CMP-3362: Update bundle images for Red Hat registries

[rhmdnd]

This commit updates the bundle build scripts so that it references
images in registry.redhat.io, so that the bundle image will work once
it's released. The images won't resolve, and we will use an
ImageContentSourcePolicy to replace the image requests to
registry.redhat.io with the quay.io references maintained by Konflux.

The important part here is that we're using the same SHA as what's
proposed in quay.io, so that when the image is mirrored the reference
will resolve.

[openshift-ci-robot]

@rhmdnd: This pull request references CMP-3362 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

This commit updates the bundle build scripts so that it references
images in registry.redhat.io, so that the bundle image will work once
it's released. The images won't resolve, and we will use an
ImageContentSourcePolicy to replace the image requests to
registry.redhat.io with the quay.io references maintained by Konflux.

The important part here is that we're using the same SHA as what's
proposed in quay.io, so that when the image is mirrored the reference
will resolve.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Vincent056]

used
operator-sdk run bundle -n openshift-file-integrity quay.io/redhat-user-workloads/ocp-isc-tenant/file-integrity-operator-bundle:on-pr-5426a104c63dcba6ce3d3512c7dafe786664d504
to deploy the PR

kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
    deployment.kubernetes.io/revision: '1'
  resourceVersion: '96553'
  name: file-integrity-operator
  uid: 150876e8-6904-44d6-ba25-45a7055c100e
  creationTimestamp: '2025-04-25T19:23:14Z'
  generation: 2
  ownerReferences:
    - apiVersion: operators.coreos.com/v1alpha1
      kind: ClusterServiceVersion
      name: file-integrity-operator.v1.3.5-dev
      uid: 7a49f73a-09a7-4ac4-9f7d-9cb05b488a39
      controller: false
      blockOwnerDeletion: false
  labels:
    olm.deployment-spec-hash: 2lLMF2nfkDZj3IlcPljbU3JF0ckmI7W1OT72S3
    olm.managed: 'true'
    olm.owner: file-integrity-operator.v1.3.5-dev
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-file-integrity
    operators.coreos.com/file-integrity-operator.openshift-file-integrity: ''
spec:
  replicas: 1
  selector:
    matchLabels:
      name: file-integrity-operator
  template:
    metadata:
      creationTimestamp: null
      labels:
        name: file-integrity-operator
      annotations:
        olm.skipRange: '>=1.0.0 <1.3.5-dev'
        features.operators.openshift.io/token-auth-azure: 'false'
        operators.openshift.io/valid-subscription: '["OpenShift Kubernetes Engine", "OpenShift Container Platform", "OpenShift Platform Plus"]'
        operators.operatorframework.io/builder: operator-sdk-v1.27.0
        features.operators.openshift.io/token-auth-gcp: 'false'
        operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
        olm.targetNamespaces: ''
        operatorframework.io/properties: '{"properties":[{"type":"olm.gvk","value":{"group":"fileintegrity.openshift.io","kind":"FileIntegrity","version":"v1alpha1"}},{"type":"olm.gvk","value":{"group":"fileintegrity.openshift.io","kind":"FileIntegrityNodeStatus","version":"v1alpha1"}},{"type":"olm.package","value":{"packageName":"file-integrity-operator","version":"1.3.5-dev"}}]}'
        repository: 'https://github.com/openshift/file-integrity-operator'
        features.operators.openshift.io/token-auth-aws: 'false'
        operatorframework.io/cluster-monitoring: 'true'
        operators.openshift.io/infrastructure-features: '["disconnected", "fips"]'
        alm-examples: |-
          [
            {
              "apiVersion": "fileintegrity.openshift.io/v1alpha1",
              "kind": "FileIntegrity",
              "metadata": {
                "name": "example-fileintegrity",
                "namespace": "openshift-file-integrity"
              },
              "spec": {
                "config": {},
                "debug": false
              }
            }
          ]
        capabilities: Seamless Upgrades
        features.operators.openshift.io/fips-compliant: 'true'
        olm.operatorNamespace: openshift-file-integrity
        createdAt: '2024-11-21T18:02:08Z'
        categories: 'Monitoring,Security'
        features.operators.openshift.io/proxy-aware: 'false'
        operatorframework.io/suggested-namespace: openshift-file-integrity
        olm.operatorGroup: operator-sdk-og
        features.operators.openshift.io/disconnected: 'true'
        features.operators.openshift.io/tls-profiles: 'false'
    spec:
      restartPolicy: Always
      serviceAccountName: file-integrity-operator
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 30
      securityContext: {}
      containers:
        - resources:
            limits:
              cpu: 100m
              memory: 200Mi
            requests:
              cpu: 10m
              memory: 10Mi
          terminationMessagePath: /dev/termination-log
          name: file-integrity-operator
          command:
            - file-integrity-operator
          env:
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: 'metadata.annotations[''olm.targetNamespaces'']'
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: file-integrity-operator
            - name: RELATED_IMAGE_OPERATOR
              value: 'registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:148940c5046c11914540b7c9ad872f5b7c1219d2c75d2eeb6d721c9578b9f43a'
            - name: OPERATOR_CONDITION_NAME
              value: file-integrity-operator.v1.3.5-dev
          imagePullPolicy: Always
          volumeMounts:
            - name: serving-cert
              readOnly: true
              mountPath: /var/run/secrets/serving-cert
          terminationMessagePolicy: File
          image: 'quay.io/file-integrity-operator/file-integrity-operator:latest'
          args:
            - operator
      serviceAccount: file-integrity-operator
      volumes:
        - name: serving-cert
          secret:
            secretName: file-integrity-operator-serving-cert
            defaultMode: 420
            optional: true
      dnsPolicy: ClusterFirst
      tolerations:
        - key: node.kubernetes.io/unreachable
          operator: Exists
          effect: NoExecute
          tolerationSeconds: 120
        - key: node.kubernetes.io/not-ready
          operator: Exists
          effect: NoExecute
          tolerationSeconds: 120

we might need to adjust the deployment image besides RELATED_IMAGE_OPERATOR

[Vincent056]

I think the ICSP is working as expected when I manually created the deployment using redhat registry image:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: file-integrity-operator-2
spec:
  replicas: 1
  selector:
    matchLabels:
      name: file-integrity-operator
  template:
    metadata:
      creationTimestamp: null
      labels:
        name: file-integrity-operator
      annotations:
        olm.skipRange: '>=1.0.0 <1.3.5-dev'
        features.operators.openshift.io/token-auth-azure: 'false'
        operators.openshift.io/valid-subscription: '["OpenShift Kubernetes Engine", "OpenShift Container Platform", "OpenShift Platform Plus"]'
        operators.operatorframework.io/builder: operator-sdk-v1.27.0
        features.operators.openshift.io/token-auth-gcp: 'false'
        operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
        olm.targetNamespaces: ''
        operatorframework.io/properties: '{"properties":[{"type":"olm.gvk","value":{"group":"fileintegrity.openshift.io","kind":"FileIntegrity","version":"v1alpha1"}},{"type":"olm.gvk","value":{"group":"fileintegrity.openshift.io","kind":"FileIntegrityNodeStatus","version":"v1alpha1"}},{"type":"olm.package","value":{"packageName":"file-integrity-operator","version":"1.3.5-dev"}}]}'
        repository: 'https://github.com/openshift/file-integrity-operator'
        features.operators.openshift.io/token-auth-aws: 'false'
        operatorframework.io/cluster-monitoring: 'true'
        operators.openshift.io/infrastructure-features: '["disconnected", "fips"]'
        alm-examples: |-
          [
            {
              "apiVersion": "fileintegrity.openshift.io/v1alpha1",
              "kind": "FileIntegrity",
              "metadata": {
                "name": "example-fileintegrity",
                "namespace": "openshift-file-integrity"
              },
              "spec": {
                "config": {},
                "debug": false
              }
            }
          ]
        capabilities: Seamless Upgrades
        features.operators.openshift.io/fips-compliant: 'true'
        olm.operatorNamespace: openshift-file-integrity
        createdAt: '2024-11-21T18:02:08Z'
        categories: 'Monitoring,Security'
        features.operators.openshift.io/proxy-aware: 'false'
        operatorframework.io/suggested-namespace: openshift-file-integrity
        olm.operatorGroup: operator-sdk-og
        features.operators.openshift.io/disconnected: 'true'
        features.operators.openshift.io/tls-profiles: 'false'
    spec:
      restartPolicy: Always
      serviceAccountName: file-integrity-operator
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 30
      securityContext: {}
      containers:
        - resources:
            limits:
              cpu: 100m
              memory: 200Mi
            requests:
              cpu: 10m
              memory: 10Mi
          terminationMessagePath: /dev/termination-log
          name: file-integrity-operator
          command:
            - file-integrity-operator
          env:
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: 'metadata.annotations[''olm.targetNamespaces'']'
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: file-integrity-operator
            - name: RELATED_IMAGE_OPERATOR
              value: 'registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:148940c5046c11914540b7c9ad872f5b7c1219d2c75d2eeb6d721c9578b9f43a'
            - name: OPERATOR_CONDITION_NAME
              value: file-integrity-operator.v1.3.5-dev
          imagePullPolicy: Always
          volumeMounts:
            - name: serving-cert
              readOnly: true
              mountPath: /var/run/secrets/serving-cert
          terminationMessagePolicy: File
          image: 'registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:148940c5046c11914540b7c9ad872f5b7c1219d2c75d2eeb6d721c9578b9f43a'
          args:
            - operator
      serviceAccount: file-integrity-operator
      volumes:
        - name: serving-cert
          secret:
            secretName: file-integrity-operator-serving-cert
            defaultMode: 420
            optional: true
      dnsPolicy: ClusterFirst
      tolerations:
        - key: node.kubernetes.io/unreachable
          operator: Exists
          effect: NoExecute
          tolerationSeconds: 120
        - key: node.kubernetes.io/not-ready
          operator: Exists
          effect: NoExecute
          tolerationSeconds: 120
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 1
  progressDeadlineSeconds: 600

ICSP in use are :

vincent@node:~$ cat icsp.yaml 
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: file-integrity-operator-mirror
spec:
  repositoryDigestMirrors:
  - source: registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator
    mirrors:
    - quay.io/redhat-user-workloads/ocp-isc-tenant/file-integrity-operator

[rhmdnd]

Updating the bundle upgrade job in openshift/release#64353

Should be able to work through those failures there.

[rhmdnd]

Updating the bundle upgrade job in openshift/release#64353

Should be able to work through those failures there.

This will be more involved than just a Dockerfile image update. We'll need to think about how we can build bundle images in Konflux that reference the operator image from the PR, too. Not a blocker for this PR since we haven't tested that particular OpenShift operator bundle upgrade path in the past, but something we'll need to sketch out and implement after the 1.3.6 release.

[rhmdnd]

/test e2e-bundle-aws

[Vincent056]

/lgtm

vincent@node:~/ws-compliance/compliance-operator$ operator-sdk run bundle -n openshift-file-integrity quay.io/redhat-user-workloads/ocp-isc-tenant/file-integrity-operator-bundle:on-pr-f92bdf96939e92b0e88f06cc6668959b3639b858
INFO[0021] Creating a File-Based Catalog of the bundle "quay.io/redhat-user-workloads/ocp-isc-tenant/file-integrity-operator-bundle:on-pr-f92bdf96939e92b0e88f06cc6668959b3639b858" 
INFO[0028] Generated a valid File-Based Catalog         
INFO[0032] Created registry pod: operator-bundle-on-pr-f92bdf96939e92b0e88f06cc6668959b3639b858 
INFO[0033] Created CatalogSource: file-integrity-operator-catalog 
INFO[0033] OperatorGroup "operator-sdk-og" created      
INFO[0033] Created Subscription: file-integrity-operator-v1-3-6-sub 
INFO[0050] Approved InstallPlan install-4r5n9 for the Subscription: file-integrity-operator-v1-3-6-sub 
INFO[0050] Waiting for ClusterServiceVersion "openshift-file-integrity/file-integrity-operator.v1.3.6" to reach 'Succeeded' phase 
INFO[0050]   Waiting for ClusterServiceVersion "openshift-file-integrity/file-integrity-operator.v1.3.6" to appear 
INFO[0051]   Found ClusterServiceVersion "openshift-file-integrity/file-integrity-operator.v1.3.6" phase: Pending 
INFO[0054]   Found ClusterServiceVersion "openshift-file-integrity/file-integrity-operator.v1.3.6" phase: Installing 
INFO[0065]   Found ClusterServiceVersion "openshift-file-integrity/file-integrity-operator.v1.3.6" phase: Succeeded 
INFO[0066] OLM has successfully installed "file-integrity-operator.v1.3.6" 




vincent@node:~/ws-compliance/compliance-operator$ oc get deployment file-integrity-operator -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2025-04-30T00:30:13Z"
  generation: 1
  labels:
    olm.deployment-spec-hash: 7a8JXuVed4Ql7MsySfI1tFwT4t6XhlgCzldiCg
    olm.managed: "true"
    olm.owner: file-integrity-operator.v1.3.6
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-file-integrity
    operators.coreos.com/file-integrity-operator.openshift-file-integrity: ""
  name: file-integrity-operator
  namespace: openshift-file-integrity
  ownerReferences:
  - apiVersion: operators.coreos.com/v1alpha1
    blockOwnerDeletion: false
    controller: false
    kind: ClusterServiceVersion
    name: file-integrity-operator.v1.3.6
    uid: 0e50f1ba-c41e-4818-828c-cbb71ef4d4af
  resourceVersion: "43690"
  uid: 683b570e-ceec-43cc-be6b-b2af9feeecae
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      name: file-integrity-operator
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        alm-examples: |-
          [
            {
              "apiVersion": "fileintegrity.openshift.io/v1alpha1",
              "kind": "FileIntegrity",
              "metadata": {
                "name": "example-fileintegrity",
                "namespace": "openshift-file-integrity"
              },
              "spec": {
                "config": {},
                "debug": false
              }
            }
          ]
        capabilities: Seamless Upgrades
        categories: Monitoring,Security
        createdAt: "2024-11-21T18:02:08Z"
        features.operators.openshift.io/disconnected: "true"
        features.operators.openshift.io/fips-compliant: "true"
        features.operators.openshift.io/proxy-aware: "false"
        features.operators.openshift.io/tls-profiles: "false"
        features.operators.openshift.io/token-auth-aws: "false"
        features.operators.openshift.io/token-auth-azure: "false"
        features.operators.openshift.io/token-auth-gcp: "false"
        olm.operatorGroup: operator-sdk-og
        olm.operatorNamespace: openshift-file-integrity
        olm.skipRange: '>=1.0.0 <1.3.6'
        olm.targetNamespaces: ""
        operatorframework.io/cluster-monitoring: "true"
        operatorframework.io/properties: '{"properties":[{"type":"olm.gvk","value":{"group":"fileintegrity.openshift.io","kind":"FileIntegrity","version":"v1alpha1"}},{"type":"olm.gvk","value":{"group":"fileintegrity.openshift.io","kind":"FileIntegrityNodeStatus","version":"v1alpha1"}},{"type":"olm.package","value":{"packageName":"file-integrity-operator","version":"1.3.6"}}]}'
        operatorframework.io/suggested-namespace: openshift-file-integrity
        operators.openshift.io/infrastructure-features: '["disconnected", "fips"]'
        operators.openshift.io/valid-subscription: '["OpenShift Kubernetes Engine",
          "OpenShift Container Platform", "OpenShift Platform Plus"]'
        operators.operatorframework.io/builder: operator-sdk-v1.27.0
        operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
        repository: https://github.com/openshift/file-integrity-operator
      creationTimestamp: null
      labels:
        name: file-integrity-operator
    spec:
      containers:
      - args:
        - operator
        command:
        - file-integrity-operator
        env:
        - name: WATCH_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations['olm.targetNamespaces']
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: OPERATOR_NAME
          value: file-integrity-operator
        - name: RELATED_IMAGE_OPERATOR
          value: registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:148940c5046c11914540b7c9ad872f5b7c1219d2c75d2eeb6d721c9578b9f43a
        - name: OPERATOR_CONDITION_NAME
          value: file-integrity-operator.v1.3.6
        image: registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:148940c5046c11914540b7c9ad872f5b7c1219d2c75d2eeb6d721c9578b9f43a
        imagePullPolicy: Always
        name: file-integrity-operator
        resources:
          limits:
            cpu: 100m
            memory: 200Mi
          requests:
            cpu: 10m
            memory: 10Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/serving-cert
          name: serving-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: file-integrity-operator
      serviceAccountName: file-integrity-operator
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoExecute
        key: node.kubernetes.io/unreachable
        operator: Exists
        tolerationSeconds: 120
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists
        tolerationSeconds: 120
      volumes:
      - name: serving-cert
        secret:
          defaultMode: 420
          optional: true
          secretName: file-integrity-operator-serving-cert
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2025-04-30T00:30:23Z"
    lastUpdateTime: "2025-04-30T00:30:23Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2025-04-30T00:30:13Z"
    lastUpdateTime: "2025-04-30T00:30:23Z"
    message: ReplicaSet "file-integrity-operator-5c55d5dfdc" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

[Vincent056]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd, Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Vincent056,rhmdnd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@rhmdnd: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-rosa	f92bdf9	link	false	/test e2e-rosa

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.