OCPBUGS-84652: Add InternalReleaseImage CA to OSImageStream

[bfournie]

When the OSImageStream feature is enabled with the Agent-Based Installer and ISONoRegistry, MCO fails to build the OSImageStream with the error "unable to retrieve any OSImageStream from the configured sources". This occurs because MCO cannot trust the self-signed TLS certificates used by the InternalReleaseImage mirrored registries.

This fix sets the RootCA used for OSImageStream to the InternalReleaseImage CA.

- What I did

- How to verify it

- Description for the changelog

Summary by CodeRabbit

• Bug Fixes
  • Improved TLS certificate handling for image stream operations: when the feature is enabled the operator will attempt to load a cluster TLS certificate, log a warning if it is missing, and only fail when unexpected retrieval errors occur. Valid certificates are now applied to controller configuration; missing or empty certificate entries are ignored with a warning.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@bfournie: This pull request references Jira Issue OCPBUGS-84652, which is invalid:

• expected the bug to target only the "5.0.0" version, but multiple target versions were set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

When the OSImageStream feature is enabled with the Agent-Based Installer and ISONoRegistry, MCO fails to build the OSImageStream with the error "unable to retrieve any OSImageStream from the configured sources". This occurs because MCO cannot trust the self-signed TLS certificates used by the InternalReleaseImage mirrored registries.

This fix sets the RootCA used for OSImageStream to the InternalReleaseImage CA.

- What I did

- How to verify it

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

When building a minimal controller config for OSImageStream, the operator checks that OSImageStream is enabled and the FeatureGateNoRegistryClusterInstall gate is set; it then attempts to read the InternalReleaseImage TLS secret and, if present with non-empty tls.crt, copies that cert into cc.Spec.RootCAData. NotFound is warned; other secret errors fail the build.

Changes

Cohort / File(s)	Summary
OSImageStream Trust Augmentation pkg/operator/osimagestream_ocp.go	Added logic to, when OSImageStream is enabled and FeatureGateNoRegistryClusterInstall is active, read the InternalReleaseImage TLS secret from ctrlcommon.MCONamespace; on success, set cc.Spec.RootCAData from tls.crt if present and non-empty. Logs a warning on NotFound, returns error on other retrieval failures, and warns if tls.crt is missing/empty.

Sequence Diagram(s)

sequenceDiagram
    participant Operator
    participant FeatureGate
    participant KubeAPI as Kubernetes API (Secret)
    participant ControllerConfig

    Operator->>FeatureGate: check FeatureGateNoRegistryClusterInstall
    alt feature gate enabled and OSImageStream enabled
        Operator->>KubeAPI: GET Secret `InternalReleaseImage` in ctrlcommon.MCONamespace
        alt Secret found
            KubeAPI-->>Operator: Secret data
            Operator->>Operator: extract `tls.crt`
            alt tls.crt present and non-empty
                Operator->>ControllerConfig: set cc.Spec.RootCAData = tls.crt
            else tls.crt missing/empty
                Operator-->>Operator: log warning (do not set RootCAData)
            end
        else Secret not found
            KubeAPI-->>Operator: NotFound
            Operator-->>Operator: log warning (continue)
        else other error
            KubeAPI-->>Operator: error
            Operator-->>Operator: fail build / return error
        end
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding InternalReleaseImage CA certificate handling to OSImageStream functionality, directly aligning with the code changes that retrieve and apply the TLS certificate.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies pkg/operator/osimagestream_ocp.go (non-test file) with operational code changes. No test files or Ginkgo test names were modified.
Test Structure And Quality	✅ Passed	This check is not applicable to the provided pull request. The PR only modifies production code in pkg/operator/osimagestream_ocp.go with 22 lines added and zero test file modifications. The custom check specifically reviews Ginkgo test code quality, which is not present in this PR's changes.
Microshift Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests; only operator implementation code in pkg/operator/osimagestream_ocp.go is modified.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Pull request does not add any new Ginkgo e2e tests, only modifies implementation code in osimagestream_ocp.go.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request modifies only TLS certificate configuration without introducing scheduling constraints or topology assumptions.
Ote Binary Stdout Contract	✅ Passed	PR changes use klog for all logging, which is configured to write to stderr by default, preserving the JSON stdout contract required by OTE.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The PR modifies operator runtime logic for TLS certificate handling but does not introduce new Ginkgo e2e tests, so the custom check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bfournie
Once this PR has been reviewed and has the lgtm label, please assign dkhater-redhat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bfournie]

/jira refresh

[openshift-ci-robot]

@bfournie: This pull request references Jira Issue OCPBUGS-84652, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@bfournie: This pull request references Jira Issue OCPBUGS-84652, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

When the OSImageStream feature is enabled with the Agent-Based Installer and ISONoRegistry, MCO fails to build the OSImageStream with the error "unable to retrieve any OSImageStream from the configured sources". This occurs because MCO cannot trust the self-signed TLS certificates used by the InternalReleaseImage mirrored registries.

This fix sets the RootCA used for OSImageStream to the InternalReleaseImage CA.

- What I did

- How to verify it

- Description for the changelog

Summary by CodeRabbit

• Bug Fixes
• Enhanced TLS certificate handling for image stream operations with improved error detection and recovery. The operator now properly manages certificate retrieval failures with appropriate warnings and error escalation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/operator/osimagestream_ocp.go (1)

298-298: Prefer corev1.TLSCertKey over hard-coded "tls.crt".

Using the Kubernetes constant avoids typo drift and keeps this aligned with TLS secret conventions.

Suggested refactor

-			if tlsCert, ok := iriTLSSecret.Data["tls.crt"]; ok && len(tlsCert) > 0 {
+			if tlsCert, ok := iriTLSSecret.Data[corev1.TLSCertKey]; ok && len(tlsCert) > 0 {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/osimagestream_ocp.go` at line 298, Replace the hard-coded
"tls.crt" key with the Kubernetes constant corev1.TLSCertKey when accessing
iriTLSSecret.Data (e.g., change iriTLSSecret.Data["tls.crt"] to
iriTLSSecret.Data[corev1.TLSCertKey]); add the corev1 import if missing and
ensure any references to the Data map use the constant to avoid typos and follow
TLS secret conventions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/operator/osimagestream_ocp.go`:
- Around line 291-293: The NotFound branch currently only logs a warning for the
InternalReleaseImage TLS secret; change it to fail fast when
FeatureGateNoRegistryClusterInstall is enabled. In the apierrors.IsNotFound(err)
block (the TLS secret handling for InternalReleaseImage in
osimagestream_ocp.go), check the FeatureGateNoRegistryClusterInstall feature
gate and, if enabled, return a descriptive error (instead of just klog.Warningf)
so the caller can stop; if the feature gate is not enabled, retain the current
warning behavior.

---

Nitpick comments:
In `@pkg/operator/osimagestream_ocp.go`:
- Line 298: Replace the hard-coded "tls.crt" key with the Kubernetes constant
corev1.TLSCertKey when accessing iriTLSSecret.Data (e.g., change
iriTLSSecret.Data["tls.crt"] to iriTLSSecret.Data[corev1.TLSCertKey]); add the
corev1 import if missing and ensure any references to the Data map use the
constant to avoid typos and follow TLS secret conventions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c599b0d2-fc52-40dd-9722-2055be03b19d

📥 Commits

Reviewing files that changed from the base of the PR and between 89245a0 and e6e209c.

📒 Files selected for processing (1)

• pkg/operator/osimagestream_ocp.go

[coderabbitai]

🧹 Nitpick comments (1)

pkg/operator/osimagestream_ocp.go (1)

286-305: Add regression coverage for the new secret-handling branches.

This block now decides whether OSImageStream can trust the mirrored registry during bootstrap. Please add focused tests for the three intended cases here: secret missing, secret present with empty tls.crt, and secret present with a valid cert populating RootCAData. That would lock in the warn-and-retry behavior discussed on this PR.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/osimagestream_ocp.go` around lines 286 - 305, Add unit tests
covering the three secret-handling branches in the OSImageStream code: when the
InternalReleaseImage TLS secret is missing, when it exists but corev1.TLSCertKey
is empty, and when it exists with a valid cert that sets cc.Spec.RootCAData.
Write tests that exercise the branch guarded by
osimagestream.IsFeatureEnabled(optr.fgHandler) &&
optr.fgHandler.Enabled(features.FeatureGateNoRegistryClusterInstall) by faking
optr.mcoSecretLister.Secrets(...).Get to return (a) an apierrors.IsNotFound
error, (b) a Secret with Data[corev1.TLSCertKey] = []byte{} and (c) a Secret
with Data[corev1.TLSCertKey] containing a sample cert; then assert the expected
log/return behavior for cases (a) and (b) and that cc.Spec.RootCAData is
populated for case (c) (use the function/logic around
InternalReleaseImageTLSSecretName, iriTLSSecret, and cc.Spec.RootCAData to
locate the code under test).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/operator/osimagestream_ocp.go`:
- Around line 286-305: Add unit tests covering the three secret-handling
branches in the OSImageStream code: when the InternalReleaseImage TLS secret is
missing, when it exists but corev1.TLSCertKey is empty, and when it exists with
a valid cert that sets cc.Spec.RootCAData. Write tests that exercise the branch
guarded by osimagestream.IsFeatureEnabled(optr.fgHandler) &&
optr.fgHandler.Enabled(features.FeatureGateNoRegistryClusterInstall) by faking
optr.mcoSecretLister.Secrets(...).Get to return (a) an apierrors.IsNotFound
error, (b) a Secret with Data[corev1.TLSCertKey] = []byte{} and (c) a Secret
with Data[corev1.TLSCertKey] containing a sample cert; then assert the expected
log/return behavior for cases (a) and (b) and that cc.Spec.RootCAData is
populated for case (c) (use the function/logic around
InternalReleaseImageTLSSecretName, iriTLSSecret, and cc.Spec.RootCAData to
locate the code under test).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9888875b-04a7-4aaf-b607-fbcfc67c84b0

📥 Commits

Reviewing files that changed from the base of the PR and between e6e209c and fce0501.

📒 Files selected for processing (1)

• pkg/operator/osimagestream_ocp.go

[openshift-ci]

@bfournie: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[andfasano]

I don't think this is correct, and moreover the clusterconfig is managed elsewhere

[andfasano]

Sorry I saw after it's the controllerconfig created just before. In any case RootCAData is meant to store the Root CA field, not the (leaf) server cert (which is valid only for the IRI registry)

[bfournie]

/hold

[bfournie]

Closing as this is covered by #5896
/close

[openshift-ci]

@bfournie: Closed this PR.

Details

In response to this:

Closing as this is covered by #5896
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@bfournie: This pull request references Jira Issue OCPBUGS-84652. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

Details

In response to this:

When the OSImageStream feature is enabled with the Agent-Based Installer and ISONoRegistry, MCO fails to build the OSImageStream with the error "unable to retrieve any OSImageStream from the configured sources". This occurs because MCO cannot trust the self-signed TLS certificates used by the InternalReleaseImage mirrored registries.

This fix sets the RootCA used for OSImageStream to the InternalReleaseImage CA.

- What I did

- How to verify it

- Description for the changelog

Summary by CodeRabbit

• Bug Fixes
• Improved TLS certificate handling for image stream operations: when the feature is enabled the operator will attempt to load a cluster TLS certificate, log a warning if it is missing, and only fail when unexpected retrieval errors occur. Valid certificates are now applied to controller configuration; missing or empty certificate entries are ignored with a warning.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.