Description of problem:
In a cluster with a default (empty) `configs.spec.samplesRegistry` field but with whitelist entries in `image.spec.registrySources.allowedRegistries` an upgrade to 4.9.9 stalls:

$ oc get co openshift-samples
NAME                VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
openshift-samples   4.9.9     True        True          True       6m19s   Samples installation in error at 4.9.9: &errors.errorString{s:"global openshift image configuration prevents the creation of imagestream s using the registry "}

Version-Release number of selected component (if applicable):
4.9.9

How reproducible:
1.

Steps to Reproduce:
1. ensure samplesRegistry field is empty:

$ oc get configs.samples.operator.openshift.io/cluster -o jsonpath='{.spec.samplesRegistry}'
$

2. ensure registrySources.allowedRegistries whitelists registry.redhat.io

$ oc get image.config.openshift.io/cluster -o jsonpath='{.spec.registrySources.allowedRegistries}'|jq
[
  "image-registry.openshift-image-registry.svc:5000",
  "registry.redhat.io",
  "registry.access.redhat.com",
  "quay.io",
  "k8s.gcr.io",
  "docker.io"
]

3. upgrade to 4.9.9

Actual results:

$ oc get co openshift-samples
NAME                VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
openshift-samples   4.9.9     True        True          True       6m19s   Samples installation in error at 4.9.9: &errors.errorString{s:"global openshift image configuration prevents the creation of imagestream s using the registry "}

Expected results:

$ oc get co openshift-samples
NAME                VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
openshift-samples   4.9.9     True        False         False      23m

Additional info:
With the introduction of a check for allow/block registry settings (https://github.com/openshift/cluster-samples-operator/pull/394) a regression is introduced when no spec.samplesRegistry is set and an empty string is passed to `imageConfigBlocksImageStreamCreation` (https://github.com/openshift/cluster-samples-operator/blob/8c0e76d14c396f3035f1fe2b9b1f8fede7d4fc66/pkg/stub/handler.go#L369) causing

'level=info msg="considering allowed registry registry.redhat.io for " '

As a workaround, patching spec.samplesRegistries to point to registry.redhat.io allows the upgrade to continue.

$ oc patch configs.samples.operator.openshift.io cluster --type merge --patch '{"spec": {"samplesRegistry": "registry.redhat.io"}}'
Looking into this, based on CRD https://github.com/openshift/api/blob/master/samples/v1/0000_10_samplesconfig.crd.yaml#L53 it looks like in most cases it will default to registry.redhat.io but I also do not see it in my 4.9.11 and 4.8.24 clusters:

dperaza@dperaza-mac cluster-samples-operator % oc get configs.samples.operator.openshift.io/cluster -o json | jq .spec
{
  "architectures": [
    "x86_64"
  ],
  "managementState": "Managed"
}

Trying to figure out why it defaults to empty. Will keep you posted.
Yep, that file is common between OKD and OCP, so it cannot list registry.redhat.io as the default. That field is really intended for mirroring scenarios. But yes, the imageConfigBlocksImageStreamCreation logic needs to properly handle the default case where an empty name is passed into it. If the name is empty, as long as the allowed list contains "registry.redhat.io", "registry.access.redhat.com", "quay.io", the method should return true.
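The empty-name case discussed in the comment above, as an added Go example that is not the operator's code and not part of the original thread. The function names and the exact-match comparison are assumptions; the default registries and the allow list are the ones quoted in this report.

```go
package main

import "fmt"

// Registries the samples come from when spec.samplesRegistry is unset (named in the thread).
var defaultSampleRegistries = []string{"registry.redhat.io", "registry.access.redhat.com", "quay.io"}

// contains does an exact string match (assumption: real allow-list entries
// may be matched differently by the operator).
func contains(list []string, want string) bool {
	for _, item := range list {
		if item == want {
			return true
		}
	}
	return false
}

// naiveAllowed (hypothetical) shows the regression pattern: the possibly empty
// override is compared directly against the allow list, so "" never matches.
func naiveAllowed(samplesRegistry string, allowed []string) bool {
	if len(allowed) == 0 {
		return true // no allow list configured, nothing is restricted
	}
	return contains(allowed, samplesRegistry)
}

// samplesAllowed (hypothetical) resolves an empty override to the default
// registries first and requires every one of them to be on the allow list.
func samplesAllowed(samplesRegistry string, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	needed := defaultSampleRegistries
	if samplesRegistry != "" {
		needed = []string{samplesRegistry} // mirroring scenario: only the override matters
	}
	for _, r := range needed {
		if !contains(allowed, r) {
			return false
		}
	}
	return true
}

func main() {
	allowed := []string{"image-registry.openshift-image-registry.svc:5000", "registry.redhat.io",
		"registry.access.redhat.com", "quay.io", "k8s.gcr.io", "docker.io"} // allow list from the report
	fmt.Println(naiveAllowed("", allowed), samplesAllowed("", allowed))
}
```

With the report's allow list and an empty override, the naive check rejects the samples while the default-aware check accepts them; removing one of the three default registries from the allow list makes the second check reject as well.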
Started to work on this fix, thanks for confirming @gmontero
verified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056
Hello David,

We have a customer facing this issue again in OpenShift 4.10.14. The issue got resolved after implementing the workaround:

oc patch configs.samples.operator.openshift.io cluster --type merge --patch '{"spec": {"samplesRegistry": "registry.redhat.io"}}'

Can we reopen this bug?