
OCPBUGS-92034: fix registry override matching for digest and tag separators#8824

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
muraee:fix-registry-override-digest-matching
Jun 25, 2026

Conversation

@muraee

@muraee muraee commented Jun 24, 2026


Summary

  • Fix registryoverride.Replace to accept @ (digest) and : (tag) as valid separators alongside /, so repository-level --registry-overrides work for digest-based images
  • Add test cases covering digest separator, tag separator, longest-prefix with digest, and false-positive rejection

Root Cause

PR #8509 introduced strict prefix matching in registryoverride.Replace that only checked for / as a valid separator after the source key. Release payload images use @sha256: digest references, so repository-level overrides like:

--registry-overrides=quay.io/openshift-release-dev/ocp-v4.0-art-dev=mirror.example.com/art-dev

failed to match quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:abc123 because the character after the source prefix is @, not /.

This broke CAPI and all other component image rewrites in disconnected/air-gapped environments using repository-level overrides.

Which issue(s) this PR fixes

Fixes OCPBUGS-92034
Regression of OCPBUGS-74247 (PR #7575)

Test plan

  • Unit tests for digest separator matching (@sha256:)
  • Unit tests for tag separator matching (:latest)
  • Unit tests for longest-prefix selection with digest references
  • Unit tests for false-positive rejection (trailing dash in repo name)
  • All existing registryoverride, imageprovider, and registry_mirror_provider tests pass

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Improved deterministic image override matching using stricter, separator-based prefix rules.
    • Reduced false positives for similarly named repositories.
    • Ensured the most specific (longest) matching override is applied.
    • Correctly handled tag/digest boundaries and host:port behavior.
  • Tests

    • Expanded coverage for repository, tag, and digest match scenarios.
    • Added cases for longest-prefix selection and non-matching similar prefixes.
    • Added validation for host:port matching and correct boundary handling.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 24, 2026
@openshift-ci-robot


@muraee: This pull request references Jira Issue OCPBUGS-92034, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot


Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai

coderabbitai Bot commented Jun 24, 2026


No actionable comments were generated in the recent review. 🎉

📝 Walkthrough

Walkthrough

Replace in support/util/registryoverride/registryoverride.go now uses a new unexported matchesPrefix helper for separator-aware override matching. The helper accepts exact matches and prefix matches only at valid image-reference boundaries. The package documentation was updated to describe digest and repository override behavior. TestReplace gained cases for digest and tag separators, longest-prefix selection, trailing-dash mismatch, and host:port matching.

Possibly related PRs

  • openshift/hypershift#8509: Updates the same registry override matching path and is directly related to prefix-matching behavior in Replace.

Suggested reviewers

  • jparrill
  • devguyio
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: fixing registry override matching for digest and tag separators.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All subtest names are static strings; no dynamic values, generated IDs, timestamps, or environment-specific data appear in test titles.
Test Structure And Quality ✅ Passed PASS: these are plain table-driven unit tests, not Ginkgo/cluster tests; each subtest targets one behavior and uses self-contained assertions.
Topology-Aware Scheduling Compatibility ✅ Passed Only registryoverride utility code and tests changed; no manifests, operators, controllers, or scheduling/topology logic were introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; changes are limited to registryoverride package unit code/tests.
No-Weak-Crypto ✅ Passed Touched registryoverride code only changes image-prefix matching/tests; no weak crypto, custom crypto, or secret comparison logic appears in the diff.
Container-Privileges ✅ Passed The PR only changes Go logic/tests in support/util/registryoverride; no K8s manifests or privilege-related fields were added.
No-Sensitive-Data-In-Logs ✅ Passed No logging or printf-style production code was added; the touched package only contains pure string logic and tests with hardcoded image refs.


@openshift-ci openshift-ci Bot requested review from jparrill and sdminonne June 24, 2026 15:23
@openshift-ci openshift-ci Bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-area labels Jun 24, 2026
@muraee

muraee commented Jun 24, 2026


/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 24, 2026
@openshift-ci-robot


@muraee: This pull request references Jira Issue OCPBUGS-92034, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Inline comments:
In `@support/util/registryoverride/registryoverride.go`:
- Around line 60-61: The boundary check in the registry override matcher is too
permissive because the logic in the override matching function accepts ':' after
every source, which causes host-only entries to match host:port images
unintentionally. Update the matching logic around the source/image boundary
check so ':' is only treated as a valid separator when it truly indicates a tag
or digest boundary, not a registry port, and keep the existing '/' and '@'
behavior intact. Use the registry override matching code path and the symbol
that performs the boundary comparison to localize the fix.

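The PR description (separator-aware prefix matching, longest-prefix selection, trailing-dash rejection) and the review finding above (a bare ':' after a host-only source would let "host" match "host:port/..." images) can be demonstrated together. The following is an added example written for this page, not the project's registryoverride package; the rule that ':' counts as a tag boundary only when the source key already contains a '/' (so a bare host never matches a host:port image) is this example's own assumption, not necessarily how the merged fix handles it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// matchesPrefix reports whether image is exactly source, or starts with
// source followed by a character that closes an image-reference component:
// '/' (next path segment), '@' (digest) or ':' (tag). A ':' directly after a
// source with no '/' is a registry port rather than a tag, so a host-only
// source does not match a host:port image (assumption of this example).
func matchesPrefix(image, source string) bool {
	if image == source {
		return true
	}
	if len(image) <= len(source) || !strings.HasPrefix(image, source) {
		return false
	}
	switch image[len(source)] {
	case '/', '@':
		return true
	case ':':
		return strings.Contains(source, "/")
	}
	// Any other character (e.g. '-' or '.') means a merely similar name.
	return false
}

// Replace rewrites image with the longest override key that matches at a
// valid boundary, keeping the remainder (path, tag or digest) intact.
// An image that matches no key is returned unchanged.
func Replace(image string, overrides map[string]string) string {
	keys := make([]string, 0, len(overrides))
	for k := range overrides {
		keys = append(keys, k)
	}
	// Longest key first, so the most specific override wins.
	sort.Slice(keys, func(i, j int) bool { return len(keys[i]) > len(keys[j]) })
	for _, src := range keys {
		if matchesPrefix(image, src) {
			return overrides[src] + image[len(src):]
		}
	}
	return image
}

func main() {
	// Constructed overrides, modelled on the --registry-overrides pair quoted
	// in the PR description plus a registry-level and a host-only key.
	overrides := map[string]string{
		"quay.io/openshift-release-dev/ocp-v4.0-art-dev": "mirror.example.com/art-dev",
		"quay.io":              "mirror.example.com",
		"registry.example.com": "mirror.example.com/internal",
	}
	images := []string{
		"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:abc123", // digest boundary
		"quay.io/openshift-release-dev/ocp-v4.0-art-dev:latest",        // tag boundary
		"quay.io/openshift-release-dev/ocp-v4.0-art-dev-extra@sha256:abc123", // trailing dash: falls back to quay.io
		"quay.io.example.com/foo",       // similar host, no boundary: unchanged
		"registry.example.com:5000/foo", // host:port, not a tag: unchanged
		"registry.example.com/foo:v1",   // host-only key matched at '/'
	}
	for _, img := range images {
		fmt.Printf("%-72s -> %s\n", img, Replace(img, overrides))
	}
}
```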

@muraee muraee force-pushed the fix-registry-override-digest-matching branch from 5628395 to aa1bab5 Compare June 24, 2026 15:30
@openshift-ci-robot


@muraee: This pull request references Jira Issue OCPBUGS-92034, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

@codecov

codecov Bot commented Jun 24, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.60%. Comparing base (438c61f) to head (e498117).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8824   +/-   ##
=======================================
  Coverage   42.59%   42.60%           
=======================================
  Files         768      768           
  Lines       95359    95371   +12     
=======================================
+ Hits        40617    40629   +12     
  Misses      51934    51934           
  Partials     2808     2808           
| Files with missing lines | Coverage Δ |
|---|---|
| support/util/registryoverride/registryoverride.go | 100.00% <100.00%> (ø) |

| Flag | Coverage Δ |
|---|---|
| cmd-support | 35.48% <100.00%> (+0.02%) ⬆️ |
| cpo-hostedcontrolplane | 44.84% <ø> (ø) |
| cpo-other | 44.94% <ø> (ø) |
| hypershift-operator | 53.05% <ø> (ø) |
| other | 31.69% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.


…arators

The registryoverride.Replace function only accepted "/" as a valid
separator after the source prefix, causing repository-level
--registry-overrides to fail for images with @sha256: digest references.
This broke all component image rewrites in disconnected environments
using overrides like:
  quay.io/openshift-release-dev/ocp-v4.0-art-dev=mirror/art-dev

Extend matchesPrefix to also accept "@" (digest) and ":" (tag) as valid
separators alongside "/".

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@muraee muraee force-pushed the fix-registry-override-digest-matching branch from aa1bab5 to e498117 Compare June 24, 2026 15:42

@bryan-cox bryan-cox left a comment


/lgtm

@bryan-cox


/verified by UT

Changes covered well by unit tests

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 24, 2026
@openshift-ci-robot


@bryan-cox: This PR has been marked as verified by UT.


@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 24, 2026
@openshift-merge-bot


Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

@openshift-ci

openshift-ci Bot commented Jun 24, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, muraee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hypershift-jira-solve-ci


AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2069826787344388096 | Cost: $3.7135339499999986 | Failed step: hypershift-azure-run-e2e



Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6

@openshift-merge-bot


/retest-required

Remaining retests: 0 against base HEAD 64c8878 and 2 for PR HEAD e498117 in total

@cwbotbot

cwbotbot commented Jun 24, 2026


Test Results

e2e-aws

e2e-aks

@hypershift-jira-solve-ci


Now I have all the evidence I need. Let me produce the final report for both jobs.

Test Failure Analysis Complete

Job Information

  • Prow Job 1: pull-ci-openshift-hypershift-main-e2e-aks
  • Build ID: 2069826787344388096
  • Prow Job 2: pull-ci-openshift-hypershift-main-e2e-aws
  • Build ID: 2069860098154434560
  • PR: #8824 — OCPBUGS-92034: fix registry override matching for digest and tag separators
  • PR Changes: support/util/registryoverride/registryoverride.go and registryoverride_test.go only

e2e-aks — TestNodePool/HostedCluster2/Main/TestAdditionalTrustBundlePropagation/AdditionalTrustBundlePropagationTest

Test Failure Analysis

Error

OSProvisioningTimedOut: OS Provisioning for VM 'node-pool-6rjwj-test-additional-trust-bundle-propagation-8zvfjz'
did not finish in the allotted time.

nodepool_additionalTrustBundlePropagation_test.go:104: Failed to wait for Waiting for NodePool
e2e-clusters-8lxq8/node-pool-6rjwj-test-additional-trust-bundle-propagation to stop updating in 20m0s:
context deadline exceeded

Summary

The TestAdditionalTrustBundlePropagation test triggers a NodePool rolling config update after adding a trust bundle. One of two Azure VMs (8zvfjz) failed OS provisioning within Azure's 20-minute timeout — the VM never booted, never reached the ignition endpoint, and never registered as a Kubernetes node. The other VM (gnmkh4) succeeded normally. This is an Azure infrastructure flake completely unrelated to the PR, which only modifies image registry override matching logic. Overall pass rate: 404/409 tests passed (98.8%); all 5 failures cascade from this single Azure VM provisioning timeout.

Root Cause

Azure infrastructure flake — OSProvisioningTimedOut. The Azure VM node-pool-6rjwj-test-additional-trust-bundle-propagation-8zvfjz failed to complete OS provisioning within Azure's 20-minute timeout. Azure started VM provisioning at 2026-06-24T17:53:22Z and declared it failed at 2026-06-24T18:13:34Z with error code OSProvisioningTimedOut. This is a well-known intermittent Azure issue where VMs occasionally take too long to boot and complete ignition initialization. The AzureMachine shows a status contradiction (ready: true but vmState: Failed), a known CAPZ behavior during provisioning timeout scenarios.

Not related to PR #8824. The PR modifies support/util/registryoverride/registryoverride.go to support @ (digest) and : (tag) separators in registry override matching. The failing test (TestAdditionalTrustBundlePropagation) tests trust bundle propagation through NodePool rolling updates — no code path from the PR is involved. All other 404 tests passed.


e2e-aws — TestKarpenter/Main/Parallel_provisioning_tests/OpenshiftEC2NodeClass_Kubelet_propagation

Test Failure Analysis

Error

Get "https://10.0.142.65:10250/containerLogs/kube-system/kubelet-config-checker/checker":
remote error: tls: internal error

Status: "Failure", Code: 500

Summary

The OpenshiftEC2NodeClass_Kubelet_propagation test provisions a Karpenter node with custom kubelet config, deploys a kubelet-config-checker pod, then attempts to read container logs via the kubelet API (port 10250). The API server's request to the kubelet at 10.0.142.65:10250 failed with tls: internal error — a TLS handshake failure between the API server and kubelet, typically caused by the kubelet's serving certificate not yet being signed/rotated or a transient CSR approval delay on a newly provisioned node. This is an infrastructure-level TLS timing issue completely unrelated to the PR's registry override logic changes. Overall pass rate: 619/623 tests passed (99.4%); all 4 failures cascade from this single TLS error.

Root Cause

Transient TLS handshake failure on newly provisioned Karpenter node. The Karpenter-provisioned node at 10.0.142.65 had its kubelet serving on port 10250 but the TLS handshake failed with tls: internal error when the API server tried to proxy container logs. This occurs when the kubelet's serving certificate is not yet signed or the CSR has not been approved by the time the test attempts to read logs. The node had just finished provisioning (5m33s to become ready) and the test immediately attempted to read pod logs from the kubelet.

Not related to PR #8824. The PR modifies support/util/registryoverride/registryoverride.go to handle digest (@) and tag (:) separators in image registry overrides. The failing test (OpenshiftEC2NodeClass_Kubelet_propagation) tests Karpenter-provisioned nodes with custom kubelet configuration — no code path from the PR is involved. All other 619 tests passed, including other Karpenter provisioning tests (capacity reservation, GPU, block device, etc.).

Recommendations
  • Retry both jobs — both failures are infrastructure flakes unrelated to the PR code changes
  • The PR only changes registryoverride.go (image registry override matching for digest/tag separators) — neither failing test exercises any registry override code path
  • e2e-aks: Consider extending the NodePool update timeout in TestAdditionalTrustBundlePropagation beyond 20 minutes to provide headroom for Azure VM provisioning flakes
  • e2e-aws: Consider adding a retry or wait for kubelet TLS readiness in the OpenshiftEC2NodeClass_Kubelet_propagation test before attempting to read container logs from newly provisioned Karpenter nodes
| Evidence | Evidence Detail |
|---|---|
| PR #8824 changed files | support/util/registryoverride/registryoverride.go, registryoverride_test.go — registry override matching only |
| e2e-aks pass rate | 404/409 passed (98.8%), 5 failures all cascade from 1 test |
| e2e-aks failing test | TestAdditionalTrustBundlePropagation/AdditionalTrustBundlePropagationTest |
| e2e-aks root cause | Azure OSProvisioningTimedOut for VM 8zvfjz (started 17:53:22, failed 18:13:34) |
| e2e-aks Azure error | OSProvisioningTimedOut: OS Provisioning for VM did not finish in the allotted time |
| e2e-aks AzureMachine status | ready: true but vmState: Failed — known CAPZ inconsistency |
| e2e-aks healthy comparison | Other VM (gnmkh4) in same NodePool succeeded: vmState: Succeeded, phase: Running |
| e2e-aws pass rate | 619/623 passed (99.4%), 4 failures all cascade from 1 test |
| e2e-aws failing test | TestKarpenter/Main/Parallel_provisioning_tests/OpenshiftEC2NodeClass_Kubelet_propagation |
| e2e-aws root cause | tls: internal error on kubelet API at 10.0.142.65:10250 — TLS handshake failure |
| e2e-aws error code | HTTP 500 — Get "https://10.0.142.65:10250/containerLogs/kube-system/kubelet-config-checker/checker": remote error: tls: internal error |
| e2e-aws node provisioning | Node became ready in 5m33s, then immediate log read attempt failed with TLS error |
| Relationship to PR | None — neither test exercises registry override matching code |

@trevorwilliams2025


/test e2e-aks

@trevorwilliams2025


/test e2e-aws

@openshift-ci

openshift-ci Bot commented Jun 25, 2026


@muraee: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-merge-bot Bot pushed a commit to Azure/ARO-HCP that referenced this pull request Jun 25, 2026
…ROSLSRE-1318)

The latest HyperShift operator image includes a regression in
registryoverride.Replace (openshift/hypershift#8509) that breaks
repository-level --registry-overrides for digest-based images.
This causes all CAPI and component image rewrites to fail in
environments using ACR mirrors, blocking cluster creation.

Pin to the known-good build (a101e669, 2026-06-05) until the
upstream fix (openshift/hypershift#8824, OCPBUGS-92034) merges
and a new image is published.
@openshift-merge-bot openshift-merge-bot Bot merged commit 9acec47 into openshift:main Jun 25, 2026
41 checks passed
@openshift-ci-robot


@muraee: Jira Issue Verification Checks: Jira Issue OCPBUGS-92034
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-92034 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓


@openshift-merge-robot


Fix included in release 5.0.0-0.nightly-2026-06-25-194049

@avollmer-redhat


/cherrypick release-4.22 release-4.21 release-4.20

@openshift-cherrypick-robot


@avollmer-redhat: #8824 failed to apply on top of branch "release-4.22":

Applying: fix(OCPBUGS-92034): registry override matching for digest and tag separators
Using index info to reconstruct a base tree...
A	support/util/registryoverride/registryoverride.go
A	support/util/registryoverride/registryoverride_test.go
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): support/util/registryoverride/registryoverride.go deleted in HEAD and modified in fix(OCPBUGS-92034): registry override matching for digest and tag separators.  Version fix(OCPBUGS-92034): registry override matching for digest and tag separators of support/util/registryoverride/registryoverride.go left in tree.
CONFLICT (modify/delete): support/util/registryoverride/registryoverride_test.go deleted in HEAD and modified in fix(OCPBUGS-92034): registry override matching for digest and tag separators.  Version fix(OCPBUGS-92034): registry override matching for digest and tag separators of support/util/registryoverride/registryoverride_test.go left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 fix(OCPBUGS-92034): registry override matching for digest and tag separators


avollmer-redhat added a commit to avollmer-redhat/hypershift that referenced this pull request Jun 30, 2026
… containers

Backports openshift#8509 and openshift#8824 to release-4.22:

1. Add support/util/registryoverride package with strict longest-prefix
   matching that correctly handles digest (@sha256:) and tag (:) separators,
   preventing false substring matches (e.g. "quay.io" matching
   "quay.io.example.com").

2. Fix RegistryMirrorProviderDecorator.Lookup to use registryoverride.Replace
   instead of strings.Replace, eliminating the original substring-match bug.

3. Add imageprovider.NewWithRegistryOverrides to apply registry overrides to
   all component images at provider creation time, ensuring init containers
   (availability-prober) and other CPO sub-resources use overridden images.

4. Wire NewWithRegistryOverrides into the HCP controller reconcile loop so
   the control-plane release image provider applies overrides.

Without this fix, CPO-managed init containers (e.g. availability-prober)
retain original registry references, causing ValidatingAdmissionPolicies in
Deny mode to block HCP creation in environments that restrict image sources.
avollmer-redhat added a commit to avollmer-redhat/hypershift that referenced this pull request Jun 30, 2026
… containers

Backports openshift#8509 and openshift#8824 to release-4.21:

1. Add support/util/registryoverride package with strict longest-prefix
   matching that correctly handles digest (@sha256:) and tag (:) separators,
   preventing false substring matches (e.g. "quay.io" matching
   "quay.io.example.com").

2. Fix RegistryMirrorProviderDecorator.Lookup to use registryoverride.Replace
   instead of strings.Replace, eliminating the original substring-match bug.

3. Add imageprovider.NewWithRegistryOverrides to apply registry overrides to
   all component images at provider creation time, ensuring init containers
   (availability-prober) and other CPO sub-resources use overridden images.

4. Wire NewWithRegistryOverrides into the HCP controller reconcile loop so
   the control-plane release image provider applies overrides.

Without this fix, CPO-managed init containers (e.g. availability-prober)
retain original registry references, causing ValidatingAdmissionPolicies in
Deny mode to block HCP creation in environments that restrict image sources.
avollmer-redhat added a commit to avollmer-redhat/hypershift that referenced this pull request Jun 30, 2026
… containers

Backports openshift#8509 and openshift#8824 to release-4.20:

1. Add support/util/registryoverride package with strict longest-prefix
   matching that correctly handles digest (@sha256:) and tag (:) separators,
   preventing false substring matches (e.g. "quay.io" matching
   "quay.io.example.com").

2. Fix RegistryMirrorProviderDecorator.Lookup to use registryoverride.Replace
   instead of strings.Replace, eliminating the original substring-match bug.

3. Add imageprovider.NewWithRegistryOverrides to apply registry overrides to
   all component images at provider creation time, ensuring init containers
   (availability-prober) and other CPO sub-resources use overridden images.

4. Wire NewWithRegistryOverrides into the HCP controller reconcile loop so
   the control-plane release image provider applies overrides.

Without this fix, CPO-managed init containers (e.g. availability-prober)
retain original registry references, causing ValidatingAdmissionPolicies in
Deny mode to block HCP creation in environments that restrict image sources.
avollmer-redhat added a commit to avollmer-redhat/hypershift that referenced this pull request Jul 1, 2026
…t containers

Combined manual backport of openshift#8509 and openshift#8824 to release-4.21.
Introduces strict longest-prefix registry override matching and
wires overrides into CPO init container image resolution.
avollmer-redhat added a commit to avollmer-redhat/hypershift that referenced this pull request Jul 1, 2026
…t containers

Combined manual backport of openshift#8509 and openshift#8824 to release-4.20.
Introduces strict longest-prefix registry override matching and
wires overrides into CPO init container image resolution.
avollmer-redhat added a commit to avollmer-redhat/hypershift that referenced this pull request Jul 1, 2026
…t containers

Combined manual backport of openshift#8509 and openshift#8824 to release-4.22.
Introduces strict longest-prefix registry override matching and
wires overrides into CPO init container image resolution.
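The strict longest-prefix matching described in the backport commit messages above, written out as an added Go example; this is not the hypershift project's own `registryoverride` code. `Replace`, `matches` and `isSeparator` are hypothetical names, and the override map and image references in `main` are constructed sample inputs. It shows the three behaviours the commits name: `/`, `@` and `:` all count as boundaries after an override key, the longest matching key wins, and a key that is merely a substring (`quay.io` inside `quay.io.example.com`, or a repository name that continues with `-extra`) is rejected.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// isSeparator reports whether c may legally follow an override key inside an
// image reference: "/" (next path component), "@" (digest) or ":" (tag).
// Note that ":" is also the registry port separator, so a registry-level key
// such as "quay.io" will match "quay.io:5000/..." as well.
func isSeparator(c byte) bool {
	return c == '/' || c == '@' || c == ':'
}

// matches reports whether image starts with key at a component boundary:
// either key is the whole reference or the next byte is a separator.
// Plain strings.HasPrefix would accept "quay.io.example.com" for key "quay.io".
func matches(image, key string) bool {
	if !strings.HasPrefix(image, key) {
		return false
	}
	return len(image) == len(key) || isSeparator(image[len(key)])
}

// Replace rewrites image using the longest override key that matches at a
// component boundary, keeping the remainder (path, tag or digest) intact.
// If no key matches, image is returned unchanged. Hypothetical function,
// not the project's API.
func Replace(image string, overrides map[string]string) string {
	keys := make([]string, 0, len(overrides))
	for k := range overrides {
		keys = append(keys, k)
	}
	// Longest key first so a repository-level override beats a registry-level
	// one; ties are broken lexically so the result does not depend on map order.
	sort.Slice(keys, func(i, j int) bool {
		if len(keys[i]) != len(keys[j]) {
			return len(keys[i]) > len(keys[j])
		}
		return keys[i] < keys[j]
	})
	for _, k := range keys {
		if matches(image, k) {
			return overrides[k] + image[len(k):]
		}
	}
	return image
}

func main() {
	// Constructed sample overrides: one repository-level, one registry-level.
	overrides := map[string]string{
		"quay.io/openshift-release-dev/ocp-v4.0-art-dev": "mirror.example.com/art-dev",
		"quay.io": "mirror.example.com",
	}
	// Constructed sample references covering digest, tag, false-positive
	// rejection and no-match cases.
	for _, img := range []string{
		"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:abc123",
		"quay.io/openshift-release-dev/ocp-v4.0-art-dev:latest",
		"quay.io/openshift-release-dev/ocp-v4.0-art-dev-extra@sha256:abc123",
		"quay.io.example.com/foo:1",
		"registry.redhat.io/foo:1",
	} {
		fmt.Printf("%s\n  -> %s\n", img, Replace(img, overrides))
	}
}
```

The deterministic ordering matters for the "stricter, separator-based prefix rules" the PR summary mentions: with `quay.io` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev` both configured, iterating the map directly could rewrite the same image differently from one run to the next.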

Labels: approved, area/control-plane-operator, area/hypershift-operator, jira/valid-bug, jira/valid-reference, lgtm, verified


8 participants