Merge pull request #28307 from eggfoobar/fix-image-registry-no-cap

OCPBUGS-20205: feat: added support for ImageRegistry capability

Author: openshift-ci[bot]

pkg/clioptions/clusterdiscovery/provider.go

@@ -8,6 +8,7 @@ import (
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
 
+	"github.com/openshift/origin/test/extended/util/image"
 	e2e "k8s.io/kubernetes/test/e2e/framework"
 
 	exutil "github.com/openshift/origin/test/extended/util"
@@ -67,6 +68,16 @@ func InitializeTestFramework(context *e2e.TestContextType, config *ClusterConfig
 
 	// IPFamily constants are taken from kube e2e and used by tests
 	context.IPFamily = config.IPFamily
+
+	imageStreamString, _, err := exutil.NewCLIWithoutNamespace("").AsAdmin().Run("adm", "release", "info", `-ojsonpath={.references}`).Outputs()
+	if err != nil {
+		return err
+	}
+
+	if err := image.InitializeReleasePullSpecString(imageStreamString, config.HasNoOptionalCapabilities); err != nil {
+		return err
+	}
+
 	return nil
 }
 

pkg/monitortests/network/disruptionpodnetwork/monitortest.go

@@ -178,6 +178,7 @@ func (pna *podNetworkAvalibility) StartCollection(ctx context.Context, adminREST
 	pna.targetService = service
 
 	hostNetworkTargetDeployment.Spec.Replicas = &numNodes
+	hostNetworkTargetDeployment.Spec.Template.Spec.Containers[0].Image = image.LimitedShellImage()
 	if _, err := pna.kubeClient.AppsV1().Deployments(pna.namespaceName).Create(context.Background(), hostNetworkTargetDeployment, metav1.CreateOptions{}); err != nil {
 		return err
 	}

test/extended/cli/debug.go

@@ -10,6 +10,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	admissionapi "k8s.io/pod-security-admission/api"
 
+	configv1 "github.com/openshift/api/config/v1"
 	exutil "github.com/openshift/origin/test/extended/util"
 )
 
@@ -181,7 +182,10 @@ spec:
 	})
 
 	g.It("ensure it works with image streams [apigroup:image.openshift.io]", func() {
-		err := oc.Run("create").Args("-f", imageStreamsCentos).Execute()
+		hasImageRegistry, err := exutil.IsCapabilityEnabled(oc, configv1.ClusterVersionCapabilityImageRegistry)
+		o.Expect(err).NotTo(o.HaveOccurred())
+
+		err = oc.Run("create").Args("-f", imageStreamsCentos).Execute()
 		o.Expect(err).NotTo(o.HaveOccurred())
 		err = wait.Poll(cliInterval, cliTimeout, func() (bool, error) {
 			err := oc.Run("get").Args("imagestreamtags", "wildfly:latest").Execute()
@@ -190,9 +194,14 @@ spec:
 		o.Expect(err).NotTo(o.HaveOccurred())
 
 		var out string
+		var resolvedImageMatcher = o.MatchRegexp("image:.*oc-debug-.*/wildfly@sha256")
+		if !hasImageRegistry {
+			resolvedImageMatcher = o.ContainSubstring("image: quay.io/wildfly/wildfly-centos7")
+		}
+
 		out, err = oc.Run("debug").Args("istag/wildfly:latest", "-o", "yaml").Output()
 		o.Expect(err).NotTo(o.HaveOccurred())
-		o.Expect(out).To(o.MatchRegexp("image:.*oc-debug-.*/wildfly@sha256"))
+		o.Expect(out).To(resolvedImageMatcher)
 
 		var sha string
 		sha, err = oc.Run("get").Args("istag/wildfly:latest", "--template", "{{ .image.metadata.name }}").Output()

test/extended/images/extract.go

@@ -15,9 +15,11 @@ import (
 	k8simage "k8s.io/kubernetes/test/utils/image"
 	admissionapi "k8s.io/pod-security-admission/api"
 
+	configv1 "github.com/openshift/api/config/v1"
 	imageapi "github.com/openshift/api/image/v1"
 	imageclientset "github.com/openshift/client-go/image/clientset/versioned"
 	exutil "github.com/openshift/origin/test/extended/util"
+	"github.com/openshift/origin/test/extended/util/image"
 )
 
 var _ = g.Describe("[sig-imageregistry][Feature:ImageExtract] Image extract", func() {
@@ -35,12 +37,23 @@ var _ = g.Describe("[sig-imageregistry][Feature:ImageExtract] Image extract", fu
 	oc = exutil.NewCLIWithPodSecurityLevel("image-extract", admissionapi.LevelBaseline)
 
 	g.It("should extract content from an image [apigroup:image.openshift.io]", func() {
+		hasImageRegistry, err := exutil.IsCapabilityEnabled(oc, configv1.ClusterVersionCapabilityImageRegistry)
+		o.Expect(err).NotTo(o.HaveOccurred())
 		is, err := oc.ImageClient().ImageV1().ImageStreams("openshift").Get(context.Background(), "tools", metav1.GetOptions{})
 		o.Expect(err).NotTo(o.HaveOccurred())
-		o.Expect(is.Status.DockerImageRepository).NotTo(o.BeEmpty(), "registry not yet configured?")
-		registry := strings.Split(is.Status.DockerImageRepository, "/")[0]
 
 		ns = oc.Namespace()
+		extractImage := image.ShellImage()
+
+		// If ImageRegistry is present, we expect DockerImageRepository to have a value
+		// and we create the registry url for ImageStream extracting, otherwise we use
+		// the ShellImage()
+		if hasImageRegistry {
+			o.Expect(is.Status.DockerImageRepository).NotTo(o.BeEmpty(), "registry not yet configured?")
+			registry := strings.Split(is.Status.DockerImageRepository, "/")[0]
+			extractImage = fmt.Sprintf("%s/%s/1:tools", registry, ns)
+		}
+
 		cli := e2epod.PodClientNS(oc.KubeFramework(), ns)
 		client := imageclientset.NewForConfigOrDie(oc.UserConfig()).ImageV1()
 
@@ -74,35 +87,30 @@ var _ = g.Describe("[sig-imageregistry][Feature:ImageExtract] Image extract", fu
 			o.Expect(img.Status.Status).To(o.Equal("Success"), fmt.Sprintf("imagestreamimport status for spec.image[%d] (message: %s)", i, img.Status.Message))
 		}
 
-		// toolsLayers := isi.Status.Images[0].Image.DockerImageLayers
-		// toolsLen := len(toolsLayers)
-		// mysqlLayers := isi.Status.Images[1].Image.DockerImageLayers
-		// mysqlLen := len(mysqlLayers)
-
 		pod := cli.Create(context.TODO(), cliPodWithPullSecret(oc, heredoc.Docf(`
 			set -x
 
 			# command exits if directory doesn't exist
-			! oc image extract --insecure %[2]s/%[1]s/1:tools --path=/:/tmp/doesnotexist
+			! oc image extract --insecure %[1]s --path=/:/tmp/doesnotexist
 			# command exits if directory isn't empty
-			! oc image extract --insecure %[2]s/%[1]s/1:tools --path=/:/
+			! oc image extract --insecure %[1]s --path=/:/
 
 			# extract a directory to a directory, verify the contents
 			mkdir -p /tmp/test
-			oc image extract --insecure %[2]s/%[1]s/1:tools --path=/etc/cron.d/:/tmp/test/
+			oc image extract --insecure %[1]s --path=/etc/cron.d/:/tmp/test/
 			[ -f /tmp/test/0hourly ] && grep root /tmp/test/0hourly
 
 			# extract multiple individual files
 			mkdir -p /tmp/test2
-			oc image extract --insecure %[2]s/%[1]s/1:tools --path=/etc/shadow:/tmp/test2 --path=/etc/system-release:/tmp/test2
+			oc image extract --insecure %[1]s --path=/etc/shadow:/tmp/test2 --path=/etc/system-release:/tmp/test2
 			[ -f /tmp/test2/shadow ] && [ -L /tmp/test2/system-release ]
 
 			# extract a single file to the current directory
 			mkdir -p /tmp/test3
 			cd /tmp/test3
-			oc image extract --insecure %[2]s/%[1]s/1:tools --file=/etc/shadow
+			oc image extract --insecure %[1]s --file=/etc/shadow
 			[ -f /tmp/test3/shadow ]
-		`, ns, registry)))
+		`, extractImage)))
 		cli.WaitForSuccess(context.TODO(), pod.Name, podStartupTimeout)
 	})
 })

test/extended/images/resolve.go

@@ -9,6 +9,7 @@ import (
 	o "github.com/onsi/gomega"
 
 	appsv1 "github.com/openshift/api/apps/v1"
+	configv1 "github.com/openshift/api/config/v1"
 	kappsv1 "k8s.io/api/apps/v1"
 	kbatchv1 "k8s.io/api/batch/v1"
 	kapiv1 "k8s.io/api/core/v1"
@@ -28,7 +29,10 @@ var _ = g.Describe("[sig-imageregistry][Feature:ImageLookup] Image policy", func
 	ctx := context.Background()
 
 	g.It("should update standard Kube object image fields when local names are on [apigroup:image.openshift.io]", func() {
-		err := oc.Run("tag").Args(k8simage.GetE2EImage(k8simage.BusyBox), "busybox:latest").Execute()
+		hasImageRegistry, err := exutil.IsCapabilityEnabled(oc, configv1.ClusterVersionCapabilityImageRegistry)
+		o.Expect(err).NotTo(o.HaveOccurred())
+
+		err = oc.Run("tag").Args(k8simage.GetE2EImage(k8simage.BusyBox), "busybox:latest").Execute()
 		o.Expect(err).NotTo(o.HaveOccurred())
 		err = oc.Run("set", "image-lookup").Args("busybox").Execute()
 		o.Expect(err).NotTo(o.HaveOccurred())
@@ -68,8 +72,15 @@ var _ = g.Describe("[sig-imageregistry][Feature:ImageLookup] Image policy", func
 			g.Skip("default image resolution is not configured, can't verify pod resolution")
 		}
 
+		// When ImageRegistry is not present this should not get resolved and will remain
+		// and Attempt resolve meaning it will not get changed by the admission plugin
+		unknownImageSuffix := "busybox:unknown"
+		if hasImageRegistry {
+			unknownImageSuffix = "/" + oc.Namespace() + "/" + unknownImageSuffix
+		}
+
 		o.Expect(pod.Spec.Containers[0].Image).To(o.Equal(internalImageReference))
-		o.Expect(pod.Spec.Containers[1].Image).To(o.HaveSuffix("/" + oc.Namespace() + "/busybox:unknown"))
+		o.Expect(pod.Spec.Containers[1].Image).To(o.HaveSuffix(unknownImageSuffix))
 		defer func() { oc.KubeClient().CoreV1().Pods(oc.Namespace()).Delete(ctx, pod.Name, metav1.DeleteOptions{}) }()
 
 		// replica sets should auto replace local references
@@ -219,7 +230,10 @@ var _ = g.Describe("[sig-imageregistry][Feature:ImageLookup] Image policy", func
 	})
 
 	g.It("should perform lookup when the object has the resolve-names annotation [apigroup:image.openshift.io]", func() {
-		err := oc.Run("tag").Args(k8simage.GetE2EImage(k8simage.BusyBox), "busybox:latest").Execute()
+		hasImageRegistry, err := exutil.IsCapabilityEnabled(oc, configv1.ClusterVersionCapabilityImageRegistry)
+		o.Expect(err).NotTo(o.HaveOccurred())
+
+		err = oc.Run("tag").Args(k8simage.GetE2EImage(k8simage.BusyBox), "busybox:latest").Execute()
 		o.Expect(err).NotTo(o.HaveOccurred())
 
 		var internalImageReference string
@@ -258,8 +272,15 @@ var _ = g.Describe("[sig-imageregistry][Feature:ImageLookup] Image policy", func
 			g.Skip("default image resolution is not configured, can't verify pod resolution")
 		}
 
+		// When ImageRegistry is not present this should not get resolved and will remain
+		// and Attempt resolve meaning it will not get changed by the admission plugin
+		unknownImageSuffix := "busybox:unknown"
+		if hasImageRegistry {
+			unknownImageSuffix = "/" + oc.Namespace() + "/" + unknownImageSuffix
+		}
+
 		o.Expect(pod.Spec.Containers[0].Image).To(o.Equal(internalImageReference))
-		o.Expect(pod.Spec.Containers[1].Image).To(o.HaveSuffix("/" + oc.Namespace() + "/busybox:unknown"))
+		o.Expect(pod.Spec.Containers[1].Image).To(o.HaveSuffix(unknownImageSuffix))
 
 		g.By("auto replacing local references on ReplicaSets")
 		rs, err := oc.KubeClient().AppsV1().ReplicaSets(oc.Namespace()).Create(ctx, &kappsv1.ReplicaSet{

test/extended/util/annotate/generated/zz_generated.annotations.go

@@ -231,6 +231,15 @@ var (
 		"[Skipped:NoOptionalCapabilities]": {
 			// This test requires a valid console url which doesn't exist when the optional console capability is disabled.
 			`\[sig-cli\] oc basics can show correct whoami result with console`,
+
+			// Image Registry Skips:
+			// Requires ImageRegistry to upload appended images
+			`\[sig-imageregistry\]\[Feature:ImageAppend\] Image append should create images by appending them`,
+			// Requires ImageRegistry to redirect blob pull
+			`\[sig-imageregistry\] Image registry \[apigroup:route.openshift.io\] should redirect on blob pull`,
+			// Requires ImageRegistry service to be active for OCM to be able to create pull secrets
+			`\[sig-devex\]\[Feature:OpenShiftControllerManager\] TestAutomaticCreationOfPullSecrets \[apigroup:config.openshift.io\]`,
+			`\[sig-devex\]\[Feature:OpenShiftControllerManager\] TestDockercfgTokenDeletedController \[apigroup:image.openshift.io\]`,
 		},
 	}
 )

test/extended/util/annotate/rules.go

@@ -240,10 +240,25 @@ func processScanError(log string) error {
 // WaitForOpenShiftNamespaceImageStreams waits for the standard set of imagestreams to be imported
 func WaitForOpenShiftNamespaceImageStreams(oc *CLI) error {
 	ctx := context.Background()
-	langs := []string{"ruby", "nodejs", "perl", "php", "python", "mysql", "postgresql", "jenkins"}
+	images := []string{"ruby", "nodejs", "perl", "php", "python", "mysql", "postgresql", "jenkins"}
+
+	hasSamplesOperator, err := IsCapabilityEnabled(oc, configv1.ClusterVersionCapabilityOpenShiftSamples)
+	if err != nil {
+		return err
+	}
+	// Check to see if we have ImageRegistry and SamplesOperator enabled
+	hasImageRegistry, err := IsCapabilityEnabled(oc, configv1.ClusterVersionCapabilityImageRegistry)
+	if err != nil {
+		return err
+	}
+
+	if !hasSamplesOperator {
+		images = []string{"cli", "tools", "tests", "installer"}
+	}
+
 	e2e.Logf("waiting for image ecoystem imagestreams to be imported")
-	for _, lang := range langs {
-		err := WaitForSamplesImagestream(ctx, oc, lang)
+	for _, image := range images {
+		err := WaitForSamplesImagestream(ctx, oc, image, hasImageRegistry, hasSamplesOperator)
 		if err != nil {
 			DumpSampleOperator(oc)
 			return err
@@ -258,11 +273,15 @@ func WaitForOpenShiftNamespaceImageStreams(oc *CLI) error {
 // managed by the samples operator, and therefore will not be retried.
 //
 // This will wait up to 150 seconds for the referenced imagestream to finish importing.
-func WaitForSamplesImagestream(ctx context.Context, oc *CLI, imagestream string) error {
-	// First wait for the internal registry hostname to be published
-	registryHostname, err := WaitForInternalRegistryHostname(oc)
-	if err != nil {
-		return err
+func WaitForSamplesImagestream(ctx context.Context, oc *CLI, imagestream string, imageRegistryEnabled, openshiftSamplesEnabled bool) error {
+	var registryHostname string
+	var err error
+
+	if imageRegistryEnabled {
+		registryHostname, err = WaitForInternalRegistryHostname(oc)
+		if err != nil {
+			return err
+		}
 	}
 
 	var retried bool
@@ -271,12 +290,14 @@ func WaitForSamplesImagestream(ctx context.Context, oc *CLI, imagestream string)
 	// Based on a sampling of CI tests, imagestream imports from registry.redhat.io can take up to 2 minutes to complete.
 	// Imports which take longer generally indicate that there is a performance regression or outage in the container registry.
 	pollErr := wait.Poll(10*time.Second, 150*time.Second, func() (bool, error) {
-		retried, err = retrySamplesImagestreamImportIfNeeded(ctx, oc, imagestream)
-		if err != nil {
-			return false, err
-		}
-		if retried {
-			return false, nil
+		if openshiftSamplesEnabled {
+			retried, err = retrySamplesImagestreamImportIfNeeded(ctx, oc, imagestream)
+			if err != nil {
+				return false, err
+			}
+			if retried {
+				return false, nil
+			}
 		}
 		return checkOpenShiftNamespaceImageStreamImported(ctx, oc, imagestream, registryHostname)
 	})
@@ -2205,3 +2226,16 @@ func collectConfigManifestsFromDir(configManifestsDir string) (error, []runtime.
 
 	return err, objects
 }
+
+func IsCapabilityEnabled(oc *CLI, cap configv1.ClusterVersionCapability) (bool, error) {
+	cv, err := oc.AdminConfigClient().ConfigV1().ClusterVersions().Get(context.Background(), "version", metav1.GetOptions{})
+	if err != nil {
+		return false, err
+	}
+	for _, capability := range cv.Status.Capabilities.EnabledCapabilities {
+		if capability == cap {
+			return true, nil
+		}
+	}
+	return false, nil
+}