pkg/payload: Add Images map to manifest template config

[jhadvig]

Summary

Add Images map to manifestRenderConfig, populated from the release payload's image-references ImageStream. This allows CVO manifests in /manifests/ to reference component images by short name using Go template syntax: {{index .Images "component-name"}}.

Also set missingkey=zero on the template engine so that manifests referencing template fields not yet known to an older CVO binary render as zero values instead of causing a fatal error. This is needed for upgrade safety — when an older CVO loads a newer payload that uses new template fields (like .Images), the unknown fields render as empty strings and the manifests are filtered out by feature-set or capability gating, instead of crashing the payload loading.

This PR is the first of two — it adds the Go plumbing only, no new manifests. A follow-up PR will add the console plugin manifests that use {{index.Images "cluster-update-console-plugin"}}.

Related:

• openshift/oc#2287 — keeps CVO's image-references entries in the release
• openshift/cluster-version-operator#1398 — console plugin manifests (follow-up)

Trade-offs

missingkey=zero makes template typos silent. Currently {{.ReleaseImge}} (typo) fails loudly at manifest load time. With missingkey=zero it silently renders as empty string — failing at pod runtime instead of at loading time. This is mitigated by Test_cvoManifests which renders all install/ manifests in CI, but it's a weaker signal than a hard error.

Render() now hard-errors if image-references is missing. The bootstrap rendering path now loads image-references from /release-manifests/ and fails if it's not there. This file is always present in a real release payload, but could break unusual test environments that don't include it.

/assign @wking

Summary by CodeRabbit

• Improvements
  • Payload manifest rendering now utilizes image references from releases for enhanced image resolution.
  • Template rendering behavior updated to better handle undefined template values.

[coderabbitai]

Walkthrough

The change adds an Images map[string]string field to manifestRenderConfig and a new imagesFromImageRef helper that converts imagev1.ImageStream tag entries with DockerImage sources into a short-name→URI map. Render loads image references from disk and populates this map; loadPayloadTasks gains an imageRef parameter and does the same. LoadUpdate passes payload.ImageRef to loadPayloadTasks. Template rendering switches to missingkey=zero.

Changes

Image reference rendering

Layer / File(s)	Summary
manifestRenderConfig.Images field and imagesFromImageRef helper pkg/payload/render.go	Adds Images map[string]string to manifestRenderConfig, implements imagesFromImageRef to extract short-name→URI pairs from imagev1.ImageStream DockerImage tags, changes renderManifest template parsing to missingkey=zero, and adds the imagev1 import.
Wiring through Render and loadPayloadTasks/LoadUpdate pkg/payload/render.go, pkg/payload/payload.go	Render calls loadImageReferences and sets renderConfig.Images; loadPayloadTasks accepts a new *imagev1.ImageStream parameter and populates manifestRenderConfig.Images via imagesFromImageRef; LoadUpdate passes payload.ImageRef to loadPayloadTasks.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'pkg/payload: Add Images map to manifest template config' directly summarizes the main change: adding an Images map to the manifest template configuration in the payload processing logic.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR uses standard Go testing package (not Ginkgo), and all test names are static descriptive strings without dynamic information like timestamps, UUIDs, generated IDs, or variable values.
Test Structure And Quality	✅ Passed	The PR modifies only pkg/payload/payload.go (+3/-2) and pkg/payload/render.go (+23/-1), with no test file changes. The codebase contains standard Go tests (func Test...) in pkg/payload/ and Ginkgo...
Microshift Test Compatibility	✅ Passed	PR only modifies implementation files (pkg/payload/payload.go, pkg/payload/render.go); no new Ginkgo e2e tests added. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies payload.go and render.go (non-test files) with manifest rendering plumbing only. No new Ginkgo e2e tests (It(), Describe(), Context(), When()) are added, so the SNO compatibility c...
Topology-Aware Scheduling Compatibility	✅ Passed	This PR only modifies Go code in pkg/payload/{payload,render}.go to add template infrastructure plumbing. No deployment manifests, pods, or scheduling constraints (affinity, topology spread, node s...
Ote Binary Stdout Contract	✅ Passed	The PR modifies pkg/payload/payload.go and pkg/payload/render.go only. No process-level code (main, init, TestMain, BeforeSuite, etc.) was added or modified. New functions (loadImageReferences, ima...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. Changes are to source files (payload.go, render.go) only, not test files. The check is not applicable.
No-Weak-Crypto	✅ Passed	PR contains no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) usage, custom crypto, or insecure secret comparisons. Only FNV-64 for non-sensitive checksums.
Container-Privileges	✅ Passed	This PR adds only Go code changes to template rendering infrastructure (pkg/payload/payload.go and pkg/payload/render.go) with no new container/K8s manifests. The PR description explicitly states "...
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data logging introduced. The new Images map contains component image URIs which are not sensitive, and are never logged. All error handling uses safe formatting without including the c...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jhadvig
Once this PR has been reviewed and has the lgtm label, please assign fao89 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (1)

pkg/payload/render.go (1)

194-210: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Add regression tests for the new Images + missingkey=zero behavior.

Line 210 changes template failure semantics, and Lines 195-205 add filtering logic. Please add focused tests for: nil imageRef, non-DockerImage tags being ignored, and missing image keys rendering empty output. This reduces silent-template regressions.

Suggested test shape

diff --git a/pkg/payload/render_test.go b/pkg/payload/render_test.go
@@
 func TestRenderManifest(t *testing.T) {
   tests := []struct {
@@
+    {
+      name: "missing image key renders empty string",
+      config: manifestRenderConfig{
+        Images: map[string]string{"known": "quay.io/example/known:latest"},
+      },
+      manifestFile:         "./testdata/template_with_images.yaml",
+      expectedManifestFile: "./testdata/template_with_images_expected_missing_key.yaml",
+    },
   }
 }
+
+func TestImagesFromImageRef(t *testing.T) {
+  // cover nil imageRef, DockerImage extraction, and non-DockerImage filtering
+}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/payload/render.go` around lines 194 - 210, The imagesFromImageRef
function and renderManifest function have new logic that needs test coverage to
prevent regressions. Add unit tests that cover: calling imagesFromImageRef with
a nil imageRef parameter to verify it returns an empty map, calling
imagesFromImageRef with tags that have non-DockerImage Kind values to verify
they are filtered out and not included in the returned map, and calling
renderManifest with template variables that reference missing image keys to
verify the missingkey=zero option causes them to render as empty strings instead
of causing template errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/payload/render.go`:
- Around line 194-210: The imagesFromImageRef function and renderManifest
function have new logic that needs test coverage to prevent regressions. Add
unit tests that cover: calling imagesFromImageRef with a nil imageRef parameter
to verify it returns an empty map, calling imagesFromImageRef with tags that
have non-DockerImage Kind values to verify they are filtered out and not
included in the returned map, and calling renderManifest with template variables
that reference missing image keys to verify the missingkey=zero option causes
them to render as empty strings instead of causing template errors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f6c9aa5e-9edb-48df-9c96-5c90eecc01a9

📥 Commits

Reviewing files that changed from the base of the PR and between 810bfc1 and 32c326c.

📒 Files selected for processing (2)

• pkg/payload/payload.go
• pkg/payload/render.go