Ensure oauth-proxy ImageStream is detected eventually (#2340)

* Ensure oauth-proxy ImageStream is detected eventually

* move the detectOAuthProxyImageStream function out of
  `autoDetectCapabilities`'s `firstRun.Do` block

* introduce a check to prevent needless api calls if
  `openshift-oauth-proxy-image` is already digest-based (assuming
  detection has occured)

Signed-off-by: Bram Verschueren <verschueren.bram@gmail.com>

* Protect OpenShiftOauthProxyImage with mutex

Signed-off-by: Bram Verschueren <verschueren.bram@gmail.com>

---------

Signed-off-by: Bram Verschueren <verschueren.bram@gmail.com>

apis/v1/jaeger_types.go

@@ -57,6 +57,9 @@ const (
 	// FlagAuthDelegatorAvailability represents the 'auth-delegator-available' flag.
 	FlagAuthDelegatorAvailability = "auth-delegator-available"
 
+	// FlagOpenShiftOauthProxyImage represents the 'openshift-oauth-proxy-image' flag.
+	FlagOpenShiftOauthProxyImage = "openshift-oauth-proxy-image"
+
 	// IngressSecurityNone disables any form of security for ingress objects (default)
 	IngressSecurityNone IngressSecurityType = ""
 

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/google/gnostic-models v0.6.8
 	github.com/google/go-cmp v0.5.9
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/openshift/api v0.0.0-20230213202419-42edf4f1d905
+	github.com/openshift/api v0.0.0-20230915112357-693d4b64813c
 	github.com/openshift/elasticsearch-operator v0.0.0-20230209095209-2403ff186a1c
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/operator-framework/operator-lib v0.11.1-0.20230607132417-ecb9be488378
@@ -32,10 +32,10 @@ require (
 	go.uber.org/zap v1.25.0
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	google.golang.org/grpc v1.57.0
-	k8s.io/api v0.28.1
-	k8s.io/apimachinery v0.28.1
-	k8s.io/client-go v0.28.1
-	k8s.io/component-base v0.28.1
+	k8s.io/api v0.28.2
+	k8s.io/apimachinery v0.28.2
+	k8s.io/client-go v0.28.2
+	k8s.io/component-base v0.28.2
 	sigs.k8s.io/controller-runtime v0.16.1
 )
 
@@ -72,6 +72,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/openshift/library-go v0.0.0-20231003133513-3a0c1fc00519 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.16.0 // indirect
@@ -103,10 +104,10 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.28.0 // indirect
+	k8s.io/apiextensions-apiserver v0.28.2 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect

go.sum

@@ -225,8 +225,12 @@ github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/openshift/api v0.0.0-20230213202419-42edf4f1d905 h1:f+W57UXpRIJeZIh9lGLIPix/YxdFDBgHDGo0OkIgQw0=
 github.com/openshift/api v0.0.0-20230213202419-42edf4f1d905/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4=
+github.com/openshift/api v0.0.0-20230915112357-693d4b64813c h1:ro/BvvpAikMoZc/fsxJN6jxmK+4uIbdNIK9nwaFQ5xo=
+github.com/openshift/api v0.0.0-20230915112357-693d4b64813c/go.mod h1:NFgA+laiQtptmjsp1trDnGqjV62nYzlUfQ6P5I9oqXA=
 github.com/openshift/elasticsearch-operator v0.0.0-20230209095209-2403ff186a1c h1:634+wE/JdH3vRZsezq0ZP96/dhyzvxF1oL0PooadSxw=
 github.com/openshift/elasticsearch-operator v0.0.0-20230209095209-2403ff186a1c/go.mod h1:XqvnrVfp9t5hZtlSIRd5yh2SIMS97Uv9mbGyiKassmE=
+github.com/openshift/library-go v0.0.0-20231003133513-3a0c1fc00519 h1:i4tHhSfvDj0g0rmD6nHE+FtdLFEQyDWbkuRi8xs5SQ8=
+github.com/openshift/library-go v0.0.0-20231003133513-3a0c1fc00519/go.mod h1:hl8bxWuFMM72N4YH7FKLGWtYhDz/A0xwvaa8Yr5fxYU=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/operator-framework/operator-lib v0.11.1-0.20230607132417-ecb9be488378 h1:g7JRKMQt/VAzVGUYbiAXwL6YCdQQkGI4nIfMVG6kU6c=
@@ -686,20 +690,32 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108=
 k8s.io/api v0.28.1/go.mod h1:uBYwID+66wiL28Kn2tBjBYQdEU0Xk0z5qF8bIBqk/Dg=
+k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw=
+k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg=
 k8s.io/apiextensions-apiserver v0.28.0 h1:CszgmBL8CizEnj4sj7/PtLGey6Na3YgWyGCPONv7E9E=
 k8s.io/apiextensions-apiserver v0.28.0/go.mod h1:uRdYiwIuu0SyqJKriKmqEN2jThIJPhVmOWETm8ud1VE=
+k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU=
+k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg=
 k8s.io/apimachinery v0.28.1 h1:EJD40og3GizBSV3mkIoXQBsws32okPOy+MkRyzh6nPY=
 k8s.io/apimachinery v0.28.1/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
+k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ=
+k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU=
 k8s.io/client-go v0.28.1 h1:pRhMzB8HyLfVwpngWKE8hDcXRqifh1ga2Z/PU9SXVK8=
 k8s.io/client-go v0.28.1/go.mod h1:pEZA3FqOsVkCc07pFVzK076R+P/eXqsgx5zuuRWukNE=
+k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY=
+k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY=
 k8s.io/component-base v0.28.1 h1:LA4AujMlK2mr0tZbQDZkjWbdhTV5bRyEyAFe0TJxlWg=
 k8s.io/component-base v0.28.1/go.mod h1:jI11OyhbX21Qtbav7JkhehyBsIRfnO8oEgoAR12ArIU=
+k8s.io/component-base v0.28.2 h1:Yc1yU+6AQSlpJZyvehm/NkJBII72rzlEsd6MkBQ+G0E=
+k8s.io/component-base v0.28.2/go.mod h1:4IuQPQviQCg3du4si8GpMrhAIegxpsgPngPRR/zWpzc=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
 k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

pkg/autodetect/main.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	osimagev1 "github.com/openshift/api/image/v1"
+	imagereference "github.com/openshift/library-go/pkg/image/reference"
 	"github.com/spf13/viper"
 	"go.opentelemetry.io/otel"
 	authenticationapi "k8s.io/api/authentication/v1"
@@ -96,12 +97,11 @@ func (b *Background) autoDetectCapabilities() {
 			// the platform won't change during the execution of the operator, need to run it only once
 			b.detectPlatform(ctx, apiList)
 
-			b.detectOAuthProxyImageStream(ctx)
-
 			// the version of the APIs provided by the platform will not change
 			b.detectCronjobsVersion(ctx)
 			b.detectAutoscalingVersion(ctx)
 		})
+		b.detectOAuthProxyImageStream(ctx)
 		b.detectElasticsearch(ctx, apiList)
 		b.detectKafka(ctx, apiList)
 	}
@@ -222,7 +222,7 @@ func (b *Background) detectOAuthProxyImageStream(ctx context.Context) {
 	ctx, span := tracer.Start(ctx, "detectOAuthProxyImageStream")
 	defer span.End()
 
-	if OperatorConfiguration.GetPlatform() == OpenShiftPlatform {
+	if OperatorConfiguration.GetPlatform() != OpenShiftPlatform {
 		log.Log.V(-1).Info(
 			"Not running on OpenShift, so won't configure OAuthProxy imagestream.",
 		)
@@ -240,13 +240,27 @@ func (b *Background) detectOAuthProxyImageStream(ctx context.Context) {
 		return
 	}
 
+	// if the image is already digest-based no need to get the reference from an ImageStream
+	currImage := OperatorConfiguration.GetOautProxyImage()
+	currImageReference, err := imagereference.Parse(currImage)
+	if err == nil {
+		if currImageReference.ID != "" {
+			log.Log.V(6).Info(
+				"OAuthProxy Image already digest-based",
+				"namespace", imageStreamNamespace,
+				"name", imageStreamName,
+			)
+			return
+		}
+	}
+
 	imageStream := &osimagev1.ImageStream{}
 	namespacedName := types.NamespacedName{
 		Name:      imageStreamName,
 		Namespace: imageStreamNamespace,
 	}
 
-	if err := b.cl.Get(ctx, namespacedName, imageStream); err != nil {
+	if err = b.cl.Get(ctx, namespacedName, imageStream); err != nil {
 		log.Log.Error(
 			err,
 			"Failed to obtain OAuthProxy ImageStream",
@@ -286,7 +300,7 @@ func (b *Background) detectOAuthProxyImageStream(ctx context.Context) {
 
 	image := imageStream.Status.Tags[0].Items[0].DockerImageReference
 
-	viper.Set("openshift-oauth-proxy-image", image)
+	OperatorConfiguration.SetOautProxyImage(image)
 	log.Log.Info(
 		"Updated OAuth Proxy image flag",
 		"image", image,

pkg/autodetect/operatorconfig.go

@@ -221,3 +221,17 @@ func (c *operatorConfigurationWrapper) IsAuthDelegatorAvailable() bool {
 func (c *operatorConfigurationWrapper) IsAuthDelegatorSet() bool {
 	return c.GetAuthDelegator() != AuthDelegatorAvailabilityUnknown
 }
+
+func (c *operatorConfigurationWrapper) SetOautProxyImage(image string) {
+	c.mu.Lock()
+	viper.Set(v1.FlagOpenShiftOauthProxyImage, image)
+	c.mu.Unlock()
+}
+
+func (c *operatorConfigurationWrapper) GetOautProxyImage() string {
+	c.mu.RLock()
+	image := viper.GetString(v1.FlagOpenShiftOauthProxyImage)
+	c.mu.RUnlock()
+
+	return image
+}

pkg/cmd/start/main.go

@@ -28,7 +28,7 @@ func AddFlags(cmd *cobra.Command) {
 	cmd.Flags().String("jaeger-spark-dependencies-image", "ghcr.io/jaegertracing/spark-dependencies/spark-dependencies", "The Docker image for the Spark Dependencies Job")
 	cmd.Flags().String("jaeger-es-index-cleaner-image", "jaegertracing/jaeger-es-index-cleaner", "The Docker image for the Jaeger Elasticsearch Index Cleaner")
 	cmd.Flags().String("jaeger-es-rollover-image", "jaegertracing/jaeger-es-rollover", "The Docker image for the Jaeger Elasticsearch Rollover")
-	cmd.Flags().String("openshift-oauth-proxy-image", "quay.io/openshift/origin-oauth-proxy:4.12", "The Docker image location definition for the OpenShift OAuth Proxy")
+	cmd.Flags().String(v1.FlagOpenShiftOauthProxyImage, "quay.io/openshift/origin-oauth-proxy:4.12", "The Docker image location definition for the OpenShift OAuth Proxy")
 	cmd.Flags().String("openshift-oauth-proxy-imagestream-ns", "", "The namespace for the OpenShift OAuth Proxy imagestream")
 	cmd.Flags().String("openshift-oauth-proxy-imagestream-name", "", "The name for the OpenShift OAuth Proxy imagestream")
 	cmd.Flags().String("platform", v1.FlagPlatformAutoDetect, "The target platform the operator will run. Possible values: 'kubernetes', 'openshift', 'auto-detect'")

pkg/inject/oauth_proxy.go

@@ -90,7 +90,7 @@ func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
 	sort.Strings(args)
 
 	return corev1.Container{
-		Image:        viper.GetString("openshift-oauth-proxy-image"),
+		Image:        viper.GetString(v1.FlagOpenShiftOauthProxyImage),
 		Name:         "oauth-proxy",
 		Args:         args,
 		VolumeMounts: volumeMounts,