STOR-2996: Sync gcp pd csi driver operator to legacy subdir

[mpatlasov]

Since PR#562 (which populated legacy/gcp-pd-csi-driver-operator) two PRs merged in openshift/gcp-pd-csi-driver-operator:

• OCPBUGS-87273: Updating ose-gcp-pd-csi-driver-operator-container image to be consistent with ART for 5.0 gcp-pd-csi-driver-operator#190
• OCPBUGS-87867: [5.0] VolumeSnapshot snapshot-c9v52 is not ready within 5m0s… gcp-pd-csi-driver-operator#192

This PR brings corresponding commits to csi-operator repo by command:

$ git subtree pull --prefix=legacy/gcp-pd-csi-driver-operator --squash https://github.com/openshift/gcp-pd-csi-driver-operator main

After that, the PR adds one manual change on the top sync-ing legacy/gcp-pd-csi-driver-operator/Dockerfile.openshift into root Dockerfile.gcp-pd.

https://redhat.atlassian.net/browse/STOR-2996

[openshift-ci-robot]

@mpatlasov: This pull request references STOR-2996 which is a valid jira issue.

Details

In response to this:

Since PR#562 (which populated legacy/gcp-pd-csi-driver-operator) two PRs merged in openshift/gcp-pd-csi-driver-operator:

• OCPBUGS-87273: Updating ose-gcp-pd-csi-driver-operator-container image to be consistent with ART for 5.0 gcp-pd-csi-driver-operator#190
• OCPBUGS-87867: [5.0] VolumeSnapshot snapshot-c9v52 is not ready within 5m0s… gcp-pd-csi-driver-operator#192

This PR brings corresponding commits to csi-operator repo by command:

$ git subtree pull --prefix=legacy/gcp-pd-csi-driver-operator --squash https://github.com/openshift/gcp-pd-csi-driver-operator main

After that, the PR adds one manual change on the top sync-ing legacy/gcp-pd-csi-driver-operator/Dockerfile.openshift into root Dockerfile.gcp-pd.

https://redhat.atlassian.net/browse/STOR-2996

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

Three Dockerfiles and a CI configuration file are updated to replace Go 1.25 / OpenShift 4.22 base images with Go 1.26 / OpenShift 5.0 equivalents: Dockerfile.gcp-pd, legacy/gcp-pd-csi-driver-operator/Dockerfile.openshift, and legacy/gcp-pd-csi-driver-operator/.ci-operator.yaml. Build steps and packaging remain unchanged. Separately, legacy/gcp-pd-csi-driver-operator/test/e2e/manifest.yaml swaps the VolumeSnapshotStressTestOptions values: NumPods moves from 2 to 5 and NumSnapshots moves from 5 to 2.

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically references the main objective: syncing the GCP PD CSI driver operator to the legacy subdirectory, matching the PR's core purpose of synchronizing upstream changes.
Description check	✅ Passed	The description directly relates to the changeset, explaining the sync operation from upstream PRs, the git subtree pull command used, and the manual Dockerfile synchronization performed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo test names (It/Describe/Context/When definitions). Changes are to Dockerfile base images and e2e test configuration parameters only.
Test Structure And Quality	✅ Passed	The PR does not modify any Ginkgo test code (.go files). Changes are: Dockerfile base image updates, CI operator image tags, and e2e test manifest YAML parameters. The custom check for Ginkgo test...
Microshift Test Compatibility	✅ Passed	PR does not add new Ginkgo e2e tests. It only updates base images in Dockerfiles, CI configuration, and test parameters in manifest.yaml (a configuration file, not test code).
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e test definitions are added in this PR. Changes are limited to base image upgrades and test configuration parameters in manifest files, which do not contain test code.
Topology-Aware Scheduling Compatibility	✅ Passed	PR makes no changes to deployment manifests, operator code, or scheduling constraints. Only base image version updates and test config changes, with no topology-aware scheduling issues introduced.
Ote Binary Stdout Contract	✅ Passed	PR contains only infrastructure changes (base image updates, CI config updates, test manifest configuration). No code changes that would violate OTE stdout contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR does not add new Ginkgo e2e tests. Changes are Dockerfile base image updates, CI config updates, and unit test files (non-Ginkgo). The manifest.yaml file is a YAML configuration file, not a test...
No-Weak-Crypto	✅ Passed	PR contains only configuration and base image version updates; no weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret compa...
Container-Privileges	✅ Passed	PR updates base images (Go 1.25→1.26, OpenShift 4.22→5.0) and test config values; no changes introduce privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or runni...
No-Sensitive-Data-In-Logs	✅ Passed	PR changes Dockerfiles and config files; none contain logging statements that expose sensitive data like passwords, tokens, API keys, or PII.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile.gcp-pd (1)

1-10: 🔒 Security & Privacy | 🟠 Major

Add USER directive to run operator as non-root user.

All CSI operator Dockerfiles (including Dockerfile.gcp-pd) lack a USER directive and run as root by default. The gcp-pd-csi-driver-operator binary does not require root privileges—it only manages Kubernetes resources via the CSI operator controller framework. The base image (ocp/5.0:base-rhel9) does not provide a non-root user by default; it is the developer's responsibility to define one.

Add a USER directive before the ENTRYPOINT to run as a non-root user (e.g., USER 65534:65534 for the nobody user, or create a custom unprivileged UID). This aligns with the coding guideline requirement "USER non-root; never run as root" and is a security best practice for OpenShift operators.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.gcp-pd` around lines 1 - 10, The Dockerfile.gcp-pd currently lacks
a USER directive and runs as root by default, which is a security risk. Add a
USER directive before the ENTRYPOINT line to run the gcp-pd-csi-driver-operator
binary as a non-root user. Since the base image ocp/5.0:base-rhel9 does not
provide a non-root user by default, use USER 65534:65534 to run as the nobody
user, or create a custom unprivileged UID if preferred. This ensures the
operator follows the security best practice of running as non-root.

Source: Path instructions

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@Dockerfile.gcp-pd`:
- Around line 1-10: The Dockerfile.gcp-pd currently lacks a USER directive and
runs as root by default, which is a security risk. Add a USER directive before
the ENTRYPOINT line to run the gcp-pd-csi-driver-operator binary as a non-root
user. Since the base image ocp/5.0:base-rhel9 does not provide a non-root user
by default, use USER 65534:65534 to run as the nobody user, or create a custom
unprivileged UID if preferred. This ensures the operator follows the security
best practice of running as non-root.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f9f95a1f-62c0-4fd8-97b0-583622b23d57

📥 Commits

Reviewing files that changed from the base of the PR and between d768b79 and 3a73113.

📒 Files selected for processing (4)

• Dockerfile.gcp-pd
• legacy/gcp-pd-csi-driver-operator/.ci-operator.yaml
• legacy/gcp-pd-csi-driver-operator/Dockerfile.openshift
• legacy/gcp-pd-csi-driver-operator/test/e2e/manifest.yaml

[mpatlasov]

/retest-required

[mpatlasov]

/test e2e-azure

[jsafrane]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane, mpatlasov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jsafrane,mpatlasov]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mpatlasov]

/verified by @mpatlasov

[openshift-ci-robot]

@mpatlasov: This PR has been marked as verified by @mpatlasov.

Details

In response to this:

/verified by @mpatlasov

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD ad5643a and 2 for PR HEAD 3a73113 in total

[openshift-ci]

@mpatlasov: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.