MCO-2117: Allow default OSImageStream overrides

Previously the default stream was determined by matching the OS version
in the stream name, without the possibility of telling the MCO which
default stream to use. This change replaces that logic, allowing users
to input the defaultStream they want to use and falling back to the
builtin if necessary. The builtin default stream determination logic
has been improved to avoid hard-coding versions and it now picks the
OSImageStream that points to the images of the default OS tags
in the payload ImageStream.

Signed-off-by: Pablo Rodriguez Nava <git@amail.pablintino.com>

Author: Pablo Rodriguez Nava

go.mod

@@ -37,8 +37,8 @@ require (
 	github.com/onsi/gomega v1.36.2
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835
-	github.com/openshift/api v0.0.0-20260213123447-0246c0ac1a77
-	github.com/openshift/client-go v0.0.0-20260213141500-06efc6dce93b
+	github.com/openshift/api v0.0.0-20260226052804-beff70de904a
+	github.com/openshift/client-go v0.0.0-20260226152647-d8b2196ff0d9
 	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5
 	github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b
 	github.com/prometheus/client_golang v1.22.0
@@ -248,7 +248,7 @@ require (
 	github.com/ashanbrown/makezero v1.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bkielbasa/cyclop v1.2.3 // indirect
-	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/blang/semver/v4 v4.0.0
 	github.com/blizzy78/varnamelen v0.8.0 // indirect
 	github.com/breml/bidichk v0.3.2 // indirect
 	github.com/breml/errchkjson v0.4.0 // indirect

go.sum

@@ -609,10 +609,10 @@ github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplU
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835 h1:rkqIIfdYYkasXbF2XKVgh/3f1mhjSQK9By8WtVMgYo8=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
-github.com/openshift/api v0.0.0-20260213123447-0246c0ac1a77 h1:kAS0KmsQ+HzWUhX6pkGsrrKX8Dx5OKAj93cPNj+RGNs=
-github.com/openshift/api v0.0.0-20260213123447-0246c0ac1a77/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
-github.com/openshift/client-go v0.0.0-20260213141500-06efc6dce93b h1:7rTnxq+haKrzUFKQQDylkklyFRtGFox73dlawRlnTA8=
-github.com/openshift/client-go v0.0.0-20260213141500-06efc6dce93b/go.mod h1:V3s8weD4bKXGXaN7d9g3V1QS2gmlYBRI2i/lfIwmroM=
+github.com/openshift/api v0.0.0-20260226052804-beff70de904a h1:3mBAecolw1crGJR1pUk4YVmFbwt6upeyALOsu6L0MCE=
+github.com/openshift/api v0.0.0-20260226052804-beff70de904a/go.mod h1:ZYAxo9t1AALeEotN07tNzIvqqqWSxcZIqMUKnY/xCeQ=
+github.com/openshift/client-go v0.0.0-20260226152647-d8b2196ff0d9 h1:5gHG1T3PUm5Ly7vILl9+byccl9eAUiV2RZuWXVVNnB4=
+github.com/openshift/client-go v0.0.0-20260226152647-d8b2196ff0d9/go.mod h1:TeUQXSUW0UPXSmEtMZLfTYIE3MajxnziS3lbdH0WSwk=
 github.com/openshift/kubernetes v1.30.1-0.20251028145634-9e794b89909a h1:uaeiYAYOVlXChnGxvsziVTkzaSlBV7h8Y2U2Bc81UKM=
 github.com/openshift/kubernetes v1.30.1-0.20251028145634-9e794b89909a/go.mod h1:w3+IfrXNp5RosdDXg3LB55yijJqR/FwouvVntYHQf0o=
 github.com/openshift/kubernetes/staging/src/k8s.io/api v0.0.0-20251028145634-9e794b89909a h1:hZUZg/qpvT23oUoCkFWe/Q4VNu5zOeqmDOl3f/F6uRk=

pkg/controller/bootstrap/bootstrap.go

@@ -115,6 +115,7 @@ func (b *Bootstrap) Run(destDir string) error {
 		imageStream          *imagev1.ImageStream
 		iri                  *mcfgv1alpha1.InternalReleaseImage
 		iriTLSCert           *corev1.Secret
+		osImageStream        *mcfgv1alpha1.OSImageStream
 	)
 	for _, info := range infos {
 		if info.IsDir() {
@@ -199,6 +200,9 @@ func (b *Bootstrap) Run(destDir string) error {
 				if obj.GetName() == ctrlcommon.InternalReleaseImageTLSSecretName {
 					iriTLSCert = obj
 				}
+			case *mcfgv1alpha1.OSImageStream:
+				// If given, it's treated as user input with config such as the default stream
+				osImageStream = obj
 			default:
 				klog.Infof("skipping %q [%d] manifest because of unhandled %T", file.Name(), idx+1, obji)
 			}
@@ -224,10 +228,17 @@ func (b *Bootstrap) Run(destDir string) error {
 		return fmt.Errorf("error filtering pools: %w", err)
 	}
 
-	var osImageStream *mcfgv1alpha1.OSImageStream
 	// Enable OSImageStreams if the FeatureGate is active and the deployment is not OKD
 	if osimagestream.IsFeatureEnabled(fgHandler) {
-		osImageStream, err = b.fetchOSImageStream(imageStream, cconfig, icspRules, idmsRules, itmsRules, imgCfg, pullSecret)
+		osImageStream, err = b.fetchOSImageStream(
+			imageStream,
+			cconfig,
+			icspRules,
+			idmsRules,
+			itmsRules,
+			imgCfg,
+			pullSecret,
+			osImageStream)
 		if err != nil {
 			return err
 		}
@@ -240,6 +251,9 @@ func (b *Bootstrap) Run(destDir string) error {
 		}
 		cconfig.Spec.BaseOSContainerImage = string(defaultStreamSet.OSImage)
 		cconfig.Spec.BaseOSExtensionsContainerImage = string(defaultStreamSet.OSExtensionsImage)
+	} else {
+		// Just ensuring the osImageStream is nil if the FG is disabled
+		osImageStream = nil
 	}
 
 	pullSecretBytes := pullSecret.Data[corev1.DockerConfigJsonKey]
@@ -462,6 +476,7 @@ func (b *Bootstrap) fetchOSImageStream(
 	itmsRules []*apicfgv1.ImageTagMirrorSet,
 	imgCfg *apicfgv1.Image,
 	pullSecret *corev1.Secret,
+	existingOSImageStream *mcfgv1alpha1.OSImageStream,
 ) (*mcfgv1alpha1.OSImageStream, error) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
@@ -479,15 +494,25 @@ func (b *Bootstrap) fetchOSImageStream(
 		sysCtxBuilder.WithRegistriesConfig(registriesConfig)
 	}
 
-	osImageStream, err := osimagestream.BuildOsImageStreamBootstrap(ctx,
-		sysCtxBuilder,
-		imageStream,
-		&osimagestream.OSImageTuple{
+	sysCtx, err := sysCtxBuilder.Build()
+	if err != nil {
+		return nil, fmt.Errorf("could not prepare for OSImageStream inspection: %w", err)
+	}
+	defer func() {
+		if err := sysCtx.Cleanup(); err != nil {
+			klog.Warningf("Unable to clean resources after OSImageStream inspection: %s", err)
+		}
+	}()
+
+	factory := osimagestream.NewDefaultStreamSourceFactory(&osimagestream.DefaultImagesInspectorFactory{})
+	osImageStream, err := factory.Create(ctx, sysCtx.SysContext, osimagestream.CreateOptions{
+		ExistingOSImageStream: existingOSImageStream,
+		ReleaseImageStream:    imageStream,
+		CliImages: &osimagestream.OSImageTuple{
 			OSImage:           cconfig.Spec.BaseOSContainerImage,
 			OSExtensionsImage: cconfig.Spec.BaseOSExtensionsContainerImage,
 		},
-		osimagestream.NewDefaultStreamSourceFactory(nil, &osimagestream.DefaultImagesInspectorFactory{}),
-	)
+	})
 	if err != nil {
 		return nil, fmt.Errorf("error inspecting available OSImageStreams: %w", err)
 	}

pkg/controller/common/constants.go

@@ -27,6 +27,9 @@ const (
 	// ReleaseImageVersionAnnotationKey is used to tag the rendered machineconfigs & controller config with the release image version.
 	ReleaseImageVersionAnnotationKey = "machineconfiguration.openshift.io/release-image-version"
 
+	// BuiltinDefaultStreamAnnotationKey is the MCO fallback default stream.
+	BuiltinDefaultStreamAnnotationKey = "machineconfiguration.openshift.io/builtin-default-stream"
+
 	// OSImageURLOverriddenKey is used to tag a rendered machineconfig when OSImageURL has been overridden from default using machineconfig
 	OSImageURLOverriddenKey = "machineconfiguration.openshift.io/os-image-url-overridden"
 

pkg/operator/operator.go

@@ -372,6 +372,8 @@ func New(
 	if osImageStreamInformer != nil && osimagestream.IsFeatureEnabled(optr.fgHandler) {
 		optr.osImageStreamLister = osImageStreamInformer.Lister()
 		optr.osImageStreamListerSynced = osImageStreamInformer.Informer().HasSynced
+		// TODO: Move this AddEventHandler to the main loop when the FG is removed
+		osImageStreamInformer.Informer().AddEventHandler(optr.eventHandler())
 	}
 	if iriInformer != nil {
 		optr.iriLister = iriInformer.Lister()

pkg/operator/osimagestream_ocp.go

@@ -32,16 +32,46 @@ func (optr *Operator) syncOSImageStream(_ *renderConfig, _ *configv1.ClusterOper
 	// This sync runs once per version. Before performing the streams fetching
 	// process, that takes time as it requires inspecting images, ensure this function
 	// needs to build the stream.
-	existingOSImageStream, updateRequired, err := optr.isOSImageStreamBuildRequired()
-	if !updateRequired || err != nil {
+	existingOSImageStream, rebuildRequired, err := optr.isOSImageStreamBuildRequired()
+	if err != nil {
 		return err
 	}
 
-	// If the code reaches this point the OSImageStream CR is not
-	// present (new cluster) or it's out-dated (cluster update).
-	// Build the new OSImageStream and push it.
-	return optr.buildOSImageStream(existingOSImageStream)
+	if rebuildRequired {
+		// If the code reaches this point the OSImageStream status containing
+		// the available OS Image Streams is outdated or doesn't exist.
+		return optr.buildOSImageStream(existingOSImageStream)
+	} else if existingOSImageStream != nil {
+		// We didn't require a rebuild, but check if we need to update the default
+		return optr.updateOSImageStream(existingOSImageStream)
+	}
 
+	return err
+}
+
+func (optr *Operator) updateOSImageStream(existingOSImageStream *v1alpha1.OSImageStream) error {
+	requestedDefault := osimagestream.GetOSImageStreamSpecDefault(existingOSImageStream)
+	if requestedDefault == "" {
+		requestedDefault = osimagestream.GetBuiltinDefault(existingOSImageStream)
+	}
+
+	currentDefault := existingOSImageStream.Status.DefaultStream
+	if currentDefault != requestedDefault {
+		if _, err := osimagestream.GetOSImageStreamSetByName(existingOSImageStream, requestedDefault); err != nil {
+			return fmt.Errorf("error syncing default OSImageStream with OSImageStream %s: %v", requestedDefault, err)
+		}
+
+		existingOSImageStream.Status.DefaultStream = requestedDefault
+		if _, err := optr.client.
+			MachineconfigurationV1alpha1().
+			OSImageStreams().
+			UpdateStatus(context.TODO(), existingOSImageStream, metav1.UpdateOptions{}); err != nil {
+			return fmt.Errorf("error updating the default OSImageStream status: %w", err)
+		}
+
+		klog.Infof("OSImageStream default has changed from %s to %s", currentDefault, requestedDefault)
+	}
+	return nil
 }
 
 func (optr *Operator) buildOSImageStream(existingOSImageStream *v1alpha1.OSImageStream) error {
@@ -76,8 +106,25 @@ func (optr *Operator) buildOSImageStream(existingOSImageStream *v1alpha1.OSImage
 		return fmt.Errorf("could not build SysContext for OSImageStream build: %w", err)
 	}
 
-	imageStreamFactory := osimagestream.NewDefaultStreamSourceFactory(optr.mcoCmLister, &osimagestream.DefaultImagesInspectorFactory{})
-	osImageStream, err := osimagestream.BuildOsImageStreamRuntime(buildCtx, sysCtxBuilder, image, imageStreamFactory)
+	sysCtx, err := sysCtxBuilder.Build()
+	if err != nil {
+		return fmt.Errorf("could not prepare for OSImageStream inspection: %w", err)
+	}
+	defer func() {
+		if err := sysCtx.Cleanup(); err != nil {
+			klog.Warningf("Unable to clean resources after OSImageStream inspection: %s", err)
+		}
+	}()
+
+	factory := osimagestream.NewDefaultStreamSourceFactory(&osimagestream.DefaultImagesInspectorFactory{})
+	osImageStream, err := factory.Create(
+		buildCtx,
+		sysCtx.SysContext,
+		osimagestream.CreateOptions{
+			ReleaseImage:          image,
+			ConfigMapLister:       optr.mcoCmLister,
+			ExistingOSImageStream: existingOSImageStream,
+		})
 	if err != nil {
 		return fmt.Errorf("error building the OSImageStream: %w", err)
 	}
@@ -179,9 +226,9 @@ func (optr *Operator) isOSImageStreamBuildRequired() (*v1alpha1.OSImageStream, b
 	}
 
 	// Check if an update is needed
-	if !osImageStreamRequiresUpdate(existingOSImageStream) {
+	if !osImageStreamRequiresRebuild(existingOSImageStream) {
 		klog.V(4).Info("OSImageStream is already up-to-date, skipping sync")
-		return nil, false, nil
+		return existingOSImageStream, false, nil
 	}
 	return existingOSImageStream, true, nil
 }
@@ -235,12 +282,13 @@ func (optr *Operator) getExistingOSImageStream() (*v1alpha1.OSImageStream, error
 	return osImageStream, nil
 }
 
-// osImageStreamRequiresUpdate checks if the OSImageStream needs to be created or updated.
-// Returns true if osImageStream is nil or if its version annotation doesn't match the current version.
-func osImageStreamRequiresUpdate(osImageStream *v1alpha1.OSImageStream) bool {
+// osImageStreamRequiresRebuild checks if the OSImageStream needs to be created or updated.
+// Returns true if osImageStream is nil, if its version annotation doesn't match the current version,
+// or if the builtin default stream annotation is missing.
+func osImageStreamRequiresRebuild(osImageStream *v1alpha1.OSImageStream) bool {
 	if osImageStream == nil {
 		return true
 	}
 	releaseVersion, ok := osImageStream.Annotations[ctrlcommon.ReleaseImageVersionAnnotationKey]
-	return !ok || releaseVersion != version.Hash
+	return !ok || releaseVersion != version.Hash || osimagestream.GetBuiltinDefault(osImageStream) == ""
 }

pkg/osimagestream/helpers.go

@@ -43,3 +43,19 @@ func GetOSImageStreamSetByName(osImageStream *v1alpha1.OSImageStream, name strin
 func IsFeatureEnabled(fgHandler common.FeatureGatesHandler) bool {
 	return fgHandler.Enabled(features.FeatureGateOSStreams) && !version.IsSCOS() && !version.IsFCOS()
 }
+
+// GetBuiltinDefault returns the MCO fallback default stream, or empty string if not available.
+func GetBuiltinDefault(osImageStream *v1alpha1.OSImageStream) string {
+	if osImageStream == nil {
+		return ""
+	}
+	return osImageStream.Annotations[common.BuiltinDefaultStreamAnnotationKey]
+}
+
+// GetOSImageStreamSpecDefault returns the user-requested default stream override, or empty string if not set.
+func GetOSImageStreamSpecDefault(osImageStream *v1alpha1.OSImageStream) string {
+	if osImageStream != nil && osImageStream.Spec != nil {
+		return osImageStream.Spec.DefaultStream
+	}
+	return ""
+}

pkg/osimagestream/imagestream_provider.go

@@ -3,6 +3,7 @@ package osimagestream
 import (
 	"context"
 	"fmt"
+	"sync"
 
 	imagev1 "github.com/openshift/api/image/v1"
 	"github.com/openshift/client-go/image/clientset/versioned/scheme"
@@ -37,6 +38,8 @@ func (i *ImageStreamProviderResource) ReadImageStream(_ context.Context) (*image
 type ImageStreamProviderNetwork struct {
 	imagesInspector ImagesInspector
 	imageName       string
+	cacheLock       sync.Mutex
+	imageStream     *imagev1.ImageStream
 }
 
 // NewImageStreamProviderNetwork creates a new ImageStreamProviderNetwork that will fetch
@@ -46,14 +49,27 @@ func NewImageStreamProviderNetwork(imagesInspector ImagesInspector, imageName st
 }
 
 // ReadImageStream fetches the ImageStream manifest from the container image and decodes it.
-// Returns an error if the file cannot be fetched, is empty, contains invalid YAML,
-// or does not contain an ImageStream resource.
+// The result is cached on success; failures are retried on subsequent calls.
 func (i *ImageStreamProviderNetwork) ReadImageStream(ctx context.Context) (*imagev1.ImageStream, error) {
+	i.cacheLock.Lock()
+	defer i.cacheLock.Unlock()
+	if i.imageStream != nil {
+		return i.imageStream, nil
+	}
+	is, err := i.fetchImageStream(ctx)
+	if err != nil {
+		return nil, err
+	}
+	i.imageStream = is
+	return is, nil
+}
+
+func (i *ImageStreamProviderNetwork) fetchImageStream(ctx context.Context) (*imagev1.ImageStream, error) {
 	imageStreamBytes, err := i.imagesInspector.FetchImageFile(ctx, i.imageName, releaseImageStreamLocation)
 	if err != nil {
 		return nil, err
 	}
-	if imageStreamBytes == nil || len(imageStreamBytes) == 0 {
+	if len(imageStreamBytes) == 0 {
 		return nil, fmt.Errorf("no ImageStream found for %s", i.imageName)
 	}