Merge pull request #5560 from pablintino/ocpbugs-71238

OCPBUGS-71238: Consider image mirrors for OSImageStream fetching

Author: sdodson

cmd/machine-config-operator/start.go

@@ -92,6 +92,9 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 			ctrlctx.KubeInformerFactory.Core().V1().Nodes(),
 			ctrlctx.KubeMAOSharedInformer.Core().V1().Secrets(),
 			ctrlctx.ConfigInformerFactory.Config().V1().Images(),
+			ctrlctx.ConfigInformerFactory.Config().V1().ImageDigestMirrorSets(),
+			ctrlctx.ConfigInformerFactory.Config().V1().ImageTagMirrorSets(),
+			ctrlctx.OperatorInformerFactory.Operator().V1alpha1().ImageContentSourcePolicies(),
 			ctrlctx.KubeNamespacedInformerFactory.Core().V1().ServiceAccounts(),
 			ctrlctx.KubeNamespacedInformerFactory.Core().V1().Secrets(),
 			ctrlctx.OpenShiftConfigKubeNamespacedInformerFactory.Core().V1().ConfigMaps(),

pkg/controller/bootstrap/bootstrap.go

@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/openshift/machine-config-operator/pkg/imageutils"
 	"github.com/openshift/machine-config-operator/pkg/osimagestream"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -220,33 +221,19 @@ func (b *Bootstrap) Run(destDir string) error {
 	var osImageStream *mcfgv1alpha1.OSImageStream
 	// Enable OSImageStreams if the FeatureGate is active and the deployment is not OKD
 	if osimagestream.IsFeatureEnabled(fgHandler) {
-		ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-		defer cancel()
-
-		osImageStream, err = osimagestream.BuildOsImageStreamBootstrap(ctx,
-			pullSecret,
-			cconfig,
-			imageStream,
-			&osimagestream.OSImageTuple{
-				OSImage:           cconfig.Spec.BaseOSContainerImage,
-				OSExtensionsImage: cconfig.Spec.BaseOSExtensionsContainerImage,
-			},
-			osimagestream.NewDefaultStreamSourceFactory(nil, &osimagestream.DefaultImagesInspectorFactory{}),
-		)
+		osImageStream, err = b.fetchOSImageStream(imageStream, cconfig, icspRules, idmsRules, itmsRules, imgCfg, pullSecret)
 		if err != nil {
-			return fmt.Errorf("error inspecting available OSImageStreams: %w", err)
+			return err
 		}
 
-		// If no error happened override the ControllerConfig URLs with the default stream ones
-		if err == nil {
-			defaultStreamSet, err := osimagestream.GetOSImageStreamSetByName(osImageStream, "")
-			if err != nil {
-				// Should never happen
-				return fmt.Errorf("error getting default OSImageStreamSet: %w", err)
-			}
-			cconfig.Spec.BaseOSContainerImage = string(defaultStreamSet.OSImage)
-			cconfig.Spec.BaseOSExtensionsContainerImage = string(defaultStreamSet.OSExtensionsImage)
+		// Override the ControllerConfig URLs with the default stream ones
+		defaultStreamSet, err := osimagestream.GetOSImageStreamSetByName(osImageStream, "")
+		if err != nil {
+			// Should never happen
+			return fmt.Errorf("error getting default OSImageStreamSet: %w", err)
 		}
+		cconfig.Spec.BaseOSContainerImage = string(defaultStreamSet.OSImage)
+		cconfig.Spec.BaseOSExtensionsContainerImage = string(defaultStreamSet.OSExtensionsImage)
 	}
 
 	pullSecretBytes := pullSecret.Data[corev1.DockerConfigJsonKey]
@@ -416,6 +403,46 @@ func (b *Bootstrap) Run(destDir string) error {
 
 }
 
+func (b *Bootstrap) fetchOSImageStream(
+	imageStream *imagev1.ImageStream,
+	cconfig *mcfgv1.ControllerConfig,
+	icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy,
+	idmsRules []*apicfgv1.ImageDigestMirrorSet,
+	itmsRules []*apicfgv1.ImageTagMirrorSet,
+	imgCfg *apicfgv1.Image,
+	pullSecret *corev1.Secret,
+) (*mcfgv1alpha1.OSImageStream, error) {
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	sysCtxBuilder := imageutils.NewSysContextBuilder().
+		WithControllerConfig(cconfig).
+		WithSecret(pullSecret)
+
+	registriesConfig, err := imageutils.GenerateRegistriesConfig(imgCfg, icspRules, idmsRules, itmsRules)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate registries config for OSImageStreams fetching: %w", err)
+	}
+	if registriesConfig != nil {
+		sysCtxBuilder.WithRegistriesConfig(registriesConfig)
+	}
+
+	osImageStream, err := osimagestream.BuildOsImageStreamBootstrap(ctx,
+		sysCtxBuilder,
+		imageStream,
+		&osimagestream.OSImageTuple{
+			OSImage:           cconfig.Spec.BaseOSContainerImage,
+			OSExtensionsImage: cconfig.Spec.BaseOSExtensionsContainerImage,
+		},
+		osimagestream.NewDefaultStreamSourceFactory(nil, &osimagestream.DefaultImagesInspectorFactory{}),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("error inspecting available OSImageStreams: %w", err)
+	}
+	return osImageStream, nil
+}
+
 func getValidPullSecretFromBytes(sData []byte) (*corev1.Secret, error) {
 	obji, err := runtime.Decode(kscheme.Codecs.UniversalDecoder(corev1.SchemeGroupVersion), sData)
 	if err != nil {

pkg/controller/build/imagepruner/imagepruner.go

@@ -38,7 +38,7 @@ func NewImagePruner() ImagePruner {
 // InspectImage inspects the given image using the provided secret. It also accepts a
 // ControllerConfig so that certificates may be placed on the filesystem for authentication.
 func (i *imagePrunerImpl) InspectImage(ctx context.Context, pullspec string, secret *corev1.Secret, cc *mcfgv1.ControllerConfig) (*types.ImageInspectInfo, *digest.Digest, error) {
-	sysCtx, err := imageutils.NewSysContextFromControllerConfig(secret, cc)
+	sysCtx, err := imageutils.NewSysContextBuilder().WithSecret(secret).WithControllerConfig(cc).Build()
 	if err != nil {
 		return nil, nil, fmt.Errorf("could not prepare for image inspection: %w", err)
 	}
@@ -60,7 +60,7 @@ func (i *imagePrunerImpl) InspectImage(ctx context.Context, pullspec string, sec
 // DeleteImage deletes the given image using the provided secret. It also accepts a
 // ControllerConfig so that certificates may be placed on the filesystem for authentication.
 func (i *imagePrunerImpl) DeleteImage(ctx context.Context, pullspec string, secret *corev1.Secret, cc *mcfgv1.ControllerConfig) error {
-	sysCtx, err := imageutils.NewSysContextFromControllerConfig(secret, cc)
+	sysCtx, err := imageutils.NewSysContextBuilder().WithSecret(secret).WithControllerConfig(cc).Build()
 	if err != nil {
 		return fmt.Errorf("could not prepare for image deletion: %w", err)
 	}

pkg/imageutils/registries.go

@@ -0,0 +1,35 @@
+package imageutils
+
+import (
+	"github.com/containers/image/v5/pkg/sysregistriesv2"
+	apicfgv1 "github.com/openshift/api/config/v1"
+	configv1 "github.com/openshift/api/config/v1"
+	apioperatorsv1alpha1 "github.com/openshift/api/operator/v1alpha1"
+	"github.com/openshift/runtime-utils/pkg/registries"
+)
+
+// GenerateRegistriesConfig builds a container runtime registries configuration by consolidating
+// cluster image policies, registry mirrors (ICSP/IDMS/ITMS), and registry access controls.
+func GenerateRegistriesConfig(
+	image *configv1.Image,
+	icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy,
+	idmsRules []*apicfgv1.ImageDigestMirrorSet,
+	itmsRules []*apicfgv1.ImageTagMirrorSet) (*sysregistriesv2.V2RegistriesConf, error) {
+
+	// TODO: Consume this values from templates
+	// Tracked by https://issues.redhat.com/browse/MCO-2060
+	tomlConf := &sysregistriesv2.V2RegistriesConf{
+		UnqualifiedSearchRegistries: []string{"registry.access.redhat.com", "docker.io"},
+	}
+
+	var insecureScopes []string
+	var blockedScopes []string
+	if image != nil {
+		insecureScopes = image.Spec.RegistrySources.InsecureRegistries
+		blockedScopes = image.Spec.RegistrySources.BlockedRegistries
+	}
+	if err := registries.EditRegistriesConfig(tomlConf, insecureScopes, blockedScopes, icspRules, idmsRules, itmsRules); err != nil {
+		return nil, err
+	}
+	return tomlConf, nil
+}