Drop image signature annotations

[miminar]

Because they were never meant to be allowed.

Includes and superseds #19030 (kudos to @deads2k)
Closes #19011

Resolves: rhbz#1557607

/assign @bparees @deads2k
/cc @mfojtik

[miminar]

@openshift/api-review

[miminar]

/retest

[bparees]

should only need this on prepare for update right?

on a create i think we want to reject the creation w/ the validation failure reason, rather than silently drop the user's metadata.

[deads2k]

I agree. that is consistent with existing behavior

[miminar]

What if somebody wants to import backed up images?

[deads2k]

@mfojtik does the controller do something with this annotation later?

[miminar]

No, there's no other reference to the annotation apart those referenced here.

[mfojtik]

no and I don't remember adding this

[deads2k]

I would only drop the old controller annotation.

[bparees]

yeah i guess that makes sense. for any other annotation they'll run into the validation rule.

[miminar]

Fixed.

[bparees]

since it's now only going to drop the one annotation, i think i'm ok w/ doing this on create, for the (unlikely) backup/restore use case. @deads2k ?

[deads2k]

since it's now only going to drop the one annotation, i think i'm ok w/ doing this on create, for the (unlikely) backup/restore use case. @deads2k ?

Ok.

[deads2k]

nit: private, right?

[miminar]

good catch, fixed

[deads2k]

I think this is our best route forward.

@smarterclayton @liggitt any alternative ideas? We'll have to pick this fairly far back.

[bparees]

We'll have to pick this fairly far back.

back to 3.7, no further right?

[bparees]

We'll have to pick this fairly far back.
back to 3.7, no further right?

I see now, the validation check itself (the swap args) needs to be backported further to ensure users don't update image objects w/ invalid content.

[deads2k]

Add more commits by pushing to the naughty-image-signature-annotation branch on miminar/origin.

@mfojtik and that's what we think of your annotation! :)

[bparees]

/lgtm

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[miminar]

Made it compilable again.

[mfojtik]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, mfojtik, miminar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/image/OWNERS [bparees,mfojtik]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 18905, 18968, 19016, 19037, 19056).

[bparees]

@miminar can you start queuing up backports of the validation fix? Needs to go back to at least v3.3 i'd say. (and the removal of the signature annotation logic would need to go back to at least 3.7 where it was introduced)