pkg/payload/render: Include release image (Cluster)ImagePolicy

Address [1], where a ClusterImagePolicy manifest from the
cluster-update-keys repository was not part of the bootstrap-rendered
MachineConfigs, but was part of the production MachineConfigs.  That
kind of skew causes trouble for the machine-config operator, as in
this run [2]:

  $ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-api-provider-aws/519/pull-ci-openshift-cluster-api-provider-aws-master-e2e-aws-ovn-techpreview/1818614625273384960/artifacts/e2e-aws-ovn-techpreview/gather-extra/artifacts/machineconfigpools.json | jq -r '.items[0].status.conditions[] | select(.type == "NodeDegraded").message'
  Node ip-10-0-107-110.us-east-2.compute.internal is reporting: "missing MachineConfig rendered-master-f78e8c7637cfbc6ca42f0f102eaef4e7\nmachineconfig.machineconfiguration.openshift.io \"rendered-master-f78e8c7637cfbc6ca42f0f102eaef4e7\" not found", Node ip-10-0-20-34.us-east-2.compute.internal is reporting: "missing MachineConfig rendered-master-f78e8c7637cfbc6ca42f0f102eaef4e7\nmachineconfig.machineconfiguration.openshift.io \"rendered-master-f78e8c7637cfbc6ca42f0f102eaef4e7\" not found", Node ip-10-0-47-251.us-east-2.compute.internal is reporting: "missing MachineConfig rendered-master-f78e8c7637cfbc6ca42f0f102eaef4e7\nmachineconfig.machineconfiguration.openshift.io \"rendered-master-f78e8c7637cfbc6ca42f0f102eaef4e7\" not found"

To address that, this commit renders any ClusterImagePolicy and
ImagePolicy manifests from the release image into the output manifests
directory.  From there:

1. The installer's bootkube service puts the manifest into the central
   manifests directory [3]:

     cp cvo-bootstrap/manifests/* manifests/

2. The installer's bootkube service puts the manifest into into the
   machine-config controller's manifest directory [4]:

     cp manifests/* /etc/mcc/bootstrap/

3. The MCO renders a static MCO bootstrap pod YAML file with
   --manifest-dir=/etc/mcc/bootstrap/ [5] to configure a manifestDir
   variable.

4. The installer's bootkube service passes the rendered static MCO
   bootstrap pod to the kubelet [6]:

     cp mco-bootstrap/bootstrap/machineconfigoperator-bootstrap-pod.yaml /etc/kubernetes/manifests/

5. The bootstrap MCO static pod pulls in the ClusterImagePolicy
   manifest while walking manifestDir [7].

6. The bootstrap MCO static pod includes feature-gate status and any
   collected ClusterImagePolicy manifest when rendering bootstrap
   MachineConfigs [8].

My implementation uses group/kind tuples to figure out what needs
rendering, because that is robust against things like manifest renames
or other release-image-referenced repositories providing their own
manifests (using manifest names in skipFiles is ok, because all the
manifests we skip that way are from our own repository, where we
control naming).

We could extend this to other manifest types that the MCO consumes
when rendering MachineConfigs (MachineConfig itself, KubeletConfig,
etc.), but I'm leaving those out for now in the optimistic hope that
nobody ever needs the CVO to manage those resources.

The vendor/ bumps are via:

  $ go mod vendor

with:

  $ go version
  go version go1.22.2 linux/amd64

to hopefully address [9]:

  pkg/payload/render.go:11:2: cannot find module providing package github.com/openshift/api/config: import lookup disabled by -mod=vendor

now that we're a direct consumer of that particular package.

[1]: https://issues.redhat.com/browse/OCPBUGS-37770
[2]: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-api-provider-aws/519/pull-ci-openshift-cluster-api-provider-aws-master-e2e-aws-ovn-techpreview/1818614625273384960
[3]: https://github.com/openshift/installer/blob/e9c454889b638a9af3e1203d0585c756f8cf0136/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L165
[4]: https://github.com/openshift/installer/blob/e9c454889b638a9af3e1203d0585c756f8cf0136/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L431
[5]: https://github.com/openshift/machine-config-operator/blob/d72d2ed139de8f8d3c60c411b4741045edde2a34/manifests/bootstrap-pod-v2.yaml#L15
[6]: https://github.com/openshift/installer/blob/e9c454889b638a9af3e1203d0585c756f8cf0136/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L433
[7]: https://github.com/openshift/machine-config-operator/blob/d72d2ed139de8f8d3c60c411b4741045edde2a34/pkg/controller/bootstrap/bootstrap.go#L100-L142
[8]: https://github.com/openshift/machine-config-operator/blob/d72d2ed139de8f8d3c60c411b4741045edde2a34/pkg/controller/bootstrap/bootstrap.go#L183
[9]: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-version-operator/1076/pull-ci-openshift-cluster-version-operator-master-images/1818752166689509376#1:build-log.txt%3A77

Author: wking

pkg/payload/payload.go

@@ -169,9 +169,7 @@ func LoadUpdate(dir, releaseImage, excludeIdentifier string, requiredFeatureSet
 				continue
 			}
 
-			switch filepath.Ext(file.Name()) {
-			case ".yaml", ".yml", ".json":
-			default:
+			if !hasManifestExtension(file.Name()) {
 				continue
 			}
 
@@ -437,3 +435,12 @@ func loadImageReferences(releaseDir string) (*imagev1.ImageStream, error) {
 	}
 	return nil, fmt.Errorf("%s is a %T, not a v1 ImageStream", imageReferencesFile, imageRefObj)
 }
+
+func hasManifestExtension(filename string) bool {
+	switch filepath.Ext(filename) {
+	case ".yaml", ".yml", ".json":
+		return true
+	default:
+		return false
+	}
+}

pkg/payload/render.go

@@ -8,19 +8,22 @@ import (
 	"strings"
 	"text/template"
 
+	"github.com/openshift/api/config"
+	"github.com/openshift/library-go/pkg/manifest"
 	"github.com/pkg/errors"
-
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 // Render renders critical manifests from /manifests to outputDir.
 func Render(outputDir, releaseImage, clusterProfile string) error {
 	var (
-		manifestsDir  = filepath.Join(DefaultPayloadDir, CVOManifestDir)
-		oManifestsDir = filepath.Join(outputDir, "manifests")
-		bootstrapDir  = "/bootstrap"
-		oBootstrapDir = filepath.Join(outputDir, "bootstrap")
+		manifestsDir        = filepath.Join(DefaultPayloadDir, CVOManifestDir)
+		releaseManifestsDir = filepath.Join(DefaultPayloadDir, ReleaseManifestDir)
+		oManifestsDir       = filepath.Join(outputDir, "manifests")
+		bootstrapDir        = "/bootstrap"
+		oBootstrapDir       = filepath.Join(outputDir, "bootstrap")
 
 		renderConfig = manifestRenderConfig{
 			ReleaseImage:   releaseImage,
@@ -29,26 +32,36 @@ func Render(outputDir, releaseImage, clusterProfile string) error {
 	)
 
 	tasks := []struct {
-		idir      string
-		odir      string
-		skipFiles sets.Set[string]
+		idir            string
+		odir            string
+		processTemplate bool
+		skipFiles       sets.Set[string]
+		filterGroupKind sets.Set[schema.GroupKind]
 	}{{
-		idir: manifestsDir,
-		odir: oManifestsDir,
+		idir:            manifestsDir,
+		odir:            oManifestsDir,
+		processTemplate: true,
 		skipFiles: sets.New[string](
-			"image-references",
 			"0000_90_cluster-version-operator_00_prometheusrole.yaml",
 			"0000_90_cluster-version-operator_01_prometheusrolebinding.yaml",
 			"0000_90_cluster-version-operator_02_servicemonitor.yaml",
 		),
 	}, {
-		idir:      bootstrapDir,
-		odir:      oBootstrapDir,
-		skipFiles: sets.Set[string]{},
+		idir: releaseManifestsDir,
+		odir: oManifestsDir,
+		filterGroupKind: sets.New[schema.GroupKind](
+			schema.GroupKind{Group: config.GroupName, Kind: "ClusterImagePolicy"},
+			schema.GroupKind{Group: config.GroupName, Kind: "ImagePolicy"},
+		),
+	}, {
+		idir:            bootstrapDir,
+		odir:            oBootstrapDir,
+		processTemplate: true,
+		skipFiles:       sets.Set[string]{},
 	}}
 	var errs []error
 	for _, task := range tasks {
-		if err := renderDir(renderConfig, task.idir, task.odir, task.skipFiles); err != nil {
+		if err := renderDir(renderConfig, task.idir, task.odir, task.processTemplate, task.skipFiles, task.filterGroupKind); err != nil {
 			errs = append(errs, err)
 		}
 	}
@@ -60,7 +73,7 @@ func Render(outputDir, releaseImage, clusterProfile string) error {
 	return nil
 }
 
-func renderDir(renderConfig manifestRenderConfig, idir, odir string, skipFiles sets.Set[string]) error {
+func renderDir(renderConfig manifestRenderConfig, idir, odir string, processTemplate bool, skipFiles sets.Set[string], filterGroupKind sets.Set[schema.GroupKind]) error {
 	if err := os.MkdirAll(odir, 0666); err != nil {
 		return err
 	}
@@ -73,6 +86,10 @@ func renderDir(renderConfig manifestRenderConfig, idir, odir string, skipFiles s
 		if file.IsDir() {
 			continue
 		}
+		if !hasManifestExtension(file.Name()) {
+			continue
+		}
+
 		if skipFiles.Has(file.Name()) {
 			continue
 		}
@@ -90,10 +107,40 @@ func renderDir(renderConfig manifestRenderConfig, idir, odir string, skipFiles s
 			continue
 		}
 
-		rraw, err := renderManifest(renderConfig, iraw)
-		if err != nil {
-			errs = append(errs, err)
-			continue
+		var rraw []byte
+		if processTemplate {
+			rraw, err = renderManifest(renderConfig, iraw)
+			if err != nil {
+				errs = append(errs, fmt.Errorf("render template %s from %s: %w", file.Name(), idir, err))
+				continue
+			}
+		} else {
+			rraw = iraw
+		}
+
+		if len(filterGroupKind) > 0 {
+			manifests, err := manifest.ParseManifests(bytes.NewReader(rraw))
+			if err != nil {
+				errs = append(errs, fmt.Errorf("parse manifest %s from %s: %w", file.Name(), idir, err))
+				continue
+			}
+
+			filteredManifests := make([]string, 0, len(manifests))
+			for _, manifest := range manifests {
+				if filterGroupKind.Has(manifest.GVK.GroupKind()) {
+					filteredManifests = append(filteredManifests, string(manifest.Raw))
+				}
+			}
+
+			if len(filteredManifests) == 0 {
+				continue
+			}
+
+			if len(filteredManifests) == 1 {
+				rraw = []byte(filteredManifests[0])
+			} else {
+				rraw = []byte(strings.Join(filteredManifests, "\n---\n"))
+			}
 		}
 
 		opath := filepath.Join(odir, file.Name())

vendor/github.com/openshift/api/config/.codegen.yaml

@@ -106,6 +106,7 @@ github.com/munnerz/goautoneg
 github.com/mwitkow/go-conntrack
 # github.com/openshift/api v0.0.0-20240709002213-329ea3755649
 ## explicit; go 1.22.0
+github.com/openshift/api/config
 github.com/openshift/api/config/v1
 github.com/openshift/api/config/v1/zz_generated.crd-manifests
 github.com/openshift/api/config/v1alpha1