OCPBUGS-94170: fix registry override matching and propagation to init containers #8877
@avollmer-redhat: This pull request references Jira Issue OCPBUGS-94170, which is valid. 7 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker.
|
/label backport-risk-assessed This is a combined manual backport of #8509 + #8824 as requested by @muraee in #8873. Backport risk assessment: Low risk. The changes add a new leaf package ( |
|
/approve |
d62a7b1 to fb88a55
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## release-4.22 #8877 +/- ##
================================================
+ Coverage 35.45% 35.87% +0.42%
================================================
Files 767 775 +8
Lines 93724 94768 +1044
================================================
+ Hits 33226 33996 +770
- Misses 57785 57991 +206
- Partials 2713 2781 +68
|
fb88a55 to 5153904
…t containers Combined manual backport of openshift#8509 and openshift#8824 to release-4.22. Introduces strict longest-prefix registry override matching and wires overrides into CPO init container image resolution.
5153904 to 714067c
raelga
left a comment
Cherry picks two already tested and shipped changes.
/lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: avollmer-redhat, muraee, raelga
|
/retest |
|
/retest |
|
@avollmer-redhat: The following tests failed, say
Summary

Combined manual backport of #8509 and #8824 to `release-4.22`.

The cherry-pick bot could not create this backport automatically because the `support/util/registryoverride/` package does not exist on `release-4.22` (it was introduced on `main` by #8509), causing merge conflicts.

What this fixes

- Registry override substring matching bug (OCPBUGS-85585: tighten registry override matching to strict longest-prefix across release-image consumers #8509): `RegistryMirrorProviderDecorator.Lookup()` used `strings.Replace` which could match substrings inside hostnames (e.g. `quay.io` inside `quay.io.example.com`). Replaced with strict longest-prefix matching via new `registryoverride.Replace()` helper.
- Digest/tag separator handling (OCPBUGS-92034: fix registry override matching for digest and tag separators #8824): The strict matching from OCPBUGS-85585: tighten registry override matching to strict longest-prefix across release-image consumers #8509 only accepted `/` as a valid separator. Repository-level overrides failed to match digest-based references (`repo@sha256:...`). Fixed `matchesPrefix()` to also accept `@` (digest) and `:` (tag, when source contains a path component).
- Init container image override propagation (OCPBUGS-85585: tighten registry override matching to strict longest-prefix across release-image consumers #8509): CPO-managed init containers (e.g. `availability-prober`) were not getting registry overrides applied because `imageprovider.New()` populated component images without running them through override logic. Added `NewWithRegistryOverrides()` and wired it into the HCP controller.

Root cause

Without these fixes, ValidatingAdmissionPolicies in Deny mode block HCP creation because CPO init containers still reference original registries (e.g. `quay.io/redhat-user-workloads/...`) instead of the configured mirror/ACR.

Changes

- `support/util/registryoverride/` package with `Replace()` and comprehensive tests (18 test cases)
- `support/releaseinfo/registry_mirror_provider.go` — use `registryoverride.Replace()` instead of `strings.Replace`
- `control-plane-operator/.../imageprovider/imageprovider.go` — add `NewWithRegistryOverrides()`
- `control-plane-operator/.../hostedcontrolplane_controller.go` — wire `NewWithRegistryOverrides` with registry overrides from the release provider

Test plan

- `registryoverride.Replace` covering boundary matching, longest-prefix, digest/tag separators, false-positive rejection, mutation safety
- `releaseinfo` tests pass
- `imageprovider` tests pass (compilation verified)

Related
/cc @muraee @sjenning @raelga
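
The matching rules listed in the description above (prefix boundary, longest prefix, and the `/`, `@` and `:` separators), shown beside the substring behaviour they replace. This is an added example, not the PR's code: `naiveReplace`, `boundaryOK` and `strictReplace` are hypothetical names, and the override map and `*.example.test` mirror hosts are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveReplace is the substring behaviour described as the bug: src matches anywhere.
func naiveReplace(image, src, dst string) string {
	return strings.Replace(image, src, dst, 1)
}

// boundaryOK reports whether src is a prefix of image that ends at a reference
// boundary: end of string, "/", "@" (digest), or ":" (tag) only when src has a path.
func boundaryOK(image, src string) bool {
	if !strings.HasPrefix(image, src) {
		return false
	}
	switch rest := image[len(src):]; {
	case rest == "", rest[0] == '/', rest[0] == '@':
		return true
	case rest[0] == ':':
		return strings.Contains(src, "/")
	}
	return false
}

// strictReplace rewrites image with the longest source prefix that passes boundaryOK.
func strictReplace(image string, overrides map[string]string) string {
	best := ""
	for src := range overrides {
		if len(src) > len(best) && boundaryOK(image, src) {
			best = src
		}
	}
	if best == "" {
		return image // no override applies; reference is left untouched
	}
	return overrides[best] + image[len(best):]
}

func main() {
	// Constructed overrides: one registry-level, one repository-level.
	ov := map[string]string{"quay.io": "mirror.example.test", "quay.io/org/app": "acr.example.test/app"}
	fmt.Println(naiveReplace("quay.io.example.com/org/app:v1", "quay.io", "mirror.example.test"))
	for _, img := range []string{"quay.io.example.com/org/app:v1", "quay.io/org/app@sha256:abc", "quay.io/other/x"} {
		fmt.Println(img, "=>", strictReplace(img, ov))
	}
}
```
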