AGENT-1193: Add --mirror-path flag to support pre-mirrored images#634
Conversation
openshift-ci
Bot
added
the
do-not-merge/work-in-progress
openshift-merge-robot
added
the
needs-rebase
rwsu
force-pushed
the
AGENT-1193-v2
branch
2 times, most recently
from
be9a81e to
c10ba39
Compare
openshift-merge-robot
removed
the
needs-rebase
rwsu
changed the title
openshift-ci
Bot
removed
the
do-not-merge/work-in-progress
openshift-ci-robot
added
the
jira/valid-reference
|
@rwsu: This pull request references AGENT-1193 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@rwsu: This pull request references AGENT-1193 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@rwsu: This pull request references AGENT-1193 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@rwsu: This pull request references AGENT-1193 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/cc @danielerez |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rwsu The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
rwsu
force-pushed
the
AGENT-1193-v2
branch
3 times, most recently
from
9e775e7 to
17dc5e3
Compare
Add support for using pre-mirrored images from oc-mirror workspace by
specifying the mirror path in appliance-config.yaml. When mirrorPath is
configured, the appliance skips running oc-mirror and uses the pre-mirrored
registry data directly.
Also fixes issues when using custom registries (non-quay.io) where oc adm
release info may return incomplete image references missing port and
repository path. Adds IDMS entries to ensure the cluster redirects pulls
from custom registries to the appliance's internal registry.
Changes:
- Add MirrorPath field to top level of ApplianceConfig in types
- Update appliance-config.yaml template to document the new field
- Update code to read mirrorPath from ApplianceConfig.Config.MirrorPath
- Add validateMirrorPath() to ApplianceConfig with comprehensive validation
- Use pre-mirrored images when mirrorPath is provided
- Add fixImageReference() to repair incomplete image refs from oc commands
Example: registry.example.com@sha256:... becomes
registry.example.com:5000/repo/image@sha256:...
- Add addLocalRegistryIDMS() to generate IDMS for custom registry mirrors
- Fix release image tag parsing to preserve port in registry URLs
The mirror-path can be specified in appliance-config.yaml as:
mirrorPath: /path/to/oc-mirror/workspace
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Add debug logging for IsLiveISO tracking
Pass --registry-config ~/.docker/config.json to all oc commands (release info, release extract, oc mirror) and --authfile to skopeo. This allows the appliance builder to authenticate against private registries such as the one used in dev-scripts (virthost.ostest.test.metalkube.org:5000). The pull secret from appliance-config is written to ~/.docker/config.json (existing behavior) so no separate credential management is needed. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
strings.Split(image, ":")[0] incorrectly strips the registry port when the release image URL contains one. For example, with the dev-scripts local registry virthost.ostest.test.metalkube.org:5000/openshift/release-images:tag, Split on ":" takes only "virthost.ostest.test.metalkube.org", losing the port and path entirely. Use LastIndex to locate the tag colon after the last "/" so the port is preserved, producing the correct digest reference: virthost.ostest.test.metalkube.org:5000/openshift/release-images@sha256:... Extract the logic into appendDigest() with a unit test. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
- Swap mirrorPath condition in mirrorImages() so normal flow comes first - Extract mirror-path registry data copy logic into copyMirrorRegistryData() Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
| templateExtractCmd = "oc adm release extract --command=%s --to=%s %s" | ||
| templateImageExtract = "oc image extract --path %s:%s --confirm %s" | ||
| ocMirror = "oc mirror --v2 --config=%s docker://127.0.0.1:%d --workspace=file://%s --src-tls-verify=false --dest-tls-verify=false --parallel-images=4 --parallel-layers=4 --retry-times=5 --ignore-release-signature" | ||
| templateGetImage = "oc adm release info --registry-config %s --image-for=%s %s" |
There was a problem hiding this comment.
Same here about the pull secret. Which scenario requires passing the pull secret explicitly now?
There was a problem hiding this comment.
Good catch. You're correct — oc and skopeo already pick up credentials from ~/.docker/config.json automatically, which is where storePullSecret() already writes them. We've removed --registry-config from all oc commands and --authfile from skopeo — they were redundant. Verified the ISO build and cluster install succeed without them.
|
With this PR I've been able to use a local image (machine-config-operator in this case) and successfully install a cluster via the dev-scripts UI-driven installation, confirming that my local changes were picked up. |
|
@rwsu: This pull request references AGENT-1193 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
…opeo oc and skopeo automatically pick up credentials from ~/.docker/config.json, which is already written by storePullSecret(). Passing the flags explicitly is redundant and was only introduced when the pull secret was temporarily stored in a separate temp file. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
|
Testing the PR, one thing we've noticed that we're missing in the mirrored data is This is what the local catalog looks like on an installed cluster (using a local mco image): Compared to a system installed without the local mirror: So we're missing |
@bfournie The missing release-bundles should be fixed by this commit the missing operators can be added through this dev-scripts PR. |
|
/retest |
Two related bugs in the --mirror-path flow: 1. copyMirrorRegistryData was called after bundle.Push(), causing the mirror-path docker data to overwrite the release-bundles image that was just pushed to the registry. Move the copy before starting the registry so bundle.Push() adds release-bundles on top of the pre-populated mirror data. 2. Moving the copy earlier exposed a path mismatch: registryDir from GetRegistryDataPath() was mangled (e.g. /assetstemp/data instead of /assets/temp/data). Switch to dataDirPath (filepath.Join(envConfig.TempDir, dataDir)) throughout, consistent with how CopyRegistryImageIfNeeded computes paths. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
|
/retest-required |
|
/test e2e-agent-compact-ipv4-iso-no-registry |
|
@rwsu: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
With the latest change I confirmed that the release-bundles are now available |
|
/lgtm |
5 participants
Adds support for using pre-mirrored OCP release images instead of running oc-mirror during the build process. This is useful when images have already been mirrored in a separate step, avoiding redundant mirroring operations.
Changes
Add `--mirror-path` flag to the build command — Specifies the location of pre-mirrored registry data. When provided, the appliance builder skips running `oc-mirror` and uses the pre-mirrored images directly.
Fix image reference parsing for registries with ports — When a custom release URL contains a tag (e.g. `registry:5000/img:tag`), appending a digest directly would produce a `tag@digest` reference rejected by image validation. Uses `LastIndex` to correctly strip the tag while preserving the registry port.
Refactor mirror-path handling — Extract registry data copy logic into `copyMirrorRegistryData()` and reorder `mirrorImages()` condition so the normal flow comes first.
Assisted-by: Claude Sonnet 4.6 noreply@anthropic.com