Bump default certsuite version to v5.5.9

[rajchiluveru]

SUMMARY
Bump default certsuite version to v5.5.9

ISSUE TYPE
Bump version

Tests
TestBos2Workload: certsuite-green certsuite-green:ansible_extravars=kbpc_version:v5.5.9

[coderabbitai]

📝 Walkthrough

Walkthrough

Bumped the kbpc_version default in roles/k8s_best_practices_certsuite/defaults/main.yml from v5.5.8 to v5.5.9.

Changes

Cohort / File(s)	Summary
Certsuite defaults version bump roles/k8s_best_practices_certsuite/defaults/main.yml	Update kbpc_version: v5.5.8 → v5.5.9

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• Bump default certsuite version to v5.5.8 #779 — Previous kbpc_version bump (v5.5.7→v5.5.8) in the same defaults file.
• Bump certsuite to v5.5.2 #665 — Updates the same kbpc_version variable in the same file.
• Increase default certsuite version to v5.5.5 #720 — Similar kbpc_version bump (v5.5.4→v5.5.5) in the same defaults file.

Suggested reviewers

• ramperher
• manurodriguez

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly and accurately states the primary change—bumping the default certsuite to v5.5.9—and directly matches the changeset (kbpc_version in roles/k8s_best_practices_certsuite/defaults/main.yml). It is concise, specific, and suitable for quick history scanning.
Description Check	✅ Passed	The PR description clearly restates the objective to bump the certsuite version to v5.5.9 and includes relevant test notes, which directly relate to the single-file change in the changeset. It is on-topic and sufficient for this simple version bump.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch certsuite_5.5.9

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[softwarefactory-project-zuul]

Build succeeded.
https://softwarefactory-project.io/zuul/t/local/buildset/acda03a2f6f747fa9422127a12bb59f9

✔️ dci-rpm-build-el8 SUCCESS in 2m 50s
✔️ dci-rpm-build-el9 SUCCESS in 2m 26s

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

roles/k8s_best_practices_certsuite/defaults/main.yml (1)

2-2: Optional: consider enabling commit SHA pinning for reproducibility.

If feasible, set kbpc_check_commit_sha: true (or wire a SHA input) to guard against retag issues and ensure deterministic pulls. Happy to follow up in a separate PR.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ac65180 and f871930.

📒 Files selected for processing (1)

• roles/k8s_best_practices_certsuite/defaults/main.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Sanity Check (stable-2.18)
• GitHub Check: Ansible-lint Check
• GitHub Check: Sanity Check (stable-2.9)

🔇 Additional comments (1)

roles/k8s_best_practices_certsuite/defaults/main.yml (1)

3-3: LGTM: Version bump to v5.5.9 matches an upstream tag.

The certsuite repo has a signed tag v5.5.9 dated Sep 16, 2025; pulling specific tags is documented, so this default looks good. (github.com)

[coderabbitai]

⚠️ Potential issue

🧩 Analysis chain

Quick publish check for images/tags before merge.

Please verify that both images exist with tag v5.5.9 to avoid CI breakage:

• quay.io/redhat-best-practices-for-k8s/certsuite:v5.5.9
• quay.io/redhat-best-practices-for-k8s/certsuite-probe:v5.5.9

Run this script:

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

TAG="v5.5.9"
NS="redhat-best-practices-for-k8s"

# GitHub tag exists?
echo "Checking GitHub tag ${TAG}..."
curl -fsSL "https://api.github.com/repos/${NS}/certsuite/tags" | jq -r '.[].name' | grep -Fx "${TAG}"

# Quay image tags
for IMG in certsuite certsuite-probe; do
  echo "Checking Quay tag for ${IMG}:${TAG}..."
  curl -fsSL "https://quay.io/api/v1/repository/${NS}/${IMG}/tag/?specificTag=${TAG}" | jq -e '.tags | map(.name=="'"${TAG}"'") | any'
done

echo "All checks passed."

Length of output: 137

---

Quick publish check — certsuite-probe:v5.5.9 missing on Quay

GitHub tag v5.5.9 exists; quay.io/redhat-best-practices-for-k8s/certsuite:v5.5.9 is present; quay.io/redhat-best-practices-for-k8s/certsuite-probe:v5.5.9 is absent — merging will break CI.

File: roles/k8s_best_practices_certsuite/defaults/main.yml (line 3: kbpc_version: v5.5.9)

Actions:

• Push certsuite-probe:v5.5.9 to quay.
• Or update kbpc_version to a tag that exists for both images.
• Or change CI to pull an available probe tag.

🤖 Prompt for AI Agents

In roles/k8s_best_practices_certsuite/defaults/main.yml around line 3,
kbpc_version is set to v5.5.9 but the companion image certsuite-probe:v5.5.9 is
missing on Quay; either push the missing certsuite-probe:v5.5.9 image to quay OR
change kbpc_version to a tag that exists for both images (verify available tags
on quay.io/redhat-best-practices-for-k8s for certsuite and certsuite-probe and
pick a matching tag), then update this file to that verified tag so CI pulls a
tag present for both images.

[dcibot]

from change #783:

• SUCCESS https://www.distributed-ci.io/jobs/37241d14-d75a-4a8b-8440-7a423b2b4146/jobStates

[ramperher]

LGTM