OPRUN-3566: UPSTREAM: <carry>: Add global-pull-secret flag

[m1kola]

Pass global-pull-secret to the manager container.

[openshift-ci-robot]

@m1kola: This pull request references OPRUN-3566 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Pass global-pull-secret to the manager container.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@m1kola: This pull request references OPRUN-3566 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Blocked by upstream sync & needs more work.

Pass global-pull-secret to the manager container.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[m1kola]

/hold

[openshift-ci-robot]

@m1kola: This pull request references OPRUN-3566 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Pass global-pull-secret to the manager container.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[m1kola]

At this point we have a flag and all the required RBAC, but I think both catalogd and operator-controller need to be built with containers_image_openpgp build tag.

[m1kola]

Ah, it looks like we do build with containers_image_openpgp already. Something else is off: unpack fails like so:

    conditions:
    - lastTransitionTime: "2024-10-11T08:13:02Z"
      message: 'source catalog content: error copying image: copying system image
        from manifest list: Can not copy signatures to oci:/tmp/oci-layout-redhat-community-operators658406605:registry.redhat.io/redhat/community-operator-index@sha256:907fece168a3753e606a31c9c976ef49153487205e9bce8481ea5c1e0bf7f905:
        Pushing signatures for OCI images is not supported'
      observedGeneration: 1
      reason: Retrying
      status: "True"
      type: Progressing

[m1kola]

Ok, so it fails because on OCP we have this: /etc/containers/registries.d/registry.redhat.io.yaml:

docker:
     registry.redhat.io:
         sigstore: https://registry.redhat.io/containers/sigstore

With this config in place image copying fails. Now need to figure out how to make it work.

[m1kola]

With this patch to upstream it works, but not sure if this is a proper solution. Need to dig a bit more on implications of doing this.

diff --git a/internal/source/containers_image.go b/internal/source/containers_image.go
index cf40b62..44458de 100644
--- a/internal/source/containers_image.go
+++ b/internal/source/containers_image.go
@@ -130,7 +130,8 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, catalog *catalogdv
        //
        //////////////////////////////////////////////////////
        if _, err := copy.Image(ctx, policyContext, layoutRef, dockerRef, &copy.Options{
-               SourceCtx: srcCtx,
+               RemoveSignatures: true,
+               SourceCtx:        srcCtx,
        }); err != nil {
                return nil, fmt.Errorf("error copying image: %w", err)
        }

[tmshort]

Where are we on this @m1kola?

[m1kola]

@tmshort the latest is in the comments above. Pull secret works, but catalogd (and operator-controller too, I suspect) will fail to unpack images due to this issue.

[m1kola]

operator-framework/catalogd#431 and operator-framework/operator-controller#1369 should resolve the blocker after syncing downstream.

[m1kola]

This now (temporary) includes #78. Once #78 merges we will need to rebase on top of main.

[openshift-ci]

@m1kola: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[m1kola]

/unhold

Removing hold. I think it is ready to go. See openshift/operator-framework-operator-controller#166 (comment)

[anik120]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anik120, m1kola

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS [m1kola]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-olm-catalogd
This PR has been included in build ose-olm-catalogd-container-v4.18.0-202410151242.p0.g7b54785.assembly.stream.el9.
All builds following this will include this PR.