Can't pull the right certified-operator-index image in a brand new cluster

[sxd]

Bug Description

When running the operator to certify a new version, we found out that it was pulling the wrong image of the certified-operator-index because it was 4.15, which "doesn't exist" yet, leading to a problem like this

++ echo registry.redhat.io/redhat/certified-operator-index:v4.15
++ rev
++ cut -f1 -d/
++ rev
+ INDEX_IMG_STREAM=certified-operator-index:v4.15
+ FROM_INDEX=image-registry.openshift-image-registry.svc:5000/oco/certified-operator-index:v4.15
+ podman pull image-registry.openshift-image-registry.svc:5000/oco/certified-operator-index:v4.15
Trying to pull image-registry.openshift-image-registry.svc:5000/oco/certified-operator-index:v4.15...
Error: initializing source docker://image-registry.openshift-image-registry.svc:5000/oco/certified-operator-index:v4.15: reading manifest v4.15 in image-registry.openshift-image-registry.svc:5000/oco/certified-operator-index: name unknown

Even if the operator only supports v4.14 as a top version, the operator certification downloads the the v4.15 tag and the container can't pull the v4.14, to clarify, I don't know if this is the right place to ask for help, but the certification process doesn't work because of this.

The fix is clear, if you set the operator to have the maximum support on 4.15, it works really nice, that's why I open this issue, if it's not the right please, can you point me the right one?

[acornett21]

Hi @sxd I'm not sure I understand the question/issue fully, so let me ask some questions...

• what version of OCP are you installing this operator on?
• what version(s) of OCP does the operator under test support?

[acornett21]

@sxd Answers to the above would be helpful, but I think I kind of understand. It seems that the --all cmd even in the oc cli is not important every tag into this particular image stream. Since the CLI can't do it, the likelihood of the API calls in our operator doing them is probably not possible, which we'll have to address another way.

As a workaround after the operate is installed and CR reconciled the below should work (replace v4.14 with the version of your cluster):

oc import-image certified-operator-index:v4.14 \                  
  --from=registry.redhat.io/redhat/certified-operator-index:v4.14 \
  --reference-policy local \
  --scheduled \
  --confirm

[sxd]

Hi @acornett21

Well you got the issue sorry for the delay in the answer.
Yes, that's the issue, we get only latest-latest certified-operator-index image, not the one as the max annotations.
Also yes!, the solution will be to import the images, we took another approach, since we already support 4.15, we decided to go with 4.15 as the latest supported version in the annotations.

Now, possible solutions, I've been checking the code and how the ImageStream works, and since we cannot pull all the tags, even if the documentation doesn't say anything about (if you can point me to more explicit documentation, please go ahead), what if we add another options that will be a list of tags something like this:

operatorCertification.OperatorPipelineSpec{
			ApplyCIPipeline:          true,
			ApplyHostedPipeline:      false,
			ApplyReleasePipeline:     false,
			GitHubSecretName:         githubSecretName,
			KubeconfigSecretName:     kubeconfigSecretName,
			OperatorPipelinesRelease: "v1.0.103",
			PyxisSecretName:          pyxisSecretName,
                        CertifiedOperatorIndexTags: "v4.14,v4.15",
		}

And starting from this we can create the ImageStreamTags required to pull the proper images, what do you about this idea?

Regards!

[acornett21]

@sxd Sorry for the long delay on this, finally had some time to get back to it. I have a PR up that should address this now, and for future versions of OCP with zero impact on the API/user. Zero in the sense there isn't any more work for them to do.

I'd like to have this released this week, but we'll see how PR reviews go, since some people are on PTO.

[sxd]

@acornett21 That's amazing!!! I'll be the first user for sure! I'm guessing this is the PR #160 I'll test it as soon as is released, don't know if there's a way to test before the release, for me it's almost no effort to test, please let me know!

Cheers!

[acornett21]

Hey @sxd If you want to install a custom catalog in your cluster to test, another set of eyes is always welcome.

Catalog Spec

oc apply -f - <<'EOF'
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: operator-certification-operator
  namespace: openshift-marketplace
spec:
  displayName: Operator Certification Operator
  icon:
    base64data: ""
    mediatype: ""
  image: quay.io/acornett/operator-certification-operator-catalog:latest
  priority: -200
  publisher: Red Hat
  sourceType: grpc
  updateStrategy:
    registryPoll:
      interval: 10m0s
EOF

Then you could either use the UI to create a subscription, or create one manually. Let me know if there you spot any issues.

[sxd]

@acornett21 perfect! scheduled for tomorrow morning work! I'll let you know as soon as I have results!

CheerS1

[acornett21]

Hey @sxd did you have a chance to test this? Any feedback you have would be great! Thanks!