Bug 1842582

Summary: "oc adm catalog mirror" generated ImageContentSourcePolicy contains image digests in "source"
Product: OpenShift Container Platform
Component: OLM
OLM sub component: OLM
Version: 4.5
Keywords: Regression
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Reporter: Marek Schmidt <maschmid>
Assignee: Evan Cordell <ecordell>
QA Contact: Jian Zhang <jiazha>
CC: afield, aos-bugs, ecordell, jokerman, jwang, maszulik, mfojtik
Last Closed: 2020-10-27 16:03:06 UTC
Type: Bug
Bug Blocks: 1842655

Description Marek Schmidt 2020-06-01 15:22:44 UTC
Description of problem:

Attempting to deploy staged operators using "oc adm catalog build" and "oc adm catalog mirror"

The ImageContentSourcePolicy generated by "oc adm catalog mirror" doesn't seem to work on OCP 4.5, because the "source" contains image digests:

e.g.
```
  - mirrors:
    - mirror.example.com/openshift-serverless-1-knative-rhel8-operator
    source: registry.stage.redhat.io/openshift-serverless-1/knative-rhel8-operator@sha256:86b76bb49e0aa1c09808ae8c1b734483155e9332a8fa6e2434f084fc2376bfa2
```


Version-Release number of selected component (if applicable):
4.5.0-0.nightly-2020-06-01-111748

How reproducible:
Always

Steps to Reproduce:
(quay.io/maschmid/catalog:v1 created via "oc adm catalog build" against quay.io/maschmid app registry, which contains staged serverless operator, downloaded from stage and pushed with operator-courier)

1. oc adm catalog mirror quay.io/maschmid/catalog:v1 mirror.example.com --manifests-only=true
2. cat catalog-manifests/imageContentSourcePolicy.yaml

Actual results:

```
...
  - mirrors:
    - mirror.example.com/openshift-serverless-1-knative-rhel8-operator
    source: registry.stage.redhat.io/openshift-serverless-1/knative-rhel8-operator@sha256:86b76bb49e0aa1c09808ae8c1b734483155e9332a8fa6e2434f084fc2376bfa2
...
```

Expected results:

```
...
  - mirrors:
    - mirror.example.com/openshift-serverless-1-knative-rhel8-operator
    source: registry.stage.redhat.io/openshift-serverless-1/knative-rhel8-operator
...
```


Additional info:
Note that even if it worked as is, ImageContentSourcePolicy shouldn't be operator-version specific, as any change in ImageContentSourcePolicy requires crio restart on all nodes.
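
A pre-apply check for the condition reported above, as an added example that is not part of the bug report or of the oc code base: it lists every "source:" entry in a generated imageContentSourcePolicy.yaml that is not a bare repository. The function names are hypothetical, and the sample manifest is constructed from entries shown on this page.

```sh
#!/bin/sh
# Added example (not from the bug report): lint ICSP "source:" entries.

# Reduce an image reference to its repository: drop "@digest", then a ":tag"
# on the last path component (a ":port" on the registry host is kept).
icsp_repo_of() {
    ref=${1%%@*}
    case "$ref" in
        */*) last=${ref##*/}
             case "$last" in *:*) ref=${ref%:*} ;; esac ;;
    esac
    printf '%s\n' "$ref"
}

# Print every source entry in file $1 that is not a bare repository.
icsp_bad_sources() {
    sed -n 's/^[[:space:]]*source:[[:space:]]*//p' "$1" |
    while IFS= read -r src; do
        [ "$src" = "$(icsp_repo_of "$src")" ] || printf '%s\n' "$src"
    done
}

# Constructed sample: the entry as reported, plus a well-formed entry whose
# registry host carries a port (must not be mistaken for a tag).
icsp_sample() {
    cat <<'EOF'
spec:
  repositoryDigestMirrors:
  - mirrors:
    - mirror.example.com/openshift-serverless-1-knative-rhel8-operator
    source: registry.stage.redhat.io/openshift-serverless-1/knative-rhel8-operator@sha256:86b76bb49e0aa1c09808ae8c1b734483155e9332a8fa6e2434f084fc2376bfa2
  - mirrors:
    - mirror.example.com/jaeger-agent-rhel7
    source: localhost:5000/distributed-tracing/jaeger-agent-rhel7
EOF
}

tmp=$(mktemp)
icsp_sample > "$tmp"
bad=$(icsp_bad_sources "$tmp")
rm -f "$tmp"
if [ -n "$bad" ]; then
    echo "sources that are not bare repositories:"
    echo "$bad"
fi
```
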

Comment 4 Jian Zhang 2020-06-08 02:09:58 UTC
```
[root@preserve-olm-env data]# ./oc version -o yaml
clientVersion:
  buildDate: "2020-06-06T02:39:31Z"
  compiler: gc
  gitCommit: e4f466b35d6b3d239ed9eba1764d0ca8aca2dd6b
  gitTreeState: dirty
  gitVersion: openshift-clients-4.6.0-202006060217
  goVersion: go1.13.4
  major: ""
  minor: ""
  platform: linux/amd64
releaseClientVersion: 4.6.0-0.nightly-2020-06-07-065515
...
```

1. Mirror it.
```
[root@preserve-olm-env data]# ./oc adm catalog mirror quay.io/olmqe/jaeger:v1 localhost:5000 --manifests-only=true
using database path mapping: /:/tmp/870676964
wrote database to /tmp/870676964
using database at: /tmp/870676964/bundles.db
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-all-in-one-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-es-index-cleaner-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-agent-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-query-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-rhel7-operator:1.13.1, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-collector-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-rhel7-operator:1.17.1-3, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-ingester-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-es-rollover-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
wrote mirroring manifests to jaeger-manifests
```

2. Check the ICSP info: no digest info in the source field. LGTM, verify it.
```
[root@preserve-olm-env data]# cat jaeger-manifests/imageContentSourcePolicy.yaml
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: jaeger
spec:
  repositoryDigestMirrors:
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-es-index-cleaner-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-es-index-cleaner-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-collector-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-collector-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-agent-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-agent-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-es-rollover-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-es-rollover-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-rhel7-operator
    source: registry.redhat.io/distributed-tracing/jaeger-rhel7-operator
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-all-in-one-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-all-in-one-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-query-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-query-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-ingester-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-ingester-rhel7
```

Comment 6 errata-xmlrpc 2020-10-27 16:03:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196