fix: spec-first official ocp input import for 4.11–4.22

[deepsm007]

Official ocp/4.11–4.22 inputs resolve from stable: in the job ns, then spec/status @sha256 on the source IS, with LocalTagReferencePolicy for pipeline tags. Legacy streams (4.23, 5.0) keep quay-proxy + Source policy.

https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-api-2854-openshift-installer-10566-openshift-origin-31211-openshift-machine-config-operator-6076-ci-5.0-e2e-aws-ovn-techpreview-serial-3of3/2060029597415641088#1:build-log.txt%3A150-157

dependent on #5216
/hold

Overview

This PR changes how ci-operator resolves and imports official OpenShift Container Platform (OCP) base images for versions 4.11–4.22 to a spec-first flow: prefer a job-namespace stable: ImageStream, otherwise prefer the source ImageStream spec/status digest (@sha256), and create pipeline ImageStreamTags that reference the digest (LocalTagReferencePolicy). Legacy streams (4.23 and 5.0) remain on the existing quay-proxy SourceTagReferencePolicy. The change depends on PR #5216.

Affected component and runtime behavior

• Component: ci-operator (image resolution / input import).
• Behavior changes:
  • For OCP 4.11–4.22:
    • Look for stable: in the job namespace first.
    • If not found, read the source ImageStream spec/status and import by digest (@sha256) when available.
    • Create pipeline ImageStreamTag entries with LocalTagReferencePolicy so pipeline tags point at the resolved digest (improves determinism).
    • Avoid fallback to quay-proxy pull-through when official-input semantics apply.
  • For legacy streams (4.23 and 5.0): unchanged — continue using quay-proxy with SourceTagReferencePolicy.

Key implementation notes

• input_image_tag.go
  • Refactors run() to compute the ImageStreamTag From, ReferencePolicy, and source pull spec across three cases (external, cluster-bot, official).
  • Adds resolveOfficialImport that delegates to utils.ResolveOfficialInputFrom and chooses LocalTagReferencePolicy for resolved official inputs.
  • metrics.TagImportEvent now records the computed source pull spec.
• utils/image.go
  • Introduces exported helpers: ResolveOfficialInputFrom, OfficialImageTagFrom, and FindSpecTag.
  • ImageDigestFor now validates spec presence and surfaces errors when a tag is absent; spec-tag lookups are exposed via FindSpecTag.
  • ResolveOfficialInputFrom implements the "stable first" job-namespace lookup, source ImageStream loading when needed, and Quay fallback.
• release/snapshot.go
  • Consolidates and reuses source ImageStream resolution for snapshot creation and centralizes per-tag import-source selection into snapshotImportSource.
• Tests and CI
  • Adds unit tests covering spec-first resolution, stable-first behavior, legacy fallback, ImageDigestFor edge cases, and snapshotImportSource.
  • Updates an e2e multi-stage test to assert "latest" (4.18) in integration-releases.yaml.
  • Author ran e2e; PR references CI logs demonstrating behavior.

Practical impact for CI users and operators

• Jobs targeting OCP 4.11–4.22 will prefer importing inputs by digest (via job-namespace stable: or source ImageStream spec/status), improving reproducibility and reducing reliance on quay-proxy.
• Existing behavior for legacy streams is preserved.
• Operators should merge PR #5216 alongside this change to ensure the new resolution path functions as intended.

Meta / workflow notes

• The PR was held pending a dependent PR (#5216) and later unheld.
• Reviewed and approved (/lgtm) by danilo-gemoli and hector-vido; author triggered end-to-end tests.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 64f01cd4-da3d-4388-a9f3-af52708f9b58

📥 Commits

Reviewing files that changed from the base of the PR and between 3a4eff9 and e6dd6dc.

📒 Files selected for processing (7)

• pkg/steps/input_image_tag.go
• pkg/steps/input_image_tag_test.go
• pkg/steps/release/snapshot.go
• pkg/steps/release/snapshot_test.go
• pkg/steps/utils/image.go
• pkg/steps/utils/image_test.go
• test/e2e/multi-stage/integration-releases.yaml

🚧 Files skipped from review as they are similar to previous changes (6)

• pkg/steps/release/snapshot.go
• pkg/steps/release/snapshot_test.go
• pkg/steps/input_image_tag_test.go
• pkg/steps/utils/image.go
• pkg/steps/utils/image_test.go
• pkg/steps/input_image_tag.go

---

📝 Walkthrough

Walkthrough

Adds official OCP image resolution helpers, uses them to compute ImageStreamTag From/reference policy/source pull spec in InputImageTagStep, reuses source resolution in snapshotStream, and adds unit tests plus an e2e release-version update.

Changes

Official image resolution and reference policy handling

Layer / File(s)	Summary
Official image utilities pkg/steps/utils/image.go	ImageDigestFor uses hasSpecTag; findSpecTag exported as FindSpecTag. Added OfficialImageTagFrom and ResolveOfficialInputFrom implementing stable-first, spec/status, and Quay fallback resolution.
Official image utilities tests pkg/steps/utils/image_test.go	Imports extended; TestResolveOfficialInputFrom validates spec Docker, spec ImageStreamImage, Quay fallback, and stable-first cases. Added tests for spec-tag-without-From and missing-tag error handling.
InputImageTagStep integration pkg/steps/input_image_tag.go	Inputs() sets s.imageName for non-external/non-cluster-bot. run() precomputes from, refPolicy, and sourcePullSpec across external, cluster-bot, and official-import branches (via resolveOfficialImport). ImageStreamTag uses computed From and ReferencePolicy; metrics record the computed sourcePullSpec.
InputImageTagStep tests pkg/steps/input_image_tag_test.go	Added TestInputImageTagStepOfficialSpec, TestInputImageTagStepLegacyStream, and TestInputImageTagStepStableFirst covering digest-based spec, legacy Quay inputs, and stable-tag precedence.
SnapshotStream optimization pkg/steps/release/snapshot.go	snapshotStream reuses a shared source *ImageStream across tags (eager for non-cluster-bot, lazy for cluster-bot) and extracts snapshotImportSource to derive per-tag From with skipping logic.
SnapshotStream tests pkg/steps/release/snapshot_test.go	Added TestSnapshotImportSource table-driven tests for consolidated spec, quay fallback, non-consolidated spec resolution, and default quay float behavior.
E2E update test/e2e/multi-stage/integration-releases.yaml	Updated latest and latest-cli verification steps to expect release version 4.18.

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels:

• lgtm

Suggested reviewers:

• danilo-gemoli

🚥 Pre-merge checks | ✅ 14 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 31.58% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Go Error Handling	⚠️ Warning	Error from waitForTagInSpec at line 129 of input_image_tag.go is not wrapped with %w; fmt.Errorf discards the original error instead of preserving it.	Replace fmt.Errorf("failed to wait for the tag...") with fmt.Errorf("failed to wait for the tag...%w", err) to wrap the error with context.
Test Structure And Quality	❓ Inconclusive	Custom check specifies Ginkgo test structure requirements, but this PR contains traditional Go tests using testing.T, not Ginkgo framework. Check instructions are misaligned with actual test code.	Clarify if check applies to Ginkgo tests only or traditional Go tests. If traditional tests: add meaningful error messages to assertions per criteria #4.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the main change: implementing spec-first official OCP input import resolution for OpenShift versions 4.11–4.22, which is the primary focus across the modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Test Coverage For New Features	✅ Passed	All new exported functions have dedicated or indirect test coverage. Pure functions tested. Regression tests added for bug fixes. Table-driven tests used appropriately.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo tests. All tests use standard Go testing.T framework with static, deterministic names that never contain dynamic information.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR contains only standard Go unit tests (testing.T) and YAML pipeline config updates.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added; PR only adds Go unit tests and updates YAML test config version values.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies CI build infrastructure (image resolution, snapshot logic) with no deployment manifests or scheduling constraints affecting SNO/Two-Node/HyperShift topologies.
Ote Binary Stdout Contract	✅ Passed	Library packages with no stdout writes, no fmt.Print/os.Stdout/klog violations, and no process-level functions that could corrupt OTE binary JSON output.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only standard Go unit tests (func Test*) and test config updates, no Ginkgo e2e tests found. Check is not applicable.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in PR changes.
Container-Privileges	✅ Passed	No K8s/container manifests with privileged settings (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, runAsUser:0) were added or modified in this PR.
No-Sensitive-Data-In-Logs	✅ Passed	PR adds logging for operational infrastructure data only (image streams, pull specifications, tags). No passwords, tokens, API keys, PII, session IDs, or customer data are logged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/steps/input_image_tag_test.go (1)

255-309: 💤 Low value

Consider adding examineStep to verify Inputs() return value for stable-first scenario.

Unlike TestInputImageTagStepOfficialSpec and TestInputImageTagStepLegacyStream, this test doesn't call examineStep to validate the Inputs() behavior. For stable-first resolution, Inputs() returns "target-namespace/stable:cli" as the input definition—verifying this matches expectations would strengthen coverage.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/input_image_tag_test.go` around lines 255 - 309,
TestInputImageTagStepStableFirst is missing a call to examineStep to assert the
Inputs() return for the stable-first case; add an examineStep invocation against
the created step (iits) before executeStep that checks iits.Inputs() (or
Inputs()) returns the expected input definition "target-namespace/stable:cli"
(matching jobspec.Namespace() + "/stable:cli") so this test validates the
Inputs() behavior like the other tests (e.g.,
TestInputImageTagStepOfficialSpec).

pkg/steps/input_image_tag.go (1)

86-111: 💤 Low value

Consider caching all resolveOfficialImport results to avoid duplicate API calls.

resolveOfficialImport is called in both Inputs() (line 64) and run() (line 107). Each call invokes ResolveOfficialInputFrom, which performs Get operations against the cluster for stable/source ImageStreams. Since Inputs() only stores pullSpec in s.imageName, run() must call again to get from and refPolicy.

Could cache all four return values in struct fields during the first call.

Also applies to: 157-171

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/input_image_tag.go` around lines 86 - 111, Cache the results of
resolveOfficialImport to avoid duplicate cluster API calls: add struct fields on
the step (e.g., cachedFrom *coreapi.ObjectReference, cachedRefPolicy
imagev1.TagReferencePolicyType, cachedSourcePullSpec string, cachedResolveErr
error) and change Inputs() and run() to call a small helper (or
resolveOfficialImport wrapper) that returns the cached values if present,
otherwise calls resolveOfficialImport once, stores
from/refPolicy/sourcePullSpec/error into those fields (and sets s.imageName =
sourcePullSpec if needed) and returns them; update both calls
(resolveOfficialImport usage in Inputs() and in run(), and the other occurrence
around the 157-171 region) to use the cached fields so subsequent invocations
reuse the stored from/refPolicy/sourcePullSpec instead of performing additional
Get operations.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/steps/release/snapshot.go`:
- Around line 85-91: Add unit tests covering the refactored source-resolution
branches around the source imagestream handling: create table-driven tests for
the code path that checks api.IsCreatedForClusterBotJob(sourceNamespace) (test
both true — where no client.Get call should occur and source remains nil — and
false — where client.Get is invoked and you assert success and failure
behaviors), plus tests exercising the prefetch vs lazy-fetch and the
consolidated official-resolution behavior that follow this block; target the
function containing the source variable and client.Get call (the snapshot/stream
resolution code in pkg/steps/release/snapshot.go) and use a fake
ctrlruntimeclient to simulate Get returning the ImageStream or an error so
regression cases fail without the fix.

---

Nitpick comments:
In `@pkg/steps/input_image_tag_test.go`:
- Around line 255-309: TestInputImageTagStepStableFirst is missing a call to
examineStep to assert the Inputs() return for the stable-first case; add an
examineStep invocation against the created step (iits) before executeStep that
checks iits.Inputs() (or Inputs()) returns the expected input definition
"target-namespace/stable:cli" (matching jobspec.Namespace() + "/stable:cli") so
this test validates the Inputs() behavior like the other tests (e.g.,
TestInputImageTagStepOfficialSpec).

In `@pkg/steps/input_image_tag.go`:
- Around line 86-111: Cache the results of resolveOfficialImport to avoid
duplicate cluster API calls: add struct fields on the step (e.g., cachedFrom
*coreapi.ObjectReference, cachedRefPolicy imagev1.TagReferencePolicyType,
cachedSourcePullSpec string, cachedResolveErr error) and change Inputs() and
run() to call a small helper (or resolveOfficialImport wrapper) that returns the
cached values if present, otherwise calls resolveOfficialImport once, stores
from/refPolicy/sourcePullSpec/error into those fields (and sets s.imageName =
sourcePullSpec if needed) and returns them; update both calls
(resolveOfficialImport usage in Inputs() and in run(), and the other occurrence
around the 157-171 region) to use the cached fields so subsequent invocations
reuse the stored from/refPolicy/sourcePullSpec instead of performing additional
Get operations.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 97408c05-2078-4eed-9b7d-c2c29be2a48b

📥 Commits

Reviewing files that changed from the base of the PR and between 7b6e7b8 and dc4401b.

📒 Files selected for processing (5)

• pkg/steps/input_image_tag.go
• pkg/steps/input_image_tag_test.go
• pkg/steps/release/snapshot.go
• pkg/steps/utils/image.go
• pkg/steps/utils/image_test.go

[deepsm007]

/hold for dependent PR to merge

[danilo-gemoli]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[deepsm007]

/test e2e

[deepsm007]

/unhold

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/steps/input_image_tag.go (1)

154-168: 💤 Low value

Consider wrapping the error for better context.

When ResolveOfficialInputFrom fails, wrapping the error here provides immediate context about which base image was being resolved.

Proposed fix

 func (s *inputImageTagStep) resolveOfficialImport(ctx context.Context) (*coreapi.ObjectReference, imagev1.TagReferencePolicyType, string, error) {
 	from, ok, err := utils.ResolveOfficialInputFrom(ctx, s.client, s.jobSpec.Namespace(), s.config.BaseImage)
 	if err != nil {
-		return nil, imagev1.SourceTagReferencePolicy, "", err
+		return nil, imagev1.SourceTagReferencePolicy, "", fmt.Errorf("resolving %s: %w", s.config.BaseImage.ISTagName(), err)
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/input_image_tag.go` around lines 154 - 168, In
resolveOfficialImport, wrap the error returned from
utils.ResolveOfficialInputFrom to add context about which base image failed to
resolve (include s.config.BaseImage and/or namespace); replace the bare return
of err with a wrapped error (e.g. using fmt.Errorf("resolve official input for
base image %s: %w", s.config.BaseImage, err) or errors.Wrap) so callers of
resolveOfficialImport can see which image caused the failure.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/steps/input_image_tag.go`:
- Around line 104-107: The call to s.resolveOfficialImport(...) returns an error
that is currently returned raw; update the error handling to wrap the error with
contextual information (e.g., include the import attempt and relevant
identifiers) before returning, matching the wrapping style used elsewhere in
this file (see other returns around lines 80/125/135); locate the call to
s.resolveOfficialImport in the InputImageTag step and replace the plain "return
err" with a wrapped error (using the same error-wrapping utility/pattern used in
this package) that mentions resolveOfficialImport and the image/import being
resolved.

---

Nitpick comments:
In `@pkg/steps/input_image_tag.go`:
- Around line 154-168: In resolveOfficialImport, wrap the error returned from
utils.ResolveOfficialInputFrom to add context about which base image failed to
resolve (include s.config.BaseImage and/or namespace); replace the bare return
of err with a wrapped error (e.g. using fmt.Errorf("resolve official input for
base image %s: %w", s.config.BaseImage, err) or errors.Wrap) so callers of
resolveOfficialImport can see which image caused the failure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 91703885-88d2-446a-b555-8ae10270c9d6

📥 Commits

Reviewing files that changed from the base of the PR and between dc4401b and 9884a79.

📒 Files selected for processing (5)

• pkg/steps/input_image_tag.go
• pkg/steps/input_image_tag_test.go
• pkg/steps/release/snapshot.go
• pkg/steps/utils/image.go
• pkg/steps/utils/image_test.go

🚧 Files skipped from review as they are similar to previous changes (4)

• pkg/steps/utils/image.go
• pkg/steps/utils/image_test.go
• pkg/steps/release/snapshot.go
• pkg/steps/input_image_tag_test.go

[deepsm007]

/test e2e

[hector-vido]

/lgtm

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD e89b8e9 and 2 for PR HEAD 84bb536 in total

[openshift-ci]

@deepsm007: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e	84bb536	link	true	/test e2e
ci/prow/lint	3a4eff9	link	true	/test lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[bradmwilliams]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bradmwilliams, danilo-gemoli, deepsm007, hector-vido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danilo-gemoli,deepsm007,hector-vido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepsm007]

/test e2e

[deepsm007]

/override ci/prow/images

[openshift-ci]

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/images

Details

In response to this:

/override ci/prow/images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD e89b8e9 and 2 for PR HEAD e6dd6dc in total