[release-4.20] OCPBUGS-94180: fix registry override matching and propagation to init containers (#8880)
@avollmer-redhat: This pull request references Jira Issue OCPBUGS-94180, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/label backport-risk-assessed
Pipeline controller notification: For optional jobs, comment
This repository is configured in: LGTM mode
@avollmer-redhat: The label(s)
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/area control-plane-operator
/jira refresh
@avollmer-redhat: This pull request references Jira Issue OCPBUGS-94180, which is invalid:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/jira refresh
/jira refresh
…t containers Combined manual backport of openshift#8509 and openshift#8824 to release-4.20. Introduces strict longest-prefix registry override matching and wires overrides into CPO init container image resolution.
/jira refresh
raelga left a comment:
Cherry picks two already tested and shipped changes.
/lgtm
/retest
Pipeline controller notification: No second-stage tests were triggered for this PR. This can happen when:
Use
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: avollmer-redhat, raelga
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@avollmer-redhat: The following tests failed, say
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Summary

Combined manual backport of #8509 and #8824 to release-4.20.

The cherry-pick bot could not create this backport automatically because the support/util/registryoverride/ package does not exist on release-4.20 (it was introduced on main by #8509), causing merge conflicts.

What this fixes

- Registry override substring matching bug (#8509: OCPBUGS-85585: tighten registry override matching to strict longest-prefix across release-image consumers): RegistryMirrorProviderDecorator.Lookup() used strings.Replace, which could match substrings inside hostnames (e.g. quay.io inside quay.io.example.com). Replaced with strict longest-prefix matching via the new registryoverride.Replace() helper.
- Digest/tag separator handling (#8824: OCPBUGS-92034: fix registry override matching for digest and tag separators): The strict matching from #8509 (OCPBUGS-85585) only accepted / as a valid separator. Repository-level overrides failed to match digest-based references (repo@sha256:...). Fixed matchesPrefix() to also accept @ (digest) and : (tag, when source contains a path component).
- Init container image override propagation (#8509: OCPBUGS-85585): CPO-managed init containers (e.g. availability-prober) were not getting registry overrides applied because imageprovider.New() populated component images without running them through override logic. Added NewWithRegistryOverrides() and wired it into the HCP controller.

Root cause

Without these fixes, ValidatingAdmissionPolicies in Deny mode block HCP creation because CPO init containers still reference original registries (e.g. quay.io/redhat-user-workloads/...) instead of the configured mirror/ACR.

Changes

- support/util/registryoverride/ package with Replace() and comprehensive tests (18 test cases)
- support/releaseinfo/registry_mirror_provider.go: use registryoverride.Replace() instead of strings.Replace
- control-plane-operator/.../imageprovider/imageprovider.go: add NewWithRegistryOverrides()
- control-plane-operator/.../hostedcontrolplane_controller.go: wire NewWithRegistryOverrides with registry overrides from the release provider

Test plan

- registryoverride.Replace covering boundary matching, longest-prefix, digest/tag separators, false-positive rejection, mutation safety
- releaseinfo tests pass
- imageprovider tests pass (compilation verified)

Related

/cc @muraee @sjenning @raelga
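The matching rule the description above lays out (strict longest-prefix, with `/`, `@`, and `:`-after-a-path as the only accepted separators), as an added Go example that is not the project's registryoverride package: the function names `matchesPrefix` and `Replace` follow the PR text, and the override map and image references are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// matchesPrefix reports whether image begins with source at a registry/repo
// boundary. A bare string prefix is not enough: "quay.io" must not match
// "quay.io.example.com/foo", which is the substring bug the PR describes.
func matchesPrefix(image, source string) bool {
	if !strings.HasPrefix(image, source) {
		return false
	}
	if len(image) == len(source) {
		return true // exact match
	}
	switch image[len(source)] {
	case '/', '@': // a path component or a digest follows
		return true
	case ':':
		// A tag may follow only when source already names a repository path;
		// after a bare host, ':' introduces a port (quay.io:5000), not a tag.
		return strings.Contains(source, "/")
	}
	return false
}

// Replace rewrites image using the longest override key that matches at a
// boundary; unmatched images are returned unchanged. overrides is only read.
func Replace(image string, overrides map[string]string) string {
	best := ""
	for src := range overrides {
		if matchesPrefix(image, src) && len(src) > len(best) {
			best = src
		}
	}
	if best == "" {
		return image
	}
	return overrides[best] + image[len(best):]
}

func main() {
	// Constructed sample overrides and image references, not values from the PR.
	overrides := map[string]string{"quay.io": "mirror.example.com/quay", "quay.io/openshift": "mirror.example.com/ocp"}
	for _, img := range []string{"quay.io/openshift/release@sha256:0123abcd", "quay.io.example.com/foo:latest", "quay.io:5000/foo"} {
		fmt.Printf("%s -> %s\n", img, Replace(img, overrides))
	}
}
```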