Description of problem:
The oc client has recently had functionality added to reference an icsp manifest with a variety of commands (using the --icsp flag).
The issue is that the registry/repo scope in an icsp required to trigger a mapping is different between ocp and oc. OCP icsp will match an image at the registry level, where the OC client requires exact registry + repo to match. This difference can cause major confusion (especially without adequate warning/error messages in the oc client).
Example Image to mirror: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1631b0f0bf9c6dc4f9519ceb06b6ec9277f53f4599853fcfad3b3a47d2afd404
In OCP registry.mirrorregistry.com:5000/openshift-release-dev/ will accurately mirror the image
But using OC with --icsp, quay.io/openshift-release-dev/ocp-v4.0-art-dev is required or the mirroring will not match.
Version-Release number of selected component (if applicable):
{code:none}
oc version
Client Version: 4.11.0-202212070335.p0.g1928ac4.assembly.stream-1928ac4
Kustomize Version: v4.5.4
Server Version: 4.12.0-rc.8
Kubernetes Version: v1.25.4+77bec7a
{code}
How reproducible:
100%
Steps to Reproduce:
1. Create an ICSP file with content similar to below (Replace with your mirror registry url)
{code:none}
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  creationTimestamp: null
  name: image-policy
spec:
  repositoryDigestMirrors:
  - mirrors:
    - registry.mirrorregistry.com:5005/openshift-release-dev
    source: quay.io/openshift-release-dev
{code}
2. Add the ICSP to a bm openshift cluster and wait for MCP to finish node restarts
3. SSH to a cluster node
4. Try to podman pull the following image with debug log level
podman pull --log-level=debug quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1631b0f0bf9c6dc4f9519ceb06b6ec9277f53f4599853fcfad3b3a47d2afd404
5. The log will show the mirror registry is attempted (Which is similar behavior to OCP)
6. Now try to extract the payload image from the release using the oc client and the --icsp flag (the ICSP file should be the same manifest used at step 1)
oc adm release extract --command=openshift-baremetal-install --to=/data/install-config-generate/installercache/registry.mirrorregistry.com:5005/openshift-release-dev/ocp-release:4.12.0-rc.8-x86_64 --insecure=false --icsp-file=/tmp/icsp-file1635083302 registry.mirrorregistry.com:5005/openshift-release-dev/ocp-release:4.12.0-rc.8-x86_64 --registry-config=/tmp/registry-config1265925963
Expected results:
openshift-baremetal-install is extracted to the proper directory using the mirrored payload image
Actual result:
oc client does not match the payload image because the icsp is not exact, so it immediately tries quay.io rather than the mirror registry
ited with non-zero exit code 1: \nwarning: --icsp-file only applies to images referenced by digest and will be ignored for tags\nerror: unable to read image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1631b0f0bf9c6dc4f9519ceb06b6ec9277f53f4599853fcfad3b3a47d2afd404: Get \"https://quay.io/v2/\": dial tcp 52.203.129.140:443: i/o timeout\n" func=github.com/openshift/assisted-service/internal/oc.execute file="/remote-source/assisted-service/app/internal/oc/release.go:404" go-id=26228 request_id=
Additional info:
I understand that oc-mirror or oc adm release mirror provides an icsp manifest to use, but as OCP itself allows for a wider scope for mapping, it can cause great confusion that oc icsp scope is not in parity. At the very least a warning/error message in the oc client when the icsp partially matches an image (but is not used) would be VERY useful.
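The scope difference described in this report, as an added example that is not code from oc or OCP: a simplified Go model of the two matching rules applied to the ICSP and image from the steps above, plus the partial-match check the report asks for. The type and function names are hypothetical, and the prefix rule is assumed to match on a "/" path boundary.

```go
package main

import (
	"fmt"
	"strings"
)

// Mirror is one repositoryDigestMirrors entry (simplified model, hypothetical type).
type Mirror struct {
	Source  string
	Mirrors []string
}

// rewrite replaces the src prefix of ref with each mirror location.
func rewrite(m Mirror, src, ref string) []string {
	out := []string{}
	for _, mir := range m.Mirrors {
		out = append(out, strings.TrimSuffix(mir, "/")+strings.TrimPrefix(ref, src))
	}
	return out
}

// exactMatch models the oc behaviour reported here: source must equal registry + repo.
func exactMatch(m Mirror, ref string) []string {
	repo := strings.SplitN(ref, "@", 2)[0]
	if repo != m.Source {
		return nil
	}
	return rewrite(m, m.Source, ref)
}

// prefixMatch models the node-side behaviour: source may be any leading path scope.
func prefixMatch(m Mirror, ref string) []string {
	repo := strings.SplitN(ref, "@", 2)[0]
	src := strings.TrimSuffix(m.Source, "/")
	if repo != src && !strings.HasPrefix(repo, src+"/") {
		return nil // assumed boundary rule: "…-dev2" must not match "…-dev"
	}
	return rewrite(m, src, ref)
}

// PartialMatch flags an entry the cluster would honour but exact matching ignores.
func PartialMatch(m Mirror, ref string) bool {
	return exactMatch(m, ref) == nil && prefixMatch(m, ref) != nil
}

func main() {
	m := Mirror{"quay.io/openshift-release-dev", []string{"registry.mirrorregistry.com:5005/openshift-release-dev"}}
	ref := "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1631b0f0bf9c6dc4f9519ceb06b6ec9277f53f4599853fcfad3b3a47d2afd404"
	fmt.Println(exactMatch(m, ref), prefixMatch(m, ref), PartialMatch(m, ref))
}
```

A check like `PartialMatch` run over every ICSP entry before falling back to the source registry would surface the silent fallback to quay.io as a warning in disconnected environments.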