Bug 1805250 - oauth-proxy image cannot be referenced for disconnected installs
Summary: oauth-proxy image cannot be referenced for disconnected installs
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.2.z
Assignee: Stefan Schimanski
QA Contact: scheng
Depends On: 1812554
TreeView+ depends on / blocked
Reported: 2020-02-20 15:02 UTC by Ben Parees
Modified: 2020-06-03 09:26 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1805247
: 1812489 (view as bug list)
Last Closed: 2020-06-03 09:26:03 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-samples-operator pull 235 0 None closed [release-4.2] bug 1805250: add imagestream for oauthproxy image 2020-11-05 23:39:47 UTC
Github openshift cluster-samples-operator pull 248 0 None closed Bug 1805250: manifests: add openshift/oauth-proxy:v4.4 image 2020-11-05 23:39:47 UTC
Red Hat Product Errata RHBA-2020:2307 0 None None None 2020-06-03 09:26:18 UTC

Description Ben Parees 2020-02-20 15:02:42 UTC
+++ This bug was initially created as a clone of Bug #1805247 +++

+++ This bug was initially created as a clone of Bug #1804765 +++

+++ This bug was initially created as a clone of Bug #1804763 +++

Description of problem:

The oauth-proxy image is used by various external products (e.g. OLM operators).  Currently they must reference all their images using SHAs to ensure they can be mirrored for disconnected installs.  However that means they must repackage their operator every time the SHA changes.

It would be better if they can simply reference the current image via an imagestreamtag provided by OCP.

We will introduce a new imagestreamtag that maps to the SHA from the OCP payload for the cluster and OLM components can reference that tag to ensure they are always getting the right image.

Actual results:
There is no oauth-proxy imagestreamtag in the openshift namespace

Expected results:
There will be an oauth-proxy imagestreamtag in the openshift namespace which resolves to the SHA of the oauth-proxy image from the cluster's payload.

Comment 1 Ben Parees 2020-05-18 15:34:48 UTC
Stefan looks like this never got moved to modified?

PR is merged.

Comment 2 Stefan Schimanski 2020-05-20 08:51:45 UTC
PRs merged.

Comment 8 Ben Parees 2020-06-01 02:54:32 UTC
> I am unsure as to whether the issue where oauth proxy image is not referenced for disconnected installation is resolved and if resolved then which Bugzilla should be followed. 

This bug made it possible for operator manifests to reference the oauth proxy image by sha, which ensures that they can work in disconnected environments.

each individual operator needs to update its manifest to use the new imagestreamtag if they want to ensure they can work properly in a disconnected environment, this bug(and the related bugs which were for backporting the change to different openshift releases) does nothing to fix any specific operator.  You would need to talk to the individual operator teams to find out if they have made use of the new imagestreamtag and in what version of their operator they did so.

Comment 10 errata-xmlrpc 2020-06-03 09:26:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.