OKD-379: Fix missing namespace in database template image triggers

[pskrbasu]

Problem

Deploying databases (PostgreSQL, MySQL, MariaDB, Redis) from the Software Catalog on OKD 4.22 fails with:

spec.containers[0].image: Invalid value: " ": must not have leading or trailing whitespace

Reported in okd-project/okd#2337

Root Cause

When database templates were migrated from DeploymentConfig to Deployment (openshift/library@f865a9e2, Dec 2023), the image.openshift.io/triggers annotation on database Deployments dropped the namespace field from the ImageStreamTag reference.

The old DeploymentConfig trigger had:

{"from": {"kind": "ImageStreamTag", "name": "postgresql:${POSTGRESQL_VERSION}", "namespace": "${NAMESPACE}"}}

The new Deployment annotation was missing namespace:

{"from": {"kind": "ImageStreamTag", "name": "postgresql:${POSTGRESQL_VERSION}"}}

Without an explicit namespace, the image trigger controller defaults to the Deployment's own namespace (the user's project) instead of openshift. Since database ImageStreams live in the openshift namespace, the lookup fails and the container image is never resolved — it stays as " " (a single space placeholder). Kubernetes then rejects the pod with the whitespace validation error.

Fix

Add "namespace": "${NAMESPACE}" to the from object in the image.openshift.io/triggers annotation on all affected database Deployments. The NAMESPACE parameter already exists in every template with a default value of "openshift", so no new parameters are needed.

Templates fixed (11 files — namespace added to trigger):

Template	ImageStreamTag
postgresql-persistent	postgresql:${POSTGRESQL_VERSION}
postgresql-ephemeral	postgresql:${POSTGRESQL_VERSION}
mysql-persistent	mysql:${MYSQL_VERSION}
mysql-ephemeral	mysql:${MYSQL_VERSION}
mariadb-persistent	mariadb:${MARIADB_VERSION}
mariadb-ephemeral	mariadb:${MARIADB_VERSION}
redis-persistent	redis:${REDIS_VERSION}
redis-ephemeral	redis:${REDIS_VERSION}
cakephp-mysql-example	mysql:${MYSQL_VERSION}
cakephp-mysql-persistent	mysql:${MYSQL_VERSION}
dancer-mysql-persistent	mysql:${MYSQL_VERSION}

Additional fixes:

• dancer-mysql-example: The database Deployment had "image": " " but was entirely missing the image.openshift.io/triggers annotation — image resolution could never fire. Added the trigger annotation with namespace. Also added the missing MYSQL_VERSION parameter (default "8.0-el8").
• mysql-persistent: Removed a stray image.openshift.io/triggers annotation from the Service object. It was a copy-paste error that referenced ${MARIADB_VERSION} — Services don't have containers, so this annotation had no effect but was incorrect.

OCP impact: None

All changes are under assets/operator/okd-x86_64/ only. OCP Dockerfiles (Dockerfile, Dockerfile.rhel7) copy from ocp-x86_64 / ocp-s390x / ocp-ppc64le / ocp-aarch64. Only Dockerfile.okd copies from okd-x86_64. The two directory trees are completely separate.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 31b92d62-c3b2-4a7c-ac9f-137af49aa8b1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pskrbasu]

Testing

Validated end-to-end on a live OKD 4.22.0-okd-scos.4 cluster (ci-ln-pqjck5t).

1. Reproduced the bug (before fix)

$ oc new-project test-bug-repro
$ oc new-app postgresql-persistent -p POSTGRESQL_VERSION=15-el9

$ oc get deployment postgresql -o jsonpath='{.spec.template.spec.containers[0].image}'
 
$ oc get events --field-selector reason=FailedCreate | tail -3
Warning   FailedCreate   replicaset/postgresql-65487b95f7   Error creating: Pod "postgresql-65487b95f7-bm7xc" is invalid:
  spec.containers[0].image: Invalid value: " ": must not have leading or trailing whitespace

No pods were created. The image stayed as " " — confirming the bug.

2. Applied the fix

Paused the cluster-samples-operator to prevent it from overwriting our template changes:

$ oc patch config.samples.operator.openshift.io/cluster \
    --type merge -p '{"spec":{"managementState":"Unmanaged"}}'

Then replaced all 12 fixed templates in the openshift namespace:

$ for tpl in assets/operator/okd-x86_64/*/templates/*.json; do
    oc replace -f "$tpl" -n openshift
  done
template.template.openshift.io/postgresql-persistent replaced
template.template.openshift.io/postgresql-ephemeral replaced
template.template.openshift.io/mysql-persistent replaced
template.template.openshift.io/mysql-ephemeral replaced
template.template.openshift.io/mariadb-persistent replaced
template.template.openshift.io/mariadb-ephemeral replaced
template.template.openshift.io/redis-persistent replaced
template.template.openshift.io/redis-ephemeral replaced
...

3. Verified the fix — all 4 database types

$ oc new-project test-db-fix
$ oc new-app postgresql-persistent -p POSTGRESQL_VERSION=15-el9
$ oc new-app mysql-persistent -p MYSQL_VERSION=8.0-el9
$ oc new-app mariadb-persistent -p MARIADB_VERSION=10.11-el9
$ oc new-app redis-persistent -p REDIS_VERSION=6-el9

Image resolution — all resolved to real registry refs (no more " "):

$ for db in postgresql mysql mariadb redis; do
    echo "$db: $(oc get deployment $db -o jsonpath='{.spec.template.spec.containers[0].image}')"
  done
postgresql: image-registry.openshift-image-registry.svc:5000/openshift/postgresql@sha256:e74be1b...
mysql:      image-registry.openshift-image-registry.svc:5000/openshift/mysql@sha256:41df7695...
mariadb:    image-registry.openshift-image-registry.svc:5000/openshift/mariadb@sha256:bb8e9c91...
redis:      image-registry.openshift-image-registry.svc:5000/openshift/redis@sha256:b33dedfeb...

All pods Running and Ready:

$ oc get pods
NAME                          READY   STATUS    RESTARTS   AGE
mariadb-b47c4bc87-854lg       1/1     Running   0          30s
mysql-547d97cfbd-crlzq        1/1     Running   0          30s
postgresql-84489577b5-6rc7l   1/1     Running   0          30s
redis-75d4c7bbc4-9zdfx        1/1     Running   0          30s

Database connectivity verified:

$ oc rsh deployment/postgresql psql -c "SELECT 1"
 ok 
----
  1

$ oc rsh deployment/mysql bash -c 'MYSQL_PWD="$MYSQL_PASSWORD" mysql -u $MYSQL_USER -D $MYSQL_DATABASE -e "SELECT 1"'
ok
1

$ oc rsh deployment/mariadb bash -c 'MYSQL_PWD="$MYSQL_PASSWORD" mysql -u $MYSQL_USER -D $MYSQL_DATABASE -e "SELECT 1"'
ok
1

$ oc rsh deployment/redis bash -c 'redis-cli -a "$REDIS_PASSWORD" PING'
PONG

4. Cleanup

$ oc delete project test-db-fix
$ oc patch config.samples.operator.openshift.io/cluster \
    --type merge -p '{"spec":{"managementState":"Managed"}}'

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pskrbasu
Once this PR has been reviewed and has the lgtm label, please assign gabemontero for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@pskrbasu: This pull request references OKD-379 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Problem

Deploying databases (PostgreSQL, MySQL, MariaDB, Redis) from the Software Catalog on OKD 4.22 fails with:

spec.containers[0].image: Invalid value: " ": must not have leading or trailing whitespace

Reported in okd-project/okd#2337

Root Cause

When database templates were migrated from DeploymentConfig to Deployment (openshift/library@f865a9e2, Dec 2023), the image.openshift.io/triggers annotation on database Deployments dropped the namespace field from the ImageStreamTag reference.

The old DeploymentConfig trigger had:

{"from": {"kind": "ImageStreamTag", "name": "postgresql:${POSTGRESQL_VERSION}", "namespace": "${NAMESPACE}"}}

The new Deployment annotation was missing namespace:

{"from": {"kind": "ImageStreamTag", "name": "postgresql:${POSTGRESQL_VERSION}"}}

Without an explicit namespace, the image trigger controller defaults to the Deployment's own namespace (the user's project) instead of openshift. Since database ImageStreams live in the openshift namespace, the lookup fails and the container image is never resolved — it stays as " " (a single space placeholder). Kubernetes then rejects the pod with the whitespace validation error.

Fix

Add "namespace": "${NAMESPACE}" to the from object in the image.openshift.io/triggers annotation on all affected database Deployments. The NAMESPACE parameter already exists in every template with a default value of "openshift", so no new parameters are needed.

Templates fixed (11 files — namespace added to trigger):

Template	ImageStreamTag
postgresql-persistent	postgresql:${POSTGRESQL_VERSION}
postgresql-ephemeral	postgresql:${POSTGRESQL_VERSION}
mysql-persistent	mysql:${MYSQL_VERSION}
mysql-ephemeral	mysql:${MYSQL_VERSION}
mariadb-persistent	mariadb:${MARIADB_VERSION}
mariadb-ephemeral	mariadb:${MARIADB_VERSION}
redis-persistent	redis:${REDIS_VERSION}
redis-ephemeral	redis:${REDIS_VERSION}
cakephp-mysql-example	mysql:${MYSQL_VERSION}
cakephp-mysql-persistent	mysql:${MYSQL_VERSION}
dancer-mysql-persistent	mysql:${MYSQL_VERSION}

Additional fixes:

• dancer-mysql-example: The database Deployment had "image": " " but was entirely missing the image.openshift.io/triggers annotation — image resolution could never fire. Added the trigger annotation with namespace. Also added the missing MYSQL_VERSION parameter (default "8.0-el8").
• mysql-persistent: Removed a stray image.openshift.io/triggers annotation from the Service object. It was a copy-paste error that referenced ${MARIADB_VERSION} — Services don't have containers, so this annotation had no effect but was incorrect.

OCP impact: None

All changes are under assets/operator/okd-x86_64/ only. OCP Dockerfiles (Dockerfile, Dockerfile.rhel7) copy from ocp-x86_64 / ocp-s390x / ocp-ppc64le / ocp-aarch64. Only Dockerfile.okd copies from okd-x86_64. The two directory trees are completely separate.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@pskrbasu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[aroyoredhat]

@pskrbasu for this change to take effect you need to fix it where the openshift/library is syncing those templates, for example on the cakephp template it needs to be fixed here https://github.com/sclorg/cakephp-ex/blob/master/openshift/templates/cakephp-mysql.json#L306