[release-4.22] OCPBUGS-94170: tighten registry override matching to strict longest-prefix across release-image consumers#8873

Closed
openshift-cherrypick-robot wants to merge 6 commits into
openshift:release-4.22from
openshift-cherrypick-robot:cherry-pick-8509-to-release-4.22
Conversation

@openshift-cherrypick-robot

This is an automated cherry-pick of #8509

/assign avollmer-redhat

/cherrypick release-4.21 release-4.20

raelga and others added 6 commits June 30, 2026 15:01
When CPO creates sub-resources (e.g. capi-provider deployments), it
injects init containers like availability-prober using image references
from the release image. These references were not being remapped by
--registry-overrides, causing the init containers to reference the
original registry (e.g. quay.io) instead of the override target.

Add NewWithRegistryOverrides to the imageprovider package that clones
the component images map and applies registry overrides using safe
prefix matching (source+"/") to prevent subdomain false matches. Use
it when creating the releaseImageProvider in the HostedControlPlane
reconciler.

Bug: https://redhat.atlassian.net/browse/OCPBUGS-85585
…refix matching

Introduce a shared helper that applies a map of registry-prefix overrides
to an image reference using strict matching semantics:

  * An override matches only on exact equality with the source key or on a
    "/"-boundary prefix. Bare substring matches (e.g. an override for
    "quay.io" against "quay.io.example.com/...") are no longer possible.
  * When several override keys match the same image, the longest key wins.
    This makes the result deterministic regardless of map iteration order
    and lets callers express both broad ("quay.io") and narrow
    ("quay.io/openshift-release-dev") overrides simultaneously.
  * Empty source keys are skipped defensively.
  * On no match, the image is returned unchanged.

The helper lives in a leaf subpackage of support/util so it can be consumed
from support/releaseinfo (which support/util itself imports). Follow-up
commits will wire it into RegistryMirrorProviderDecorator and
SimpleReleaseImageProvider, replacing two slightly different ad-hoc
implementations of the same logic.

Related: OCPBUGS-85585

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…tryMirrorProviderDecorator

Replace the bare strings.Replace(image, source, dest, 1) loop, which was
the root cause of OCPBUGS-85585, with the shared registryoverride.Replace
helper.

The previous implementation had three latent issues:

  1. Substring matching: an override for "quay.io" would also replace the
     prefix of "quay.io.example.com/..." or "quay.io-mirror/..." -- any
     string containing "quay.io" anywhere in its image path.
  2. No slash-boundary check: the same false-positive class affected
     narrower keys like "quay.io/openshift" against
     "quay.io/openshift-release-dev/...".
  3. Non-deterministic iteration: every key in RegistryOverrides was
     applied in arbitrary map iteration order, so with overlapping keys
     two runs of CPO could end up with different image references.

The shared helper applies strict matching (exact or "/"-boundary prefix),
picks the longest matching key deterministically, and skips empty source
keys defensively. Behaviour is unchanged for the common case of a single,
non-overlapping override registered against a clean image reference.

Related: OCPBUGS-85585

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… shared helper

Three small refactors that align this provider with the decorator change
in the previous commit and address review feedback on openshift#8509:

  * New() now delegates to NewWithRegistryOverrides(releaseImage, nil)
    instead of duplicating the field initialisation. registryoverride.Replace
    is a no-op for a nil override map, so callers of New() see exactly the
    same component images as before.
  * NewWithRegistryOverrides() uses maps.Clone (Go 1.25+, already required
    by go.mod) to copy ComponentImages() and registryoverride.Replace to
    remap each image. The inline duplicate-detection loop is gone.
  * The matching semantics now match RegistryMirrorProviderDecorator:
    strict slash-boundary prefix matching with longest-prefix-wins, instead
    of first-match-in-map-iteration-order.

As a small defensive bonus, New() now also returns a SimpleReleaseImageProvider
that owns a private copy of ComponentImages(), rather than aliasing the
map embedded in the ReleaseImage.

Related: OCPBUGS-85585

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…gistry overrides

Cover the two properties highlighted in review feedback on openshift#8509:

  * NewWithRegistryOverrides must not mutate either its overrides argument
    or the source release image's ComponentImages map. This is the contract
    that lets multiple callers share the same release image and overrides
    map without surprises.
  * Applying the same overrides twice must be a no-op (idempotency).
    Regressions here would manifest as compounding rewrites, e.g.
    mirror.example.com/quay-cache/mirror.example.com/quay-cache/...

Also adds a focused longest-prefix-wins assertion at this layer (the
shared helper already has full coverage for the matching algorithm, but
exercising it through the imageprovider keeps the layers honest).

Related: OCPBUGS-85585

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ntroller tests

Flip the two registry-override mocks added by the previous commits from
map[string]string{} to a non-empty override so the full Reconcile path
actually walks the override-application logic at
hostedcontrolplane_controller.go:1106 (and the related propagation through
configoperatorv2.NewComponent and the ignitionserver --registry-overrides
flag).

The release image fixture has no images matching the override key, so the
existing semantic assertions of these tests are unchanged: this is purely
added coverage of the override code path through reconcile, matching the
convention already used at lines 176 and 1040 of the same file. Addresses
review feedback on openshift#8509.

Related: OCPBUGS-85585

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
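The commit messages above describe the matching rules of the shared helper (exact or "/"-boundary prefix, longest key wins, empty keys skipped, unchanged on no match) and the no-mutation and idempotency properties the tests commit covers. The Go program below is an added illustration of those semantics and is not the project's own registryoverride package; the function names Replace and LegacyReplace, the mirror hostnames and the sample image references are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Replace applies registry-prefix overrides with strict semantics: a key
// matches only on exact equality or on a "/"-boundary prefix, the longest
// matching key wins, empty keys are skipped, and no match returns the input.
// Added example, not the project's registryoverride.Replace.
func Replace(image string, overrides map[string]string) string {
	bestKey, bestDest := "", ""
	for src, dest := range overrides {
		if src == "" {
			continue // defensive: an empty key would otherwise match everything
		}
		if image != src && !strings.HasPrefix(image, src+"/") {
			continue // "quay.io" must not match "quay.io.example.com/..."
		}
		if len(src) > len(bestKey) {
			bestKey, bestDest = src, dest // longest key wins, independent of map order
		}
	}
	if bestKey == "" {
		return image
	}
	return bestDest + strings.TrimPrefix(image, bestKey)
}

// LegacyReplace reproduces the bare strings.Replace loop the decorator commit
// names as the root cause: unanchored substring replacement in map order.
func LegacyReplace(image string, overrides map[string]string) string {
	for src, dest := range overrides {
		image = strings.Replace(image, src, dest, 1)
	}
	return image
}

func main() {
	// Constructed sample: a broad and a narrow override for the same registry.
	ov := map[string]string{"quay.io": "mirror.example.com/quay", "quay.io/openshift-release-dev": "mirror.example.com/ocp"}
	for _, img := range []string{"quay.io/openshift-release-dev/ocp-release@sha256:0123", "quay.io.example.com/team/img:v1"} {
		fmt.Printf("%s\n  strict: %s\n  legacy: %s\n", img, Replace(img, ov), LegacyReplace(img, ov))
	}
}
```

Running it shows the legacy loop rewriting the unrelated registry quay.io.example.com, and, with both overlapping keys present, its result for the first image depending on map iteration order, which is exactly the non-determinism the decorator commit describes.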
@openshift-merge-bot


Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai

coderabbitai Bot commented Jun 30, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e4d283d4-94d0-49f2-abee-31b7e193be4c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from enxebre and sjenning June 30, 2026 15:02
@openshift-ci openshift-ci Bot added the area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release label Jun 30, 2026
@openshift-ci

openshift-ci Bot commented Jun 30, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-cherrypick-robot
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release and removed do-not-merge/needs-area labels Jun 30, 2026
@openshift-ci-robot


@openshift-cherrypick-robot: Jira Issue OCPBUGS-85585 has been cloned as Jira Issue OCPBUGS-94170. Will retitle bug to link to clone.
/retitle [release-4.22] OCPBUGS-94170: tighten registry override matching to strict longest-prefix across release-image consumers


In response to this:

This is an automated cherry-pick of #8509

/assign avollmer-redhat

/cherrypick release-4.21 release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot changed the title [release-4.22] OCPBUGS-85585: tighten registry override matching to strict longest-prefix across release-image consumers [release-4.22] OCPBUGS-94170: tighten registry override matching to strict longest-prefix across release-image consumers Jun 30, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 30, 2026
@openshift-ci-robot


@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-94170, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


In response to this:

This is an automated cherry-pick of #8509

/assign avollmer-redhat

/cherrypick release-4.21 release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jun 30, 2026
@openshift-ci

openshift-ci Bot commented Jun 30, 2026


@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@codecov

codecov Bot commented Jun 30, 2026


Codecov Report

❌ Patch coverage is 93.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 35.80%. Comparing base (491d5ec) to head (a5b0104).

Files with missing lines                                 Patch %   Lines
.../hostedcontrolplane/imageprovider/imageprovider.go    90.90%    1 Missing ⚠️
support/releaseinfo/registry_mirror_provider.go          0.00%     1 Missing ⚠️
Additional details and impacted files
@@               Coverage Diff                @@
##           release-4.22    #8873      +/-   ##
================================================
+ Coverage         35.78%   35.80%   +0.02%     
================================================
  Files               774      775       +1     
  Lines             94734    94756      +22     
================================================
+ Hits              33904    33931      +27     
+ Misses            58065    58060       -5     
  Partials           2765     2765              
Files with missing lines                                 Coverage  Δ
...ostedcontrolplane/hostedcontrolplane_controller.go    36.78%    <100.00%> (ø)
support/util/registryoverride/registryoverride.go        100.00%   <100.00%> (ø)
.../hostedcontrolplane/imageprovider/imageprovider.go    93.33%    <90.90%> (+18.33%) ⬆️
support/releaseinfo/registry_mirror_provider.go          45.45%    <0.00%> (+1.97%) ⬆️

@muraee

muraee commented Jun 30, 2026


/close
@avollmer-redhat please reopen a manual backport that includes the fix #8824

@openshift-ci openshift-ci Bot closed this Jun 30, 2026
@openshift-ci-robot


@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-94170. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.


In response to this:

This is an automated cherry-pick of #8509

/assign avollmer-redhat

/cherrypick release-4.21 release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jun 30, 2026


@muraee: Closed this PR.


In response to this:

/close
@avollmer-redhat please reopen a manual backport that includes the fix #8824

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@avollmer-redhat


/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jun 30, 2026
@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jun 30, 2026
@openshift-ci-robot


@avollmer-redhat: This pull request references Jira Issue OCPBUGS-94170, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-85585 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
  • dependent Jira Issue OCPBUGS-85585 targets the "5.0.0" version, which is one of the valid target versions: 5.0.0
  • bug has dependents

The bug has been updated to refer to the pull request using the external bug tracker.


In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@avollmer-redhat


@muraee Done — here are the combined manual backports of #8509 + #8824 for all three release branches:

All three include the strict longest-prefix matching fix (#8509) and the digest/tag separator fix (#8824), plus the init container override propagation in CPO. CI is running; reviews welcome when you get a chance.
