Bug 2055620

Summary: ImageStreamChange triggers using annotations does not work
Product: OpenShift Container Platform
Reporter: Gabriel Meghnagi <gmeghnag>
Component: Image Registry
Assignee: Oleg Bulatov <obulatov>
Status: CLOSED ERRATA
QA Contact: XiuJuan Wang <xiuwang>
Severity: medium
Priority: medium
Version: 4.8
CC: jiazha, obulatov, sreber, stevsmit, xiuwang
Target Milestone: ---
Target Release: 4.12.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
* Previously, the image trigger controller did not have permissions to change objects. Consequently, image trigger annotations did not work on some resources. This update creates a cluster role binding that provides the controller the required permissions to update objects according to annotations. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2055620[*BZ#2055620*])
Last Closed: 2023-01-17 19:47:08 UTC
Type: Bug

Description Gabriel Meghnagi 2022-02-17 11:42:19 UTC
- Description of problem:

Triggering updates on image stream changes does not work as expected when configuring triggers on resources using annotations.

- Version-Release number of selected component (if applicable):
~~~
$ oc version
Client Version: 4.8.0-202108312109.p0.git.0d10c3f.assembly.stream-0d10c3f
Server Version: 4.8.11
Kubernetes Version: v1.21.1+9807387
~~~

- How reproducible: 
100%


- Steps to Reproduce:
~~~
// Create the project
$ oc adm new-project 03149630 --node-selector=""

// Import the image reproducer-03149630 with tag v1.1
$ oc import-image reproducer-03149630:v1.1 -n 03149630 --from=quay.io/gmeghnag/reproducer-03149630:v1.1 --confirm

// Tag image reproducer-03149630:v1.1 as reproducer-03149630:latest
$ oc tag reproducer-03149630:v1.1 reproducer-03149630:latest

// (Optional, for debugging) Get IsTag dockerImageReference digest
$ oc get istag reproducer-03149630:latest -o jsonpath="{.image.dockerImageReference}"

// Create DaemonSet resource that uses the image: image-registry.openshift-image-registry.svc:5000/03149630/reproducer-03149630:latest
$ curl -sk https://gist.githubusercontent.com/gmeghnag/f3cc8124dd29fec55f80b7e85464fda9/raw/726faa7b585c285007339a2b28e18f680fd5d7b0/reproducer-03149630.yaml | oc apply -f -

// Allow some time for the resource to be created
$ sleep 10

// Import the image reproducer-03149630 with tag v1.2 
$ oc import-image reproducer-03149630:v1.2 -n 03149630 --from=quay.io/gmeghnag/reproducer-03149630:v1.2 --confirm

// Tag image reproducer-03149630:v1.2 as reproducer-03149630:latest
$ oc tag reproducer-03149630:v1.2 reproducer-03149630:latest

// (Optional, for debugging) Get IsTag dockerImageReference digest
$ oc get istag reproducer-03149630:latest -o jsonpath="{.image.dockerImageReference}"

// ! HERE THE IMAGE REFERENCED INSIDE THE DAEMONSET RESOURCE SHOULD BE CHANGED BUT NOTHING HAPPENS !
$ oc get pods -o jsonpath="{.items[0].status.containerStatuses[0].imageID}"
~~~

- Actual results:

Image is not changed

- Expected results:

Image should change

- Additional info:

Documentation followed [1]


[1] https://docs.openshift.com/container-platform/4.8/openshift_images/triggering-updates-on-imagestream-changes.html

Comment 2 webner 2022-03-08 09:15:17 UTC
Also verified on this version:
Client Version: 4.8.22
Server Version: 4.8.17
Kubernetes Version: v1.21.1+6438632

Comment 4 XiuJuan Wang 2022-06-22 08:49:07 UTC
Image trigger works on Daemonset, but not statefulset:

$ oc new-project 03149630
$ oc import-image reproducer-03149630:v1.1 -n 03149630 --from=quay.io/gmeghnag/reproducer-03149630:v1.1 --confirm

$ oc tag reproducer-03149630:v1.1 reproducer-03149630:latest

$ oc get istag reproducer-03149630:latest -o jsonpath="{.image.dockerImageReference}"

Create statefulset resource that uses the image: image-registry.openshift-image-registry.svc:5000/03149630/reproducer-03149630:latest

apiVersion: template.openshift.io/v1
kind: Template
objects:
- apiVersion: apps/v1
  kind: StatefulSet
  metadata:
    name: "${NAME}"
    namespace: "${NAMESPACE}"
  spec:
    serviceName: example-statefulset
    replicas: 3
    selector:
      matchLabels:
        app: example-statefulset
    template:
      metadata:
        labels:
          app: example-statefulset
      spec:
        terminationGracePeriodSeconds: 10
        containers:
          - name: reproducer-03149630
            image: image-registry.openshift-image-registry.svc:5000/03149630/reproducer-03149630:latest
            imagePullPolicy: Always
            resources: {}
            terminationMessagePath: /dev/termination-log
        serviceAccount: default
parameters:
  - name: NAME
  - name: NAMESPACE

$ oc process -f statefulset.yaml -p NAME=test -p NAMESPACE=03149630 | oc create -f -

// Allow some time for the resource to be created
$ sleep 10

// Import the image reproducer-03149630 with tag v1.2 
$ oc import-image reproducer-03149630:v1.2 -n 03149630 --from=quay.io/gmeghnag/reproducer-03149630:v1.2 --confirm

// Tag image reproducer-03149630:v1.2 as reproducer-03149630:latest
$ oc tag reproducer-03149630:v1.2 reproducer-03149630:latest

// (Optional, for debugging) Get IsTag dockerImageReference digest
$ oc get istag reproducer-03149630:latest -o jsonpath="{.image.dockerImageReference}"

// ! HERE THE IMAGE REFERENCED INSIDE THE DAEMONSET RESOURCE SHOULD BE CHANGED BUT NOTHING HAPPENS !
$ oc get pods -o jsonpath="{.items[0].status.containerStatuses[0].imageID}"

The statefulset pod doesn't fetch the new image
$ oc get statefulset/test -o jsonpath="{..spec.containers[0]}"  | jq
{
  "image": "image-registry.openshift-image-registry.svc:5000/03149630/reproducer-03149630:latest",
  "imagePullPolicy": "Always",
  "name": "reproducer-03149630",
  "resources": {},
  "terminationMessagePath": "/dev/termination-log",
  "terminationMessagePolicy": "File"
}

Comment 5 Oleg Bulatov 2022-07-15 10:42:14 UTC
To enable triggers, you need to add the annotation:

metadata:
  annotations:
    image.openshift.io/triggers: |-
      [
        {
          "from": {
            "kind": "ImageStreamTag",
            "name": "reproducer-03149630:latest"
          },
          "fieldPath": "spec.template.spec.containers[0].image"
        }
      ]

It seems it works with the annotation, doesn't it?

Comment 6 XiuJuan Wang 2022-07-19 02:58:28 UTC
Sorry, I made a mistake; the annotation works for statefulset.
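
Added example (not part of the bug report and not OpenShift code): a Python pre-flight check for the `image.openshift.io/triggers` annotation from Comment 5, run against a workload object as parsed JSON. The function names, the constructed sample StatefulSet and the accepted trigger shape (only the fields shown in Comment 5) are assumptions made for illustration.

```python
import json
import re

TRIGGER_ANNOTATION = "image.openshift.io/triggers"

def resolve(obj, field_path):
    """Follow a fieldPath such as spec.template.spec.containers[0].image; None if absent."""
    for name, idx in re.findall(r"([^.\[\]]+)|\[(\d+)\]", field_path):
        try:
            obj = obj[name] if name else obj[int(idx)]
        except (KeyError, IndexError, TypeError):
            return None
    return obj

def check_triggers(obj):
    """List why image triggers cannot update obj (assumes the Comment 5 trigger shape)."""
    raw = (obj.get("metadata", {}).get("annotations") or {}).get(TRIGGER_ANNOTATION)
    if raw is None:
        return ["missing annotation " + TRIGGER_ANNOTATION]
    try:
        triggers = json.loads(raw)
    except ValueError as exc:
        return ["annotation is not valid JSON: %s" % exc]
    if not isinstance(triggers, list):
        return ["annotation must be a JSON array of triggers"]
    problems = []
    for i, trig in enumerate(triggers):
        trig = trig if isinstance(trig, dict) else {}
        src = trig.get("from") if isinstance(trig.get("from"), dict) else {}
        path = str(trig.get("fieldPath", ""))
        if src.get("kind") != "ImageStreamTag" or ":" not in str(src.get("name", "")):
            problems.append("trigger %d: 'from' is not an ImageStreamTag name:tag" % i)
        if not isinstance(resolve(obj, path), str):
            problems.append("trigger %d: fieldPath %r does not resolve to a string field" % (i, path))
    return problems

# Constructed sample: the StatefulSet from Comment 4 as parsed JSON, without annotations.
IMAGE = "image-registry.openshift-image-registry.svc:5000/03149630/reproducer-03149630:latest"
STATEFULSET = {"kind": "StatefulSet", "metadata": {"name": "test"}, "spec": {"template": {
    "spec": {"containers": [{"name": "reproducer-03149630", "image": IMAGE}]}}}}

def with_trigger(obj, field_path="spec.template.spec.containers[0].image"):
    """Return a copy of obj carrying the Comment 5 annotation aimed at field_path."""
    trigger = [{"from": {"kind": "ImageStreamTag", "name": "reproducer-03149630:latest"},
                "fieldPath": field_path}]
    annotations = {TRIGGER_ANNOTATION: json.dumps(trigger)}
    return dict(obj, metadata=dict(obj["metadata"], annotations=annotations))

if __name__ == "__main__":
    print(check_triggers(STATEFULSET), check_triggers(with_trigger(STATEFULSET)))
```

The check only inspects the object itself; it says nothing about whether the image trigger controller has permission to update the resource, which is the part the errata fixed.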

Comment 15 errata-xmlrpc 2023-01-17 19:47:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399