explicitly prohibit updates to imagestream tags that are not spec tags

[bparees]

fixes #18519

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/image/OWNERS [bparees]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[bparees]

@smarterclayton @deads2k ptal

the net effect of this is that if you edit an IST that was only pushed, the update results in adding a new spec tag to the IS:

spec:
  lookupPolicy:
    local: false
  tags:
  - annotations:
      foo: bar
    generation: 2
    importPolicy: {}
    name: latest
    referencePolicy:
      type: Source

Which near as i can tell is absolutely required because that's where the annotations are stored, so you can't add annotations w/o introducing a spec tag.

I would certainly rather this go through the mainline defaulting logic instead of what i'm doing, but it sounds like that might not be a realistic option.

[bparees]

(the other option is that we just say "you shouldn't be updating ISTs that were only pushed, the current behavior is acceptable")

[deads2k]

I don't actually know how other clients will interpret this. Without an import policy, it doesn't sound that bad.

[bparees]

@smarterclayton bump

[bparees]

one bad thing about this: since "From" is empty, it results in rather user unfriendly errors when you run "oc import-image", e.g.:

error: the tag "latest" does not exist on the image stream - choose an existing tag to import or use the 'tag' command to create a new tag

Clearly having a spec.tag with an empty "From" is not handled well by oc import-image. So this may not be the right solution. (In theory i could also craft the "From" value to point to the internal registry, but that seems a bit dubious)

/hold

[bparees]

@deads2k @smarterclayton ok i've reworked this to just reject the update w/ a clean message telling you why your imagestreamtag update is being rejected. ptal again.

/hold cancel

[bparees]

/retest

[bparees]

@smarterclayton bump

[bparees]

implicit approval from @smarterclayton and @deads2k, lgtm'ing

/hold

[deads2k]

Makes me sad, but I doubt we fix it now.

lgetm

[deads2k]

/cherry-pick release-3.9

[bparees]

@deads2k I think it's /cherrypick and anyway I don't deem this critical enough to backport to 3.9 at this point (just in case this new error behavior causes unexpected problems, i'd rather let it soak for a release).

[bparees]

/hold cancel

[bparees]

/retest

[openshift-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 18587, 18296, 18667, 18665, 18532).