Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1825565

Summary: oc refuses to mirror unless at least one of --apply-release-image-signature, --release-image-signature-to-dir, or --to-dir is set
Product: OpenShift Container Platform Reporter: Stephen Benjamin <stbenjam>
Component: ocAssignee: W. Trevor King <wking>
Status: CLOSED ERRATA QA Contact: Johnny Liu <jialiu>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 4.5CC: aos-bugs, augol, jialiu, jokerman, lmohanty, mfojtik, wking
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-13 17:28:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Benjamin 2020-04-18 23:57:58 UTC 
Description of problem:

https://github.com/openshift/oc/pull/343 introduces a bunch of options to handle release image signatures.

The e2e-metal-ipi job is now broken, as it does a disconnected install.


Version-Release number of selected component (if applicable):

Latest CI build since Friday

How reproducible:
Always

Steps to Reproduce:
1. Try to mirror a release to a local registry:

```
oc adm release mirror --insecure=true -a combined-pullsecret--gyUsq8fVYL --from registry.svc.ci.openshift.org/ci-op-hmxpdxpw/release@sha256:7d9cc5731a84efab3c59fe66a81a66ec1d3e386183b383f905d0efc71dd6f161 --to-release-image virthost.ostest.test.metalkube.org:5000/localimages/local-release-image:7d9cc5731a84efab3c59fe66a81a66ec1d3e386183b383f905d0efc71dd6f161 --to virthost.ostest.test.metalkube.org:5000/localimages/local-release-image
```


Actual results:

error: if --to-dir and --apply-release-image-signature are not specified, --release-image-signature-to-dir must be used to specify a directory to export the signature

Expected results:

Ideally the old command would always work, possibly exporting the config map to `$PWD`. This would make the change backwards-compatible and not require us to do something special in 4.5 with our automation.

Additional info:

This whole change is problematic to deal with because `oc version --client -o json` doesn't give you an easily comparable version. Even if we parse the `releaseClientVersion`, I don't believe this was in 4.3 or 4.4 -- the output of oc version` has changed.
Comment 1 Stephen Benjamin 2020-04-18 23:58:32 UTC 
Here's an example of the failing CI: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-ocp-4.5-e2e-metal-ipi/89
Comment 2 W. Trevor King 2020-04-19 04:18:22 UTC 
> Ideally the old command would always work, possibly exporting the config map to `$PWD`.

If --to-dir, --release-image-signature-to-dir, and --apply-release-image-signature are all unset, oc should probably just do nothing about the signature.
Comment 6 Johnny Liu 2020-04-22 09:57:23 UTC 
Reproduced this bug with 4.5.0-202004201837-2039c60.

[root@preserve-jialiu-ansible ~]# oc version
Client Version: 4.5.0-202004201837-2039c60

[root@preserve-jialiu-ansible ~]# oc adm release mirror --from=registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-04-21-103613 --to=upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release --to-release-image=upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release:4.5.0-0.nightly-2020-04-21-103613
error: if --to-dir and --apply-release-image-signature are not specified, --release-image-signature-to-dir must be used to specify a directory to export the signature

Fixed in 4.5.0-0.nightly-2020-04-21-075048

[root@preserve-jialiu-ansible ~]# oc version
Client Version: 4.5.0-0.nightly-2020-04-21-075048

[root@preserve-jialiu-ansible ~]# oc adm release mirror --from=registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-04-21-103613 --to=upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release --to-release-image=upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release:4.5.0-0.nightly-2020-04-21-103613
info: Mirroring 111 images to upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release ...
upshift.mirror-registry.qe.devcluster.openshift.com:5000/
  ocp/release
    manifests:
<--snip-->
info: Mirroring completed in 1.04s (0B/s)

Success
Update image:  upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release:4.5.0-0.nightly-2020-04-21-103613
Mirror prefix: upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release

To use the new mirrored repository to install, add the following section to the install-config.yaml:

imageContentSources:
- mirrors:
  - upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
- mirrors:
  - upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release
  source: registry.svc.ci.openshift.org/ocp/release


To use the new mirrored repository for upgrades, use the following to create an ImageContentSourcePolicy:

apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: example
spec:
  repositoryDigestMirrors:
  - mirrors:
    - upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release
    source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
  - mirrors:
    - upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release
    source: registry.svc.ci.openshift.org/ocp/release
Comment 7 errata-xmlrpc 2020-07-13 17:28:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409