Skip to content

OCPBUGS-82292: extend supported values for MCN IRI image status field #2800

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
andfasano wants to merge 1 commit into
base: master
Choose a base branch
from
Open

OCPBUGS-82292: extend supported values for MCN IRI image status field #2800

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions .../tests/machineconfignodes.machineconfiguration.openshift.io/NoRegistryClusterInstall.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,42 @@ tests:
reason: "Degraded"
message: ""
lastTransitionTime: "2024-12-01T08:04:21Z"
- name: ocp-release-bundle-4.19.0-x86_64
image: localhost/openshift/release-images@sha256:e98795f7932441b30bb8bcfbbf05912875383fad1f2b3be08a22ec148d68607f
conditions:
- type: Mounted
status: "False"
reason: "Mounted"
message: ""
lastTransitionTime: "2024-12-01T08:04:30Z"
- type: Available
status: "True"
reason: "Available"
message: "Release ocp-release-bundle-4.19.0-x86_64 is currently available on node master-0"
lastTransitionTime: "2024-12-01T08:04:30Z"
- type: Degraded
status: "False"
reason: "Degraded"
message: ""
lastTransitionTime: "2024-12-01T08:04:30Z"
- name: ocp-release-bundle-4.20.0-x86_64
image: localhost.localdomain/openshift/release-images@sha256:f98795f7932441b30bb8bcfbbf05912875383fad1f2b3be08a22ec148d68607f
Copy link
Copy Markdown
Contributor

@everettraven everettraven Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding based on the field documentation and validation change is that something like this shouldn't be allowed - is that incorrect?

Copy link
Copy Markdown
Contributor Author

@andfasano andfasano Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That should be ok. Will not be accepted no-dot domains (with just the single exception of localhost), domains starting with a dot (.com) or ending with a dot (example.)

Copy link
Copy Markdown
Contributor

@everettraven everettraven Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay. I think I interpreted the documentation change of:

The host must be either exactly "localhost" or a dot-qualified domain name.

To mean that something like localhost.* would be considered invalid (either you use exactly localhost or a dot-qualified domain name not containing localhost. Maybe we can clarify the documentation a bit more to be less prone to incorrect interpretation?

Copy link
Copy Markdown
Contributor Author

@andfasano andfasano Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for the sake of clarity I also added Single-label hosts other than "localhost" are not permitted.. Any other dot-qualified (included localhost.* remain valid, as it was in the previous version of the rule)

conditions:
- type: Mounted
status: "False"
reason: "Mounted"
message: ""
lastTransitionTime: "2024-12-01T08:04:40Z"
- type: Available
status: "True"
reason: "Available"
message: "Release ocp-release-bundle-4.20.0-x86_64 is currently available on node master-0"
lastTransitionTime: "2024-12-01T08:04:40Z"
- type: Degraded
status: "False"
reason: "Degraded"
message: ""
lastTransitionTime: "2024-12-01T08:04:40Z"
expected: |
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfigNode
Expand Down Expand Up @@ -84,3 +120,39 @@ tests:
reason: "Degraded"
message: ""
lastTransitionTime: "2024-12-01T08:04:21Z"
- name: ocp-release-bundle-4.19.0-x86_64
image: localhost/openshift/release-images@sha256:e98795f7932441b30bb8bcfbbf05912875383fad1f2b3be08a22ec148d68607f
conditions:
- type: Mounted
status: "False"
reason: "Mounted"
message: ""
lastTransitionTime: "2024-12-01T08:04:30Z"
- type: Available
status: "True"
reason: "Available"
message: "Release ocp-release-bundle-4.19.0-x86_64 is currently available on node master-0"
lastTransitionTime: "2024-12-01T08:04:30Z"
- type: Degraded
status: "False"
reason: "Degraded"
message: ""
lastTransitionTime: "2024-12-01T08:04:30Z"
- name: ocp-release-bundle-4.20.0-x86_64
image: localhost.localdomain/openshift/release-images@sha256:f98795f7932441b30bb8bcfbbf05912875383fad1f2b3be08a22ec148d68607f
conditions:
- type: Mounted
status: "False"
reason: "Mounted"
message: ""
lastTransitionTime: "2024-12-01T08:04:40Z"
- type: Available
status: "True"
reason: "Available"
message: "Release ocp-release-bundle-4.20.0-x86_64 is currently available on node master-0"
lastTransitionTime: "2024-12-01T08:04:40Z"
- type: Degraded
status: "False"
reason: "Degraded"
message: ""
lastTransitionTime: "2024-12-01T08:04:40Z"
4 changes: 3 additions & 1 deletion machineconfiguration/v1/types_machineconfignode.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -211,12 +211,14 @@ type MachineConfigNodeStatusInternalReleaseImageRef struct {
// image is an OCP release image referenced by digest.
// The format of the image pull spec is: host[:port][/namespace]/name@sha256:<digest>,
// where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
// The host must be either exactly "localhost" or a dot-qualified domain name.
// Single-label hosts other than "localhost" are not permitted.
// The length of the whole spec must be between 1 to 447 characters.
// The field is optional, and it will be provided after a release will be successfully installed.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=447
// +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:<digest>' suffix, where '<digest>' is 64 characters long"
// +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme"
// +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^(localhost|([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+)(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme; host must be either 'localhost' or a dot-qualified domain name"
Copy link
Copy Markdown
Contributor

@everettraven everettraven Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm curious, why is using 127.0.0.1:{port} not sufficient?

Copy link
Copy Markdown
Contributor Author

@andfasano andfasano Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IPv6 will not be accepted with that validation (ie ::1 or [::1]:22625). We currently support either ipv4, ipv6 or dualstack, so using localhost will be a nice simplification at this level

Copy link
Copy Markdown
Contributor

@everettraven everettraven Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if you added support for ipv6 to the validation?

I won't block this PR based on the approach, but it seems odd to me to add a localhost label to resolve this.

If you support ipv6 would it ever be reasonable for an end-user to want to be able to specify an ipv6 hostname that is not localhost, much like the current validation would allow for ipv4?

Copy link
Copy Markdown
Contributor Author

@andfasano andfasano Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe I'm wrong but I don't think the original validation rule (coming from ImageDigestFormat and reused in many other resources) was meant to support directly an IP (either v4 or v6) as part of the host section. Neither was our intention to support that.
This field will be consumed only by the MCD IRI manager to check the status on its local node, and it's not meant to be directly used by an end-user.
The end-user will instead look to the (singleton) IRI resource, which will aggregate the various MCNs and will use api-int as a valid pullspec (this latter part currently under implementation)

// +optional
Image string `json:"image,omitempty"`
}
Expand Down
8 changes: 6 additions & 2 deletions ...anifests/0000_80_machine-config_01_machineconfignodes-Hypershift-CustomNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -449,6 +449,8 @@ spec:
image is an OCP release image referenced by digest.
The format of the image pull spec is: host[:port][/namespace]/name@sha256:<digest>,
where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
The host must be either exactly "localhost" or a dot-qualified domain name.
Single-label hosts other than "localhost" are not permitted.
The length of the whole spec must be between 1 to 447 characters.
The field is optional, and it will be provided after a release will be successfully installed.
maxLength: 447
Expand All @@ -460,8 +462,10 @@ spec:
long
rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))
- message: the OCI Image name should follow the host[:port][/namespace]/name
format, resembling a valid URL without the scheme
rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
format, resembling a valid URL without the scheme; host
must be either 'localhost' or a dot-qualified domain
name
rule: (self.split('@')[0].matches('^(localhost|([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+)(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
name:
description: |-
name indicates the desired release bundle identifier. This field is required and must be between 1 and 64 characters long.
Expand Down
8 changes: 6 additions & 2 deletions ...fests/0000_80_machine-config_01_machineconfignodes-SelfManagedHA-CustomNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -449,6 +449,8 @@ spec:
image is an OCP release image referenced by digest.
The format of the image pull spec is: host[:port][/namespace]/name@sha256:<digest>,
where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
The host must be either exactly "localhost" or a dot-qualified domain name.
Single-label hosts other than "localhost" are not permitted.
The length of the whole spec must be between 1 to 447 characters.
The field is optional, and it will be provided after a release will be successfully installed.
maxLength: 447
Expand All @@ -460,8 +462,10 @@ spec:
long
rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))
- message: the OCI Image name should follow the host[:port][/namespace]/name
format, resembling a valid URL without the scheme
rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
format, resembling a valid URL without the scheme; host
must be either 'localhost' or a dot-qualified domain
name
rule: (self.split('@')[0].matches('^(localhost|([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+)(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
name:
description: |-
name indicates the desired release bundle identifier. This field is required and must be between 1 and 64 characters long.
Expand Down
8 changes: 6 additions & 2 deletions ...s/0000_80_machine-config_01_machineconfignodes-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -449,6 +449,8 @@ spec:
image is an OCP release image referenced by digest.
The format of the image pull spec is: host[:port][/namespace]/name@sha256:<digest>,
where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
The host must be either exactly "localhost" or a dot-qualified domain name.
Single-label hosts other than "localhost" are not permitted.
The length of the whole spec must be between 1 to 447 characters.
The field is optional, and it will be provided after a release will be successfully installed.
maxLength: 447
Expand All @@ -460,8 +462,10 @@ spec:
long
rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))
- message: the OCI Image name should follow the host[:port][/namespace]/name
format, resembling a valid URL without the scheme
rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
format, resembling a valid URL without the scheme; host
must be either 'localhost' or a dot-qualified domain
name
rule: (self.split('@')[0].matches('^(localhost|([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+)(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
name:
description: |-
name indicates the desired release bundle identifier. This field is required and must be between 1 and 64 characters long.
Expand Down
8 changes: 6 additions & 2 deletions .../0000_80_machine-config_01_machineconfignodes-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -449,6 +449,8 @@ spec:
image is an OCP release image referenced by digest.
The format of the image pull spec is: host[:port][/namespace]/name@sha256:<digest>,
where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
The host must be either exactly "localhost" or a dot-qualified domain name.
Single-label hosts other than "localhost" are not permitted.
The length of the whole spec must be between 1 to 447 characters.
The field is optional, and it will be provided after a release will be successfully installed.
maxLength: 447
Expand All @@ -460,8 +462,10 @@ spec:
long
rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))
- message: the OCI Image name should follow the host[:port][/namespace]/name
format, resembling a valid URL without the scheme
rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
format, resembling a valid URL without the scheme; host
must be either 'localhost' or a dot-qualified domain
name
rule: (self.split('@')[0].matches('^(localhost|([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+)(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
name:
description: |-
name indicates the desired release bundle identifier. This field is required and must be between 1 and 64 characters long.
Expand Down
8 changes: 6 additions & 2 deletions ...ifests/machineconfignodes.machineconfiguration.openshift.io/NoRegistryClusterInstall.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -380,6 +380,8 @@ spec:
image is an OCP release image referenced by digest.
The format of the image pull spec is: host[:port][/namespace]/name@sha256:<digest>,
where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
The host must be either exactly "localhost" or a dot-qualified domain name.
Single-label hosts other than "localhost" are not permitted.
The length of the whole spec must be between 1 to 447 characters.
The field is optional, and it will be provided after a release will be successfully installed.
maxLength: 447
Expand All @@ -391,8 +393,10 @@ spec:
long
rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))
- message: the OCI Image name should follow the host[:port][/namespace]/name
format, resembling a valid URL without the scheme
rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
format, resembling a valid URL without the scheme; host
must be either 'localhost' or a dot-qualified domain
name
rule: (self.split('@')[0].matches('^(localhost|([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+)(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
name:
description: |-
name indicates the desired release bundle identifier. This field is required and must be between 1 and 64 characters long.
Expand Down
2 changes: 1 addition & 1 deletion machineconfiguration/v1/zz_generated.swagger_doc_generated.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 6 additions & 2 deletions ...sts/crds/0000_80_machine-config_01_machineconfignodes-Hypershift-CustomNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -449,6 +449,8 @@ spec:
image is an OCP release image referenced by digest.
The format of the image pull spec is: host[:port][/namespace]/name@sha256:<digest>,
where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
The host must be either exactly "localhost" or a dot-qualified domain name.
Single-label hosts other than "localhost" are not permitted.
The length of the whole spec must be between 1 to 447 characters.
The field is optional, and it will be provided after a release will be successfully installed.
maxLength: 447
Expand All @@ -460,8 +462,10 @@ spec:
long
rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))
- message: the OCI Image name should follow the host[:port][/namespace]/name
format, resembling a valid URL without the scheme
rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
format, resembling a valid URL without the scheme; host
must be either 'localhost' or a dot-qualified domain
name
rule: (self.split('@')[0].matches('^(localhost|([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+)(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
name:
description: |-
name indicates the desired release bundle identifier. This field is required and must be between 1 and 64 characters long.
Expand Down
Loading