manager/prow: fix mce release image access#625
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: AlexNPavel The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Fix access to custom release images for MCE clusters. When ci-operator is used to create a custom release, it will import the release image specified by release-controller and then import the images that the release image references. The release image itself continues to point to the app.ci registry (or the app.ci based quay-proxy), which MCE based clusters cannot use as they don't have the proper pull secret. This PR fixes the issue by adding a new step after ci-operator runs to create a new release image from the imported images in the `stable` imagestream created by ci-operator to replace the original release image. It also removes the original permission script used by `build` and changes `build` commands to follow the same pattern of using a multistage test that only includes `ipi-install-rbac`. The original permission script would not work with MCE images due to a permissions issue, so the `ipi-install-rbac` route was the best way to allow `Build` and `MCECustomImageset` jobs to share the same logic. I have tested this with reference: false releases (5.0.0-0.ci) and reference: true releases (4.22.0-0.ci) and have tested builds to make sure they still work as expected.
fe7c79d to
af7aaac
Compare
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThis PR modifies ChangesMCE custom image release rewrite
Estimated code review effort: 4 (Complex) | ~45 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
/hold |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
pkg/manager/prow.go (1)
1624-1629: 🩺 Stability & Availability | 🔵 Trivial | 💤 Low valueMinor:
mkdir /tmp/bincan fail if the dir already exists; prefermkdir -p.Under the
hasRefspath this script runs withset -e, so a pre-existing/tmp/binwould abort the step. Usingmkdir -pmakes the rewrite idempotent and robust to future changes in the surrounding command composition.♻️ Proposed tweak
-mkdir /tmp/bin +mkdir -p /tmp/bin🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/manager/prow.go` around lines 1624 - 1629, The mceReleaseRewriteScript setup is not idempotent because `mkdir /tmp/bin` can fail if the directory already exists. Update the script in the `mceReleaseRewriteScript` constant to use `mkdir -p` before adding `oc` to `/tmp/bin`, so the `hasRefs` path remains safe under `set -e` and the rewrite logic is robust if the directory is pre-created.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pkg/manager/prow.go`:
- Around line 898-923: The MCE custom image branch in prow.go builds a shell
command for the ci-operator path without fail-fast handling, so a failed
ci-operator invocation can still fall through into the release rewrite step.
Update the JobTypeMCECustomImage / !hasRefs block in the relevant prow command
assembly to include the same error-exit semantics used by the hasRefs path (via
the shared script or equivalent shell flags), ensuring mceReleaseRewriteScript
only runs after a successful ci-operator execution. Verify the command
construction around container.Command, container.Args, and the ci-operator $@
invocation preserves early exit behavior.
---
Nitpick comments:
In `@pkg/manager/prow.go`:
- Around line 1624-1629: The mceReleaseRewriteScript setup is not idempotent
because `mkdir /tmp/bin` can fail if the directory already exists. Update the
script in the `mceReleaseRewriteScript` constant to use `mkdir -p` before adding
`oc` to `/tmp/bin`, so the `hasRefs` path remains safe under `set -e` and the
rewrite logic is robust if the directory is pre-created.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: d256b69b-f59a-4827-b0d0-d8d32e91da15
📒 Files selected for processing (1)
pkg/manager/prow.go
7d5ce9a to
1024f01
Compare
|
@AlexNPavel: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Fix access to custom release images for MCE clusters. When ci-operator is used to create a custom release, it will import the release image specified by release-controller and then import the images that the release image references. The release image itself continues to point to the app.ci registry (or the app.ci based quay-proxy), which MCE based clusters cannot use as they don't have the proper pull secret.
This PR fixes the issue by adding a new step after ci-operator runs to create a new release image from the imported images in the
stableimagestream created by ci-operator to replace the original release image. It also removes the original permission script used bybuildand changesbuildcommands to follow the same pattern of using a multistage test that only includesipi-install-rbac. The original permission script would not work with MCE images due to a permissions issue, so theipi-install-rbacroute was the best way to allowBuildandMCECustomImagesetjobs to share the same logic.I have tested this with reference: false releases (5.0.0-0.ci) and reference: true releases (4.22.0-0.ci) and have tested builds to make sure they still work as expected.
Summary by CodeRabbit
New Features
Bug Fixes