Merge pull request #2806 from mabulgu/feature/bmo-dont-require-checksum-for-oci

✨ BMO: do not require checksums for OCI images

Author: metal3-io-bot

apis/go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	k8s.io/api v0.34.2
 	k8s.io/apimachinery v0.34.2
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 	sigs.k8s.io/controller-runtime v0.22.4
 )
 
@@ -26,7 +27,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect

apis/metal3.io/v1alpha1/baremetalhost_types.go

@@ -542,7 +542,7 @@ type Image struct {
 	URL string `json:"url"`
 
 	// Checksum is the checksum for the image. Required for all formats
-	// except for "live-iso".
+	// except for "live-iso" and OCI images (oci://).
 	Checksum string `json:"checksum,omitempty"`
 
 	// ChecksumType is the checksum algorithm for the image, e.g md5, sha256 or sha512.
@@ -561,6 +561,10 @@ func (image *Image) IsLiveISO() bool {
 	return image != nil && image.DiskFormat != nil && *image.DiskFormat == "live-iso"
 }
 
+func (image *Image) IsOCI() bool {
+	return image != nil && strings.HasPrefix(image.URL, "oci://")
+}
+
 // Custom deploy is a description of a customized deploy process.
 type CustomDeploy struct {
 	// Custom deploy method name.
@@ -1191,7 +1195,11 @@ func (image *Image) GetChecksum() (checksum, checksumType string, err error) {
 		return "", "", nil
 	}
 
-	// FIXME(dtantsur): Ironic supports oci:// images with an embedded checksum
+	// Checksum is not required for OCI images as they have embedded checksums
+	if image.IsOCI() && image.Checksum == "" {
+		return "", "", nil
+	}
+
 	if image.Checksum == "" {
 		// Return empty if checksum is not provided
 		return "", "", errors.New("checksum is required for normal images")

apis/metal3.io/v1alpha1/baremetalhost_types_test.go

@@ -6,6 +6,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 func TestHostNeedsHardwareInspection(t *testing.T) {
@@ -461,6 +462,56 @@ func TestGetImageChecksum(t *testing.T) {
 			},
 			Expected: false,
 		},
+		{
+			Scenario: "OCI image without checksum",
+			Host: BareMetalHost{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "myhost",
+					Namespace: "myns",
+				},
+				Spec: BareMetalHostSpec{
+					Image: &Image{
+						URL: "oci://example.com/image:latest",
+					},
+				},
+			},
+			Expected:     true,
+			ExpectedType: "",
+		},
+		{
+			Scenario: "OCI image with checksum",
+			Host: BareMetalHost{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "myhost",
+					Namespace: "myns",
+				},
+				Spec: BareMetalHostSpec{
+					Image: &Image{
+						URL:      "oci://example.com/image:latest",
+						Checksum: "sha256hash",
+					},
+				},
+			},
+			Expected:     true,
+			ExpectedType: "",
+		},
+		{
+			Scenario: "live-iso without checksum",
+			Host: BareMetalHost{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "myhost",
+					Namespace: "myns",
+				},
+				Spec: BareMetalHostSpec{
+					Image: &Image{
+						URL:        "http://example.com/image.iso",
+						DiskFormat: ptr.To("live-iso"),
+					},
+				},
+			},
+			Expected:     true,
+			ExpectedType: "",
+		},
 	} {
 		t.Run(tc.Scenario, func(t *testing.T) {
 			_, checksumType, actual := tc.Host.Spec.Image.GetChecksum()
@@ -717,3 +768,100 @@ func TestInspectionDisabled(t *testing.T) {
 		})
 	}
 }
+
+func TestIsOCI(t *testing.T) {
+	for _, tc := range []struct {
+		Scenario string
+		Image    *Image
+		Expected bool
+	}{
+		{
+			Scenario: "nil image",
+			Image:    nil,
+			Expected: false,
+		},
+		{
+			Scenario: "OCI image",
+			Image: &Image{
+				URL: "oci://example.com/image:latest",
+			},
+			Expected: true,
+		},
+		{
+			Scenario: "OCI image with checksum",
+			Image: &Image{
+				URL:      "oci://registry.io/namespace/image:tag",
+				Checksum: "sha256:abc123",
+			},
+			Expected: true,
+		},
+		{
+			Scenario: "HTTP image",
+			Image: &Image{
+				URL: "http://example.com/image.qcow2",
+			},
+			Expected: false,
+		},
+		{
+			Scenario: "HTTPS image",
+			Image: &Image{
+				URL: "https://example.com/image.qcow2",
+			},
+			Expected: false,
+		},
+		{
+			Scenario: "empty URL",
+			Image: &Image{
+				URL: "",
+			},
+			Expected: false,
+		},
+	} {
+		t.Run(tc.Scenario, func(t *testing.T) {
+			actual := tc.Image.IsOCI()
+			assert.Equal(t, tc.Expected, actual)
+		})
+	}
+}
+
+func TestIsLiveISO(t *testing.T) {
+	for _, tc := range []struct {
+		Scenario string
+		Image    *Image
+		Expected bool
+	}{
+		{
+			Scenario: "nil image",
+			Image:    nil,
+			Expected: false,
+		},
+		{
+			Scenario: "live-iso format",
+			Image: &Image{
+				URL:        "http://example.com/image.iso",
+				DiskFormat: ptr.To("live-iso"),
+			},
+			Expected: true,
+		},
+		{
+			Scenario: "raw format",
+			Image: &Image{
+				URL:        "http://example.com/image.qcow2",
+				DiskFormat: ptr.To("raw"),
+			},
+			Expected: false,
+		},
+		{
+			Scenario: "no format specified",
+			Image: &Image{
+				URL: "http://example.com/image.qcow2",
+			},
+			Expected: false,
+		},
+	} {
+		t.Run(tc.Scenario, func(t *testing.T) {
+			actual := tc.Image.IsLiveISO()
+			assert.Equal(t, tc.Expected, actual)
+		})
+	}
+}

config/base/crds/bases/metal3.io_baremetalhosts.yaml

@@ -257,7 +257,7 @@ spec:
                   checksum:
                     description: |-
                       Checksum is the checksum for the image. Required for all formats
-                      except for "live-iso".
+                      except for "live-iso" and OCI images (oci://).
                     type: string
                   checksumType:
                     description: |-
@@ -993,7 +993,7 @@ spec:
                       checksum:
                         description: |-
                           Checksum is the checksum for the image. Required for all formats
-                          except for "live-iso".
+                          except for "live-iso" and OCI images (oci://).
                         type: string
                       checksumType:
                         description: |-

config/render/capm3.yaml

@@ -257,7 +257,7 @@ spec:
                   checksum:
                     description: |-
                       Checksum is the checksum for the image. Required for all formats
-                      except for "live-iso".
+                      except for "live-iso" and OCI images (oci://).
                     type: string
                   checksumType:
                     description: |-
@@ -993,7 +993,7 @@ spec:
                       checksum:
                         description: |-
                           Checksum is the checksum for the image. Required for all formats
-                          except for "live-iso".
+                          except for "live-iso" and OCI images (oci://).
                         type: string
                       checksumType:
                         description: |-

pkg/provisioner/ironic/ironic.go

@@ -616,7 +616,12 @@ func (p *ironicProvisioner) setDirectDeployUpdateOptsForNode(ironicNode *nodes.N
 		"image_disk_format": imageData.DiskFormat,
 	}
 
-	if checksumType == "" {
+	// For OCI images without checksum, don't set checksum fields
+	if checksum == "" && checksumType == "" {
+		optValues["image_checksum"] = nil
+		optValues["image_os_hash_algo"] = nil
+		optValues["image_os_hash_value"] = nil
+	} else if checksumType == "" {
 		optValues["image_checksum"] = checksum
 		optValues["image_os_hash_algo"] = nil
 		optValues["image_os_hash_value"] = nil
@@ -903,7 +908,10 @@ func (p *ironicProvisioner) ironicHasSameImage(ironicNode *nodes.Node, image met
 			"provisionState", ironicNode.ProvisionState)
 	} else {
 		checksum, checksumType, _ := image.GetChecksum()
-		if checksumType == "" {
+		// For OCI images without checksum, only compare the URL
+		if image.IsOCI() && checksum == "" {
+			sameImage = (ironicNode.InstanceInfo["image_source"] == image.URL)
+		} else if checksumType == "" {
 			sameImage = (ironicNode.InstanceInfo["image_source"] == image.URL &&
 				ironicNode.InstanceInfo["image_checksum"] == checksum &&
 				ironicNode.InstanceInfo["image_os_hash_algo"] == nil &&