26. Specifying OCP targets for File-based Catalogs

Status

Accepted

Context

One of the supported component types within Konflux are File-based Catalogs (FBC). These catalogs can either be used in isolation with a version of opm packaged in the container itself or in conjunction with other catalog configurations via a service such as IIB Image Builder. Red Hat OpenShift Container Platform (OCP) is one example of a platform that leverages FBCs for defining the operator graphs. In order to enable operator support to vary on a version-by-version basis, Red Hat maintains one catalog per OpenShift version.

In order to support being able to target FBC components to specific versions of Red Hat OpenShift, Konflux needs to be able to keep track of the specific targeted version. In addition to the concerns around releasing FBC components to OpenShift, the version of opm used by each version of OpenShift may differ, so the Konflux integration process will need to ensure that tests are run using an appropriate binary version.

Decision

All FBC components intending to be released to OCP will be built using a OCP-specific parent image containing the target version number as a tag. This will result in a FROM instruction like

# The base image is expected to contain
# /bin/opm (with a serve subcommand) and /bin/grpc_health_probe
FROM registry.redhat.io/openshift4/ose-operator-registry:v4.12

While the annotation “org.opencontainers.image.base.name” is populated by buildah, any additional image build processes for the FBC components will also need to include this annotation indicating the pullspec of the base image. The annotation will enable all components to use skopeo to inspect the artifact to retrieve the pullspec:

$ skopeo inspect --raw docker://quay.io/hacbs-release-tests/managed-release-team-tenant/sample-fbc-application/sample-fbc-component@sha256:da4bf45ba45b72aa306dc2889572e92bbac43da08de0a0146e2421f506c5517e | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:c83abcfb3af92d9b8ccea573fce6560a90919e77a8024c8269969b7799a2385c",
    "size": 21327
  },
  "layers": [
    [...]
  ],
  "annotations": {
    "org.opencontainers.image.base.digest": "sha256:e5a07eff6865b2761889ee275d9fc940237c90d05d63b00f60350841ecf42df2",
    "org.opencontainers.image.base.name": "registry.redhat.io/openshift4/ose-operator-registry:v4.12"
  }
}

The target Red Hat OpenShift version will then be able to be pulled from the image tag on the “org.opencontainers.image.base.name” annotation. If a task within the Konflux pipeline needs to access an appropriate opm binary for performing validation, it can determine the base image and use the binary from that container if it is trusted (for example, if it is an image from the registry.redhat.io/openshift4/ose-operator-registry repository), or fail if the base image isn’t trusted.

Consequences