Bug 2058044

Summary: operator-sdk 1.8-ocp: scorecard impacted by docker rate limit; switch to using ubi instead of busybox
Product: OpenShift Container Platform
Component: Operator SDK
Version: 4.8
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Target Milestone: ---
Target Release: 4.8.z
Hardware: Unspecified
OS: Unspecified
Reporter: diflores
Assignee: Jesus M. Rodriguez <jesusr>
QA Contact: xzha
CC: aos-bugs, diflores, jesusr, jfan, scuppett
Type: Bug
Last Closed: 2022-04-27 11:46:15 UTC
Bug Depends On: 2064408

Description diflores 2022-02-24 11:02:14 UTC
Description of problem:
operator-sdk version 1.8-ocp does not contain option to --untar-image and --storage-image that is hardcoded to docker.io/busybox
CU would like to override this setting and be able to use image from private repository instead of pulling from docker.io

Version-Release number of selected component (if applicable):
OCP 4.8
operator-sdk 1-8-ocp

How reproducible:
Pulling an image from docker.io fails with You have reached your pull rate limit

Steps to Reproduce:
1. operator-sdk scorecard <bundle-dir> -o text --selector=suite=olm -w 600 -x
2. scorecard pod events log:

Failed to pull image "docker.io/busybox:1.33.0": rpc error: code = Unknown desc = Error reading manifest 1.33.0 in docker.io/library/busybox: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

Actual results:


Expected results:
Use scorecard without the need to pull images from docker.io to avoid pull rate limit issue

Additional info:

Comment 2 Jesus M. Rodriguez 2022-03-10 20:58:48 UTC
@diflores I believe we can easily add the --untar-image flag. I don't think storage-image is viable for 1.8-ocp since that is a feature that was not ready for this release of OCP.

Comment 3 diflores 2022-03-11 09:52:09 UTC
@jesusr ack --untar-image flag is of benefit for CU on 1.8-ocp

Comment 4 Jesus M. Rodriguez 2022-03-15 19:10:28 UTC
So the final solution for this bug was to use UBI as we did in a newer release of operator-sdk. Adding a new flag is effectively adding a new feature which for such an old release did not make sense. In OCP 4.10 with operator-sdk 1.16-ocp there is a flag that can solve this if you still have a problem.

Comment 6 Jesus M. Rodriguez 2022-04-07 02:47:26 UTC
This is currently blocked by a repo configuration that is causing e2e tests to fail. A PR to fix the test infrastructure has been posted. https://github.com/openshift/release/pull/27626

And it is also waiting on the 4.9 bugzilla to merge first.

Comment 7 xzha 2022-04-14 01:10:14 UTC
verify:
zhaoxia@xzha-mac memcached-operator % ./operator-sdk version
operator-sdk version: "v1.8.2-ocp", commit: "07ddfb76fa3341f7bc4a891fbf0e9b5713c33737", kubernetes version: "v1.20.2", go version: "go1.17.6", GOOS: "darwin", GOARCH: "amd64"

zhaoxia@xzha-mac memcached-operator % ./operator-sdk scorecard ./bundle -o text --selector=suite=olm -w 600s -x
--------------------------------------------------------------------------------
Image:      quay.io/operator-framework/scorecard-test:v1.10.1
Entrypoint: [scorecard-test olm-bundle-validation]
Labels:
	"suite":"olm"
	"test":"olm-bundle-validation-test"
....

zhaoxia@xzha-mac memcached-operator % oc get pod
NAME                  READY   STATUS      RESTARTS   AGE
scorecard-test-fdm2   0/1     Completed   0          2m15s
scorecard-test-lk85   0/1     Completed   0          2m15s
scorecard-test-m4bk   0/1     Completed   0          2m15s
scorecard-test-tbdx   0/1     Completed   0          2m15s
scorecard-test-xql6   0/1     Completed   0          2m15s

zhaoxia@xzha-mac memcached-operator % oc get pod scorecard-test-xql6 -o yaml
apiVersion: v1
kind: Pod
...
  initContainers:
  - args:
    - tar
    - xvzf
    - /scorecard/bundle.tar.gz
    - -C
    - /scorecard-bundle
    image: registry.access.redhat.com/ubi8/ubi:8.4
    imagePullPolicy: IfNotPresent
    name: scorecard-untar
...

zhaoxia@xzha-mac memcached-operator % oc get events | grep "Pulling image"  
2m38s       Normal   Pulling          pod/scorecard-test-fdm2   Pulling image "registry.access.redhat.com/ubi8/ubi:8.4"
2m9s        Normal   Pulling          pod/scorecard-test-fdm2   Pulling image "quay.io/operator-framework/scorecard-test:v1.10.1"
2m38s       Normal   Pulling          pod/scorecard-test-lk85   Pulling image "registry.access.redhat.com/ubi8/ubi:8.4"
2m8s        Normal   Pulling          pod/scorecard-test-lk85   Pulling image "quay.io/operator-framework/scorecard-test:v1.10.1"
2m38s       Normal   Pulling          pod/scorecard-test-m4bk   Pulling image "registry.access.redhat.com/ubi8/ubi:8.4"
2m9s        Normal   Pulling          pod/scorecard-test-m4bk   Pulling image "quay.io/operator-framework/scorecard-test:v1.10.1"
2m38s       Normal   Pulling          pod/scorecard-test-tbdx   Pulling image "registry.access.redhat.com/ubi8/ubi:8.4"
2m8s        Normal   Pulling          pod/scorecard-test-tbdx   Pulling image "quay.io/operator-framework/scorecard-test:v1.10.1"
2m37s       Normal   Pulling          pod/scorecard-test-xql6   Pulling image "registry.access.redhat.com/ubi8/ubi:8.4"
2m9s        Normal   Pulling          pod/scorecard-test-xql6   Pulling image "quay.io/operator-framework/scorecard-test:v1.10.1"


LGTM, verified.
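
The check performed by hand in the verification above can be automated. The following is an added example, not operator-sdk code and not part of any comment in this bug: it reads a pod as JSON (as produced by `oc get pod <name> -o json`) and lists every container or init container whose image resolves to Docker Hub. The function names, the `scorecard-test` container name and both sample pods are constructed for illustration, and short names are assumed to follow Docker's convention of defaulting to docker.io.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// registryOf returns the registry host of an image reference. Assumption:
// Docker's convention, where the first path component is a registry only if
// it contains '.' or ':' or is "localhost"; anything else is a Docker Hub
// short name. CRI-O hosts resolve short names through registries.conf instead.
func registryOf(image string) string {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) == 1 || (!strings.ContainsAny(parts[0], ".:") && parts[0] != "localhost") {
		return "docker.io"
	}
	if parts[0] == "index.docker.io" || parts[0] == "registry-1.docker.io" {
		return "docker.io"
	}
	return parts[0]
}

type container struct{ Name, Image string }

type pod struct {
	Metadata struct{ Name string }
	Spec     struct{ InitContainers, Containers []container }
}

// DockerHubImages lists "pod/container image" for each init container and
// container in the pod JSON whose image would be pulled from Docker Hub.
func DockerHubImages(podJSON []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return nil, err
	}
	var hits []string
	for _, c := range append(p.Spec.InitContainers, p.Spec.Containers...) {
		if registryOf(c.Image) == "docker.io" {
			hits = append(hits, fmt.Sprintf("%s/%s %s", p.Metadata.Name, c.Name, c.Image))
		}
	}
	return hits, nil
}

// Constructed sample pods modelled on this report: before and after the fix.
const beforePod = `{"metadata":{"name":"scorecard-test-xql6"},"spec":{"initContainers":[{"name":"scorecard-untar","image":"docker.io/busybox:1.33.0"}],"containers":[{"name":"scorecard-test","image":"quay.io/operator-framework/scorecard-test:v1.10.1"}]}}`
const afterPod = `{"metadata":{"name":"scorecard-test-xql6"},"spec":{"initContainers":[{"name":"scorecard-untar","image":"registry.access.redhat.com/ubi8/ubi:8.4"}],"containers":[{"name":"scorecard-test","image":"quay.io/operator-framework/scorecard-test:v1.10.1"}]}}`

func main() {
	before, _ := DockerHubImages([]byte(beforePod))
	after, _ := DockerHubImages([]byte(afterPod))
	fmt.Println("before fix:", before, "after fix:", after)
}
```

Init containers are included deliberately: the busybox pull in this bug came from the `scorecard-untar` init container, which a check limited to `spec.containers` would miss.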

Comment 10 errata-xmlrpc 2022-04-27 11:46:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.8.39 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1427