
OCPBUGS-78190: Pass image policy env setting to assisted#10379

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from bfournie:agent-sigstore-env on Mar 11, 2026

Conversation

@bfournie
Contributor

@bfournie bfournie commented Mar 10, 2026

Nightly builds are currently failing to install for agent jobs because the images are not signed. Pass in the environment setting from CI that will disable the check. This will only be true in CI.

Summary by CodeRabbit

  • Chores
    • Added an experimental toggle to disable image policy via an environment variable; service startup now respects this setting when enabled.
  • Bug Fixes
    • Fixed missing trailing newline at the end of the service configuration file.
  • Tests
    • Added tests to validate the environment-variable toggle behavior and ensure isolation of related settings.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Mar 10, 2026
@openshift-ci-robot
Contributor

@bfournie: This pull request references Jira Issue OCPBUGS-78190, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @mhanss

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from mhanss March 10, 2026 22:11
@coderabbitai

coderabbitai bot commented Mar 10, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Read OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY during ignition/template generation and set DisableImagePolicy in template data so the assisted-service systemd unit and the Podman-run container receive the environment variable and optional ExecStart argument when enabled.

Changes

Cohort / File(s) Summary
Systemd service template
data/data/agent/systemd/units/assisted-service.service.template
Added conditional inclusion of -e OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY=true to the ExecStart podman command when the template flag is true; ensured trailing newline at EOF.
Agent ignition/template generation
pkg/asset/agent/image/ignition.go, pkg/asset/agent/image/unconfigured_ignition.go
Added DisableImagePolicy bool to agentTemplateData; added shouldDisableImagePolicy() to read/parse OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY and populate the template data used to render the systemd unit.
Tests
pkg/asset/agent/image/ignition_test.go
Added tests to isolate and validate shouldDisableImagePolicy() across unset, boolean, numeric, case variations, invalid, and empty values; asserted default DisableImagePolicy is false when env var is unset.

Sequence Diagram(s)

sequenceDiagram
    participant Builder as "Installer/Build"
    participant Generator as "Ignition Template Generator"
    participant Systemd as "systemd unit (host)"
    participant Podman as "Podman (container runtime)"
    participant Service as "Assisted Service (container)"

    rect rgba(0,128,255,0.5)
    Builder->>Generator: invoke template generation
    end

    Generator->>Generator: read env OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY\nset DisableImagePolicy flag
    Generator->>Systemd: render assisted-service.service.template\n(include PassEnvironment and ExecStart -e when flag true)
    Systemd->>Systemd: unit file contains env propagation and ExecStart args
    Systemd->>Podman: systemd starts Podman with ExecStart
    Podman->>Service: container inherits OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 33.33%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Test Structure And Quality: ❓ Inconclusive. The custom check is designed for Ginkgo BDD-style tests, but this codebase uses the standard Go testing framework with testify/assert assertions. Resolution: clarify whether the custom check should apply only to Ginkgo tests or be adapted for standard Go testing practices with appropriate metrics.

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately references the Jira issue (OCPBUGS-78190) and clearly describes the main change: passing an image policy environment setting to the assisted component.
  • Stable And Deterministic Test Names: ✅ Passed. All test names in the modified ignition_test.go file are static and deterministic, without dynamic elements like random identifiers or timestamps.


@openshift-ci openshift-ci bot requested review from rwsu and zaneb March 10, 2026 22:12
@openshift-ci-robot
Contributor

@bfournie: This pull request references Jira Issue OCPBUGS-78190, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @mhanss


@bfournie bfournie force-pushed the agent-sigstore-env branch from 79b1c86 to b5f8e2b Compare March 11, 2026 12:14

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/agent/image/ignition.go`:
- Around line 426-431: Replace the current ad-hoc check that sets
disableImagePolicy by any non-empty
OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY value with a shared helper
(e.g., parseCIOnlyBoolEnv or IsCIEnvBoolSet) that: 1) strictly parses the env
var using strconv.ParseBool so only true/false semantics are accepted, and 2)
enforces the CI/test-only boundary (e.g., require a CI marker like "CI" or
another agreed test-only env to be true) before returning true; then call that
helper instead of the existing code in both ignition paths that set
disableImagePolicy (replace current logic around disableImagePolicy and the
logrus.Warn) so the bypass is only enabled when the flag is explicitly true and
allowed by the CI guard.


📥 Commits

Reviewing files that changed from the base of the PR and between 79b1c86 and b5f8e2b.

📒 Files selected for processing (3)
  • data/data/agent/systemd/units/assisted-service.service.template
  • pkg/asset/agent/image/ignition.go
  • pkg/asset/agent/image/unconfigured_ignition.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • data/data/agent/systemd/units/assisted-service.service.template

@bfournie bfournie force-pushed the agent-sigstore-env branch from b5f8e2b to 7e12492 Compare March 11, 2026 12:46

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/agent/image/ignition.go`:
- Around line 427-434: Extract the duplicated environment parsing into a shared
helper (e.g., isExperimentalImagePolicyDisabled) that performs os.LookupEnv +
strconv.ParseBool and logs the warning exactly as in the current ignition.go
logic, then replace the inline parsing in ignition.go (disableImagePolicy),
unconfigured_ignition.go, and cvoignore.go to call this helper so all code paths
use the same strict boolean parsing and identical warning message.


📥 Commits

Reviewing files that changed from the base of the PR and between b5f8e2b and 7e12492.

📒 Files selected for processing (3)
  • data/data/agent/systemd/units/assisted-service.service.template
  • pkg/asset/agent/image/ignition.go
  • pkg/asset/agent/image/unconfigured_ignition.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/asset/agent/image/unconfigured_ignition.go
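Strict parsing of the toggle as the review above asks for, together with the conditional ExecStart argument described in the walkthrough, as an added Go example that is not the installer's own code: envDisableImagePolicy, the agentTemplateData subset, unitTemplate, renderUnit and the image reference are constructed stand-ins for the files the PR touches.

```go
package main

import (
	"bytes"
	"log"
	"os"
	"strconv"
	"text/template"
)

// envDisableImagePolicy names the CI-only toggle the PR passes through to assisted-service.
const envDisableImagePolicy = "OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY"

// agentTemplateData is a constructed subset of the installer's template data.
type agentTemplateData struct {
	ServiceImage       string
	DisableImagePolicy bool
}

// shouldDisableImagePolicy enables the bypass only for an explicit boolean true
// (strconv.ParseBool); unset, empty or unparseable values keep the policy enforced.
func shouldDisableImagePolicy() bool {
	raw, ok := os.LookupEnv(envDisableImagePolicy)
	if !ok || raw == "" {
		return false
	}
	v, err := strconv.ParseBool(raw)
	if err != nil || !v {
		return false // unparseable or explicit false: keep signature checks on
	}
	log.Printf("WARNING: %s=true, image policy disabled (CI only)", envDisableImagePolicy)
	return true
}

// unitTemplate is a constructed stand-in for assisted-service.service.template.
const unitTemplate = `[Service]
ExecStart=/usr/bin/podman run --rm --name assisted-service{{ if .DisableImagePolicy }} -e OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY=true{{ end }} {{ .ServiceImage }}
`

// renderUnit reads the toggle from the environment and renders the unit text.
func renderUnit(image string) (string, error) {
	data := agentTemplateData{ServiceImage: image, DisableImagePolicy: shouldDisableImagePolicy()}
	var out bytes.Buffer
	err := template.Must(template.New("unit").Parse(unitTemplate)).Execute(&out, data)
	return out.String(), err
}

func main() {
	unit, err := renderUnit("quay.io/example/assisted-service:latest") // constructed image ref
	if err != nil {
		log.Fatal(err)
	}
	os.Stdout.WriteString(unit)
}
```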

@bfournie bfournie force-pushed the agent-sigstore-env branch from 7e12492 to eb10664 Compare March 11, 2026 14:25

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/agent/image/ignition_test.go`:
- Line 122: TestIgnition_getTemplateData assumes
OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY is unset; save the current
value of that env var, unset it (or set to empty) before calling
getTemplateData(...) to build templateData, then restore the original value at
the end of the test; update the TestIgnition_getTemplateData test to perform
this save/unset/restore around the call that produces templateData so the
assertion on templateData.DisableImagePolicy is isolated from CI environment.


📥 Commits

Reviewing files that changed from the base of the PR and between 7e12492 and eb10664.

📒 Files selected for processing (4)
  • data/data/agent/systemd/units/assisted-service.service.template
  • pkg/asset/agent/image/ignition.go
  • pkg/asset/agent/image/ignition_test.go
  • pkg/asset/agent/image/unconfigured_ignition.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • pkg/asset/agent/image/ignition.go
  • data/data/agent/systemd/units/assisted-service.service.template
  • pkg/asset/agent/image/unconfigured_ignition.go

@bfournie bfournie force-pushed the agent-sigstore-env branch from eb10664 to 046ea13 Compare March 11, 2026 14:43
@andfasano
Contributor

/approve

Nightly builds are currently failing to install for agent jobs because
the images are not signed. Pass in the environment setting from CI
that will disable the check. This will only be true in CI.
@bfournie bfournie force-pushed the agent-sigstore-env branch from 046ea13 to 37ecfae Compare March 11, 2026 16:07
@openshift-ci
Contributor

openshift-ci bot commented Mar 11, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andfasano

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 11, 2026
@bfournie
Contributor Author

Verified with local testing using nightly images by setting
export OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY=true

+(./agent/agent_post_install_validation.sh:216): oc get nodes
NAME       STATUS   ROLES                         AGE   VERSION
master-0   Ready    control-plane,master,worker   25m   v1.35.1
+(./agent/agent_post_install_validation.sh:218): ((  1 != 1  ))
+(./agent/agent_post_install_validation.sh:223): oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.22.0-0.nightly-2026-03-09-103941   True        False         8s      Cluster version is 4.22.0-0.nightly-2026-03-09-103941

/verified by @bfournie

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 11, 2026
@openshift-ci-robot
Contributor

@bfournie: This PR has been marked as verified by @bfournie.


Contributor

@rwsu rwsu left a comment


/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 11, 2026
@openshift-merge-bot openshift-merge-bot bot merged commit a6ba91c into openshift:main Mar 11, 2026
25 of 27 checks passed
@openshift-ci-robot
Contributor

@bfournie: Jira Issue Verification Checks: Jira Issue OCPBUGS-78190
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-78190 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

