Bug 2032589

Summary: DeploymentConfigs ignore resolve-names annotation
Product: OpenShift Container Platform Reporter: Oleg Bulatov <obulatov>
Component: ImageStreamsAssignee: Oleg Bulatov <obulatov>
Status: CLOSED ERRATA QA Contact: XiuJuan Wang <xiuwang>
Severity: high Docs Contact:
Priority: high    
Version: 4.6.zCC: aos-bugs, jcoscia, jpinto, luaparicio, mdeloren, pablmartinez, rgarrote, vfarias
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: the image admission plugin didn't check annotations inside the deployment configs templates. Consequence: the annotation inside the template cannot be handled in replica controllers (as they are managed by the deployment config), and the deployment config didn't see them, so they were ignored. Fix: update the image admission plugin so that it can analyze templates of deployment configs. Result: the image admission plugin recognized annotations on the deployment configs and on their templates.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-10 16:33:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2040240    

Description Oleg Bulatov 2021-12-14 18:58:51 UTC 
Description of problem:

This problem has been initially reported as BZ 2000216, but it hasn't been solved completely.

When you have the resolve-names annotation on a deployment config, image references used to be resolved on the replication controllers. Once we fixed BZ 1925180, it doesn't happen anymore.

The resolving process should happen on the deployment config object, so that only the deployment config manages its replication controllers.

Once we fixed BZ 2000216, the image policy admission plugin started to work with deployment configs that have the resolve-names annotation. But it still doesn't work when the annotation is put onto the template.

For deployments the admission plugin recognizes the annotation on the object and on its template. For deployment configs it should do the same.

Version-Release number of selected component (if applicable):

4.x

How reproducible:

Always.

Steps to Reproduce:

oc apply -f - <<END
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: myis
spec:
  lookupPolicy:
    local: false
  tags:
  - name: latest
    from:
      kind: DockerImage
      name: docker.io/library/nginx:latest
END

sleep 1  # Give the image stream controller some time to import the image and the admission plugin to become aware of the image 

oc apply -f - <<END
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: mydc
spec:
  replicas: 1
  selector:
    app: mydc
  template:
    metadata:
      annotations:
        alpha.image.policy.openshift.io/resolve-names: '*'
      labels:
        app: mydc
    spec:
      containers:
      - image: myis
        name: mycontainer
END

# Check the DC's image
oc get dc mydc -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'

Actual results:

The DC's image is `myis`

Expected results:

The DC's image should be `docker.io/library/nginx@sha256:...`

Additional info:
Comment 3 XiuJuan Wang 2022-01-13 08:17:27 UTC 
Verified with 4.10.0-0.ci.test-2022-01-13-061134-ci-ln-y6dn8b2-latest
Scenario 1:
Create an imagestream
oc tag docker.io/library/nginx:latest myis:latest
sleep 1

oc apply -f - <<END
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: mydc
spec:
  replicas: 1
  selector:
    app: mydc
  template:
    metadata:
      annotations:
        alpha.image.policy.openshift.io/resolve-names: '*'
      labels:
        app: mydc
    spec:
      containers:
      - image: myis
        name: mycontainer
END

oc get dc mydc -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'

docker.io/library/nginx@sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3

Senario 2:
Create an imagestream with pullthrough policy
oc tag docker.io/library/nginx:latest myis:latest --reference-policy='local'


oc apply -f - <<END
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: mydc
spec:
  replicas: 1
  selector:
    app: mydc
  template:
    metadata:
      annotations:
        alpha.image.policy.openshift.io/resolve-names: '*'
      labels:
        app: mydc
    spec:
      containers:
      - image: myis
        name: mycontainer
END

oc get dc mydc -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'

image-registry.openshift-image-registry.svc:5000/wxj12/myis@sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3
Comment 11 errata-xmlrpc 2022-03-10 16:33:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056