force-import manifest list into IST after push to fix multi-arch race

[joepvd]

Summary

• After PushManifestList pushes a manifest list to the registry via the Docker V2 API (manifest-tool), the OpenShift image controller's async reconciliation does not reliably update the ImageStreamTag. This leaves the IST at a stale digest, causing downstream builds (like bin, private-org-sync) to fail with no image found in manifest list for architecture "amd64" — burning 30-60 minutes on retries that will never succeed.
• Fix: after pushing the manifest list, create an ImageStreamImport with Import:true to synchronously force the IST to point at the correct manifest list digest. Uses ImportModePreserveOriginal to preserve the manifest list structure for multi-arch resolution.
• This is a follow-up to avoid race conditions on multiple instances on arch specific builds #5004 which fixed manifest merging but did not address the IST sync issue.

Details

The images presubmit job has been failing intermittently since #5004 merged (see job history). Affected failures include PRs #5010, #5001, #5011, #5013 — all showing the same pattern:

1. src builds succeed and manifest list is pushed to pipeline:src
2. Downstream bin-amd64 (or later steps) try to pull pipeline@sha256:<stale-digest> — a digest that does not match the just-pushed manifest
3. The stale digest's manifest list lacks the amd64 entry → PullBuilderImageFailed / FetchImageContentFailed
4. All 5 retry attempts use the same stale digest (IST never updates)

Root cause: PushManifestList pushes via the Docker registry API, but the IST update depends on the image controller's async reconciliation which doesn't reliably fire for manifest-tool pushes. The ImageStreamImport API is the proven synchronous mechanism for this, already used elsewhere in the codebase (ImportTagWithRetries in pkg/steps/utils/image.go).

Test plan

• Unit tests for importManifestList verify correct ImageStreamImport parameters (namespace, imagestream name, tag, digest-based pull spec, ImportModePreserveOriginal, Insecure)
• Unit tests for parseImageStreamRef verify three-way split of image references
• All existing manifestEntries and splitImageStreamTagRef tests continue to pass
• images presubmit job should stop failing with the multi-arch IST race pattern

/cc @openshift/test-platform

Made with Cursor

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Walkthrough

Adds manifest-list import after pushing manifests: new helper creates an ImageStreamImport referencing the pushed manifest list with retry/backoff and status checks; adds parsing helpers to split image stream references into namespace, name, and tag; includes tests for import and parsing logic.

Changes

Cohort / File(s)	Summary
Manifest import & parsing pkg/manifestpusher/manifestpusher.go	Added importManifestList to create ImageStreamImport for a pushed manifest list with 3-step exponential backoff and status validation; added parseImageStreamRef and updated splitImageStreamTagRef to produce namespace and name:tag strings; improved error wrapping and handling.
Tests & test helpers pkg/manifestpusher/manifestpusher_test.go	Added TestImportManifestList, TestParseImageStreamRef, and supporting unexported test client (importCapturingClient) to capture created ImageStreamImport objects and simulate server-populated status; exercised parsing and import error paths.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: joepvd
Once this PR has been reviewed and has the lgtm label, please assign jmguzik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (2)

pkg/manifestpusher/manifestpusher.go (1)

120-120: Use a timeout-bearing context for the create call.

Line 120 uses context.Background(), so a stalled apiserver call can hang this post-push path indefinitely even though the retry count is bounded. Please thread a caller context through PushImageWithManifest/importManifestList, or wrap each Create attempt in a context.WithTimeout.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/manifestpusher/manifestpusher.go` at line 120, The call to
m.client.Create currently uses context.Background() (in
importManifestList/PushImageWithManifest) which can hang; replace it with a
timeout-bearing context by either threading the caller context into
PushImageWithManifest/importManifestList and using that, or wrapping each Create
attempt with a context.WithTimeout (e.g., create ctx, cancel :=
context.WithTimeout(parentCtx, timeout); defer cancel()) and pass ctx to
m.client.Create for streamImport; ensure cancel is called and errors from
context deadlines are handled/retried consistently with existing retry logic.

pkg/manifestpusher/manifestpusher_test.go (1)

197-307: Add one case for the retry/error-status path.

The new flake-prevention logic is in the backoff and Status.Images handling, but this test only locks in request construction. A case for Forbidden/Conflict retry or an empty Status.Images response would keep the core behavior from regressing.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/manifestpusher/manifestpusher_test.go` around lines 197 - 307, Add a test
case in TestImportManifestList that exercises the retry/error-status path:
create a case that targets manifestPusher.importManifestList where the
importCapturingClient.Create simulates transient API errors (e.g., return
apierrors.NewForbidden or apierrors.NewConflict for the first N calls and then
succeed) and another case where Create returns an ImageStreamImport with an
empty Status.Images slice to assert the function retries or returns the expected
error; update importCapturingClient.Create to inspect a test-controlled flag or
count (referencing importCapturingClient and its Create method) so it can return
apierrors.NewForbidden/apierrors.NewConflict on early calls and later populate
isi.Status.Images (or leave it empty) to validate retry and error handling in
manifestPusher.importManifestList.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/manifestpusher/manifestpusher_test.go`:
- Around line 197-307: Add a test case in TestImportManifestList that exercises
the retry/error-status path: create a case that targets
manifestPusher.importManifestList where the importCapturingClient.Create
simulates transient API errors (e.g., return apierrors.NewForbidden or
apierrors.NewConflict for the first N calls and then succeed) and another case
where Create returns an ImageStreamImport with an empty Status.Images slice to
assert the function retries or returns the expected error; update
importCapturingClient.Create to inspect a test-controlled flag or count
(referencing importCapturingClient and its Create method) so it can return
apierrors.NewForbidden/apierrors.NewConflict on early calls and later populate
isi.Status.Images (or leave it empty) to validate retry and error handling in
manifestPusher.importManifestList.

In `@pkg/manifestpusher/manifestpusher.go`:
- Line 120: The call to m.client.Create currently uses context.Background() (in
importManifestList/PushImageWithManifest) which can hang; replace it with a
timeout-bearing context by either threading the caller context into
PushImageWithManifest/importManifestList and using that, or wrapping each Create
attempt with a context.WithTimeout (e.g., create ctx, cancel :=
context.WithTimeout(parentCtx, timeout); defer cancel()) and pass ctx to
m.client.Create for streamImport; ensure cancel is called and errors from
context deadlines are handled/retried consistently with existing retry logic.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 54f2c2c5-758a-4f85-b0c3-a6f2c654e3b1

📥 Commits

Reviewing files that changed from the base of the PR and between 05494d0 and a081233.

📒 Files selected for processing (2)

• pkg/manifestpusher/manifestpusher.go
• pkg/manifestpusher/manifestpusher_test.go

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/manifestpusher/manifestpusher.go (1)

121-124: Retrying on Forbidden may be unnecessary.

IsForbidden typically indicates a permanent authorization issue (HTTP 403), which won't resolve on retry. Consider whether this retry condition was intentional or if it was carried over from other patterns. If RBAC eventually propagates and this is expected, a comment explaining the rationale would help maintainability.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/manifestpusher/manifestpusher.go` around lines 121 - 124, The current
retry branch in manifestpusher.go treats kerrors.IsForbidden the same as
kerrors.IsConflict which causes transient retries; update the condition in the
function containing the block that sets lastErr and returns false (the if
checking kerrors.IsConflict || kerrors.IsForbidden) to stop retrying on
kerrors.IsForbidden by removing kerrors.IsForbidden from the OR, or if Forbidden
should be retried due to expected RBAC propagation, add a concise comment above
the if explaining that rationale and under what timeframe/conditions a retry is
appropriate so future readers understand why IsForbidden is handled as
transient.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/manifestpusher/manifestpusher.go`:
- Around line 127-130: The code currently only checks for a non-nil Image
(streamImport.Status.Images[0].Image) but ignores the import result; inspect the
corresponding ImageImportStatus.Status (e.g.,
streamImport.Status.Images[0].Status.Status) and if it indicates failure include
that error text in lastErr and return an error (or false plus an error) instead
of treating it as success. Update the branch that sets lastErr =
fmt.Errorf("import returned no image status") to also check the
ImageImportStatus.Status field, populate lastErr with the Status message when
present, and return the error so callers know the import actually failed.

---

Nitpick comments:
In `@pkg/manifestpusher/manifestpusher.go`:
- Around line 121-124: The current retry branch in manifestpusher.go treats
kerrors.IsForbidden the same as kerrors.IsConflict which causes transient
retries; update the condition in the function containing the block that sets
lastErr and returns false (the if checking kerrors.IsConflict ||
kerrors.IsForbidden) to stop retrying on kerrors.IsForbidden by removing
kerrors.IsForbidden from the OR, or if Forbidden should be retried due to
expected RBAC propagation, add a concise comment above the if explaining that
rationale and under what timeframe/conditions a retry is appropriate so future
readers understand why IsForbidden is handled as transient.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 03d469cc-e7ff-4b52-9e43-0d9376541350

📥 Commits

Reviewing files that changed from the base of the PR and between a081233 and 1a93112.

📒 Files selected for processing (2)

• pkg/manifestpusher/manifestpusher.go
• pkg/manifestpusher/manifestpusher_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Consider checking the import status for errors.

The code checks that Status.Images[0].Image is populated but doesn't verify that the import actually succeeded. The ImageImportStatus can contain a Status.Status field with an error message if the import failed. Without this check, you might silently treat a failed import as successful.

🛠️ Proposed fix to add status error check

 		if len(streamImport.Status.Images) == 0 || streamImport.Status.Images[0].Image == nil {
 			lastErr = fmt.Errorf("import returned no image status")
 			return false, nil
 		}
+		if status := streamImport.Status.Images[0].Status; status.Status == metav1.StatusFailure {
+			lastErr = fmt.Errorf("import failed: %s", status.Message)
+			return false, nil
+		}
 		return true, nil

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if len(streamImport.Status.Images) == 0 || streamImport.Status.Images[0].Image == nil {
	lastErr = fmt.Errorf("import returned no image status")
	return false, nil
	}
	if len(streamImport.Status.Images) == 0 || streamImport.Status.Images[0].Image == nil {
	lastErr = fmt.Errorf("import returned no image status")
	return false, nil
	}
	if status := streamImport.Status.Images[0].Status; status.Status == metav1.StatusFailure {
	lastErr = fmt.Errorf("import failed: %s", status.Message)
	return false, nil
	}
	return true, nil

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/manifestpusher/manifestpusher.go` around lines 127 - 130, The code
currently only checks for a non-nil Image (streamImport.Status.Images[0].Image)
but ignores the import result; inspect the corresponding
ImageImportStatus.Status (e.g., streamImport.Status.Images[0].Status.Status) and
if it indicates failure include that error text in lastErr and return an error
(or false plus an error) instead of treating it as success. Update the branch
that sets lastErr = fmt.Errorf("import returned no image status") to also check
the ImageImportStatus.Status field, populate lastErr with the Status message
when present, and return the error so callers know the import actually failed.

[openshift-ci]

@joepvd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	1a93112	link	true	/test images
ci/prow/breaking-changes	1a93112	link	false	/test breaking-changes

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.