openshift · openshift-merge-bot · Aug 14, 2024 · Jun 11, 2024 · Aug 13, 2024
diff --git a/config/v1/tests/images.config.openshift.io/ImageStreamImportMode.yaml b/config/v1/tests/images.config.openshift.io/ImageStreamImportMode.yaml
@@ -0,0 +1,55 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "Image"
+crdName: images.config.openshift.io
+featureGate: ImageStreamImportMode
+tests:
+  onCreate:
+    - name: Should be able to create a minimal Image config
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Image
+        spec: {}
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Image
+        spec: {}
+    - name: Should be able to configure imageStreamImportMode to Legacy
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Image
+        spec:
+          imageStreamImportMode: Legacy
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Image
+        spec:
+          imageStreamImportMode: Legacy
+    - name: Should be able to configure imageStreamImportMode to PreserveOriginal
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Image
+        spec:
+          imageStreamImportMode: PreserveOriginal
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Image
+        spec:
+          imageStreamImportMode: PreserveOriginal
+    - name: Should not be able to configure imageStreamImportMode to a value other than Legacy or PreserveOriginal
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Image
+        spec:
+          imageStreamImportMode: InvalidValue
+      expectedError: 'spec.imageStreamImportMode: Unsupported value: "InvalidValue": supported values: "", "Legacy", "PreserveOriginal"'
+    - name: Should be able to configure imageStreamImportMode to empty string
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Image
+        spec:
+          imageStreamImportMode: ""
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Image
+        spec:
+          imageStreamImportMode: ""
diff --git a/config/v1/types_image.go b/config/v1/types_image.go
@@ -37,6 +37,23 @@ type Image struct {
 	Status ImageStatus `json:"status"`
 }
 
+// ImportModeType describes how to import an image manifest.
+// +enum
+// +kubebuilder:validation:Enum:="";Legacy;PreserveOriginal
+type ImportModeType string
+
+const (
+	// ImportModeLegacy indicates that the legacy behaviour should be used.
+	// For manifest lists, the legacy behaviour will discard the manifest list and import a single
+	// sub-manifest. In this case, the platform is chosen in the following order of priority:
+	// 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list.
+	// This mode is the default.
+	ImportModeLegacy ImportModeType = "Legacy"
+	// ImportModePreserveOriginal indicates that the original manifest will be preserved.
+	// For manifest lists, the manifest list and all its sub-manifests will be imported.
+	ImportModePreserveOriginal ImportModeType = "PreserveOriginal"
+)
+
 type ImageSpec struct {
 	// allowedRegistriesForImport limits the container image registries that normal users may import
 	// images from. Set this list to the registries that you trust to contain valid Docker
@@ -45,13 +62,15 @@ type ImageSpec struct {
 	// this policy - typically only administrators or system integrations will have those
 	// permissions.
 	// +optional
+	// +listType=atomic
 	AllowedRegistriesForImport []RegistryLocation `json:"allowedRegistriesForImport,omitempty"`
 
 	// externalRegistryHostnames provides the hostnames for the default external image
 	// registry. The external hostname should be set only when the image registry
 	// is exposed externally. The first value is used in 'publicDockerImageRepository'
 	// field in ImageStreams. The value must be in "hostname[:port]" format.
 	// +optional
+	// +listType=atomic
 	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`
 
 	// additionalTrustedCA is a reference to a ConfigMap containing additional CAs that
@@ -67,6 +86,21 @@ type ImageSpec struct {
 	// internal cluster registry.
 	// +optional
 	RegistrySources RegistrySources `json:"registrySources"`
+
+	// imageStreamImportMode controls the import mode behaviour of imagestreams.
+	// It can be set to `Legacy` or `PreserveOriginal` or the empty string. If this value
+	// is specified, this setting is applied to all newly created imagestreams which do not have the
+	// value set. `Legacy` indicates that the legacy behaviour should be used.
+	// For manifest lists, the legacy behaviour will discard the manifest list and import a single
+	// sub-manifest. In this case, the platform is chosen in the following order of priority:
+	// 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list.
+	// `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists,
+	// the manifest list and all its sub-manifests will be imported. When empty, the behaviour will be
+	// decided based on the payload type advertised by the ClusterVersion status, i.e single arch payload
+	// implies the import mode is Legacy and multi payload implies PreserveOriginal.
+	// +openshift:enable:FeatureGate=ImageStreamImportMode
+	// +optional
+	ImageStreamImportMode ImportModeType `json:"imageStreamImportMode"`
 }
 
 type ImageStatus struct {
@@ -82,7 +116,22 @@ type ImageStatus struct {
 	// is exposed externally. The first value is used in 'publicDockerImageRepository'
 	// field in ImageStreams. The value must be in "hostname[:port]" format.
 	// +optional
+	// +listType=atomic
 	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`
+
+	// imageStreamImportMode controls the import mode behaviour of imagestreams. It can be
+	// `Legacy` or `PreserveOriginal`. `Legacy` indicates that the legacy behaviour should be used.
+	// For manifest lists, the legacy behaviour will discard the manifest list and import a single
+	// sub-manifest. In this case, the platform is chosen in the following order of priority:
+	// 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list.
+	// `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists,
+	// the manifest list and all its sub-manifests will be imported. This value will be reconciled based
+	// on either the spec value or if no spec value is specified, the image registry operator would look
+	// at the ClusterVersion status to determine the payload type and set the import mode accordingly,
+	// i.e single arch payload implies the import mode is Legacy and multi payload implies PreserveOriginal.
+	// +openshift:enable:FeatureGate=ImageStreamImportMode
+	// +optional
+	ImageStreamImportMode ImportModeType `json:"imageStreamImportMode,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -116,16 +165,19 @@ type RegistryLocation struct {
 type RegistrySources struct {
 	// insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
 	// +optional
+	// +listType=atomic
 	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
 	// blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.
 	//
 	// Only one of BlockedRegistries or AllowedRegistries may be set.
 	// +optional
+	// +listType=atomic
 	BlockedRegistries []string `json:"blockedRegistries,omitempty"`
 	// allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.
 	//
 	// Only one of BlockedRegistries or AllowedRegistries may be set.
 	// +optional
+	// +listType=atomic
 	AllowedRegistries []string `json:"allowedRegistries,omitempty"`
 	// containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified
 	// domains in their pull specs. Registries will be searched in the order provided in the list.

diff --git a/.../v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml b/.../v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,211 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/470
+    api.openshift.io/merged-by-featuregates: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/bootstrap-required: "true"
+    release.openshift.io/feature-set: CustomNoUpgrade
+  name: images.config.openshift.io
+spec:
+  group: config.openshift.io
+  names:
+    kind: Image
+    listKind: ImageList
+    plural: images
+    singular: image
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: "Image governs policies related to imagestream imports and runtime
+          configuration for external registries. It allows cluster admins to configure
+          which registries OpenShift is allowed to import images from, extra CA trust
+          bundles for external registries, and policies to block or allow registry
+          hostnames. When exposing OpenShift's image registry to the public, this
+          also lets cluster admins specify the external hostname. \n Compatibility
+          level 1: Stable within a major release for a minimum of 12 months or 3 minor
+          releases (whichever is longer)."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec holds user settable values for configuration
+            properties:
+              additionalTrustedCA:
+                description: additionalTrustedCA is a reference to a ConfigMap containing
+                  additional CAs that should be trusted during imagestream import,
+                  pod image pull, build image pull, and imageregistry pullthrough.
+                  The namespace for this config map is openshift-config.
+                properties:
+                  name:
+                    description: name is the metadata.name of the referenced config
+                      map
+                    type: string
+                required:
+                - name
+                type: object
+              allowedRegistriesForImport:
+                description: allowedRegistriesForImport limits the container image
+                  registries that normal users may import images from. Set this list
+                  to the registries that you trust to contain valid Docker images
+                  and that you want applications to be able to import from. Users
+                  with permission to create Images or ImageStreamMappings via the
+                  API are not affected by this policy - typically only administrators
+                  or system integrations will have those permissions.
+                items:
+                  description: RegistryLocation contains a location of the registry
+                    specified by the registry domain name. The domain name might include
+                    wildcards, like '*' or '??'.
+                  properties:
+                    domainName:
+                      description: domainName specifies a domain name for the registry
+                        In case the registry use non-standard (80 or 443) port, the
+                        port should be included in the domain name as well.
+                      type: string
+                    insecure:
+                      description: insecure indicates whether the registry is secure
+                        (https) or insecure (http) By default (if not specified) the
+                        registry is assumed as secure.
+                      type: boolean
+                  type: object
+                type: array
+                x-kubernetes-list-type: atomic
+              externalRegistryHostnames:
+                description: externalRegistryHostnames provides the hostnames for
+                  the default external image registry. The external hostname should
+                  be set only when the image registry is exposed externally. The first
+                  value is used in 'publicDockerImageRepository' field in ImageStreams.
+                  The value must be in "hostname[:port]" format.
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: atomic
+              imageStreamImportMode:
+                description: 'imageStreamImportMode controls the import mode behaviour
+                  of imagestreams. It can be set to `Legacy` or `PreserveOriginal`
+                  or the empty string. If this value is specified, this setting is
+                  applied to all newly created imagestreams which do not have the
+                  value set. `Legacy` indicates that the legacy behaviour should be
+                  used. For manifest lists, the legacy behaviour will discard the
+                  manifest list and import a single sub-manifest. In this case, the
+                  platform is chosen in the following order of priority: 1. tag annotations;
+                  2. control plane arch/os; 3. linux/amd64; 4. the first manifest
+                  in the list. `PreserveOriginal` indicates that the original manifest
+                  will be preserved. For manifest lists, the manifest list and all
+                  its sub-manifests will be imported. When empty, the behaviour will
+                  be decided based on the payload type advertised by the ClusterVersion
+                  status, i.e single arch payload implies the import mode is Legacy
+                  and multi payload implies PreserveOriginal.'
+                enum:
+                - ""
+                - Legacy
+                - PreserveOriginal
+                type: string
+              registrySources:
+                description: registrySources contains configuration that determines
+                  how the container runtime should treat individual registries when
+                  accessing images for builds+pods. (e.g. whether or not to allow
+                  insecure access).  It does not contain configuration for the internal
+                  cluster registry.
+                properties:
+                  allowedRegistries:
+                    description: "allowedRegistries are the only registries permitted
+                      for image pull and push actions. All other registries are denied.
+                      \n Only one of BlockedRegistries or AllowedRegistries may be
+                      set."
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  blockedRegistries:
+                    description: "blockedRegistries cannot be used for image pull
+                      and push actions. All other registries are permitted. \n Only
+                      one of BlockedRegistries or AllowedRegistries may be set."
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  containerRuntimeSearchRegistries:
+                    description: 'containerRuntimeSearchRegistries are registries
+                      that will be searched when pulling images that do not have fully
+                      qualified domains in their pull specs. Registries will be searched
+                      in the order provided in the list. Note: this search list only
+                      works with the container runtime, i.e CRI-O. Will NOT work with
+                      builds or imagestream imports.'
+                    format: hostname
+                    items:
+                      type: string
+                    minItems: 1
+                    type: array
+                    x-kubernetes-list-type: set
+                  insecureRegistries:
+                    description: insecureRegistries are registries which do not have
+                      a valid TLS certificates or only support HTTP connections.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                type: object
+            type: object
+          status:
+            description: status holds observed values from the cluster. They may not
+              be overridden.
+            properties:
+              externalRegistryHostnames:
+                description: externalRegistryHostnames provides the hostnames for
+                  the default external image registry. The external hostname should
+                  be set only when the image registry is exposed externally. The first
+                  value is used in 'publicDockerImageRepository' field in ImageStreams.
+                  The value must be in "hostname[:port]" format.
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: atomic
+              imageStreamImportMode:
+                description: 'imageStreamImportMode controls the import mode behaviour
+                  of imagestreams. It can be `Legacy` or `PreserveOriginal`. `Legacy`
+                  indicates that the legacy behaviour should be used. For manifest
+                  lists, the legacy behaviour will discard the manifest list and import
+                  a single sub-manifest. In this case, the platform is chosen in the
+                  following order of priority: 1. tag annotations; 2. control plane
+                  arch/os; 3. linux/amd64; 4. the first manifest in the list. `PreserveOriginal`
+                  indicates that the original manifest will be preserved. For manifest
+                  lists, the manifest list and all its sub-manifests will be imported.
+                  This value will be reconciled based on either the spec value or
+                  if no spec value is specified, the image registry operator would
+                  look at the ClusterVersion status to determine the payload type
+                  and set the import mode accordingly, i.e single arch payload implies
+                  the import mode is Legacy and multi payload implies PreserveOriginal.'
+                enum:
+                - ""
+                - Legacy
+                - PreserveOriginal
+                type: string
+              internalRegistryHostname:
+                description: internalRegistryHostname sets the hostname for the default
+                  internal image registry. The value must be in "hostname[:port]"
+                  format. This value is set by the image registry operator which controls
+                  the internal registry hostname.
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}