diff --git a/cmd/machine-config-controller/start.go b/cmd/machine-config-controller/start.go index dbf75b8312..5acab028d2 100644 --- a/cmd/machine-config-controller/start.go +++ b/cmd/machine-config-controller/start.go @@ -120,6 +120,7 @@ func createControllers(ctx *ctrlcommon.ControllerContext) []ctrlcommon.Controlle ctx.InformerFactory.Machineconfiguration().V1().ControllerConfigs(), ctx.InformerFactory.Machineconfiguration().V1().ContainerRuntimeConfigs(), ctx.ConfigInformerFactory.Config().V1().Images(), + ctx.ConfigInformerFactory.Config().V1().ImageContentPolicies(), ctx.OperatorInformerFactory.Operator().V1alpha1().ImageContentSourcePolicies(), ctx.ConfigInformerFactory.Config().V1().ClusterVersions(), ctx.ClientBuilder.KubeClientOrDie("container-runtime-config-controller"), diff --git a/go.mod b/go.mod index a82625130c..0c64cd0cc7 100644 --- a/go.mod +++ b/go.mod @@ -35,9 +35,9 @@ require ( github.com/imdario/mergo v0.3.12 github.com/mattn/go-isatty v0.0.12 // indirect github.com/opencontainers/go-digest v1.0.0 - github.com/openshift/api v0.0.0-20210924154557-a4f696157341 - github.com/openshift/client-go v0.0.0-20210916133943-9acee1a0fb83 - github.com/openshift/library-go v0.0.0-20210930103404-8911cacccb05 + github.com/openshift/api v0.0.0-20210927171657-636513e97fda + github.com/openshift/client-go v0.0.0-20210927134410-067cd720e52a + github.com/openshift/library-go v0.0.0-20210906100234-6754cfd64cb5 github.com/openshift/runtime-utils v0.0.0-20210722191527-8b8348d80d1d github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.11.0 
@@ -70,7 +70,7 @@ replace (
 github.com/godbus/dbus => github.com/godbus/dbus v0.0.0-20190623212516-8a1682060722
 github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.4.1
 github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v0.1.2-0.20190408193819-a1b50f621a48
- github.com/openshift/api => github.com/openshift/api v0.0.0-20210924154557-a4f696157341
+ github.com/openshift/api => github.com/openshift/api v0.0.0-20210924152358-cda7121b2f52
 github.com/openshift/cluster-api => github.com/openshift/cluster-api v0.0.0-20191129101638-b09907ac6668
 github.com/securego/gosec => github.com/securego/gosec v0.0.0-20190709033609-4b59c948083c
 k8s.io/api => k8s.io/api v0.22.1
@@ -100,3 +100,5 @@ replace (
 k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.22.1
 k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.22.1
 )
+
+replace github.com/openshift/runtime-utils => github.com/QiWang19/runtime-utils v0.0.0-20210930174628-6eb5b615b71d
diff --git a/go.sum b/go.sum
index 7db2bcc6b8..c70b828c07 100644
--- a/go.sum
+++ b/go.sum
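Review bot: The `replace github.com/openshift/runtime-utils => github.com/QiWang19/runtime-utils v0.0.0-20210930174628-6eb5b615b71d` line added at the end of go.mod makes the controller build against a personal fork instead of the openshift organisation's module. The code in this commit that rewrites registries.conf appears to call into that module (`registries.EditRegistriesConfig`), so the fork's contents decide which mirrors nodes end up pulling from. The change should be merged upstream and the replace dropped before this lands, or at least carry a comment such as `// temporary: remove once openshift/runtime-utils has ImageContentPolicy support`. The earlier replace hunk has a related problem: `github.com/openshift/api` is required at `v0.0.0-20210927171657-636513e97fda` but replaced with `v0.0.0-20210924152358-cda7121b2f52`, so the required version is not the one that gets built.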
@@ -104,6 +104,8 @@ github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tN github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/QiWang19/runtime-utils v0.0.0-20210930174628-6eb5b615b71d h1:y5NimrgDusOrIXDV4HhDxcf8d1Bbolbsy1Kntw3z1VI= +github.com/QiWang19/runtime-utils v0.0.0-20210930174628-6eb5b615b71d/go.mod h1:xcwHYhGPZFBXK687HUZ4AY2kn1vQu05vmNcIPI6JT4g= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= 
@@ -871,17 +873,15 @@ github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqi github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo= github.com/opencontainers/selinux v1.8.2 h1:c4ca10UMgRcvZ6h0K4HtS15UaVSBEaE+iln2LVpAuGc= github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= -github.com/openshift/api v0.0.0-20210924154557-a4f696157341 h1:UUFuSm+bNyMr0Bf8CTY1eDbEmB2DiO8zENK850DgAMU= -github.com/openshift/api v0.0.0-20210924154557-a4f696157341/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/build-machinery-go v0.0.0-20200211121458-5e3d6e570160/go.mod h1:1CkcsT3aVebzRBzVTSbiKSkJMsC/CASqxesfqEMfJEc= +github.com/openshift/api v0.0.0-20210924152358-cda7121b2f52 h1:/Psrr5UV6fqPYvN+mzTxsdiKYn8qPXZuHEe5lWfF1dA= +github.com/openshift/api v0.0.0-20210924152358-cda7121b2f52/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= -github.com/openshift/client-go v0.0.0-20210916133943-9acee1a0fb83 h1:TGBy40xVBCqDqvu8gaakva4u+08JtOt/LfekiwbCMyc= -github.com/openshift/client-go v0.0.0-20210916133943-9acee1a0fb83/go.mod h1:iSeqKIqUKxVec3gV1kNvwS1tjDpzpdP134RimkLc3BE= -github.com/openshift/library-go v0.0.0-20210930103404-8911cacccb05 h1:fqacx32b0XdTNe5yU6rvkkI9UPl1R2ztN8vXWy/6/8U= -github.com/openshift/library-go v0.0.0-20210930103404-8911cacccb05/go.mod h1:b1cKE6TuNqjl7wT0y3W4g0qREuab1mH6WOJm9pT8L/A= -github.com/openshift/runtime-utils v0.0.0-20210722191527-8b8348d80d1d h1:lmhB56wFIB/CBhjiZTd1IinQz9OFoNet8OYBQF59Z0I= -github.com/openshift/runtime-utils v0.0.0-20210722191527-8b8348d80d1d/go.mod h1:H2kQ7bM4oYJk8G+N9ybDDlTg45V10G/+h2xL8zmjjHU= +github.com/openshift/client-go 
v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= +github.com/openshift/client-go v0.0.0-20210927134410-067cd720e52a h1:hgDqZDU+q4YTNqmgMTy4aEuhTnyWTZaEC5OMi3CeWyo= +github.com/openshift/client-go v0.0.0-20210927134410-067cd720e52a/go.mod h1:hvUrAN65G/TvcwbY4PDOkS0lao0dAl7SaHvcPJvpr7o= +github.com/openshift/library-go v0.0.0-20210906100234-6754cfd64cb5 h1:hz4W1nHi2xZZUGh9cTj7mqRQ4HGO6J35w02B4JimURs= +github.com/openshift/library-go v0.0.0-20210906100234-6754cfd64cb5/go.mod h1:fKtzrsRXSWMLiBT1SM8cEVT2YyL7ihx/TEuT3gmgFgQ= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= diff --git a/manifests/machineconfigcontroller/clusterrole.yaml b/manifests/machineconfigcontroller/clusterrole.yaml index 9462d6ecea..80845c8708 100644 --- a/manifests/machineconfigcontroller/clusterrole.yaml +++ b/manifests/machineconfigcontroller/clusterrole.yaml @@ -19,6 +19,9 @@ rules: - apiGroups: ["config.openshift.io"] resources: ["schedulers", "apiservers"] verbs: ["get", "list", "watch"] +- apiGroups: ["config.openshift.io"] + resources: ["imagecontentpolicies"] + verbs: ["get", "list", "watch"] - apiGroups: ["operator.openshift.io"] resources: ["imagecontentsourcepolicies"] verbs: ["get", "list", "watch"] diff --git a/pkg/controller/container-runtime-config/container_runtime_config_controller.go b/pkg/controller/container-runtime-config/container_runtime_config_controller.go index c0bd2e06f0..412b7c7d94 100644 --- a/pkg/controller/container-runtime-config/container_runtime_config_controller.go +++ b/pkg/controller/container-runtime-config/container_runtime_config_controller.go 
@@ -89,6 +89,9 @@ type Controller struct { imgLister cligolistersv1.ImageLister imgListerSynced cache.InformerSynced + icpLister cligolistersv1.ImageContentPolicyLister + icpListerSynced cache.InformerSynced + icspLister operatorlistersv1alpha1.ImageContentSourcePolicyLister icspListerSynced cache.InformerSynced @@ -109,6 +112,7 @@ func New( ccInformer mcfginformersv1.ControllerConfigInformer, mcrInformer mcfginformersv1.ContainerRuntimeConfigInformer, imgInformer cligoinformersv1.ImageInformer, + icpInformer cligoinformersv1.ImageContentPolicyInformer, icspInformer operatorinformersv1alpha1.ImageContentSourcePolicyInformer, clusterVersionInformer cligoinformersv1.ClusterVersionInformer, kubeClient clientset.Interface, @@ -140,6 +144,12 @@ func New( DeleteFunc: ctrl.imageConfDeleted, }) + icpInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: ctrl.icpConfAdded, + UpdateFunc: ctrl.icpConfUpdated, + DeleteFunc: ctrl.icpConfDeleted, + }) + icspInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ AddFunc: ctrl.icspConfAdded, UpdateFunc: ctrl.icspConfUpdated, @@ -162,6 +172,9 @@ func New( ctrl.imgLister = imgInformer.Lister() ctrl.imgListerSynced = imgInformer.Informer().HasSynced + ctrl.icpLister = icpInformer.Lister() + ctrl.icpListerSynced = icpInformer.Informer().HasSynced + ctrl.icspLister = icspInformer.Lister() ctrl.icspListerSynced = icspInformer.Informer().HasSynced @@ -178,7 +191,7 @@ func (ctrl *Controller) Run(workers int, stopCh <-chan struct{}) { defer ctrl.imgQueue.ShutDown() if !cache.WaitForCacheSync(stopCh, ctrl.mcpListerSynced, ctrl.mccrListerSynced, ctrl.ccListerSynced, - ctrl.imgListerSynced, ctrl.icspListerSynced, ctrl.clusterVersionListerSynced) { + ctrl.imgListerSynced, ctrl.icpListerSynced, ctrl.icspListerSynced, ctrl.clusterVersionListerSynced) { return } 
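Review bot: Adding `ctrl.icpListerSynced` to the `cache.WaitForCacheSync` call in Run makes controller start-up depend on the ImageContentPolicy informer syncing. If the imagecontentpolicies CRD is not served on a cluster (for example part-way through an upgrade; the page does not show how the CRD is installed, so this is an assumption), that informer would presumably never sync and Run would block here until stopCh closes, taking the existing ContainerRuntimeConfig and Image handling down with it. It is worth confirming that the CRD is guaranteed to exist before this controller starts and recording that above the call, e.g. `// the ImageContentPolicy CRD must be installed before the controller starts, otherwise this never returns`. Run's body continues outside the hunk.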
@@ -217,6 +230,18 @@ func (ctrl *Controller) imageConfDeleted(obj interface{}) { ctrl.imgQueue.Add("openshift-config") } +func (ctrl *Controller) icpConfAdded(obj interface{}) { + ctrl.imgQueue.Add("openshift-config") +} + +func (ctrl *Controller) icpConfUpdated(oldObj, newObj interface{}) { + ctrl.imgQueue.Add("openshift-config") +} + +func (ctrl *Controller) icpConfDeleted(obj interface{}) { + ctrl.imgQueue.Add("openshift-config") +} + func (ctrl *Controller) icspConfAdded(obj interface{}) { ctrl.imgQueue.Add("openshift-config") } @@ -669,6 +694,7 @@ func (ctrl *Controller) mergeConfigChanges(origFile *ign3types.File, cfg *mcfgv1 return cfgTOML, ctrl.syncStatusOnly(cfg, nil) } +// nolint:gocyclo func (ctrl *Controller) syncImageConfig(key string) error { startTime := time.Now() glog.V(4).Infof("Started syncing ImageConfig %q (%v)", key, startTime) @@ -716,6 +742,18 @@ func (ctrl *Controller) syncImageConfig(key string) error { return fmt.Errorf("could not get ControllerConfig %v", err) } + // Find all ImageContentPolicy objects + icpRules, err := ctrl.icpLister.List(labels.Everything()) + if err != nil && errors.IsNotFound(err) { + icpRules = []*apicfgv1.ImageContentPolicy{} + } else if err != nil { + return err + } + if err = validateICPRules(icpRules); err != nil { + return err + } + glog.Info("getting all icpRules", icpRules) + // Find all ImageContentSourcePolicy objects icspRules, err := ctrl.icspLister.List(labels.Everything()) if err != nil && errors.IsNotFound(err) { @@ -723,6 +761,7 @@ func (ctrl *Controller) syncImageConfig(key string) error { } else if err != nil { return err } + icpRules = mergeToICPRules(icspRules, icpRules) sel, err := metav1.LabelSelectorAsSelector(metav1.AddLabelToSelector(&metav1.LabelSelector{}, builtInLabelKey, "")) if err != nil { 
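Review bot: `glog.Info("getting all icpRules", icpRules)` in syncImageConfig looks like leftover debug output: it runs at default verbosity on every image-config sync, and because icpRules is a slice of pointers it prints addresses rather than the policies. Replace it with something like `glog.V(4).Infof("found %d ImageContentPolicy objects", len(icpRules))`. The error from `validateICPRules` is also returned bare, so a failed sync will not say that the failure came from ImageContentPolicy validation; `return fmt.Errorf("invalid ImageContentPolicy configuration: %w", err)` would make that clear to whoever reads the controller log. syncImageConfig's body starts and ends outside the hunk.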
@@ -745,7 +784,7 @@ func (ctrl *Controller) syncImageConfig(key string) error { if err := retry.RetryOnConflict(updateBackoff, func() error { registriesIgn, err := registriesConfigIgnition(ctrl.templatesDir, controllerConfig, role, imgcfg.Spec.RegistrySources.InsecureRegistries, blockedRegs, imgcfg.Spec.RegistrySources.AllowedRegistries, - imgcfg.Spec.RegistrySources.ContainerRuntimeSearchRegistries, icspRules) + imgcfg.Spec.RegistrySources.ContainerRuntimeSearchRegistries, icpRules) if err != nil { return err } @@ -806,7 +845,7 @@ func (ctrl *Controller) syncImageConfig(key string) error { } func registriesConfigIgnition(templateDir string, controllerConfig *mcfgv1.ControllerConfig, role string, - insecureRegs, blockedRegs, allowedRegs, searchRegs []string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) (*ign3types.Config, error) { + insecureRegs, blockedRegs, allowedRegs, searchRegs []string, icpRules []*apicfgv1.ImageContentPolicy) (*ign3types.Config, error) { var ( registriesTOML []byte @@ -819,7 +858,7 @@ func registriesConfigIgnition(templateDir string, controllerConfig *mcfgv1.Contr return nil, fmt.Errorf("could not generate origin ContainerRuntime Configs: %v", err) } - if insecureRegs != nil || blockedRegs != nil || len(icspRules) != 0 { + if insecureRegs != nil || blockedRegs != nil || len(icpRules) != 0 { if originalRegistriesIgn.Contents.Source == nil { return nil, fmt.Errorf("original registries config is empty") } @@ -827,7 +866,7 @@ func registriesConfigIgnition(templateDir string, controllerConfig *mcfgv1.Contr if err != nil { return nil, fmt.Errorf("could not decode original registries config: %v", err) } - registriesTOML, err = updateRegistriesConfig(dataURL.Data, insecureRegs, blockedRegs, icspRules) + registriesTOML, err = updateRegistriesConfig(dataURL.Data, insecureRegs, blockedRegs, icpRules) if err != nil { return nil, fmt.Errorf("could not update registries config with new changes: %v", err) } 
@@ -881,6 +920,9 @@ func RunImageBootstrap(templateDir string, controllerConfig *mcfgv1.ControllerCo } } + icpRules := []*apicfgv1.ImageContentPolicy{} + icpRules = mergeToICPRules(icspRules, icpRules) + var res []*mcfgv1.MachineConfig for _, pool := range mcpPools { role := pool.Name @@ -889,7 +931,7 @@ func RunImageBootstrap(templateDir string, controllerConfig *mcfgv1.ControllerCo return nil, err } registriesIgn, err := registriesConfigIgnition(templateDir, controllerConfig, role, - insecureRegs, blockedRegs, allowedRegs, searchRegs, icspRules) + insecureRegs, blockedRegs, allowedRegs, searchRegs, icpRules) if err != nil { return nil, err } diff --git a/pkg/controller/container-runtime-config/container_runtime_config_controller_test.go b/pkg/controller/container-runtime-config/container_runtime_config_controller_test.go index 04f4cf518f..816e18e574 100644 --- a/pkg/controller/container-runtime-config/container_runtime_config_controller_test.go +++ b/pkg/controller/container-runtime-config/container_runtime_config_controller_test.go @@ -179,6 +179,7 @@ func (f *fixture) newController() *Controller { i.Machineconfiguration().V1().ControllerConfigs(), i.Machineconfiguration().V1().ContainerRuntimeConfigs(), ci.Config().V1().Images(), + ci.Config().V1().ImageContentPolicies(), oi.Operator().V1alpha1().ImageContentSourcePolicies(), ci.Config().V1().ClusterVersions(), k8sfake.NewSimpleClientset(), f.client, f.imgClient) 
@@ -353,9 +354,10 @@ func verifyRegistriesConfigAndPolicyJSONContents(t *testing.T, mc *mcfgv1.Machin // configuration file. // First get the valid blocked registries to ensure we don't block the registry where the release image is from blockedRegistries, _ := getValidBlockedRegistries(releaseImageReg, &imgcfg.Spec) + icps := mergeToICPRules(icsps, []*apicfgv1.ImageContentPolicy{}) expectedRegistriesConf, err := updateRegistriesConfig(templateRegistriesConfig, imgcfg.Spec.RegistrySources.InsecureRegistries, - blockedRegistries, icsps) + blockedRegistries, icps) require.NoError(t, err) assert.Equal(t, mcName, mc.ObjectMeta.Name) diff --git a/pkg/controller/container-runtime-config/helpers.go b/pkg/controller/container-runtime-config/helpers.go index 5055c26900..5526bdbae6 100644 --- a/pkg/controller/container-runtime-config/helpers.go +++ b/pkg/controller/container-runtime-config/helpers.go 
@@ -356,17 +356,66 @@ func updateSearchRegistriesConfig(searchRegs []string) []generatedConfigFile { return generatedConfigFileList } -func updateRegistriesConfig(data []byte, internalInsecure, internalBlocked []string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) ([]byte, error) { +// mergeToICPRules converts specs of ImageContentPolicy objects to ImageContentPolicy spec and adds it to the currnt icpRules +// hornors the contents of ImageContentPolicy if there is confict between ImageContentPolicy and ImageContentPolicy on the source field +func mergeToICPRules(icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy, icpRules []*apicfgv1.ImageContentPolicy) []*apicfgv1.ImageContentPolicy { + + if len(icspRules) == 0 && len(icpRules) == 0 { + return icpRules + } + if len(icspRules) == 0 { + return icpRules + } + icpSourceSet := make(map[string]bool) + for _, icp := range icpRules { + for _, mirrorSet := range icp.Spec.RepositoryDigestMirrors { + if _, ok := icpSourceSet[mirrorSet.Source]; !ok { + icpSourceSet[mirrorSet.Source] = true + } + } + } + + var icpRepoDigestMirrors []apicfgv1.RepositoryDigestMirrors + for _, icsp := range icspRules { + for _, mirrorSet := range icsp.Spec.RepositoryDigestMirrors { + if _, ok := icpSourceSet[mirrorSet.Source]; ok { + continue + } + var icpMirrors []apicfgv1.Mirror + for _, mirror := range mirrorSet.Mirrors { + icpMirrors = append(icpMirrors, apicfgv1.Mirror(mirror)) + } + icpRepoDigestMirror := apicfgv1.RepositoryDigestMirrors{ + Source: mirrorSet.Source, + Mirrors: icpMirrors, + } + icpRepoDigestMirrors = append(icpRepoDigestMirrors, icpRepoDigestMirror) + } + } + icpRule := &apicfgv1.ImageContentPolicy{ + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: icpRepoDigestMirrors, + }, + } + icpRules = append(icpRules, icpRule) + return icpRules +} + +func updateRegistriesConfig(data []byte, internalInsecure, internalBlocked []string, icpRules []*apicfgv1.ImageContentPolicy) ([]byte, error) { 
tomlConf := sysregistriesv2.V2RegistriesConf{} if _, err := toml.Decode(string(data), &tomlConf); err != nil { return nil, fmt.Errorf("error unmarshalling registries config: %v", err) } - if err := validateRegistriesConfScopes(internalInsecure, internalBlocked, []string{}, icspRules); err != nil { + if len(icpRules) != 0 { + glog.V(2).Infoln("icpRules configured: ", icpRules) + } + + if err := validateRegistriesConfScopes(internalInsecure, internalBlocked, []string{}, icpRules); err != nil { return nil, err } - if err := registries.EditRegistriesConfig(&tomlConf, internalInsecure, internalBlocked, icspRules); err != nil { + if err := registries.EditRegistriesConfig(&tomlConf, internalInsecure, internalBlocked, icpRules); err != nil { return nil, err } @@ -505,7 +554,7 @@ func getValidBlockedRegistries(releaseImage string, imgSpec *apicfgv1.ImageSpec) return blockedRegs, nil } -func validateRegistriesConfScopes(insecure, blocked, allowed []string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) error { +func validateRegistriesConfScopes(insecure, blocked, allowed []string, icpRules []*apicfgv1.ImageContentPolicy) error { for _, scope := range insecure { if !registries.IsValidRegistriesConfScope(scope) { return fmt.Errorf("invalid entry for insecure registries %q", scope) @@ -524,13 +573,13 @@ func validateRegistriesConfScopes(insecure, blocked, allowed []string, icspRules } } - for _, icsp := range icspRules { + for _, icsp := range icpRules { for _, mirrorSet := range icsp.Spec.RepositoryDigestMirrors { if strings.Contains(mirrorSet.Source, "*") { return fmt.Errorf("wildcard entries are not supported with mirror configuration %q", mirrorSet.Source) } for _, mirror := range mirrorSet.Mirrors { - if strings.Contains(mirror, "*") { + if strings.Contains(string(mirror), "*") { return fmt.Errorf("wildcard entries are not supported with mirror configuration %q", mirror) } } 
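Review bot: In mergeToICPRules, an ImageContentSourcePolicy mirror set whose source also appears in an ImageContentPolicy is skipped by the bare `continue` with no log line or status, so an administrator's existing ICSP mirrors for that source stop applying without any trace. Since these rules decide which registries nodes pull from, log the drop before the `continue`, e.g. `glog.Warningf("ignoring ImageContentSourcePolicy mirrors for source %q: an ImageContentPolicy already configures it", mirrorSet.Source)`. The doc comment also needs correcting: it says the function converts ImageContentPolicy objects and resolves conflicts "between ImageContentPolicy and ImageContentPolicy", where ImageContentSourcePolicy is meant as the first of each pair, and it contains the typos "currnt", "hornors" and "confict". The first check, `if len(icspRules) == 0 && len(icpRules) == 0`, is redundant with the `if len(icspRules) == 0` that follows it.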
@@ -539,3 +588,21 @@ func validateRegistriesConfScopes(insecure, blocked, allowed []string, icspRules } return nil } + +// validateICPRules validate that the user does not apply conlicting values of allowMirrorByTags among pre-existing and newly added ImageContentPolicy CR. +// returns error if there the conflict exists +func validateICPRules(icpRules []*apicfgv1.ImageContentPolicy) error { + allowMirror := make(map[string]bool) + for _, icp := range icpRules { + for _, repoMirror := range icp.Spec.RepositoryDigestMirrors { + v, ok := allowMirror[repoMirror.Source] + glog.Infof("source: %v, allowTag: %v, nil: %v", repoMirror.Source, repoMirror.AllowMirrorByTags, repoMirror.AllowMirrorByTags == nil) + if !ok { + allowMirror[repoMirror.Source] = *repoMirror.AllowMirrorByTags + } else if v != *repoMirror.AllowMirrorByTags { + return fmt.Errorf("conflicting value of allowMirrorByTags for the same souce %v", repoMirror.Source) + } + } + } + return nil +} diff --git a/pkg/controller/container-runtime-config/helpers_test.go b/pkg/controller/container-runtime-config/helpers_test.go index 6cad236a4a..75c4cb98ef 100644 --- a/pkg/controller/container-runtime-config/helpers_test.go +++ b/pkg/controller/container-runtime-config/helpers_test.go @@ -12,6 +12,7 @@ import ( "github.com/containers/image/v5/pkg/sysregistriesv2" signature "github.com/containers/image/v5/signature" "github.com/containers/image/v5/types" + apicfgv1 "github.com/openshift/api/config/v1" apioperatorsv1alpha1 "github.com/openshift/api/operator/v1alpha1" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -31,6 +32,7 @@ func TestUpdateRegistriesConfig(t *testing.T) { name string insecure, blocked []string icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy + icpRules []*apicfgv1.ImageContentPolicy want sysregistriesv2.V2RegistriesConf }{ { 
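Review bot: validateICPRules dereferences `*repoMirror.AllowMirrorByTags` in both branches without a nil check, but this commit's vendored type makes the field an optional `*bool` with `omitempty`, so any ImageContentPolicy that omits allowMirrorByTags would panic the controller during sync. Resolve the pointer once, e.g. `allow := repoMirror.AllowMirrorByTags != nil && *repoMirror.AllowMirrorByTags`, then store and compare `allow` instead of the dereference; treating unset as false matches the "explicit false or leave the default" case in the test. The `glog.Infof("source: %v, allowTag: %v, nil: %v", ...)` line is debug output that runs for every mirror set on every sync and prints the pointer rather than the value, so drop it or move it behind `glog.V(4)`. The error text also misspells "source" as "souce".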
@@ -120,6 +122,104 @@ func TestUpdateRegistriesConfig(t *testing.T) { }, }, + { + Endpoint: sysregistriesv2.Endpoint{ + Location: "other.com/ns-o3", + }, + MirrorByDigestOnly: true, + Mirrors: []sysregistriesv2.Endpoint{ + {Location: "insecure.com/ns-i2", Insecure: true}, + {Location: "blocked.com/ns-b/ns3-b"}, + {Location: "foo.insecure-example.com/bar", Insecure: true}, + }, + }, + { + Endpoint: sysregistriesv2.Endpoint{ + Location: "blocked.com", + }, + Blocked: true, + }, + { + Prefix: "*.blocked.insecure-example.com", + Blocked: true, + Endpoint: sysregistriesv2.Endpoint{ + Location: "", + Insecure: true, + }, + }, + { + Prefix: "*.blocked-example.com", + Endpoint: sysregistriesv2.Endpoint{ + Location: "", + }, + Blocked: true, + }, + { + Endpoint: sysregistriesv2.Endpoint{ + Location: "insecure.com", + Insecure: true, + }, + }, + { + Prefix: "*.insecure-example.com", + Endpoint: sysregistriesv2.Endpoint{ + Location: "", + Insecure: true, + }, + }, + { + Prefix: "*.insecure.blocked-example.com", + Blocked: true, + Endpoint: sysregistriesv2.Endpoint{ + Location: "", + Insecure: true, + }, + }, + }, + }, + }, + { + name: "icp,insecure+blocked prefixes with wildcard entries", + insecure: []string{"insecure.com", "*.insecure-example.com", "*.insecure.blocked-example.com"}, + blocked: []string{"blocked.com", "*.blocked.insecure-example.com", "*.blocked-example.com"}, + icpRules: []*apicfgv1.ImageContentPolicy{ + { + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: []apicfgv1.RepositoryDigestMirrors{ // other.com is neither insecure nor blocked + {Source: "insecure.com/ns-i1", Mirrors: []apicfgv1.Mirror{"blocked.com/ns-b1", "other.com/ns-o1"}}, + {Source: "blocked.com/ns-b/ns2-b", Mirrors: []apicfgv1.Mirror{"other.com/ns-o2", "insecure.com/ns-i2"}}, + {Source: "other.com/ns-o3", Mirrors: []apicfgv1.Mirror{"insecure.com/ns-i2", "blocked.com/ns-b/ns3-b", "foo.insecure-example.com/bar"}}, + }, + }, + }, + }, + want: sysregistriesv2.V2RegistriesConf{ + 
UnqualifiedSearchRegistries: []string{"registry.access.redhat.com", "docker.io"}, + Registries: []sysregistriesv2.Registry{ + { + Endpoint: sysregistriesv2.Endpoint{ + Location: "blocked.com/ns-b/ns2-b", + }, + Blocked: true, + MirrorByDigestOnly: true, + Mirrors: []sysregistriesv2.Endpoint{ + {Location: "other.com/ns-o2"}, + {Location: "insecure.com/ns-i2", Insecure: true}, + }, + }, + + { + Endpoint: sysregistriesv2.Endpoint{ + Location: "insecure.com/ns-i1", + Insecure: true, + }, + MirrorByDigestOnly: true, + Mirrors: []sysregistriesv2.Endpoint{ + {Location: "blocked.com/ns-b1"}, + {Location: "other.com/ns-o1"}, + }, + }, + { Endpoint: sysregistriesv2.Endpoint{ Location: "other.com/ns-o3", @@ -179,7 +279,8 @@ func TestUpdateRegistriesConfig(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := updateRegistriesConfig(templateBytes, tt.insecure, tt.blocked, tt.icspRules) + icpRules := mergeToICPRules(tt.icspRules, tt.icpRules) + got, err := updateRegistriesConfig(templateBytes, tt.insecure, tt.blocked, icpRules) if err != nil { t.Errorf("updateRegistriesConfig() error = %v", err) return 
@@ -293,3 +394,157 @@ func TestUpdatePolicyJSON(t *testing.T) { }) } } + +func TestMergeToICPRules(t *testing.T) { + for _, tc := range []struct { + icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy + icpRules []*apicfgv1.ImageContentPolicy + expected []*apicfgv1.ImageContentPolicy + }{ + { + // convert icsp rules to apicfgv1.ImageContentPolicy, expect icpRules + icspRules: []*apioperatorsv1alpha1.ImageContentSourcePolicy{ + { + Spec: apioperatorsv1alpha1.ImageContentSourcePolicySpec{ + RepositoryDigestMirrors: []apioperatorsv1alpha1.RepositoryDigestMirrors{ + {Source: "insecure.com/ns-i1", Mirrors: []string{"blocked.com/ns-b1", "other.com/ns-o1"}}, + {Source: "blocked.com/ns-b/ns2-b", Mirrors: []string{"other.com/ns-o2", "insecure.com/ns-i2"}}, + {Source: "other.com/ns-o3", Mirrors: []string{"insecure.com/ns-i2", "blocked.com/ns-b/ns3-b", "foo.insecure-example.com/bar"}}, + }, + }, + }, + { + Spec: apioperatorsv1alpha1.ImageContentSourcePolicySpec{ + RepositoryDigestMirrors: []apioperatorsv1alpha1.RepositoryDigestMirrors{ + {Source: "other.com/ns-o3", Mirrors: []string{"insecure.com/ns-i2", "blocked.com/ns-b/ns3-b", "foo.insecure-example.com/bar"}}, + }, + }, + }, + }, + icpRules: []*apicfgv1.ImageContentPolicy{}, + expected: []*apicfgv1.ImageContentPolicy{ + { + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: []apicfgv1.RepositoryDigestMirrors{ + {Source: "insecure.com/ns-i1", Mirrors: []apicfgv1.Mirror{"blocked.com/ns-b1", "other.com/ns-o1"}}, + {Source: "blocked.com/ns-b/ns2-b", Mirrors: []apicfgv1.Mirror{"other.com/ns-o2", "insecure.com/ns-i2"}}, + {Source: "other.com/ns-o3", Mirrors: []apicfgv1.Mirror{"insecure.com/ns-i2", "blocked.com/ns-b/ns3-b", "foo.insecure-example.com/bar"}}, + {Source: "other.com/ns-o3", Mirrors: []apicfgv1.Mirror{"insecure.com/ns-i2", "blocked.com/ns-b/ns3-b", "foo.insecure-example.com/bar"}}, + }, + }, + }, + }, + }, + { + // convert and append the icsprules to icprules, except the conflic setting for the 
same source + icspRules: []*apioperatorsv1alpha1.ImageContentSourcePolicy{ + { + Spec: apioperatorsv1alpha1.ImageContentSourcePolicySpec{ + RepositoryDigestMirrors: []apioperatorsv1alpha1.RepositoryDigestMirrors{ + {Source: "insecure.com/ns-i1", Mirrors: []string{"blocked.com/ns-b1", "other.com/ns-o1"}}, + {Source: "other.com/ns-o3", Mirrors: []string{"insecure.com/ns-i2", "blocked.com/ns-b/ns3-b", "foo.insecure-example.com/bar"}}, + }, + }, + }, + { + Spec: apioperatorsv1alpha1.ImageContentSourcePolicySpec{ + RepositoryDigestMirrors: []apioperatorsv1alpha1.RepositoryDigestMirrors{ + {Source: "other.com/ns-o3", Mirrors: []string{"insecure.com/ns-i2", "blocked.com/ns-b/ns3-b", "foo.insecure-example.com/bar"}}, + }, + }, + }, + }, + icpRules: []*apicfgv1.ImageContentPolicy{ + { + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: []apicfgv1.RepositoryDigestMirrors{ + {Source: "insecure.com/ns-i1", Mirrors: []apicfgv1.Mirror{"blocked.com/ns-b1"}, AllowMirrorByTags: true}, + {Source: "blocked.com/ns-b/ns2-b", Mirrors: []apicfgv1.Mirror{"other.com/ns-o2", "insecure.com/ns-i2"}}, + }, + }, + }, + }, + expected: []*apicfgv1.ImageContentPolicy{ + { + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: []apicfgv1.RepositoryDigestMirrors{ + {Source: "insecure.com/ns-i1", Mirrors: []apicfgv1.Mirror{"blocked.com/ns-b1"}, AllowMirrorByTags: true}, + {Source: "blocked.com/ns-b/ns2-b", Mirrors: []apicfgv1.Mirror{"other.com/ns-o2", "insecure.com/ns-i2"}}, + }, + }, + }, + { + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: []apicfgv1.RepositoryDigestMirrors{ + {Source: "other.com/ns-o3", Mirrors: []apicfgv1.Mirror{"insecure.com/ns-i2", "blocked.com/ns-b/ns3-b", "foo.insecure-example.com/bar"}}, + {Source: "other.com/ns-o3", Mirrors: []apicfgv1.Mirror{"insecure.com/ns-i2", "blocked.com/ns-b/ns3-b", "foo.insecure-example.com/bar"}}, + }, + }, + }, + }, + }, + } { + res := mergeToICPRules(tc.icspRules, tc.icpRules) + if 
!reflect.DeepEqual(res, tc.expected) { + t.Errorf("mergeToICPRules() Diff:\n %s", diff.ObjectGoPrintDiff(tc.expected, res)) + } + } +} + +func TestValidateICPRules(t *testing.T) { + for _, tc := range []struct { + icpRules []*apicfgv1.ImageContentPolicy + expectErr error + }{ + { + icpRules: []*apicfgv1.ImageContentPolicy{}, + expectErr: nil, + }, + { + // valid case + icpRules: []*apicfgv1.ImageContentPolicy{ + { + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: []apicfgv1.RepositoryDigestMirrors{ + {Source: "insecure.com/ns-i1", Mirrors: []apicfgv1.Mirror{"blocked.com/ns-b1"}, AllowMirrorByTags: true}, + {Source: "blocked.com/ns-b/ns2-b", Mirrors: []apicfgv1.Mirror{"other.com/ns-o2"}}, + {Source: "blocked.com/ns-b/ns2-b", Mirrors: []apicfgv1.Mirror{"insecure.com/ns-i2"}}, + }, + }, + }, + { + // no conflict duplicate previouse spec + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: []apicfgv1.RepositoryDigestMirrors{ + {Source: "insecure.com/ns-i1", Mirrors: []apicfgv1.Mirror{"blocked.com/ns-b1"}, AllowMirrorByTags: true}, + {Source: "blocked.com/ns-b/ns2-b", Mirrors: []apicfgv1.Mirror{"other.com/ns-o2"}}, + {Source: "blocked.com/ns-b/ns2-b", Mirrors: []apicfgv1.Mirror{"insecure.com/ns-i2"}}, + }, + }, + }, + { + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: []apicfgv1.RepositoryDigestMirrors{ + // no conflict add new source + {Source: "other.com/ns-b/ns2-b", Mirrors: []apicfgv1.Mirror{"other.com/ns-o2", "insecure.com/ns-i2"}}, + }, + }, + }, + { + // no conflict explicit false or leave the default + Spec: apicfgv1.ImageContentPolicySpec{ + RepositoryDigestMirrors: []apicfgv1.RepositoryDigestMirrors{ + {Source: "other.com/ns-i1", Mirrors: []apicfgv1.Mirror{"blocked.com/ns-b1"}, AllowMirrorByTags: true}, + {Source: "other.com/ns-i2", Mirrors: []apicfgv1.Mirror{"blocked.com/ns-b1"}}, + {Source: "other.com/ns-i2", Mirrors: []apicfgv1.Mirror{"blocked.com/ns-b1"}, AllowMirrorByTags: false}, + }, + }, + }, + }, + 
expectErr: nil, + }, + } { + err := validateICPRules(tc.icpRules) + require.Equal(t, tc.expectErr, err) + } +} diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go index 59c0d829f2..a3a3027145 100644 --- a/pkg/operator/assets/bindata.go +++ b/pkg/operator/assets/bindata.go @@ -1075,6 +1075,9 @@ rules: - apiGroups: ["config.openshift.io"] resources: ["schedulers", "apiservers"] verbs: ["get", "list", "watch"] +- apiGroups: ["config.openshift.io"] + resources: ["imagecontentpolicies"] + verbs: ["get", "list", "watch"] - apiGroups: ["operator.openshift.io"] resources: ["imagecontentsourcepolicies"] verbs: ["get", "list", "watch"] diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go index 51e5877641..2b3f4cb642 100644 --- a/vendor/github.com/openshift/api/config/v1/types_feature.go +++ b/vendor/github.com/openshift/api/config/v1/types_feature.go @@ -117,8 +117,6 @@ var FeatureSets = map[FeatureSet]*FeatureGateEnabledDisabled{ with("CSIMigrationOpenStack"). // sig-storage, jsafrane, Kubernetes feature gate with("CSIMigrationGCE"). // sig-storage, fbertina, Kubernetes feature gate with("CSIMigrationAzureDisk"). // sig-storage, fbertina, Kubernetes feature gate - with("CSIMigrationAzureFile"). // sig-storage, fbertina, Kubernetes feature gate - with("CSIMigrationVSphere"). // sig-storage, fbertina, Kubernetes feature gate with("ExternalCloudProvider"). // sig-cloud-provider, jspeed, OCP specific with("InsightsOperatorPullingSCA"). // insights-operator/ccx, tremes, OCP specific with("CSIDriverSharedResource"). // sig-build, adkaplan, OCP specific diff --git a/vendor/github.com/openshift/api/config/v1/types_image_content_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_content_policy.go index 8ccad9c53e..128593d6ce 100644 --- a/vendor/github.com/openshift/api/config/v1/types_image_content_policy.go 
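Review bot: TestValidateICPRules only contains cases where `expectErr` is nil, so the one error path in validateICPRules (two entries for the same source with different allowMirrorByTags values) is never exercised, and neither is an entry that leaves the field unset. Add a case that sets the same source to true in one policy and false in another and asserts that an error comes back, plus one with the field omitted. The literals `AllowMirrorByTags: true` here and in TestMergeToICPRules also look inconsistent with the `*bool` field in the vendored types_image_content_policy.go from this same commit, so these tests may not compile as written; a small helper returning `*bool` would fix that. Once a failing case exists, `require.Equal(t, tc.expectErr, err)` is better split into `require.Error` and `require.NoError` checks.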
+++ b/vendor/github.com/openshift/api/config/v1/types_image_content_policy.go @@ -71,7 +71,7 @@ type RepositoryDigestMirrors struct { // Pulling images by tag can potentially yield different images, depending on which endpoint // we pull from. Forcing digest-pulls for mirrors avoids that issue. // +optional - AllowMirrorByTags bool `json:"allowMirrorByTags,omitempty"` + AllowMirrorByTags *bool `json:"allowMirrorByTags,omitempty"` // mirrors is zero or more repositories that may also contain the same images. // If the "mirrors" is not specified, the image will continue to be pulled from the specified // repository in the pull spec. No mirror will be configured. diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go index 0f2182d2f5..707e5fc06e 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go @@ -19,6 +19,7 @@ type ConfigV1Interface interface { DNSesGetter FeatureGatesGetter ImagesGetter + ImageContentPoliciesGetter InfrastructuresGetter IngressesGetter NetworksGetter @@ -70,6 +71,10 @@ func (c *ConfigV1Client) Images() ImageInterface { return newImages(c) } +func (c *ConfigV1Client) ImageContentPolicies() ImageContentPolicyInterface { + return newImageContentPolicies(c) +} + func (c *ConfigV1Client) Infrastructures() InfrastructureInterface { return newInfrastructures(c) } diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go index d743f46792..40d153d7c0 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go 
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go @@ -48,6 +48,10 @@ func (c *FakeConfigV1) Images() v1.ImageInterface { return &FakeImages{c} } +func (c *FakeConfigV1) ImageContentPolicies() v1.ImageContentPolicyInterface { + return &FakeImageContentPolicies{c} +} + func (c *FakeConfigV1) Infrastructures() v1.InfrastructureInterface { return &FakeInfrastructures{c} } diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagecontentpolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagecontentpolicy.go new file mode 100644 index 0000000000..1cb92e2ee1 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagecontentpolicy.go 
@@ -0,0 +1,106 @@ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + configv1 "github.com/openshift/api/config/v1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeImageContentPolicies implements ImageContentPolicyInterface +type FakeImageContentPolicies struct { + Fake *FakeConfigV1 +} + +var imagecontentpoliciesResource = schema.GroupVersionResource{Group: "config.openshift.io", Version: "v1", Resource: "imagecontentpolicies"} + +var imagecontentpoliciesKind = schema.GroupVersionKind{Group: "config.openshift.io", Version: "v1", Kind: "ImageContentPolicy"} + +// Get takes name of the imageContentPolicy, and returns the corresponding imageContentPolicy object, and an error if there is any. +func (c *FakeImageContentPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *configv1.ImageContentPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootGetAction(imagecontentpoliciesResource, name), &configv1.ImageContentPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*configv1.ImageContentPolicy), err +} + +// List takes label and field selectors, and returns the list of ImageContentPolicies that match those selectors. +func (c *FakeImageContentPolicies) List(ctx context.Context, opts v1.ListOptions) (result *configv1.ImageContentPolicyList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootListAction(imagecontentpoliciesResource, imagecontentpoliciesKind, opts), &configv1.ImageContentPolicyList{}) + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &configv1.ImageContentPolicyList{ListMeta: obj.(*configv1.ImageContentPolicyList).ListMeta} + for _, item := range obj.(*configv1.ImageContentPolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested imageContentPolicies. +func (c *FakeImageContentPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewRootWatchAction(imagecontentpoliciesResource, opts)) +} + +// Create takes the representation of a imageContentPolicy and creates it. Returns the server's representation of the imageContentPolicy, and an error, if there is any. +func (c *FakeImageContentPolicies) Create(ctx context.Context, imageContentPolicy *configv1.ImageContentPolicy, opts v1.CreateOptions) (result *configv1.ImageContentPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootCreateAction(imagecontentpoliciesResource, imageContentPolicy), &configv1.ImageContentPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*configv1.ImageContentPolicy), err +} + +// Update takes the representation of a imageContentPolicy and updates it. Returns the server's representation of the imageContentPolicy, and an error, if there is any. +func (c *FakeImageContentPolicies) Update(ctx context.Context, imageContentPolicy *configv1.ImageContentPolicy, opts v1.UpdateOptions) (result *configv1.ImageContentPolicy, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootUpdateAction(imagecontentpoliciesResource, imageContentPolicy), &configv1.ImageContentPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*configv1.ImageContentPolicy), err +} + +// Delete takes name of the imageContentPolicy and deletes it. Returns an error if one occurs. +func (c *FakeImageContentPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewRootDeleteAction(imagecontentpoliciesResource, name), &configv1.ImageContentPolicy{}) + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeImageContentPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewRootDeleteCollectionAction(imagecontentpoliciesResource, listOpts) + + _, err := c.Fake.Invokes(action, &configv1.ImageContentPolicyList{}) + return err +} + +// Patch applies the patch and returns the patched imageContentPolicy. +func (c *FakeImageContentPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *configv1.ImageContentPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootPatchSubresourceAction(imagecontentpoliciesResource, name, pt, data, subresources...), &configv1.ImageContentPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*configv1.ImageContentPolicy), err +} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go index 50a4ec7f8f..646801584a 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go 
@@ -20,6 +20,8 @@ type FeatureGateExpansion interface{} type ImageExpansion interface{} +type ImageContentPolicyExpansion interface{} + type InfrastructureExpansion interface{} type IngressExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/imagecontentpolicy.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/imagecontentpolicy.go new file mode 100644 index 0000000000..17c441e5be --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/imagecontentpolicy.go 
@@ -0,0 +1,152 @@ +// Code generated by client-gen. DO NOT EDIT. + +package v1 + +import ( + "context" + "time" + + v1 "github.com/openshift/api/config/v1" + scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ImageContentPoliciesGetter has a method to return a ImageContentPolicyInterface. +// A group's client should implement this interface. +type ImageContentPoliciesGetter interface { + ImageContentPolicies() ImageContentPolicyInterface +} + +// ImageContentPolicyInterface has methods to work with ImageContentPolicy resources. +type ImageContentPolicyInterface interface { + Create(ctx context.Context, imageContentPolicy *v1.ImageContentPolicy, opts metav1.CreateOptions) (*v1.ImageContentPolicy, error) + Update(ctx context.Context, imageContentPolicy *v1.ImageContentPolicy, opts metav1.UpdateOptions) (*v1.ImageContentPolicy, error) + Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error + Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.ImageContentPolicy, error) + List(ctx context.Context, opts metav1.ListOptions) (*v1.ImageContentPolicyList, error) + Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *v1.ImageContentPolicy, err error) + ImageContentPolicyExpansion +} + +// imageContentPolicies implements ImageContentPolicyInterface +type imageContentPolicies struct { + client rest.Interface +} + +// newImageContentPolicies returns a ImageContentPolicies +func newImageContentPolicies(c *ConfigV1Client) *imageContentPolicies { + return &imageContentPolicies{ + client: c.RESTClient(), 
+ } +} + +// Get takes name of the imageContentPolicy, and returns the corresponding imageContentPolicy object, and an error if there is any. +func (c *imageContentPolicies) Get(ctx context.Context, name string, options metav1.GetOptions) (result *v1.ImageContentPolicy, err error) { + result = &v1.ImageContentPolicy{} + err = c.client.Get(). + Resource("imagecontentpolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of ImageContentPolicies that match those selectors. +func (c *imageContentPolicies) List(ctx context.Context, opts metav1.ListOptions) (result *v1.ImageContentPolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1.ImageContentPolicyList{} + err = c.client.Get(). + Resource("imagecontentpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested imageContentPolicies. +func (c *imageContentPolicies) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Resource("imagecontentpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a imageContentPolicy and creates it. Returns the server's representation of the imageContentPolicy, and an error, if there is any. +func (c *imageContentPolicies) Create(ctx context.Context, imageContentPolicy *v1.ImageContentPolicy, opts metav1.CreateOptions) (result *v1.ImageContentPolicy, err error) { + result = &v1.ImageContentPolicy{} + err = c.client.Post(). 
+ Resource("imagecontentpolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(imageContentPolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a imageContentPolicy and updates it. Returns the server's representation of the imageContentPolicy, and an error, if there is any. +func (c *imageContentPolicies) Update(ctx context.Context, imageContentPolicy *v1.ImageContentPolicy, opts metav1.UpdateOptions) (result *v1.ImageContentPolicy, err error) { + result = &v1.ImageContentPolicy{} + err = c.client.Put(). + Resource("imagecontentpolicies"). + Name(imageContentPolicy.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(imageContentPolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the imageContentPolicy and deletes it. Returns an error if one occurs. +func (c *imageContentPolicies) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error { + return c.client.Delete(). + Resource("imagecontentpolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *imageContentPolicies) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Resource("imagecontentpolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched imageContentPolicy. +func (c *imageContentPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *v1.ImageContentPolicy, err error) { + result = &v1.ImageContentPolicy{} + err = c.client.Patch(pt). + Resource("imagecontentpolicies"). + Name(name). + SubResource(subresources...). 
+ VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagecontentpolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagecontentpolicy.go new file mode 100644 index 0000000000..c50ea7b1b2 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagecontentpolicy.go 
@@ -0,0 +1,73 @@ +// Code generated by informer-gen. DO NOT EDIT. + +package v1 + +import ( + "context" + time "time" + + configv1 "github.com/openshift/api/config/v1" + versioned "github.com/openshift/client-go/config/clientset/versioned" + internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" + v1 "github.com/openshift/client-go/config/listers/config/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ImageContentPolicyInformer provides access to a shared informer and lister for +// ImageContentPolicies. +type ImageContentPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1.ImageContentPolicyLister +} + +type imageContentPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewImageContentPolicyInformer constructs a new informer for ImageContentPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewImageContentPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredImageContentPolicyInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredImageContentPolicyInformer constructs a new informer for ImageContentPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredImageContentPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1().ImageContentPolicies().List(context.TODO(), options) + }, + WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1().ImageContentPolicies().Watch(context.TODO(), options) + }, + }, + &configv1.ImageContentPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *imageContentPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredImageContentPolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *imageContentPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&configv1.ImageContentPolicy{}, f.defaultInformer) +} + +func (f *imageContentPolicyInformer) Lister() v1.ImageContentPolicyLister { + return v1.NewImageContentPolicyLister(f.Informer().GetIndexer()) +} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go index 00054daf31..6ee69a4811 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go 
@@ -26,6 +26,8 @@ type Interface interface { FeatureGates() FeatureGateInformer // Images returns a ImageInformer. Images() ImageInformer + // ImageContentPolicies returns a ImageContentPolicyInformer. + ImageContentPolicies() ImageContentPolicyInformer // Infrastructures returns a InfrastructureInformer. Infrastructures() InfrastructureInformer // Ingresses returns a IngressInformer. @@ -100,6 +102,11 @@ func (v *version) Images() ImageInformer { return &imageInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// ImageContentPolicies returns a ImageContentPolicyInformer. +func (v *version) ImageContentPolicies() ImageContentPolicyInformer { + return &imageContentPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + // Infrastructures returns a InfrastructureInformer. func (v *version) Infrastructures() InfrastructureInformer { return &infrastructureInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go index 2795d10e95..e804d1cde5 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go 
@@ -55,6 +55,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().FeatureGates().Informer()}, nil case v1.SchemeGroupVersion.WithResource("images"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Images().Informer()}, nil + case v1.SchemeGroupVersion.WithResource("imagecontentpolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().ImageContentPolicies().Informer()}, nil case v1.SchemeGroupVersion.WithResource("infrastructures"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Infrastructures().Informer()}, nil case v1.SchemeGroupVersion.WithResource("ingresses"): diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go index 56b41a0445..1fbedb4dbb 100644 --- a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go @@ -38,6 +38,10 @@ type FeatureGateListerExpansion interface{} // ImageLister. type ImageListerExpansion interface{} +// ImageContentPolicyListerExpansion allows custom methods to be added to +// ImageContentPolicyLister. +type ImageContentPolicyListerExpansion interface{} + // InfrastructureListerExpansion allows custom methods to be added to // InfrastructureLister. type InfrastructureListerExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/imagecontentpolicy.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/imagecontentpolicy.go new file mode 100644 index 0000000000..c9dadb9235 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1/imagecontentpolicy.go 
@@ -0,0 +1,52 @@ +// Code generated by lister-gen. DO NOT EDIT. + +package v1 + +import ( + v1 "github.com/openshift/api/config/v1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ImageContentPolicyLister helps list ImageContentPolicies. +// All objects returned here must be treated as read-only. +type ImageContentPolicyLister interface { + // List lists all ImageContentPolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1.ImageContentPolicy, err error) + // Get retrieves the ImageContentPolicy from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1.ImageContentPolicy, error) + ImageContentPolicyListerExpansion +} + +// imageContentPolicyLister implements the ImageContentPolicyLister interface. +type imageContentPolicyLister struct { + indexer cache.Indexer +} + +// NewImageContentPolicyLister returns a new ImageContentPolicyLister. +func NewImageContentPolicyLister(indexer cache.Indexer) ImageContentPolicyLister { + return &imageContentPolicyLister{indexer: indexer} +} + +// List lists all ImageContentPolicies in the indexer. +func (s *imageContentPolicyLister) List(selector labels.Selector) (ret []*v1.ImageContentPolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1.ImageContentPolicy)) + }) + return ret, err +} + +// Get retrieves the ImageContentPolicy from the index for a given name. +func (s *imageContentPolicyLister) Get(name string) (*v1.ImageContentPolicy, error) { + obj, exists, err := s.indexer.GetByKey(name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1.Resource("imagecontentpolicy"), name) + } + return obj.(*v1.ImageContentPolicy), nil +} 
diff --git a/vendor/github.com/openshift/library-go/pkg/cloudprovider/external.go b/vendor/github.com/openshift/library-go/pkg/cloudprovider/external.go index 867a1f3f74..ab123bd0a3 100644 --- a/vendor/github.com/openshift/library-go/pkg/cloudprovider/external.go +++ b/vendor/github.com/openshift/library-go/pkg/cloudprovider/external.go @@ -33,8 +33,7 @@ func IsCloudProviderExternal(platformStatus *configv1.PlatformStatus, featureGat return true, nil } return isExternalFeatureGateEnabled(featureGate) - case configv1.IBMCloudPlatformType, - configv1.AlibabaCloudPlatformType: + case configv1.IBMCloudPlatformType: return true, nil default: // Platforms that do not have external cloud providers implemented diff --git a/vendor/github.com/openshift/runtime-utils/pkg/registries/registries.go b/vendor/github.com/openshift/runtime-utils/pkg/registries/registries.go index cdb752c4f8..6799b77256 100644 --- a/vendor/github.com/openshift/runtime-utils/pkg/registries/registries.go +++ b/vendor/github.com/openshift/runtime-utils/pkg/registries/registries.go @@ -5,7 +5,7 @@ import ( "strings" "github.com/containers/image/v5/pkg/sysregistriesv2" - apioperatorsv1alpha1 "github.com/openshift/api/operator/v1alpha1" + apicfgv1 "github.com/openshift/api/config/v1" ) // scopeIsNestedInsideScope returns true if a subScope value (as in sysregistriesv2.Registry.Prefix / sysregistriesv2.Endpoint.Location) 
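Review bot: In the external.go hunk, the `case configv1.IBMCloudPlatformType:` arm of IsCloudProviderExternal no longer lists `configv1.AlibabaCloudPlatformType`, so that platform now falls through to the `default` branch for platforms without an external cloud provider. This looks like a side effect of the library-go pin moving backwards (vendor/modules.txt goes from the 20210930 pseudo-version to the 20210906 one), not a deliberate change. If the older pin is really needed, say so in the commit message; otherwise pin a library-go revision that keeps the Alibaba case. The function body starts and ends outside the hunk.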
@@ -35,29 +35,29 @@ func scopeIsNestedInsideScope(subScope, superScope string) bool { } // rdmContainsARealMirror returns true if set.Mirrors contains at least one entry that is not set.Source. -func rdmContainsARealMirror(set *apioperatorsv1alpha1.RepositoryDigestMirrors) bool { +func rdmContainsARealMirror(set *apicfgv1.RepositoryDigestMirrors) bool { for _, mirror := range set.Mirrors { - if mirror != set.Source { + if string(mirror) != set.Source { return true } } return false } -// mergedMirrorSets processes icspRules and returns a set of RepositoryDigestMirrors, one for each Source value, +// mergedMirrorSets processes icpRules and returns a set of RepositoryDigestMirrors, one for each Source value, // ordered consistently with the preference order of the individual entries (if possible) // E.g. given mirror sets (B, C) and (A, B), it will combine them into a single (A, B, C) set. -func mergedMirrorSets(icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) ([]apioperatorsv1alpha1.RepositoryDigestMirrors, error) { - disjointSets := map[string]*[]*apioperatorsv1alpha1.RepositoryDigestMirrors{} // Key == Source - for _, icsp := range icspRules { - for i := range icsp.Spec.RepositoryDigestMirrors { - set := &icsp.Spec.RepositoryDigestMirrors[i] +func mergedMirrorSets(icpRules []*apicfgv1.ImageContentPolicy) ([]apicfgv1.RepositoryDigestMirrors, error) { + disjointSets := map[string]*[]*apicfgv1.RepositoryDigestMirrors{} // Key == Source + for _, icp := range icpRules { + for i := range icp.Spec.RepositoryDigestMirrors { + set := &icp.Spec.RepositoryDigestMirrors[i] if !rdmContainsARealMirror(set) { continue // No mirrors (or mirrors that only repeat the authoritative source) is not really a mirror set. } ds, ok := disjointSets[set.Source] if !ok { - ds = &[]*apioperatorsv1alpha1.RepositoryDigestMirrors{} + ds = &[]*apicfgv1.RepositoryDigestMirrors{} disjointSets[set.Source] = ds } *ds = append(*ds, set) 
@@ -71,24 +71,29 @@ func mergedMirrorSets(icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy } sort.Strings(sources) // Convert the sets of mirrors - res := []apioperatorsv1alpha1.RepositoryDigestMirrors{} + res := []apicfgv1.RepositoryDigestMirrors{} for _, source := range sources { + var allowMirrorByTags *bool ds := disjointSets[source] topoGraph := newTopoGraph() for _, set := range *ds { + // AllowMirrorByTags is only set once for each source in imagecontentpolicies.config.openshift.io + if set.AllowMirrorByTags != nil { + allowMirrorByTags = set.AllowMirrorByTags + } for i := 0; i+1 < len(set.Mirrors); i++ { - topoGraph.AddEdge(set.Mirrors[i], set.Mirrors[i+1]) + topoGraph.AddEdge(string(set.Mirrors[i]), string(set.Mirrors[i+1])) } sourceInGraph := false for _, m := range set.Mirrors { - if m == source { + if string(m) == source { sourceInGraph = true break } } if !sourceInGraph { // The build of mirrorSets guarantees len(set.Mirrors) > 0. - topoGraph.AddEdge(set.Mirrors[len(set.Mirrors)-1], source) + topoGraph.AddEdge(string(set.Mirrors[len(set.Mirrors)-1]), source) } // Every node in topoGraph, including source, is implicitly added by topoGraph.AddEdge (every mirror set contains at least one non-source mirror, // so there are no unconnected nodes that we would have to add separately from the edges). 
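Review bot: The merge of `allowMirrorByTags` in mergedMirrorSets is last-non-nil-wins: the added comment says the field is set only once per source, but nothing in this loop enforces that. When two ImageContentPolicy objects name the same source and disagree, the result depends on the order of icpRules, and a later `true` silently overrides an explicit `false`, relaxing digest-only mirroring for that source. Either return an error on conflicting values or let the restrictive value win, e.g. `if v := set.AllowMirrorByTags; v != nil && (allowMirrorByTags == nil || !*v) { allowMirrorByTags = v }`. This file is vendored from the replaced runtime-utils fork, so the fix belongs in that repository. The function body starts and ends outside the hunk.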
@@ -101,9 +106,14 @@ func mergedMirrorSets(icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy // We don't need to explicitly include source in the list, it will be automatically tried last per the semantics of sysregistriesv2. Mirrors. sortedRepos = sortedRepos[:len(sortedRepos)-1] } - res = append(res, apioperatorsv1alpha1.RepositoryDigestMirrors{ - Source: source, - Mirrors: sortedRepos, + var mirrors []apicfgv1.Mirror + for _, repo := range sortedRepos { + mirrors = append(mirrors, apicfgv1.Mirror(repo)) + } + res = append(res, apicfgv1.RepositoryDigestMirrors{ + Source: source, + Mirrors: mirrors, + AllowMirrorByTags: allowMirrorByTags, }) } return res, nil 
@@ -112,14 +122,14 @@ func mergedMirrorSets(icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy // EditRegistriesConfig edits, IN PLACE, the /etc/containers/registries.conf configuration provided in config, to: // - Mark scope entries in insecureScopes as insecure (TLS is not required, and TLS certificate verification is not required when TLS is used) // - Mark scope entries in blockedScopes as blocked (any attempts to access them fail) -// - Implement ImageContentSourcePolicy rules in icspRules. +// - Implement ImageContentPolicy rules in icpRules. // "scopes" can be any of whole registries, which means that the configuration applies to everything on that registry, including any possible separately-configured // namespaces/repositories within that registry. // or can be wildcard entries, which means that we accept wildcards in the form of *.example.registry.com for insecure and blocked registries only. We do not // accept them for mirror configuration. // A valid scope is in the form of registry/namespace...[/repo] (can also refer to sysregistriesv2.Registry.Prefix) // NOTE: Validation of wildcard entries is done before EditRegistriesConfig is called in the MCO code. -func EditRegistriesConfig(config *sysregistriesv2.V2RegistriesConf, insecureScopes, blockedScopes []string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) error { +func EditRegistriesConfig(config *sysregistriesv2.V2RegistriesConf, insecureScopes, blockedScopes []string, icpRules []*apicfgv1.ImageContentPolicy) error { // addRegistryEntry creates a Registry object corresponding to scope. // NOTE: The pointer is valid only until the next getRegistryEntry call. 
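Review bot: The doc comment of EditRegistriesConfig does not mention that a rule in icpRules can now switch off digest-only mirroring for a source. Since that changes which image a tag pull may resolve to, add a bullet under the existing one, such as `//   Mirrors are used for digest pulls only, unless the merged rule for a source sets allowMirrorByTags to true.`. The function body continues outside the hunk.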
@@ -153,15 +163,20 @@ func EditRegistriesConfig(config *sysregistriesv2.V2RegistriesConf, insecureScop return addRegistryEntry(scope) } - mirrorSets, err := mergedMirrorSets(icspRules) + mirrorSets, err := mergedMirrorSets(icpRules) if err != nil { return err } for _, mirrorSet := range mirrorSets { reg := getRegistryEntry(mirrorSet.Source) - reg.MirrorByDigestOnly = true + if mirrorSet.AllowMirrorByTags != nil && *mirrorSet.AllowMirrorByTags { + reg.MirrorByDigestOnly = false + } else { + reg.MirrorByDigestOnly = true + } + for _, mirror := range mirrorSet.Mirrors { - reg.Mirrors = append(reg.Mirrors, sysregistriesv2.Endpoint{Location: mirror}) + reg.Mirrors = append(reg.Mirrors, sysregistriesv2.Endpoint{Location: string(mirror)}) } } diff --git a/vendor/modules.txt b/vendor/modules.txt index b62e944181..4468a9c32e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -536,12 +536,12 @@ github.com/opencontainers/runtime-spec/specs-go github.com/opencontainers/selinux/go-selinux github.com/opencontainers/selinux/go-selinux/label github.com/opencontainers/selinux/pkg/pwalk -# github.com/openshift/api v0.0.0-20210924154557-a4f696157341 => github.com/openshift/api v0.0.0-20210924154557-a4f696157341 +# github.com/openshift/api v0.0.0-20210927171657-636513e97fda => github.com/openshift/api v0.0.0-20210924152358-cda7121b2f52 ## explicit github.com/openshift/api/config/v1 github.com/openshift/api/operator/v1 github.com/openshift/api/operator/v1alpha1 -# github.com/openshift/client-go v0.0.0-20210916133943-9acee1a0fb83 +# github.com/openshift/client-go v0.0.0-20210927134410-067cd720e52a ## explicit github.com/openshift/client-go/config/clientset/versioned github.com/openshift/client-go/config/clientset/versioned/fake 
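Review bot: In the registries.go hunk (`@@ -153,15 +163,20 @@`), the new if/else around `reg.MirrorByDigestOnly` can be one assignment, `reg.MirrorByDigestOnly = mirrorSet.AllowMirrorByTags == nil || !*mirrorSet.AllowMirrorByTags`, which keeps the digest-only default on a single line. A comment above it, e.g. `// Digest-only unless the policy explicitly opts in to tag pulls from mirrors.`, would record why nil is treated like false. EditRegistriesConfig starts and ends outside the hunk.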
@@ -567,13 +567,13 @@ github.com/openshift/client-go/operator/informers/externalversions/operator/v1 github.com/openshift/client-go/operator/informers/externalversions/operator/v1alpha1 github.com/openshift/client-go/operator/listers/operator/v1 github.com/openshift/client-go/operator/listers/operator/v1alpha1 -# github.com/openshift/library-go v0.0.0-20210930103404-8911cacccb05 +# github.com/openshift/library-go v0.0.0-20210906100234-6754cfd64cb5 ## explicit github.com/openshift/library-go/pkg/cloudprovider github.com/openshift/library-go/pkg/config/clusteroperator/v1helpers github.com/openshift/library-go/pkg/crypto github.com/openshift/library-go/pkg/operator/v1helpers -# github.com/openshift/runtime-utils v0.0.0-20210722191527-8b8348d80d1d +# github.com/openshift/runtime-utils v0.0.0-20210722191527-8b8348d80d1d => github.com/QiWang19/runtime-utils v0.0.0-20210930174628-6eb5b615b71d ## explicit github.com/openshift/runtime-utils/pkg/registries # github.com/pelletier/go-toml v1.8.1 @@ -1415,7 +1415,7 @@ sourcegraph.com/sqs/pbtypes # github.com/godbus/dbus => github.com/godbus/dbus v0.0.0-20190623212516-8a1682060722 # github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.4.1 # github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v0.1.2-0.20190408193819-a1b50f621a48 -# github.com/openshift/api => github.com/openshift/api v0.0.0-20210924154557-a4f696157341 +# github.com/openshift/api => github.com/openshift/api v0.0.0-20210924152358-cda7121b2f52 # github.com/openshift/cluster-api => github.com/openshift/cluster-api v0.0.0-20191129101638-b09907ac6668 # github.com/securego/gosec => github.com/securego/gosec v0.0.0-20190709033609-4b59c948083c # k8s.io/api => k8s.io/api v0.22.1 
@@ -1444,3 +1444,4 @@ sourcegraph.com/sqs/pbtypes # k8s.io/mount-utils => k8s.io/mount-utils v0.22.1 # k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.22.1 # k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.22.1 +# github.com/openshift/runtime-utils => github.com/QiWang19/runtime-utils v0.0.0-20210930174628-6eb5b615b71d