1. 1. Summary

CloudKitty deployment on downstream RHOSO 18 fails because the operator defaults to upstream
container images (quay.rdoproject.org) that are rejected by the cluster's image signature
validation policy

1. 1. Description

When enabling CloudKitty on a downstream RHOSO 18 environment, the telemetry-operator uses
upstream container images from quay.rdoproject.org instead of downstream images from
images.paas.redhat.com or registry.redhat.io. These upstream images are rejected by the
cluster's image signature validation policy with `SignatureValidationFailed`.

1. 1. 1. To Reproduce

1. Deploy RHOSO 18 downstream environment
2. Enable CloudKitty in the telemetry CR
3. Wait for CloudKitty pods to be created
4. Check pod status:
   ```bash
   oc get pods -n openstack | grep cloudkitty
   ```
5. See: `ImagePullBackOff` or `ErrImagePull`
6. Check the image being used:
   ```bash
   oc get pod cloudkitty-db-sync-<id> -n openstack -o jsonpath='

{.spec.containers[0].image}

'
   ```
7. See: `quay.rdoproject.org/podified-master-centos10/openstack-cloudkitty-api:current-tested`
8. Check events:
   ```
   SignatureValidationFailed: Source image rejected: Running image
   docker://quay.rdoproject.org/podified-master-centos10/openstack-cloudkitty-api:current-tested
   is rejected by policy
   ```

1. 1. 1. Expected behavior

The CloudKitty operator should use downstream container images consistent with the rest of the
RHOSO 18 deployment (from images.paas.redhat.com or registry.redhat.io).

1. 1. Bug Impact

CloudKitty cannot be deployed on downstream RHOSO 18 environments without manually overriding
the container images via openstackversions customContainerImages. This blocks ZDPR testing for
CloudKitty and any downstream use of the rating/billing service.

1. 1. Known Workaround

Manually set the CloudKitty container images via openstackversions:

```bash
oc patch openstackversions controlplane -n openstack --type=merge -p '{
  "spec": {
    "customContainerImages":

{       "cloudkittyAPIImage": "registry.redhat.io/rhoso/openstack-cloudkitty-api-rhel9@sha256:<digest>",       "cloudkittyProcImage": "registry.redhat.io/rhoso/openstack-cloudkitty-processor-rhel9@sha256:<digest>"     }

  }
}'
```

Image references can be found at:

• https://catalog.redhat.com/en/software/containers/rhoso/openstack-cloudkitty-api-rhel9
• https://catalog.redhat.com/en/software/containers/rhoso/openstack-cloudkitty-processor-rhel9

Note: After setting the images, you may need to delete any stuck db-sync jobs for the new
images to take effect.

1. 1. Additional Context

• The telemetry-operator README section 4.d provides openstackversions patches that use
    upstream images (quay.rdoproject.org) - these do NOT work on downstream deployments
    with image signature validation enabled
• Other telemetry-operator README section 4.d patches (heat, aodh, ceilometer, openstackclient)
    also use upstream images that fail on downstream - skip section 4.d entirely for downstream
• CloudKitty also required manual configuration of: memcachedInstance, passwordSelector,
    serviceUser, databaseAccount, databaseInstance, lokiStackSize, s3StorageConfig - all were
    empty or missing defaults
• JIRA: OSPRH-21647
• Discovered during manual ZDPR testing on RHOSO 18, Feb 18-19, 2026