Skip to content

Add releaseImageRepo and releaseComponentRepo to ImageSetConfiguration#1452

Open
eb4x wants to merge 4 commits into
openshift:mainfrom
eb4x:paths
Open

Add releaseImageRepo and releaseComponentRepo to ImageSetConfiguration#1452
eb4x wants to merge 4 commits into
openshift:mainfrom
eb4x:paths

Conversation

@eb4x

@eb4x eb4x commented Jun 24, 2026

Copy link
Copy Markdown

Allow overriding the destination path for release images and release component images via the platform section of ImageSetConfiguration, following the targetRepo pattern used by additionalImages.

Description

Override the currently hard-coded openshift/release-images and openshift/release, If you want to preserve okd/scos-release and okd/scos-content or openshift-release-dev/ocp-release and openshift-release-dev/ocp-v4.0-art-dev, or just want it somewhere different.

Reasons for doing this might include you having a conflicting image-mirror for a larger scope, like all of quay.io

...
  imageDigestMirrors:
  - source: quay.io
    mirrors:
    - registry.example.com/mirrors/quay.io
    mirrorSourcePolicy: NeverContactSource  # optional, for fully disconnected environments

Github issue: #1451, #1453

Type of change

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Compiled oc-mirror, and tried copying stable-4.22 (4.22.0 - 4.22.0) and type okd, stable-4-scos (4.18.0-okd-scos.8 - 4.18.0-okd-scos.10)

Expected Outcome

Images are copied over to paths specified in yaml.

Summary by CodeRabbit

  • New Features
    • Added support for overriding destination repository path components for release images and release component images.
  • Documentation
    • Updated mirroring docs with expanded OKD signature verification guidance and revised OKD channel naming examples.
    • Documented custom repository paths with configuration and oc-mirror --v2 examples.
  • Bug Fixes
    • Applied path overrides only to release/release-content destinations while keeping graph image path behavior unchanged.
  • Tests
    • Added coverage for path-component computation with and without overrides.

@openshift-ci openshift-ci Bot requested review from aguidirh and r4f4 June 24, 2026 22:46
@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: eb4x
Once this PR has been reviewed and has the lgtm label, please assign aguidirh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Walkthrough

The PR adds optional releaseImageRepo and releaseComponentRepo fields to mirror.platform, uses them in release copy destination path calculation, updates release signature skip handling, and expands OKD and feature documentation.

Changes

Release repository path overrides

Layer / File(s) Summary
Config fields and copy support
internal/pkg/api/v2alpha1/type_config.go
Platform gains optional releaseImageRepo and releaseComponentRepo fields, and DeepCopy() copies both values.
Release copy path overrides
internal/pkg/release/local_stored_collector.go
prepareM2DCopyBatch and prepareD2MCopyBatch read the new platform overrides, pass them into preparePathComponents, and preparePathComponents uses them for release image and release content paths while leaving graph handling unchanged.
Signature skip and local registry setup
internal/pkg/cli/executor.go, internal/pkg/release/signature.go
setupLocalStorage now unsets REGISTRY_AUTH_FILE before starting the embedded registry, and release signature generation now skips solely on the global ignore flag.
Tests and documentation
internal/pkg/release/local_stored_collector_test.go, docs/features/custom-release-repo-paths.md, docs/okd-mirror.md
The override path test covers the default paths, both override cases, and graph path behavior, and the OKD and feature docs describe the override fields, signature verification settings, channel naming, and mirrored path examples.

Sequence Diagram(s)

sequenceDiagram
  participant PlatformConfig
  participant prepareM2DCopyBatch
  participant prepareD2MCopyBatch
  participant preparePathComponents

  PlatformConfig->>prepareM2DCopyBatch: ReleaseImageRepo / ReleaseComponentRepo
  prepareM2DCopyBatch->>preparePathComponents: selected release paths
  PlatformConfig->>prepareD2MCopyBatch: ReleaseImageRepo / ReleaseComponentRepo
  prepareD2MCopyBatch->>preparePathComponents: selected release paths
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality ⚠️ Warning The new unit test uses bare assert.NoError/assert.Equal calls with no diagnostic messages, violating the assertion-message quality requirement. Add contextual failure messages to each assertion (or use require/assert with message args) so failures identify which override case broke.
✅ Passed checks (13 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: adding releaseImageRepo and releaseComponentRepo to ImageSetConfiguration.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The only added test uses static t.Run titles; no Ginkgo-style titles or dynamic/generated values appear in the PR.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the only added test is a plain Go unit test, so MicroShift-unsupported APIs aren’t implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo/e2e specs were added; the only new test is a unit test using testing.T, so there are no SNO multi-node assumptions to flag.
Topology-Aware Scheduling Compatibility ✅ Passed Touched files only add docs, config fields, and image-path logic; no affinity, nodeSelector, topologySpread, replica, or controller/deployment changes.
Ote Binary Stdout Contract ✅ Passed No new stdout writes were added in process-level code; the Go changes only add repo-path overrides, an env unset, and signature-skip logic.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only a plain Go unit test was added; no Ginkgo e2e specs or IPv4/external-network assumptions were introduced.
No-Weak-Crypto ✅ Passed PASS: Exact scans of touched Go files found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or constant-time comparison issues; changes are path overrides and signature skip logic only.
Container-Privileges ✅ Passed Touched files only add docs, config fields, and path-handling logic; no manifests or code introduce privileged:true, hostPID/Network/IPC, SYS_ADMIN, root, or allowPrivilegeEscalation.
No-Sensitive-Data-In-Logs ✅ Passed No new log statements or sensitive-data exposures were added; changes only adjust repo-path config and signature-skip logic.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 24, 2026
@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown

Hi @eb4x. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/features/custom-release-repo-paths.md`:
- Around line 60-63: Add a language tag to the fenced code blocks in the
documentation snippet to satisfy markdownlint MD040. Update the relevant fenced
sections in custom-release-repo-paths.md to use text fences for the examples,
keeping the existing content unchanged and applying the same fix to both
affected blocks.

In `@docs/okd-mirror.md`:
- Around line 3-14: The wording around --ignore-release-signature is too broad
and should match the actual behavior. Update the sentence in the OKD mirror docs
so it explicitly says the flag skips release signature verification only, and
keep the surrounding signature-verification guidance consistent with the runtime
behavior described by the OCP_SIGNATURE_URL and OCP_SIGNATURE_VERIFICATION_PK
instructions.

In `@internal/pkg/api/v2alpha1/type_config.go`:
- Around line 113-117: The Platform.DeepCopy implementation is missing scalar
fields, so copied config objects lose existing values. Update Platform.DeepCopy
to include all scalar members currently defined on Platform, specifically
Release and KubeVirtContainer along with Graph, ReleaseImageRepo, and
ReleaseComponentRepo, so the copied Platform preserves every configured
override.

In `@internal/pkg/release/local_stored_collector_test.go`:
- Around line 847-849: The test setup in local_stored_collector_test.go is
ignoring error returns from image.ParseRef, which can leave releaseImgSpec and
componentImgSpec as zero-value objects and hide parse failures. Update the setup
near the ParseRef calls (including the later one around the same test flow) to
handle errors explicitly, using the existing test function context and the
image.ParseRef results to fail the test immediately if parsing fails instead of
discarding the error.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2c279d1d-8e05-42b3-b509-80dc0699e5cf

📥 Commits

Reviewing files that changed from the base of the PR and between 507b46a and d24fbb7.

📒 Files selected for processing (5)
  • docs/features/custom-release-repo-paths.md
  • docs/okd-mirror.md
  • internal/pkg/api/v2alpha1/type_config.go
  • internal/pkg/release/local_stored_collector.go
  • internal/pkg/release/local_stored_collector_test.go

Comment thread docs/features/custom-release-repo-paths.md Outdated
Comment thread docs/okd-mirror.md Outdated
Comment thread internal/pkg/api/v2alpha1/type_config.go
Comment thread internal/pkg/release/local_stored_collector_test.go Outdated
eb4x and others added 4 commits June 25, 2026 10:34
Allow overriding the destination path for release images and release
component images via the platform section of ImageSetConfiguration,
following the targetRepo pattern used by additionalImages.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The flag was gated behind an additional check for platform.release
being set, which meant it only worked for direct release image
references. For channel-based discovery (the normal flow for both
OCP and OKD), the flag was silently ignored and signature
verification always ran, failing fatally when no signature existed.

This made it impossible to mirror OKD releases without setting
the OCP_SIGNATURE_URL and OCP_SIGNATURE_VERIFICATION_PK env vars,
and broke the flag for older OCP releases that predate cosign
signature support.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The distribution/distribution library parses all REGISTRY_* env vars as
config overrides, colliding with the Podman/containers REGISTRY_AUTH_FILE
convention. Unset it before calling configuration.Parse() since the value
has already been captured as the --authfile flag default.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/pkg/cli/executor.go`:
- Line 714: The REGISTRY_AUTH_FILE cleanup in executor.go is ignoring the error
returned by os.Unsetenv, which violates the no-ignored-errors rule. Update the
code in the executor flow that calls os.Unsetenv("REGISTRY_AUTH_FILE") to check
the returned error and fail fast if it is non-nil, propagating or handling the
failure through the existing error path in executor.go so the cleanup cannot
silently succeed when it actually fails.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ab75728b-9fa3-472d-89d6-298d3a1fa5e6

📥 Commits

Reviewing files that changed from the base of the PR and between d24fbb7 and 05ade39.

📒 Files selected for processing (7)
  • docs/features/custom-release-repo-paths.md
  • docs/okd-mirror.md
  • internal/pkg/api/v2alpha1/type_config.go
  • internal/pkg/cli/executor.go
  • internal/pkg/release/local_stored_collector.go
  • internal/pkg/release/local_stored_collector_test.go
  • internal/pkg/release/signature.go
✅ Files skipped from review due to trivial changes (1)
  • docs/features/custom-release-repo-paths.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • internal/pkg/release/local_stored_collector_test.go
  • internal/pkg/api/v2alpha1/type_config.go
  • internal/pkg/release/local_stored_collector.go

// distribution/distribution parses all REGISTRY_* env vars as config overrides,
// colliding with the Podman/containers REGISTRY_AUTH_FILE convention.
// The value has already been captured as the --authfile default (options.go).
os.Unsetenv("REGISTRY_AUTH_FILE")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Handle os.Unsetenv error explicitly.

os.Unsetenv returns an error, but it is currently ignored. Please fail fast if unsetting the variable fails.

As per path instructions, "**/*.go: Go security (prodsec-skills): - Never ignore error returns".

Proposed fix
-	os.Unsetenv("REGISTRY_AUTH_FILE")
+	if err := os.Unsetenv("REGISTRY_AUTH_FILE"); err != nil {
+		return fmt.Errorf("unset REGISTRY_AUTH_FILE: %w", err)
+	}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
os.Unsetenv("REGISTRY_AUTH_FILE")
if err := os.Unsetenv("REGISTRY_AUTH_FILE"); err != nil {
return fmt.Errorf("unset REGISTRY_AUTH_FILE: %w", err)
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/pkg/cli/executor.go` at line 714, The REGISTRY_AUTH_FILE cleanup in
executor.go is ignoring the error returned by os.Unsetenv, which violates the
no-ignored-errors rule. Update the code in the executor flow that calls
os.Unsetenv("REGISTRY_AUTH_FILE") to check the returned error and fail fast if
it is non-nil, propagating or handling the failure through the existing error
path in executor.go so the cleanup cannot silently succeed when it actually
fails.

Source: Path instructions

@eb4x

eb4x commented Jun 25, 2026

Copy link
Copy Markdown
Author

The releaseImageRepo, and releaseComponentRepo could technically also go in to each channel object/item, incase you'd like to fetch both okd and ocp from a single imagesetconfig. Probably the most dynamic approach?

This PR is just a suggested fix, the important part is we get to tell the exact path to store the images.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant