Bug 2027745

Summary: default samplesRegistry prevents the creation of imagestreams when registrySources.allowedRegistries is enforced
Product: OpenShift Container Platform
Component: Samples
Version: 4.9
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Reporter: Bram Verschueren <bverschu>
Assignee: David Peraza <dperaza>
QA Contact: Jitendar Singh <jitsingh>
CC: aos-bugs, asheth, dperaza, mharri
Doc Type: No Doc Update
Type: Bug
Last Closed: 2022-03-10 16:31:00 UTC

Description Bram Verschueren 2021-11-30 14:50:09 UTC
Description of problem:
In a cluster with a default (empty) `configs.spec.samplesRegistry` field but with whitelist entries in `image.spec.registrySources.allowedRegistries` an upgrade to 4.9.9 stalls:

$ oc get co openshift-samples
NAME                VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
openshift-samples   4.9.9     True        True          True       6m19s   Samples installation in error at 4.9.9: &errors.errorString{s:"global openshift image configuration prevents the creation of imagestreams using the registry "}


Version-Release number of selected component (if applicable):
4.9.9

How reproducible:
1. 

Steps to Reproduce:
1. ensure samplesRegistry field is empty:
   $ oc get configs.samples.operator.openshift.io/cluster -o jsonpath='{.spec.samplesRegistry}'
   $
2. ensure registrySources.allowedRegistries whitelists registry.redhat.io
   $ oc get image.config.openshift.io/cluster -o jsonpath='{.spec.registrySources.allowedRegistries}'|jq
[
  "image-registry.openshift-image-registry.svc:5000",
  "registry.redhat.io",
  "registry.access.redhat.com",
  "quay.io",
  "k8s.gcr.io",
  "docker.io"
]

3. upgrade to 4.9.9

Actual results:
$ oc get co openshift-samples
NAME                VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
openshift-samples   4.9.9     True        True          True       6m19s   Samples installation in error at 4.9.9: &errors.errorString{s:"global openshift image configuration prevents the creation of imagestreams using the registry "}

Expected results:
$ oc get co openshift-samples
NAME                VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
openshift-samples   4.9.9     True        False         False      23m     


Additional info:
With the introduction of a check for allow/block registry settings (https://github.com/openshift/cluster-samples-operator/pull/394) a regression is introduced when no spec.samplesRegistry is set and an empty string is passed to `imageConfigBlocksImageStreamCreation` (https://github.com/openshift/cluster-samples-operator/blob/8c0e76d14c396f3035f1fe2b9b1f8fede7d4fc66/pkg/stub/handler.go#L369) causing 'level=info msg="considering allowed registry registry.redhat.io for " '
As a workaround, patching spec.samplesRegistry to point to registry.redhat.io allows the upgrade to continue.
$ oc patch configs.samples.operator.openshift.io cluster --type merge --patch '{"spec": {"samplesRegistry": "registry.redhat.io"}}'

Comment 1 David Peraza 2021-12-14 00:17:58 UTC
Looking into this, based on CRD https://github.com/openshift/api/blob/master/samples/v1/0000_10_samplesconfig.crd.yaml#L53 it looks like in most cases it will default to registry.redhat.io but I also do not see it in my 4.9.11 and 4.8.24 clusters:

dperaza@dperaza-mac cluster-samples-operator % oc get configs.samples.operator.openshift.io/cluster -o json | jq .spec
{
  "architectures": [
    "x86_64"
  ],
  "managementState": "Managed"
}

Trying to figure out why it defaults to empty.

Will keep you posted

Comment 2 Gabe Montero 2021-12-14 11:59:01 UTC
Yep that file is common between OKD and OCP, so it cannot list registry.redhat.io as the default.  That field is really intended for mirroring scenarios.

But yes, the imageConfigBlocksImageStreamCreation logic needs to properly handle the default case where an empty name is passed into it.

If the name is empty, as long as the allowed list contains

  "registry.redhat.io",
  "registry.access.redhat.com",
  "quay.io",

the method should return true
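
The empty-name handling this comment asks for, as an added Go sketch that is not the operator's own code. `allowedNaive`, `allowedFixed`, `contains` and `defaultSampleRegistries` are hypothetical names, matching is exact-string (an assumption), and a return of true here means imagestream creation is permitted.

```go
package main

import "fmt"

// Registries Comment 2 lists as required when samplesRegistry is empty.
var defaultSampleRegistries = []string{"registry.redhat.io", "registry.access.redhat.com", "quay.io"}

// contains does an exact string match (assumption: no wildcard or path entries).
func contains(list []string, s string) bool {
	for _, e := range list {
		if e == s {
			return true
		}
	}
	return false
}

// allowedNaive models the regression: the empty samplesRegistry is compared
// against the allow list like a hostname, so it can never match.
func allowedNaive(samplesRegistry string, allowed []string) bool {
	if len(allowed) == 0 {
		return true // no allow list enforced
	}
	return contains(allowed, samplesRegistry)
}

// allowedFixed treats "" as "use the default registries" and permits
// creation only when every default is on the allow list.
func allowedFixed(samplesRegistry string, allowed []string) bool {
	if len(allowed) == 0 || samplesRegistry != "" {
		return allowedNaive(samplesRegistry, allowed)
	}
	for _, r := range defaultSampleRegistries {
		if !contains(allowed, r) {
			return false
		}
	}
	return true
}

func main() {
	// Allow list taken from the reproduction steps in the description.
	allowed := []string{"image-registry.openshift-image-registry.svc:5000", "registry.redhat.io",
		"registry.access.redhat.com", "quay.io", "k8s.gcr.io", "docker.io"}
	fmt.Println("naive, empty samplesRegistry:", allowedNaive("", allowed))
	fmt.Println("fixed, empty samplesRegistry:", allowedFixed("", allowed))
	fmt.Println("fixed, quay.io missing:      ", allowedFixed("", allowed[:2]))
}
```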

Comment 3 David Peraza 2021-12-16 02:21:13 UTC
Started to work on this fix, thanks for confirming @gmontero

Comment 10 Jitendar Singh 2022-02-08 13:41:29 UTC
verified

Comment 12 errata-xmlrpc 2022-03-10 16:31:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

Comment 13 Asheth 2022-11-10 08:57:59 UTC
Hello David,

We have a customer facing this issue again in OpenShift 4.10.14. The issue got resolved after implementing the workaround: oc patch configs.samples.operator.openshift.io cluster --type merge --patch '{"spec": {"samplesRegistry": "registry.redhat.io"}}'

Can we reopen this bug?

Comment 14 Red Hat Bugzilla 2023-09-18 04:28:45 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.