Bug 1842582 - "oc adm catalog mirror" generated ImageContentSourcePolicy contains image digests in "source"
Summary: "oc adm catalog mirror" generated ImageContentSourcePolicy contains image dig...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.6.0
Assignee: Evan Cordell
QA Contact: Jian Zhang
Depends On:
Blocks: 1842655
TreeView+ depends on / blocked
Reported: 2020-06-01 15:22 UTC by Marek Schmidt
Modified: 2020-10-27 16:03 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1842655 (view as bug list)
Last Closed: 2020-10-27 16:03:06 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift oc pull 445 0 None closed Bug 1842582: Don't include digest in source for ICSP when mirroring a catalog 2021-02-10 13:59:12 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:03:09 UTC

Description Marek Schmidt 2020-06-01 15:22:44 UTC
Description of problem:

Attempting to deploy staged operators using "oc adm catalog build" and "oc adm catalog mirror"

The ImageContentSourcePolicy generated by "oc adm catalog mirror" doesn't seem to work on OCP 4.5, because of the "source" contains image digests:

  - mirrors:
    - mirror.example.com/openshift-serverless-1-knative-rhel8-operator
    source: registry.stage.redhat.io/openshift-serverless-1/knative-rhel8-operator@sha256:86b76bb49e0aa1c09808ae8c1b734483155e9332a8fa6e2434f084fc2376bfa2

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
(quay.io/maschmid/catalog:v1 created via "oc adm catalog build" against quay.io/maschmid app registry, which contains staged serverless operator, downloaded from stage and pushed with operator-courier )

1. oc adm catalog mirror quay.io/maschmid/catalog:v1 mirror.example.com --manifests-only=true
2. cat catalog-manifests/imageContentSourcePolicy.yaml

Actual results:

  - mirrors:
    - mirror.example.com/openshift-serverless-1-knative-rhel8-operator
    source: registry.stage.redhat.io/openshift-serverless-1/knative-rhel8-operator@sha256:86b76bb49e0aa1c09808ae8c1b734483155e9332a8fa6e2434f084fc2376bfa2

Expected results:

  - mirrors:
    - mirror.example.com/openshift-serverless-1-knative-rhel8-operator
    source: registry.stage.redhat.io/openshift-serverless-1/knative-rhel8-operator

Additional info:
Note that even if it worked as is, ImageContentSourcePolicy shouldn't be operator-version specific, as any change in ImageContentSourcePolicy requires crio restart on all nodes.

Comment 4 Jian Zhang 2020-06-08 02:09:58 UTC
[root@preserve-olm-env data]# ./oc version -o yaml
  buildDate: "2020-06-06T02:39:31Z"
  compiler: gc
  gitCommit: e4f466b35d6b3d239ed9eba1764d0ca8aca2dd6b
  gitTreeState: dirty
  gitVersion: openshift-clients-4.6.0-202006060217
  goVersion: go1.13.4
  major: ""
  minor: ""
  platform: linux/amd64
releaseClientVersion: 4.6.0-0.nightly-2020-06-07-065515

1, mirror it.
[root@preserve-olm-env data]# ./oc adm catalog mirror quay.io/olmqe/jaeger:v1 localhost:5000 --manifests-only=true
using database path mapping: /:/tmp/870676964
wrote database to /tmp/870676964
using database at: /tmp/870676964/bundles.db
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-all-in-one-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-es-index-cleaner-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-agent-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-query-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-rhel7-operator:1.13.1, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-collector-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-rhel7-operator:1.17.1-3, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-ingester-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
no digest mapping available for registry.redhat.io/distributed-tracing/jaeger-es-rollover-rhel7:1.17.1-2, skip writing to ImageContentSourcePolicy
wrote mirroring manifests to jaeger-manifests

2, check the ICSP info, no digest info in the source field, LGTM, verify it.
[root@preserve-olm-env data]# cat jaeger-manifests/imageContentSourcePolicy.yaml 
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
  name: jaeger
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-es-index-cleaner-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-es-index-cleaner-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-collector-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-collector-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-agent-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-agent-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-es-rollover-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-es-rollover-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-rhel7-operator
    source: registry.redhat.io/distributed-tracing/jaeger-rhel7-operator
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-all-in-one-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-all-in-one-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-query-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-query-rhel7
  - mirrors:
    - localhost:5000/distributed-tracing/jaeger-ingester-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-ingester-rhel7

Comment 6 errata-xmlrpc 2020-10-27 16:03:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.