New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HOSTEDCP-591: Amend OLM catalog IS according to OpenShiftImageRegistryOverrides #2947
HOSTEDCP-591: Amend OLM catalog IS according to OpenShiftImageRegistryOverrides #2947
Conversation
2897fc6
to
482a316
Compare
✅ Deploy Preview for hypershift-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
c0aa4fa
to
d830010
Compare
d830010
to
baf49c7
Compare
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some comments, thx!
control-plane-operator/controllers/hostedcontrolplane/olm/params.go
Outdated
Show resolved
Hide resolved
control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
Outdated
Show resolved
Hide resolved
control-plane-operator/controllers/hostedcontrolplane/olm/catalogs.go
Outdated
Show resolved
Hide resolved
catalogWithOverride := make(map[string]string) | ||
for name, image := range catalogToImage { | ||
for registrySource, registryDest := range openShiftImageRegistryOverrides { | ||
if strings.Contains(image, registrySource) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
instead of doing a string check, I'd rather parse the image ref and match the registry exactly, using reference.Parse() from
func Parse(spec string) (DockerImageReference, error) { |
then replace the registry in the reference object
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bit ambiguous: reference.Parse("registry.redhat.io/redhat/redhat-operator-index:v4.14")
will return a DockerImageReference where Registry=registry.redhat.io
and Namespace=redhat
but (probably) we don't want to replace just the registry forcing the customers to keep using the same namespace in their mirrored registry.
And indeed in the cmd help of the control-plane-operator (see: https://github.com/openshift/hypershift/blob/main/control-plane-operator/main.go#L177 ) we say:
Images before being applied are scanned for the source registry string and if found the string is replaced with the destination registry string.
which is exactly what is done in:
hypershift/support/releaseinfo/registry_image_content_policies.go
Lines 26 to 28 in 068f642
if strings.Contains(image, registrySource) { | |
for _, registryReplacement := range registryDest { | |
image = strings.Replace(image, registrySource, registryReplacement, 1) |
I'm not directly calling that method since here we lack the
pullSecret
that is used to validate the replacement upfront, but at least the implementation is coherent.
baf49c7
to
01b4580
Compare
/approve |
control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
Outdated
Show resolved
Hide resolved
Amend the image address used for the imageStreams used for the OLM catalog source according to the value of OpenShiftImageRegistryOverrides as genetically used in the control plane operator in order to handle the disconnected use case. This will implicitly assume that the images used for the 4 default OLM catalogs got mirrored to the internal registry using the original name and tag. An annotation based escape mechanism is also defined: the owner of the hostedcluster will be able to inject custom addresses (only by digest) for the catalog images. In that case the imageStream mechanism is completely skipped and the catalog deployments are directly with the values in the annotations. It will be completely up to the user to manually refresh them when the internal mirror will get refreshed. Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
01b4580
to
5af4213
Compare
/test e2e-aws |
/test e2e-kubevirt-aws-ovn |
Updating the title so the Jira ticket is linked and the label is added. This is going to be required soon "DPTP will be adding the requirement of PRs having a jira/valid-reference label for a PR to merge. Currently PRs will get this label added automatically by referencing a Jira in their title...". /retitle HOSTEDCP-591: Amend OLM catalog IS according to OpenShiftImageRegistryOverrides |
@tiraboschi: This pull request references HOSTEDCP-591 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bryan-cox, csrwng, tiraboschi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@tiraboschi: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
With openshift#2947 we introduced a mechanism to amend the OLM catalog ImageStream according to OpenShiftImageRegistryOverrides that are always automatically initializaed according to any ImageContentSourcePolicy (ICSP) or any ImageDigestMirrorSet (IDMS) instance from an OpenShift management cluster. But assuming that the whole default OLM catalogs got properly mirrored to a different registry just because an ICSP is there on the management cluster is overblown. Let's make this optional introducing an additional annotation to opt-in only if really needed, if not let's continue pointing the catalogs imagestream to the public registry. Automatically mirror the 5 involved annotations from the HC CR to the HCO one. Fixes: https://issues.redhat.com/browse/OCPBUGS-18720 Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
With openshift#2947 we introduced a mechanism to amend the OLM catalog ImageStream according to OpenShiftImageRegistryOverrides that are always automatically initializaed according to any ImageContentSourcePolicy (ICSP) or any ImageDigestMirrorSet (IDMS) instance from an OpenShift management cluster. But assuming that the whole default OLM catalogs got properly mirrored to a different registry just because an ICSP is there on the management cluster is overblown and with the imagestream the replacements cannot be validated ahead ot time. Let's not do it by default according to ICSP/IDMS on the management cluster but only according to the value of a new explicit annotation. Automatically mirror the 5 involved annotations from the HC CR to the HCP one. Fixes: https://issues.redhat.com/browse/OCPBUGS-18720 Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
With openshift#2947 we introduced a mechanism to amend the OLM catalog ImageStream according to OpenShiftImageRegistryOverrides that are always automatically initializaed according to any ImageContentSourcePolicy (ICSP) or any ImageDigestMirrorSet (IDMS) instance from an OpenShift management cluster. But assuming that the whole default OLM catalogs got properly mirrored to a different registry just because an ICSP is there on the management cluster is overblown and with the imagestream the replacements cannot be validated ahead ot time. Let's not do it by default according to ICSP/IDMS on the management cluster but only according to the value of a new explicit annotation. Automatically mirror the 5 involved annotations from the HC CR to the HCP one. Fixes: https://issues.redhat.com/browse/OCPBUGS-18720 Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
With openshift#2947 we introduced a mechanism to amend the OLM catalog ImageStream according to OpenShiftImageRegistryOverrides that are always automatically initializaed according to any ImageContentSourcePolicy (ICSP) or any ImageDigestMirrorSet (IDMS) instance from an OpenShift management cluster. But assuming that the whole default OLM catalogs got properly mirrored to a different registry just because an ICSP is there on the management cluster is overblown and with the imagestream the replacements cannot be validated ahead ot time. Let's not do it by default according to ICSP/IDMS on the management cluster but only according to the value of a new explicit annotation. Automatically mirror the 5 involved annotations from the HC CR to the HCP one. Fixes: https://issues.redhat.com/browse/OCPBUGS-18720 Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
What this PR does / why we need it:
Amend the image address used for the imageStreams
used for the OLM catalog source according to the value
of OpenShiftImageRegistryOverrides as genetically used
in the control plane operator in order to handle the disconnected use case.
This will implicitly assume that the images used for
the 4 default OLM catalogs got mirrored to the internal registry
using the original name and tag.
An annotation based escape mechanism is also defined:
the owner of the hostedcluster will be able to inject custom
addresses (only by digest) for the catalog images.
In that case the imageStream mechanism is completely skipped
and the catalog deployments are directly with the values
in the annotations.
It will be completely up to the user to manually refresh
them when the internal mirror will get refreshed.
Which issue(s) this PR fixes (optional, use
fixes #<issue_number>(, fixes #<issue_number>, ...)
format, where issue_number might be a GitHub issue, or a Jira story:Fixes https://issues.redhat.com/browse/HOSTEDCP-591
Checklist