Merge pull request #5318 from umohnani8/reboots

MCO-1529, MCO-1530: Implement install time support for Image Mode

Author: openshift-merge-bot[bot]

pkg/controller/bootstrap/bootstrap.go

@@ -18,10 +18,14 @@ import (
 	kscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/klog/v2"
 
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/opencontainers/go-digest"
 	apicfgv1 "github.com/openshift/api/config/v1"
 	apicfgv1alpha1 "github.com/openshift/api/config/v1alpha1"
 	mcfgv1 "github.com/openshift/api/machineconfiguration/v1"
 	apioperatorsv1alpha1 "github.com/openshift/api/operator/v1alpha1"
+	"github.com/openshift/machine-config-operator/pkg/apihelpers"
+	buildconstants "github.com/openshift/machine-config-operator/pkg/controller/build/constants"
 	ctrlcommon "github.com/openshift/machine-config-operator/pkg/controller/common"
 	containerruntimeconfig "github.com/openshift/machine-config-operator/pkg/controller/container-runtime-config"
 	kubeletconfig "github.com/openshift/machine-config-operator/pkg/controller/kubelet-config"
@@ -73,8 +77,9 @@ func (b *Bootstrap) Run(destDir string) error {
 	apioperatorsv1alpha1.Install(scheme)
 	apicfgv1.Install(scheme)
 	apicfgv1alpha1.Install(scheme)
+	corev1.AddToScheme(scheme)
 	codecFactory := serializer.NewCodecFactory(scheme)
-	decoder := codecFactory.UniversalDecoder(mcfgv1.GroupVersion, apioperatorsv1alpha1.GroupVersion, apicfgv1.GroupVersion, apicfgv1alpha1.GroupVersion)
+	decoder := codecFactory.UniversalDecoder(mcfgv1.GroupVersion, apioperatorsv1alpha1.GroupVersion, apicfgv1.GroupVersion, apicfgv1alpha1.GroupVersion, corev1.SchemeGroupVersion)
 
 	var (
 		cconfig              *mcfgv1.ControllerConfig
@@ -83,6 +88,7 @@ func (b *Bootstrap) Run(destDir string) error {
 		kconfigs             []*mcfgv1.KubeletConfig
 		pools                []*mcfgv1.MachineConfigPool
 		configs              []*mcfgv1.MachineConfig
+		machineOSConfigs     []*mcfgv1.MachineOSConfig
 		crconfigs            []*mcfgv1.ContainerRuntimeConfig
 		icspRules            []*apioperatorsv1alpha1.ImageContentSourcePolicy
 		idmsRules            []*apicfgv1.ImageDigestMirrorSet
@@ -124,6 +130,8 @@ func (b *Bootstrap) Run(destDir string) error {
 				pools = append(pools, obj)
 			case *mcfgv1.MachineConfig:
 				configs = append(configs, obj)
+			case *mcfgv1.MachineOSConfig:
+				machineOSConfigs = append(machineOSConfigs, obj)
 			case *mcfgv1.ControllerConfig:
 				cconfig = obj
 			case *mcfgv1.ContainerRuntimeConfig:
@@ -234,6 +242,18 @@ func (b *Bootstrap) Run(destDir string) error {
 	}
 	klog.Infof("Successfully generated MachineConfigs from kubelet configs.")
 
+	// Create component MachineConfigs for pre-built images for hybrid OCL
+	// This must happen BEFORE render.RunBootstrap() so they can be merged into rendered MCs
+	if len(machineOSConfigs) > 0 {
+		klog.Infoln("Found machineOSConfig(s) at install time, will install cluster with Image Mode enabled")
+		preBuiltImageMCs, err := createPreBuiltImageMachineConfigs(machineOSConfigs, pools)
+		if err != nil {
+			return fmt.Errorf("failed to create pre-built image MachineConfigs: %w", err)
+		}
+		configs = append(configs, preBuiltImageMCs...)
+		klog.Infof("Successfully created %d pre-built image component MachineConfigs for hybrid OCL.", len(preBuiltImageMCs))
+	}
+
 	fpools, gconfigs, err := render.RunBootstrap(pools, configs, cconfig)
 	if err != nil {
 		return err
@@ -376,3 +396,101 @@ func parseManifests(filename string, r io.Reader) ([]manifest, error) {
 		manifests = append(manifests, m)
 	}
 }
+
+// createPreBuiltImageMachineConfigs creates component MachineConfigs that set osImageURL for pools
+// that have associated MachineOSConfigs with pre-built image annotations.
+// These component MCs will be automatically merged into rendered MCs by the render controller.
+// This function validates pre-built images at bootstrap time and will fail if:
+// - The annotation is missing for a MOSC that hasn't been seeded yet (required for install-time OCL)
+// - The image format is invalid
+// MOSCs without the annotation are skipped only if seeding has already completed.
+func createPreBuiltImageMachineConfigs(machineOSConfigs []*mcfgv1.MachineOSConfig, pools []*mcfgv1.MachineConfigPool) ([]*mcfgv1.MachineConfig, error) {
+	var preBuiltImageMCs []*mcfgv1.MachineConfig
+	var validationErrors []error
+
+	for _, mosc := range machineOSConfigs {
+		preBuiltImage, hasPreBuiltImage := mosc.Annotations[buildconstants.PreBuiltImageAnnotationKey]
+
+		// Check if seeding has completed (either Seeded condition or currentBuild annotation)
+		hasSeededCondition := apihelpers.IsMachineOSConfigConditionPresentAndEqual(mosc.Status.Conditions, buildconstants.MachineOSConfigSeeded, metav1.ConditionTrue)
+		hasCurrentBuild := mosc.Annotations[buildconstants.CurrentMachineOSBuildAnnotationKey] != ""
+		isPostSeeding := hasSeededCondition || hasCurrentBuild
+
+		// Validate annotation presence
+		if !hasPreBuiltImage || preBuiltImage == "" {
+			if isPostSeeding {
+				// Post-seeding: annotation was removed after seeding completed, this is OK, skip
+				klog.V(4).Infof("Skipping MachineOSConfig %s - no pre-built image annotation but seeding already completed", mosc.Name)
+				continue
+			}
+			// Pre-seeding: annotation is REQUIRED for install-time OCL
+			validationErrors = append(validationErrors, fmt.Errorf("MachineOSConfig %q is missing required annotation %q - this is required for install-time OCL",
+				mosc.Name, buildconstants.PreBuiltImageAnnotationKey))
+			continue
+		}
+
+		poolName := mosc.Spec.MachineConfigPool.Name
+		// verify that the pool used in the MOSC actually exists
+		poolExists := false
+		for _, pool := range pools {
+			if pool.Name == poolName {
+				poolExists = true
+				break
+			}
+		}
+		if !poolExists {
+			validationErrors = append(validationErrors, fmt.Errorf("MachineOSConfig %q references non-existent pool %q", mosc.Name, poolName))
+			continue
+		}
+
+		// Validate the pre-built image format and digest
+		if err := validatePreBuiltImage(preBuiltImage); err != nil {
+			validationErrors = append(validationErrors, fmt.Errorf("invalid pre-built image %q for MachineOSConfig %q (pool %q): %w",
+				preBuiltImage, mosc.Name, poolName, err))
+			continue
+		}
+
+		// Create the component MachineConfig
+		mc := ctrlcommon.CreatePreBuiltImageMachineConfig(poolName, preBuiltImage, buildconstants.PreBuiltImageAnnotationKey)
+		preBuiltImageMCs = append(preBuiltImageMCs, mc)
+		klog.Infof("Validated and created component MachineConfig %s with OSImageURL: %s for pool %s", mc.Name, preBuiltImage, poolName)
+	}
+
+	// Return all validation errors if any occurred
+	if len(validationErrors) > 0 {
+		return nil, fmt.Errorf("validation failed for MachineOSConfigs: %s", errors.Join(validationErrors...))
+	}
+
+	return preBuiltImageMCs, nil
+}
+
+// validatePreBuiltImage validates the pre-built image format using containers/image library
+func validatePreBuiltImage(imageSpec string) error {
+	if imageSpec == "" {
+		return fmt.Errorf("pre-built image spec cannot be empty")
+	}
+
+	// Use the containers/image library to parse and validate the image reference
+	ref, err := reference.ParseNamed(imageSpec)
+	if err != nil {
+		return fmt.Errorf("pre-built image %q has invalid format: %w", imageSpec, err)
+	}
+
+	// Ensure the reference has a digest (is canonical)
+	canonical, ok := ref.(reference.Canonical)
+	if !ok {
+		return fmt.Errorf("pre-built image must use digested format (image@sha256:digest), got: %q", imageSpec)
+	}
+
+	// Validate the digest using the go-digest library
+	if err := canonical.Digest().Validate(); err != nil {
+		return fmt.Errorf("pre-built image %q has invalid digest: %w", imageSpec, err)
+	}
+
+	// Ensure it's specifically a SHA256 digest (which is what we expect for container images)
+	if canonical.Digest().Algorithm() != digest.SHA256 {
+		return fmt.Errorf("pre-built image must use SHA256 digest, got %s: %q", canonical.Digest().Algorithm(), imageSpec)
+	}
+
+	return nil
+}

pkg/controller/bootstrap/bootstrap_test.go

@@ -200,3 +200,66 @@ func TestBootstrapRun(t *testing.T) {
 		})
 	}
 }
+
+func TestValidatePreBuiltImage(t *testing.T) {
+	tests := []struct {
+		name          string
+		imageSpec     string
+		errorContains string
+	}{
+		{
+			name:          "Valid image with proper digest format",
+			imageSpec:     "registry.example.com/test@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
+			errorContains: "",
+		},
+		{
+			name:          "Empty image spec should fail",
+			imageSpec:     "",
+			errorContains: "cannot be empty",
+		},
+		{
+			name:          "Image without digest should fail",
+			imageSpec:     "registry.example.com/test:latest",
+			errorContains: "must use digested format",
+		},
+		{
+			name:          "Image with invalid digest length should fail",
+			imageSpec:     "registry.example.com/test@sha256:12345",
+			errorContains: "invalid reference format",
+		},
+		{
+			name:          "Image with invalid digest characters should fail",
+			imageSpec:     "registry.example.com/test@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdez",
+			errorContains: "invalid reference format",
+		},
+		{
+			name:          "Image with uppercase digest should fail",
+			imageSpec:     "registry.example.com/test@sha256:1234567890ABCDEF1234567890abcdef1234567890abcdef1234567890abcdef",
+			errorContains: "invalid checksum digest format",
+		},
+		{
+			name:          "Image with MD5 digest should fail",
+			imageSpec:     "registry.example.com/test@md5:1234567890abcdef1234567890abcdef",
+			errorContains: "unsupported digest algorithm",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validatePreBuiltImage(tt.imageSpec)
+
+			if tt.errorContains != "" && err == nil {
+				t.Errorf("Expected error but got none")
+			}
+			if tt.errorContains == "" && err != nil {
+				t.Errorf("Unexpected error: %v", err)
+			}
+			if tt.errorContains != "" {
+				// If we reach here, err must be non-nil (checked above)
+				if !strings.Contains(err.Error(), tt.errorContains) {
+					t.Errorf("Expected error to contain %q, but got: %v", tt.errorContains, err)
+				}
+			}
+		})
+	}
+}

pkg/controller/bootstrap/testdata/bootstrap/layered-worker.machineconfigpool.yaml

@@ -0,0 +1,11 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfigPool
+metadata:
+  name: layered-worker
+spec:
+  machineConfigSelector:
+    matchLabels:
+      "machineconfiguration.openshift.io/role": "layered-worker"
+  nodeSelector:
+    matchLabels:
+      node-role.kubernetes.io/layered-worker: ""

pkg/controller/bootstrap/testdata/bootstrap/layered-worker.machineosconfig.yaml

@@ -0,0 +1,22 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineOSConfig
+metadata:
+  name: layered-worker
+  annotations:
+    machineconfiguration.openshift.io/pre-built-image: "quay.io/example/layered-rhcos:latest@sha256:abcd1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab"
+spec:
+  machineConfigPool:
+    name: layered-worker
+  imageBuilder:
+    imageBuilderType: Job
+  baseImagePullSecret:
+    name: pull-secret
+  renderedImagePushSecret:
+    name: push-secret
+  renderedImagePushSpec: quay.io/example/layered-rhcos:latest
+  containerFile:
+  - containerfileArch: NoArch
+    content: |
+      FROM configs AS final
+      RUN rpm-ostree install httpd && \
+        ostree container commit

pkg/controller/build/constants/constants.go

@@ -13,6 +13,18 @@ const (
 	TargetMachineConfigPoolLabelKey = "machineconfiguration.openshift.io/target-machine-config-pool"
 )
 
+// New labels for pre-built image tracking
+const (
+	// PreBuiltImageLabelKey marks MachineOSBuild objects created from pre-built images
+	PreBuiltImageLabelKey = "machineconfiguration.openshift.io/pre-built-image"
+)
+
+// Common label values
+const (
+	// TrueValue is the string representation of true used in labels and annotations
+	TrueValue = "true"
+)
+
 // Annotations added to all ephemeral build objects BuildController creates.
 const (
 	MachineOSBuildNameAnnotationKey      = "machineconfiguration.openshift.io/machine-os-build"
@@ -36,6 +48,31 @@ const (
 	RebuildMachineOSConfigAnnotationKey string = "machineconfiguration.openshift.io/rebuild"
 )
 
+// New annotations for pre-built image support
+const (
+	// PreBuiltImageAnnotationKey indicates a MachineOSConfig should be seeded with a pre-built image
+	PreBuiltImageAnnotationKey = "machineconfiguration.openshift.io/pre-built-image"
+)
+
+// MachineOSConfig condition types
+// TODO: These should eventually be moved to the API package once MOSC conditions are finalized
+const (
+	// MachineOSConfigSeeded indicates that a MachineOSConfig has been seeded with a pre-built image at install time
+	MachineOSConfigSeeded = "Seeded"
+)
+
+// MachineOSConfig condition reasons
+const (
+	// ReasonPreBuiltImageSeeded indicates the MachineOSConfig was seeded with a pre-built image
+	ReasonPreBuiltImageSeeded = "PreBuiltImageSeeded"
+)
+
+// Component MachineConfig naming for pre-built images
+const (
+	// PreBuiltImageMachineConfigPrefix is the prefix for component MCs that set osImageURL from pre-built images
+	PreBuiltImageMachineConfigPrefix = "10-prebuiltimage-osimageurl-"
+)
+
 // Entitled build secret names
 const (
 	// Name of the etc-pki-entitlement secret from the openshift-config-managed namespace.

pkg/controller/build/helpers.go

@@ -256,6 +256,43 @@ func hasRebuildAnnotation(mosc *mcfgv1.MachineOSConfig) bool {
 	return metav1.HasAnnotation(mosc.ObjectMeta, constants.RebuildMachineOSConfigAnnotationKey)
 }
 
+// getPreBuiltImage returns the pre-built image from a MachineOSConfig's annotations.
+// Returns the image string and a boolean indicating if it exists and is non-empty.
+func getPreBuiltImage(mosc *mcfgv1.MachineOSConfig) (string, bool) {
+	image, exists := mosc.Annotations[constants.PreBuiltImageAnnotationKey]
+	return image, exists && image != ""
+}
+
+// shouldSeedWithPreBuiltImage determines if a MachineOSConfig should be seeded with a pre-built image.
+// Returns true if:
+// - The MOSC has a pre-built image annotation
+// - The MOSC does NOT have a current build annotation (meaning seeding hasn't happened yet)
+func shouldSeedWithPreBuiltImage(mosc *mcfgv1.MachineOSConfig) bool {
+	_, hasImage := getPreBuiltImage(mosc)
+	return hasImage && !hasCurrentBuildAnnotation(mosc)
+}
+
+// isPreBuiltImageAwaitingSeeding checks if a MOSC has pre-built image annotation but hasn't been seeded.
+// This is useful for skipping normal build workflows when the seeding workflow should handle it.
+// Seeding is considered complete once the currentBuild annotation is set.
+func isPreBuiltImageAwaitingSeeding(mosc *mcfgv1.MachineOSConfig) bool {
+	_, hasImage := getPreBuiltImage(mosc)
+	return hasImage && !hasCurrentBuildAnnotation(mosc)
+}
+
+// needsPreBuiltImageAnnotationCleanup determines if a MOSC has completed seeding and
+// the pre-built image annotation can be safely removed.
+// Returns true if:
+// - The MOSC has a current build annotation (seeding is complete)
+// - The MOSC status has been populated with CurrentImagePullSpec
+// - The MOSC still has the PreBuiltImageAnnotationKey (needs cleanup)
+func needsPreBuiltImageAnnotationCleanup(mosc *mcfgv1.MachineOSConfig) bool {
+	_, hasImage := getPreBuiltImage(mosc)
+	return hasCurrentBuildAnnotation(mosc) &&
+		mosc.Status.CurrentImagePullSpec != "" &&
+		hasImage
+}
+
 // Looks at the error chain for the given error and determines if the error
 // should be ignored or not based upon whether it is a not found error. If it
 // should be ignored, this will log the error as well as the name and kind of