MCO-2133: Select bootimages based on OSImageStream

[pablintino]

Consume the osImageStream install-config field through all code paths that consume embedded bootimage metadata, allowing the installer to load per-stream files (rhel-9.json, rhel-10.json) instead of a single rhcos.json. Defaults to RHEL 9 when the field is not set.

[openshift-ci-robot]

@pablintino: This pull request references MCO-2133 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Consume the osImageStream install-config field through all code paths that consume embedded bootimage metadata, allowing the installer to load per-stream files (rhel-9.json, rhel-10.json) instead of a single rhcos.json. Defaults to RHEL 9 when the field is not set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[andfasano]

Not sure if I'm missing something, but my expectations for this asset weres to modify setStreamGetter method to take into account the OSImageStream (by reading it from the agent.OptionalInstallConfig{}, already listed as a dependency). Otherwise the live ISO will remain pinned to rhcos9.

[pablintino]

I haven't covered the agent cause I saw that I'd need to cover the case where the install-config is not provided but the AgentConfig is given, that means I need to add a field to it and so on. To avoid making the change bigger and bigger I thought about leaving the agent side consistent and ready for a follow up.
Anyways, if you think that for now supporting the intall-config.yaml only is enought, cool, I can incorporate this simple change to this PR and do the rest as a follow up.

[andfasano]

I see that as an incremental step. The first step usually is to support a new install-config field in the connected environment (ABI may be used also for that). With a simple change that part could be covered - otherwise with the current code a user may be confused by the fact that a config field was specified but "ignored".
The alternative (still valid) would be to put an explicit validation rule in agent.OptionalInstallConfig{} to fail if a value different from the default is specified as "unsupported". At least there will not be any confusing behavior for the end user

[andfasano]

@pablintino please disregard my previous comment. I understood (also from @djoshy comment) that for the 4.22 scope the current approach is correct (just default to rhcos.DefaultOSImageStream)

[pablintino]

Simplest ever approach, should this be ok for now? I'm not too familiar with the concept of marketplace, so not really sure.

[pablintino]

Reviewers: Please take a look at this change. It's the safest approach I could come up with. Basically, the structure of the ConfigMap is preserved and the stream field will continue to be reported, but from now on, it will use the default stream. A new streams field with a JSON map<streamName, streamJson> is now present. The format for SCOS remains unchanged, and the marketplace file is merged only if the file exists, which is only true for rhcos-9 for now.

cc:@djoshy

[patrickdillon]

At a high-level this looks good, but I'm trying to find as much time as I can to go through the details.

One thing that's missing is that the installer has a command to output the rhcos stream, openshift-install coreos print-stream-json, so we would need to handle that as well.

https://github.com/openshift/installer/blob/main/pkg/coreoscli/cmd.go#L23

The underlying code is here:

installer/pkg/rhcos/builds.go

Line 27 in 435db5e

func FetchRawCoreOSStream(ctx context.Context) ([]byte, error) {

I will continue to review this.

[pablintino]

At a high-level this looks good, but I'm trying to find as much time as I can to go through the details.

One thing that's missing is that the installer has a command to output the rhcos stream, openshift-install coreos print-stream-json, so we would need to handle that as well.

https://github.com/openshift/installer/blob/main/pkg/coreoscli/cmd.go#L23

The underlying code is here:

installer/pkg/rhcos/builds.go

Line 27 in 435db5e

func FetchRawCoreOSStream(ctx context.Context) ([]byte, error) {

I will continue to review this.

I saw it, and I tried to address it alongside the agent references cause I thought it was used by the agent installer, but the amound of changes grew to the point the PR was bigger than I would like, so I decided to limit this PR to the bare minimum and acknoledge we need to continue working on this to cover the agent and that command.
I had this conversation privately with @andfasano. To be honest, I don't mind fixing the agent basic install workflow (the one that uses the install-config.yaml as an input) and this small command, but fixing the agent workflow that uses the AgentConfig CR or the add node is way too much. WDYT?
If you think the basic agent with intall-config.yaml is valuable as part of this PR I can restore that piece of work I did and fix the command to. If not, I can follow up after this PR is merged.

[pablintino]

@patrickdillon I've thought twice about the command and true that may feel weird to keep it unaware of the streams. I've pushed an update to address it. What's missing? Basically everything related to the agent.

[pablintino]

/retest

[patrickdillon]

/test e2e-aws-ovn-rhcos10-devpreview

I might have chosen a bad name for the presubmit, should probably be rhel10...

[patrickdillon]

/approve

Approach looks good to me. I'm doing some final reviewing before tagging.

Machine AMIs are being set correctly.

Not sure why the previous run of

/test e2e-aws-ovn-rhcos10-devpreview

failed. The SSH gathering has been broken but we have a workaround in place now, so perhaps another run will provide more information.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[patrickdillon]

There are some linter errors that need to be addressed:

pkg/asset/agent/image/baseiso.go:38:1: exported: exported function DefaultCoreOSStreamGetter should have comment or be unexported (revive)
func DefaultCoreOSStreamGetter(ctx context.Context) (*stream.Stream, error) {
^
pkg/rhcos/ami_regions.go:14:85: SA1019: sets.String is deprecated: use generic Set instead. new ways: s1 := Set[string]{} s2 := New[string]() (staticcheck)
func AMIRegions(architecture types.Architecture, osImageStream types.OSImageStream) sets.String {

Sorry about hat last one, as that is existing code. Doesn't look too painful though...

[djoshy]

Before we merge this - do we want to add any labels/annotations on the rhel10 machinesets/machines that the MCO's boot image controller can then use for exclusion?

In 4.22, boot image updates are enabled by default in gcp, aws, azure and vsphere and I think they would get automatically updated to the rhel9 stream(perhaps not for AWS, since the RHEL10 images won't be in the whitelist)

Update: I opened openshift/machine-config-operator#5752 to a stab at the boot image side of this, reviews welcome! For now, I've kept old behavior of using stream (rather than the new streams being added here) until we decide what PR needs to land first.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0e070281-f9c3-4259-8df4-1bda32bf1be7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Parameterizes OS image stream selection across the codebase, adds an RHCOS RHEL‑10 manifest, and implements discovery plus marketplace-overlay merging of multiple boot image streams for ConfigMap population and per‑stream image/region lookups.

Changes

Cohort / File(s)	Summary
New Data Manifest data/data/coreos/coreos-rhel-10.json	Adds a full RHCOS RHEL‑10 manifest with per-architecture artifacts, provider images, URLs, and checksums.
Manifest builder & marketplace hack/build-coreos-manifest.go, hack/rhcos/populate-marketplace-imagestream.go	Builder discovers multiple coreos stream JSONs and marketplace overlays, reads/merges per-stream bytes, embeds a default stream and aggregated streams JSON into the generated ConfigMap; marketplace path constants updated.
Stream filename & tagging pkg/rhcos/stream.go, pkg/rhcos/stream_scos.go	Adds DefaultOSImageStream, parameterizes getStreamFileName / getMarketplaceStreamFileName to accept an OSImageStream, and adds GetPayloadImageStreamTag.
Core RHCOS fetch plumbing pkg/rhcos/builds.go, pkg/rhcos/stream.go, pkg/rhcos/stream_scos.go	FetchRawCoreOSStream and FetchCoreOSBuild now accept an osImageStream parameter; marketplace fetch/merge and stream filename resolution use the provided stream.
AMI / region logic pkg/rhcos/ami_regions.go, pkg/asset/installconfig/aws/regions.go, pkg/asset/installconfig/aws/validation.go, pkg/asset/installconfig/aws/platform.go	AMIRegions signature now accepts osImageStream and returns sets.Set[string]; AWS region helpers updated to pass the configured stream so AMI availability is stream‑scoped.
Validation flows pkg/asset/installconfig/nutanix/validation.go, pkg/asset/installconfig/vsphere/validation.go	Validation functions now accept and forward ic.OSImageStream into preloaded-image checks and RHCOS stream fetches.
Image assets & consumers pkg/asset/imagebased/image/baseiso.go, pkg/asset/rhcos/image.go, pkg/asset/rhcos/iso.go, pkg/asset/rhcos/release.go	Default CoreOS fetcher wrapped to supply a default stream; image asset code propagates osImageStream into FetchCoreOSBuild and AMI lookups.
Bootstrap template & scripts pkg/asset/ignition/bootstrap/common.go, data/data/bootstrap/files/usr/local/bin/node-image-pull.sh.template	Adds StreamTag to bootstrap template data (populated via payload tag helper); template uses {{.StreamTag}} for the coreos image tag.
CLI & types pkg/coreoscli/cmd.go, pkg/types/installconfig.go	print-stream-json gains a --stream flag validated against new exported OSImageStreamValues (adds RHCOS10 alongside RHCOS9).
Infrastructure integration pkg/infrastructure/azure/azure.go	Azure infra readiness now passes in.InstallConfig.Config.OSImageStream into RHCOS fetch calls.
Various callers & signatures multiple pkg/* files	Many function signatures updated to accept types.OSImageStream; call sites adjusted accordingly. Review all updated call sites for matching signatures.

Sequence Diagram(s)

sequenceDiagram
  participant Builder as "hack/build-coreos-manifest"
  participant FS as "data/data/coreos/*"
  participant Marketplace as "data/data/coreos/marketplace/*"
  participant ConfigMap as "generated ConfigMap"

  Builder->>FS: discover coreos-<stream>.json files
  Builder->>Marketplace: locate marketplace overlay for each stream
  Builder->>FS: read stream bytes for each discovered stream
  Builder->>Marketplace: read overlay bytes (if present)
  Builder->>Builder: merge marketplace overlay into stream bytes
  Builder->>ConfigMap: embed default "stream" bytes and aggregated "streams" JSON
  ConfigMap-->>Builder: persisted ConfigMap

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 42.86% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'MCO-2133: Select bootimages based on OSImageStream' accurately reflects the main objective of the PR: selecting and loading boot images based on the OSImageStream configuration parameter across all code paths.
Stable And Deterministic Test Names	✅ Passed	PR does not modify any test files; no Ginkgo tests with dynamic information were introduced.
Test Structure And Quality	✅ Passed	This PR does not include any Ginkgo test code, only source implementation and data manifest files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[andfasano]

@pablintino I think this was also added to pkg/asset/agent/image/baseiso.go but for some reason I'm not able to find that change anymore

[andfasano]

Ok, clarified by @pablintino that's not required anymore, since the ABI workflow will anyhow receive the defaultCoreOSStreamGetter (currently hard-coded to rhel-9)

[pablintino]

Yeah, that part is not yet covered. It's part of the work we need to plan.

[zaneb]

pkg/asset/agent/image/baseiso.go moved to pkg/asset/rhcos/iso.go because it is now shared with the baremetal bootstrap.

[openshift-ci-robot]

@pablintino: This pull request references MCO-2133 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Consume the osImageStream install-config field through all code paths that consume embedded bootimage metadata, allowing the installer to load per-stream files (rhel-9.json, rhel-10.json) instead of a single rhcos.json. Defaults to RHEL 9 when the field is not set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pablintino]

/retest-required

[pablintino]

/retest

[pablintino]

/unhold

[patrickdillon]

/test e2e-aws-ovn-rhel10-devpreview

[patrickdillon]

/lgtm

[pablintino]

/verified by @pablintino
Using a local build against GCP

[openshift-ci-robot]

@pablintino: This PR has been marked as verified by @pablintino.

Details

In response to this:

/verified by @pablintino
Using a local build against GCP

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[gpei]

Do we need to add a data/data/coreos/marketplace/coreos-rhel-10.json here for Azure marketplace metadata file of RHEL-10?

For now, Azure deployments with osImageStream: rhel-10 would fail to populate marketplace image information in CPMS and worker MachineSets, the image field in CPMS and MachineSet generated like:

            image:
              offer: ""
              publisher: ""
              resourceID: /resourceGroups/gpei-0319azure-g7gbb-rg/providers/Microsoft.Compute/galleries/gallery_gpei_0319azure_g7gbb/images/gpei-0319azure-g7gbb-gen2
              sku: ""
              version: ""

[pablintino]

I think this is a question that @dustymabe or @ravanelli may answer better than me.

[patrickdillon]

I think actually more a question for me: the installer team owns the marketplace image stream, which we handle in collaboration with ARO.

We will need ARO to get RHEL10 marketplace images, at which point we can incorporate them into the stream.

[gpei]

@patrickdillon Thanks, so do you think we need to file a bug or create a JIRA story for this issue to make sure we don't forget about it? It looks like a blocker for a complete RHEL 10 testing on Azure.

[gpei]

BTW @pablintino Based on the e2e-aws-ovn-rhel10-devpreview job results, all nodes in the cluster are using RHEL-9 OS content in the end, the MCD log also indicates that the machines boot from RHEL-10 AMI but are then replaced with RHEL-9 OS content.

So will there be follow-up PRs to enable a complete RHEL-10 cluster installation when we set osImageStream: rhel-10 in install-config, without requiring additional RHEL-10 configuration of master and worker MachineConfigPools? Thanks.

[pablintino]

/retest-required

[pablintino]

BTW @pablintino Based on the e2e-aws-ovn-rhel10-devpreview job results, all nodes in the cluster are using RHEL-9 OS content in the end, the MCD log also indicates that the machines boot from RHEL-10 AMI but are then replaced with RHEL-9 OS content.

So will there be follow-up PRs to enable a complete RHEL-10 cluster installation when we set osImageStream: rhel-10 in install-config, without requiring additional RHEL-10 configuration of master and worker MachineConfigPools? Thanks.

Yes, we still need openshift/machine-config-operator#5714 and #10357. The MCO PR should land first, but we are having a hard-time getting it merged because of CI.

Without those 2 PRs expect the machines to boot with whatever stream the user selected but with a pivot to rhel 9 at each node startup.

[pablintino]

/test e2e-aws-ovn

[pablintino]

/retest-required

[openshift-ci]

@pablintino: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-dualstack-ipv4-primary-techpreview	3d585f6	link	false	/test e2e-aws-ovn-dualstack-ipv4-primary-techpreview
ci/prow/e2e-aws-ovn-dualstack-ipv6-primary-techpreview	3d585f6	link	false	/test e2e-aws-ovn-dualstack-ipv6-primary-techpreview
ci/prow/e2e-agent-compact-ipv4-iso-no-registry	5b99b3d	link	false	/test e2e-agent-compact-ipv4-iso-no-registry
ci/prow/e2e-agent-two-node-fencing-ipv4	5b99b3d	link	false	/test e2e-agent-two-node-fencing-ipv4
ci/prow/e2e-aws-ovn-rhcos10-devpreview	c0c4b6a	link	false	/test e2e-aws-ovn-rhcos10-devpreview
ci/prow/e2e-aws-ovn-shared-vpc-edge-zones	9b9c526	link	false	/test e2e-aws-ovn-shared-vpc-edge-zones
ci/prow/e2e-aws-ovn-heterogeneous	9b9c526	link	false	/test e2e-aws-ovn-heterogeneous
ci/prow/e2e-azurestack	9b9c526	link	false	/test e2e-azurestack
ci/prow/e2e-vsphere-ovn-hybrid-env	9b9c526	link	false	/test e2e-vsphere-ovn-hybrid-env
ci/prow/e2e-azure-ovn-shared-vpc	9b9c526	link	false	/test e2e-azure-ovn-shared-vpc
ci/prow/e2e-aws-ovn-edge-zones	9b9c526	link	false	/test e2e-aws-ovn-edge-zones

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[pablintino]

/retest-required