1 ENV HOME=/opt/helm \ USER_NAME=helm \
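Review bot: The added `USER root` in the builder stage carries no explanation and now sits between the comment `# we need to patch the Makefile prior to building` and the COPY/RUN that comment describes. Presumably it is there because the go-toolset image defaults to an unprivileged user that cannot write under /go/src; if so, say that in a comment such as `# go-toolset defaults to a non-root user; root is needed here only to write the source tree`, placed above `USER root`, and keep the Makefile comment directly above `COPY`. An alternative that keeps the build unprivileged is `COPY --chown=<uid>:<gid>` into a directory that user owns. `USER` does not carry into the next `FROM`, but the runtime stage's own `USER` directive is outside this hunk and is worth confirming.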
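Review bot: This `FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1` goes back to the unauthenticated registry, while every other FROM changed in patch 1/2 uses `registry.redhat.io` and PR2-ubi10-migration.md still lists the runtime as `registry.redhat.io/ubi10:10.1`. Either use `FROM registry.redhat.io/ubi10/ubi-minimal:10.1` for consistency, or update the Runtime row and the "Registry change" section of that document to record the exception and the reason for it. The switch from the full UBI image to ubi-minimal also drops `dnf`/`yum`, so any package step later in this stage (outside the hunk) would need `microdnf`.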