Bug 1918781 - Failed to get ansible-runner stdout
Summary: Failed to get ansible-runner stdout
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Operator SDK
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 4.5.z
Assignee: Jesus M. Rodriguez
QA Contact: Fan Jia
URL:
Whiteboard:
Depends On: 1918987
Blocks: 1917441
Reported: 2021-01-21 14:39 UTC by Rayford Johnson
Modified: 2021-02-02 15:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The python-urllib3 package was updated to fix a CVE but caused an incompatibility with the existing python-six package.
Consequence: URL parsing would fail with InvalidURL stacktraces.
Fix: Patched python-urllib3 to work around the issue.
Result: The updated python-urllib3 version 1.26.2-2 fixes the InvalidURL errors.
Clone Of:
: 1918988 (view as bug list)
Environment:
Last Closed: 2021-02-02 15:10:11 UTC
Target Upstream Version:
Embargoed:


Attachments
catalog showing the images should be the same, but they are not (48.50 KB, image/png)
2021-01-29 12:48 UTC, jmazzite


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1918124 | 0 | urgent | CLOSED | Failed to create migrationcontroller instance because failed to get ansible-runner stdout | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHBA-2021:0231 | 0 | None | None | None | 2021-02-02 15:10:38 UTC

Internal Links: 1918124

Comment 1 jmazzite 2021-01-21 14:51:03 UTC
The latest productized build of Kiali Operator (which is currently undergoing QE testing) has encountered the same problem.

For this build, we needed our health index to be an "A" so we upgraded to the latest productized ansible operator base image of openshift/ose-ansible-operator:v4.5.0-202101120955.p0 - it was with this base image that we see this problem. We'll need a new productized base image of the ansible operator with this fix (assuming it retains its health index of "A") in order to be able to release the next Kiali Operator.

Comment 2 Jesus M. Rodriguez 2021-01-21 15:01:17 UTC
This update was made to address the following issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1883799

Comment 3 Jesus M. Rodriguez 2021-01-21 19:49:44 UTC
Easy reproducer is to do the following:

$ python
import requests
requests.get(url="https://paste.centos.org/view/74829507")

With the broken package you get InvalidURL

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 498, in request
    prep = self.prepare_request(req)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 441, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 309, in prepare
    self.prepare_url(url, params)
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 377, in prepare_url
    raise InvalidURL(*e.args)
requests.exceptions.InvalidURL: Failed to parse: https://paste.centos.org/view/74829507

With the FIXED package you get a 200:

<Response [200]>

Comment 4 Jesus M. Rodriguez 2021-01-21 19:52:12 UTC
The underlying problem is that the package requires a newer version of python-six but the upstream source carries its own copy of the six.py it needs. The RPM tries to use the system version which is way too old and updating it would cause a dependency chain reaction. I've updated the spec file to use the six.py included in the urllib3 tarball as the developers intended.

Comment 7 Jesus M. Rodriguez 2021-01-21 20:56:09 UTC
Easy way to test this is to use ansible-operator image.

docker run -it --entrypoint=/bin/sh registry.redhat.io/openshift4/ose-ansible-operator:v4.5

Then run the reproducer python lines from comment #2

With the FIXED package you get a 200:

<Response [200]>

Comment 11 jmazzite 2021-01-28 22:32:05 UTC
There is a problem with the released image - or at least something isn't right with the way the images are being served.

See here: https://catalog.redhat.com/software/containers/openshift4/ose-ansible-operator/5cdc9a53bed8bd5717d6345e?tag=all

Notice the latest (from 2 days ago) is v4.5.0-202101180538.p0 and has health index "A" (notice it is also labeled v4.5).

Well, that first one (v4.5.0-202101180538.p0) fails but the second one (v4.5) passes -- how is this possible when it should be the same image??!?!?

Doing the replication test as documented above, notice the difference in behavior:

$ docker run --entrypoint /bin/bash --rm -i -t registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-ansible-operator:v4.5.0-202101180538.p0
bash-4.2$ python
Python 2.7.5 (default, Aug 13 2020, 02:51:10)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get(url="https://paste.centos.org/view/123456")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 472, in request
    prep = self.prepare_request(req)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 403, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 304, in prepare
    self.prepare_url(url, params)
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 357, in prepare_url
    raise InvalidURL(*e.args)
requests.exceptions.InvalidURL: Failed to parse: https://paste.centos.org/view/123456
>>>
bash-4.2$ exit
exit


$ docker run --entrypoint /bin/bash --rm -i -t registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-ansible-operator:v4.5
bash-4.2$ python
Python 2.7.5 (default, Mar 20 2020, 17:08:22)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get(url="https://paste.centos.org/view/123456")
<Response [404]>
>>>


The above was using images from registry-proxy.engineering.redhat.com - but the same happens with registry.redhat.io:


$ docker run --entrypoint /bin/bash --rm -i -t registry.redhat.io/openshift4/ose-ansible-operator:v4.5.0-202101180538.p0
Unable to find image 'registry.redhat.io/openshift4/ose-ansible-operator:v4.5.0-202101180538.p0' locally
v4.5.0-202101180538.p0: Pulling from openshift4/ose-ansible-operator
Digest: sha256:d2dc06abf24eea5928757453ba89c886662906624f79b31852a6d9d3b0c4c7f9
Status: Downloaded newer image for registry.redhat.io/openshift4/ose-ansible-operator:v4.5.0-202101180538.p0
bash-4.2$ python
Python 2.7.5 (default, Aug 13 2020, 02:51:10) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get(url="https://paste.centos.org/view/123456")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 472, in request
    prep = self.prepare_request(req)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 403, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 304, in prepare
    self.prepare_url(url, params)
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 357, in prepare_url
    raise InvalidURL(*e.args)
requests.exceptions.InvalidURL: Failed to parse: https://paste.centos.org/view/123456
>>> 


$ docker run --entrypoint /bin/bash --rm -i -t registry.redhat.io/openshift4/ose-ansible-operator:v4.5
bash-4.2$ python
Python 2.7.5 (default, Sep 26 2019, 13:23:47) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get(url="https://paste.centos.org/view/123456")
<Response [404]>
>>> 
bash-4.2$ exit
exit

Comment 12 Jesus M. Rodriguez 2021-01-28 22:50:50 UTC
Confirmed the dated tag has the wrong RPM: python2-urllib3-1.26.2-1.el7.noarch

$ docker run --entrypoint /bin/bash --rm -i -t registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-ansible-operator:v4.5.0-202101180538.p0
bash-4.2$ rpm -q python2-urllib3
python2-urllib3-1.26.2-1.el7.noarch

The v4.5 one has the correct RPM:
$ docker run --entrypoint /bin/bash --rm -i -t registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-ansible-operator:v4.5
bash-4.2$ rpm -q python2-urllib3
python2-urllib3-1.26.2-2.el7.noarch
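
The check from comment 12, generalized as an added example (not part of the original comment or of any Red Hat tooling): it parses `rpm -q` output and compares version-release against the fixed build 1.26.2-2.el7 with a simplified form of RPM's segment comparison, so an image is judged by the package it contains rather than by its tag. The function names and the `SAMPLE` mapping are assumptions made for illustration; the two package strings are the ones shown above.

```python
import re

# Fixed build of python2-urllib3 named in the Doc Text and in comment 12.
FIXED_VERSION, FIXED_RELEASE = "1.26.2", "2.el7"

# `rpm -q python2-urllib3` output per image tag, copied from comment 12
# (registry host omitted from the image references for brevity).
SAMPLE = {
    "openshift-ose-ansible-operator:v4.5.0-202101180538.p0":
        "python2-urllib3-1.26.2-1.el7.noarch",
    "openshift-ose-ansible-operator:v4.5":
        "python2-urllib3-1.26.2-2.el7.noarch",
}

def parse_nvra(nvra):
    """Split 'name-version-release.arch' as printed by `rpm -q`."""
    nvr, _, arch = nvra.strip().rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def vercmp(a, b):
    """Simplified rpmvercmp (no '~' or '^' handling): returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)  # separators are ignored
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer
        if x.isdigit():
            x, y = int(x), int(y)            # compare numbers numerically
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def has_fixed_build(nvra):
    """True when the package is at or above the fixed version-release."""
    _, version, release, _ = parse_nvra(nvra)
    by_version = vercmp(version, FIXED_VERSION)
    return by_version > 0 or (by_version == 0 and vercmp(release, FIXED_RELEASE) >= 0)

def audit(report):
    """Map each image reference to whether it carries the fixed build."""
    return {image: has_fixed_build(nvra) for image, nvra in report.items()}

if __name__ == "__main__":
    for image, ok in audit(SAMPLE).items():
        print("%-55s %s" % (image, "fixed" if ok else "NOT fixed"))
```
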

Comment 13 Luke Meyer 2021-01-28 23:20:49 UTC
"v4.5" is a floating tag, and docker will cache whatever it first pulls by that name, so I have no idea what you're actually looking at when running that. Try pulling it again; if I inspect it like so, currently registry.redhat.io has them as the same:

$ oc image info registry.redhat.io/openshift4/ose-ansible-operator:v4.5.0-202101180538.p0 --filter-by-os linux/amd64 | grep Digest
Digest:        sha256:09580934cccdd8f33006de9a13e5bb9b7bc8c8cbdf57b80e034cbc35dcaabd19
$ oc image info registry.redhat.io/openshift4/ose-ansible-operator:v4.5 --filter-by-os linux/amd64 | grep Digest
Digest:        sha256:09580934cccdd8f33006de9a13e5bb9b7bc8c8cbdf57b80e034cbc35dcaabd19


Of course that will change with the next release (and in registry-proxy already has with a newer dev build v4.5.0-202101270256.p0).

Comment 14 Luke Meyer 2021-01-28 23:26:07 UTC
FWIW the build currently teed up to ship next week is openshift-enterprise-ansible-operator-container-v4.6.0-202101230113.p0
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1471182

Comment 15 jmazzite 2021-01-29 12:48:21 UTC
Created attachment 1752033
catalog showing the images should be the same, but they are not

snapshot of catalog erroneously showing the three tags refer to the same image (in actuality, they do not).

Comment 16 jmazzite 2021-01-29 12:48:45 UTC
In my case, I never use the floating tag in my operator's Dockerfile (precisely because it is floating and my brew build never knows which one it will get).

So the point is - I was using v4.5.0-202101180538.p0 when I last built yesterday and it didn't pick up the latest build with this fix that this bugzilla provides, which is a problem because the catalog told me it would be the same image. When you look at the software catalog right now at https://catalog.redhat.com/software/containers/openshift4/ose-ansible-operator/5cdc9a53bed8bd5717d6345e?tag=all all of v4.5, v4.5.0 and v4.5.0-202101180538.p0 refer to the SAME image. See attached screenshot.

This is a problem - based on the information shown in the catalog, a customer expects to be able to pull any of those 3 and get the same image. It should not be that all three are labeling the same image in the catalog but yet docker will pull different images. This is a bug somewhere in our system (but I do not know where, I'm merely a consumer of this stuff - I have no idea what is going on in the bowels of our image repositories).

Comment 17 jmazzite 2021-01-29 12:54:54 UTC
OH! I see what my problem is... ignore my last two comments.

I just realized I had an OLD v4.5 on my system... so when I did a docker run, it was using THAT image (it wasn't pulling from the registry the latest).

So when I ran the test, it was actually running the OLDER image.

I was thinking v4.5.0-202101180538.p0 was an image that fixed this BZ bug - but apparently, that bug fix didn't get released yet - so no image in the catalog fixes this bug yet. That was my misunderstanding - sorry about that.

OK, so this bug fix isn't available yet via the images from the catalog. I'll have to wait for it to be released, which I assume won't happen until next week.

Comment 18 jmazzite 2021-01-29 13:28:08 UTC
> (and in registry-proxy already has with a newer dev build v4.5.0-202101270256.p0)

Looks like I can use this one:

===

$ docker run --entrypoint /bin/bash --rm -i -t registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-ansible-operator:v4.5.0-202101270256.p0
Unable to find image 'registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-ansible-operator:v4.5.0-202101270256.p0' locally
v4.5.0-202101270256.p0: Pulling from rh-osbs/openshift-ose-ansible-operator
eae19a56e9c6: Already exists 
be73321c7956: Already exists 
3f2f24330eef: Pull complete 
bc72924bc5e6: Pull complete 
a6394a34e4b5: Pull complete 
Digest: sha256:7c7025b712c798f90c0c9a05e8085a211be40c13fea61a5b963ee6242a9887ed
Status: Downloaded newer image for registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-ansible-operator:v4.5.0-202101270256.p0
bash-4.2$ python
Python 2.7.5 (default, Aug 13 2020, 02:51:10) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get(url="https://paste.centos.org/view/123456")
<Response [404]>
>>> 
bash-4.2$ exit
exit

Comment 20 errata-xmlrpc 2021-02-02 15:10:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.30 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0231

