CMP-2859: Resolve failing Image-stream-sets-schedule

[KaushikOP]

Description:

• Resolve failing Image-stream-sets-schedule. Changes to samples operator which were not accounted for, and ClusterVersion managed imagestreams should be excluded.

Rationale:

• fixes failing rule

• Fixes #CMP-2859

Review Hints:

• Part of DISA-STIG profile for OCP

[openshift-ci]

Hi @KaushikOP. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[prb112]

/jira-refresh

[prb112]

1. Gather all ImageStreams - .items[]
2. Select only those not managed by ClusterVersion - select( .metadata.ownerReferences? // [] | all(.kind != "ClusterVersion"))

• ClusterVersion implies on upgrade that these ImageStream entries are upgraded

3. From those that remain, check if it's managed by the Samples Operator, if so ignore those - select(.metadata.labels[]? | select("samples.operator.openshift.io/managed: true") | not)
4. Check the Remaining ones are not tags - select(.spec.tags[]?.from.kind != "ImageStreamTag" and (partial query here)

• e.g. ImageStreamTag latest points to v1.2.3

5. The ones that remain from that check to see if scheduled is false or not set - (.importPolicy.scheduled != null or .importPolicy.scheduled != false))] | any' %}}

If any fail the last condition it returns false for the query.

[yuumasato]

Thanks a bunch for the breakdown and explanation of the jq filter.

[prb112]

/retest-required

[openshift-ci]

@prb112: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest-required

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[prb112]

/jira-refresh

[yuumasato]

/ok-to-test

[yuumasato]

/LGTM

But could you also update the expected results so that our CI doesn't flag this change?

Change the following lines from FAIL to PASS.

$ grep -rA2 "imagestream-sets-schedule" tests/assertions/ocp4/
tests/assertions/ocp4/ocp4-stig-4.12.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.12.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.12.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.13.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.13.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.13.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.14.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.14.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.14.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.15.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.15.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.15.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.16.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.16.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.16.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.17.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.17.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.17.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.18.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.18.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.18.yml-    result_after_remediation: FAIL

$ cat ./applications/openshift/registry/imagestream_sets_schedule/tests/ocp4/e2e.yml 
---
default_result: FAIL

[prb112]

Thanks @yuumasato I'll leave a message with Kaushik letting him know

[yuumasato]

@KaushikOP tests/assertions/ocp4/ocp4-stig-4.18.yml was left out of the assertion update.

Please update it as well.

[yuumasato]

/test 4.17-e2e-aws-ocp4-stig
/test 4.18-e2e-aws-ocp4-stig

[prb112]

/retest-required

[KaushikOP]

Hi @yuumasato

I have made the changes. Please re-review.

[rhmdnd]

/retest-required

[yuumasato]

/test 4.12-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig

[prb112]

Grabbed the imagestreams from the must-gather. https://gist.github.com/prb112/06768521d08ecf0eba49476252580e8e

Will ask @KaushikOP to test the jq locally to see why it failed.

[prb112]

Analyzed the gist / imagestreams - it should have passed. Perhaps a retest?

[prb112]

/retest-required

[prb112]

/retest-required

[openshift-ci]

@KaushikOP: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.17-e2e-aws-ocp4-stig	e594653	link	true	/test 4.17-e2e-aws-ocp4-stig
ci/prow/4.18-e2e-aws-ocp4-stig	e594653	link	true	/test 4.18-e2e-aws-ocp4-stig
ci/prow/4.12-e2e-aws-ocp4-stig	ec65613	link	true	/test 4.12-e2e-aws-ocp4-stig
ci/prow/4.16-e2e-aws-ocp4-stig	ec65613	link	true	/test 4.16-e2e-aws-ocp4-stig

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.