Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OPRUN-3566: UPSTREAM: <carry>: Add global-pull-secret flag #75

Merged
merged 1 commit into from
Oct 15, 2024
Merged

OPRUN-3566: UPSTREAM: <carry>: Add global-pull-secret flag #75

merged 1 commit into from
Oct 15, 2024

Conversation

m1kola
Copy link
Member

@m1kola m1kola commented Oct 8, 2024
edited
Loading

Pass global-pull-secret to the manager container.

@openshift-ci-robot
Copy link

openshift-ci-robot commented Oct 8, 2024
edited by openshift-ci bot
Loading

@m1kola: This pull request references OPRUN-3566 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Pass global-pull-secret to the manager container.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 8, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 8, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 8, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 8, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented Oct 8, 2024
edited by openshift-ci bot
Loading

@m1kola: This pull request references OPRUN-3566 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Blocked by upstream sync & needs more work.

Pass global-pull-secret to the manager container.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@m1kola m1kola force-pushed the add-global-pull-secret branch 2 times, most recently from 6ad06bd to a24f239 Compare October 10, 2024 20:40
@m1kola m1kola marked this pull request as ready for review October 10, 2024 20:41
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 10, 2024
@m1kola
Copy link
Member Author

m1kola commented Oct 10, 2024

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 10, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented Oct 10, 2024
edited by openshift-ci bot
Loading

@m1kola: This pull request references OPRUN-3566 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Pass global-pull-secret to the manager container.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@m1kola
Copy link
Member Author

m1kola commented Oct 11, 2024

At this point we have a flag and all the required RBAC, but I think both catalogd and operator-controller need to be built with containers_image_openpgp build tag.

@m1kola
Copy link
Member Author

m1kola commented Oct 11, 2024

Ah, it looks like we do build with containers_image_openpgp already. Something else is off: unpack fails like so:

    conditions:
    - lastTransitionTime: "2024-10-11T08:13:02Z"
      message: 'source catalog content: error copying image: copying system image
        from manifest list: Can not copy signatures to oci:/tmp/oci-layout-redhat-community-operators658406605:registry.redhat.io/redhat/community-operator-index@sha256:907fece168a3753e606a31c9c976ef49153487205e9bce8481ea5c1e0bf7f905:
        Pushing signatures for OCI images is not supported'
      observedGeneration: 1
      reason: Retrying
      status: "True"
      type: Progressing

@m1kola
Copy link
Member Author

m1kola commented Oct 11, 2024

Ok, so it fails because on OCP we have this: /etc/containers/registries.d/registry.redhat.io.yaml:

docker:
     registry.redhat.io:
         sigstore: https://registry.redhat.io/containers/sigstore

With this config in place image copying fails. Now need to figure out how to make it work.

@m1kola
Copy link
Member Author

m1kola commented Oct 11, 2024

With this patch to upstream it works, but not sure if this is a proper solution. Need to dig a bit more on implications of doing this.

diff --git a/internal/source/containers_image.go b/internal/source/containers_image.go
index cf40b62..44458de 100644
--- a/internal/source/containers_image.go
+++ b/internal/source/containers_image.go
@@ -130,7 +130,8 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, catalog *catalogdv
        //
        //////////////////////////////////////////////////////
        if _, err := copy.Image(ctx, policyContext, layoutRef, dockerRef, &copy.Options{
-               SourceCtx: srcCtx,
+               RemoveSignatures: true,
+               SourceCtx:        srcCtx,
        }); err != nil {
                return nil, fmt.Errorf("error copying image: %w", err)
        }

@tmshort
Copy link
Contributor

tmshort commented Oct 11, 2024

Where are we on this @m1kola?

@m1kola
Copy link
Member Author

m1kola commented Oct 11, 2024

@tmshort the latest is in the comments above. Pull secret works, but catalogd (and operator-controller too, I suspect) will fail to unpack images due to this issue.

@m1kola
Copy link
Member Author

m1kola commented Oct 14, 2024

operator-framework/catalogd#431 and operator-framework/operator-controller#1369 should resolve the blocker after syncing downstream.

@m1kola
Copy link
Member Author

m1kola commented Oct 14, 2024

This now (temporary) includes #78. Once #78 merges we will need to rebase on top of main.

@m1kola
UPSTREAM: <carry>: Add global-pull-secret flag
ff6e98e 
Pass global-pull-secret to the manager container.

Signed-off-by: Mikalai Radchuk <mradchuk@redhat.com>
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 14, 2024

@m1kola: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@m1kola m1kola mentioned this pull request Oct 15, 2024
Merged
@m1kola
Copy link
Member Author

m1kola commented Oct 15, 2024

/unhold

Removing hold. I think it is ready to go. See openshift/operator-framework-operator-controller#166 (comment)

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 15, 2024
anik120
anik120 approved these changes Oct 15, 2024
View reviewed changes
Copy link
Contributor

@anik120 anik120 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 15, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 15, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anik120, m1kola

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 7b54785 into openshift:main Oct 15, 2024
7 checks passed
@m1kola m1kola deleted the add-global-pull-secret branch October 15, 2024 12:01
@openshift-bot
Copy link

[ART PR BUILD NOTIFIER]

Distgit: ose-olm-catalogd
This PR has been included in build ose-olm-catalogd-container-v4.18.0-202410151242.p0.g7b54785.assembly.stream.el9.
All builds following this will include this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anik120 anik120 anik120 approved these changes

@ankitathomas ankitathomas Awaiting requested review from ankitathomas

@dtfranz dtfranz Awaiting requested review from dtfranz

Assignees

@anik120 anik120

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@m1kola @openshift-ci-robot @tmshort @openshift-bot @anik120