Check test images

Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>

ci-operator/step-registry/hypershift/conformance/hypershift-conformance-chain.yaml

@@ -4,11 +4,51 @@ chain:
   - as: conformance-tests
     from: tests
     commands: |-
+      set -x
+
+      function patch_image_streams() {
+        # TODO: file a bug and track this as a workaround!
+        # imagestreams on the hosted cluster are ignoring
+        # the CA injected at creation/(installation) time.
+        # see: https://issues.redhat.com/browse/RFE-3093
+        # and: https://github.com/openshift/enhancements/pull/416/commits/e46072ecf77b58c79b4bece5e0c6a5a5546a1b8a
+
+        echo "### Patching image streams on the hostedcluster"
+        echo "#### Add trust for the mirroring registry"
+        oc get cm -n openshift-config user-ca-bundle -o json | jq -r '.data["ca-bundle.crt"]' > /tmp/ca-bundle.crt
+        oc create configmap registry-config --from-file=${DS_REGISTRY//:/..}=/tmp/ca-bundle.crt -n openshift-config
+        oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
+        sleep 60
+
+        DEVSCRIPTS_RELEASE_IMAGE_REPO=${DS_REGISTRY}/localimages/local-release-image
+        #PREV_KUBECONFIG=${KUBECONFIG}
+        #export KUBECONFIG=${SHARED_DIR}/nested_kubeconfig
+        IMAGESTREAMS=$(oc get imagestreams -n openshift -o=name)
+        for isName in ${IMAGESTREAMS}; do
+          echo "#### Patching ${isName} using insecure registry"
+          FROM=$(oc get -n openshift ${isName} -o=jsonpath={.spec.tags[0].from.name})
+          EXT_REG=${FROM%%@*}
+          INT_PULL_URL=${FROM/$EXT_REG/$DEVSCRIPTS_RELEASE_IMAGE_REPO}
+          oc patch -n openshift ${isName} --type json -p "[{\"op\": \"replace\", \"path\": \"/spec/tags/0/importPolicy/insecure\", \"value\": true}, {\"op\": \"replace\", \"path\": \"/spec/tags/0/from/name\", \"value\": \"${INT_PULL_URL}\"}]"
+        done
+        #export KUBECONFIG=${PREV_KUBECONFIG}
+
+        ### tests like "services when running openshift cluster on KubeVirt virtual machines should allow connections to pods from infra cluster pod *"
+        ### requires tools imagestream to be correctly refenced also on the infra cluster
+        isName=imagestream.image.openshift.io/tools
+        echo "#### Patching ${isName} using insecure registry"
+        FROM=$(oc --kubeconfig=${HYPERSHIFT_MANAGEMENT_CLUSTER_KUBECONFIG}  get -n openshift ${isName} -o=jsonpath={.spec.tags[0].from.name})
+        EXT_REG=${FROM%%@*}
+        INT_PULL_URL=${FROM/$EXT_REG/$DEVSCRIPTS_RELEASE_IMAGE_REPO}
+        oc patch --kubeconfig=${HYPERSHIFT_MANAGEMENT_CLUSTER_KUBECONFIG} -n openshift ${isName} --type json -p "[{\"op\": \"replace\", \"path\": \"/spec/tags/0/importPolicy/insecure\", \"value\": true}, {\"op\": \"replace\", \"path\": \"/spec/tags/0/from/name\", \"value\": \"${INT_PULL_URL}\"}]"
+        ###
+      }
+
       function mirror_test_images() {
         echo "### Mirroring test images"
       
         DEVSCRIPTS_TEST_IMAGE_REPO=${DS_REGISTRY}/localimages/local-test-image
-      
+
         openshift-tests images --to-repository ${DEVSCRIPTS_TEST_IMAGE_REPO} > /tmp/mirror
         scp "${SSHOPTS[@]}" /tmp/mirror "root@${IP}:/tmp/mirror"
       
@@ -17,7 +57,9 @@ chain:
       oc image mirror -f /tmp/mirror --registry-config ${DS_WORKING_DIR}/pull_secret.json
       oc image mirror --registry-config ${DS_WORKING_DIR}/pull_secret.json --filter-by-os="linux/${ARCHITECTURE}.*" registry.k8s.io/pause:3.8  $DEVSCRIPTS_TEST_IMAGE_REPO:e2e-28-registry-k8s-io-pause-3-8-aP7uYsw5XCmoDy5W
       oc image mirror --registry-config ${DS_WORKING_DIR}/pull_secret.json --filter-by-os="linux/${ARCHITECTURE}.*" registry.k8s.io/pause:3.9  $DEVSCRIPTS_TEST_IMAGE_REPO:e2e-27-registry-k8s-io-pause-3-9-p9APyPDU5GsW02Rk
+      oc image mirror --registry-config ${DS_WORKING_DIR}/pull_secret.json --filter-by-os="linux/${ARCHITECTURE}.*" registry.k8s.io/pause:3.9  $DEVSCRIPTS_TEST_IMAGE_REPO:e2e-28-registry-k8s-io-pause-3-9-p9APyPDU5GsW02Rk
       EOF
+
         TEST_ARGS+=$(echo " --from-repository ${DEVSCRIPTS_TEST_IMAGE_REPO} ")
       }
       
@@ -87,6 +129,7 @@ chain:
           if [[ "${DISCONNECTED}" == "true" ]];
           then
             mirror_test_images
+            patch_image_streams
             export TEST_PROVIDER='{"type":"kubevirt","disconnected":true}'
           else
             export TEST_PROVIDER='{"type":"kubevirt"}'

ci-operator/step-registry/hypershift/kubevirt/install/disconnected/hypershift-kubevirt-install-disconnected-commands.sh

@@ -145,6 +145,18 @@ spec:
     source: quay.io/openshift-cnv
 END
 
+cat << END | oc apply -f -
+apiVersion: config.openshift.io/v1
+kind: ImageDigestMirrorSet
+metadata:
+  name: redhat-operator-index-0-fixes
+spec:
+  imageDigestMirrors:
+  - mirrors:
+    - \${mirror_registry}/openshift4/ose-kube-rbac-proxy
+    source: registry.redhat.io/openshift4/ose-kube-rbac-proxy
+END
+
 echo "7: Waiting for the new ImageContentSourcePolicy to be updated on machines"
 oc wait clusteroperators/machine-config --for=condition=Upgradeable=true --timeout=15m
 

ci-operator/step-registry/hypershift/mce/kubevirt/baremetalds/disconnected/conformance/hypershift-mce-kubevirt-baremetalds-disconnected-conformance-workflow.yaml

@@ -23,6 +23,7 @@ workflow:
     allow_best_effort_post_steps: true
     allow_skip_on_success: true
     post:
+    - ref: wait # TODO: remove me
     - ref: hypershift-mce-dump
     - chain: gather-core-dump
     - chain: hypershift-mce-kubevirt-destroy

ci-operator/step-registry/wait/wait-ref.yaml

@@ -1,6 +1,6 @@
 ref:
   as: wait
-  from: cli
+  from: upi-installer
   grace_period: 5m
   timeout: 72h0m0s
   cli: latest