cmd/cluster-version-operator/render: Add --cluster-version-manifest-path option

Like a3a6a16 (cmd/render: Add --feature-gate-manifest-path option,
2024-08-07, #1078), but for ClusterVersion spec.overrides.  We need
this in place to avoid bootstrapping failure when the CVO renders the
ClusterImagePolicy despite
OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY having been set to
trigger the installer to set an override waiving the
ClusterImagePolicy [1]:

  $ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-1of2/2020129461281755136/artifacts/e2e-aws-ovn-serial/ipi-install-install/artifacts/log-bundle-20260207143404.tar | tar -tvz | grep 'cluster.*image.*polic'
  -rw-r--r-- core/core          1678 2026-02-07 06:34 log-bundle-20260207143404/rendered-assets/openshift/cvo-bootstrap/manifests/0000_90_openshift-cluster-image-policy.yaml
  -rw-r--r-- core/core          1678 2026-02-07 06:34 log-bundle-20260207143404/rendered-assets/openshift/manifests/0000_90_openshift-cluster-image-policy.yaml

The rendered ClusterImagePolicy is consumed by the bootstrap
machine-config operator, and it breaks the ability of unsigned nightly
control-plane nodes to launch [1]:

  $ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-1of2/2020129461281755136/artifacts/e2e-aws-ovn-serial/ipi-install-install/artifacts/log-bundle-20260207143404.tar | tar -tvz | grep 'control-plane.*journal.log.gz'
  -rw-r--r-- core/core         98143 2026-02-07 06:34 log-bundle-20260207143404/control-plane/10.0.110.120/journals/journal.log.gz
  -rw-r--r-- core/core        101064 2026-02-07 06:34 log-bundle-20260207143404/control-plane/10.0.5.2/journals/journal.log.gz
  -rw-r--r-- core/core         96700 2026-02-07 06:34 log-bundle-20260207143404/control-plane/10.0.71.227/journals/journal.log.gz
  $ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-1of2/2020129461281755136/artifacts/e2e-aws-ovn-serial/ipi-install-install/artifacts/log-bundle-20260207143404.tar | tar -xOz log-bundle-20260207143404/control-plane/10.0.5.2/journals/journal.log.gz | zgrep 'signature was required' | head -n4
  Sat 2026-02-07 13:51:08 UTC ip-10-0-5-2 machine-config-daemon-pull.service[2026]: Error: Source image rejected: A signature was required, but no signature exists
  Sat 2026-02-07 13:51:08 UTC ip-10-0-5-2 machine-config-daemon-pull.service[2026]: 2026-02-07 13:51:08.129594235 +0000 UTC m=+0.399222333 image pull-error  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b4b3cc836d480ea7156ea797712e9af742fb73e5fb56a9cf9e63aeae11875315 Source image rejected: A signature was required, but no signature exists
  Sat 2026-02-07 13:51:09 UTC ip-10-0-5-2 machine-config-daemon-pull.service[2037]: Error: Source image rejected: A signature was required, but no signature exists
  Sat 2026-02-07 13:51:09 UTC ip-10-0-5-2 machine-config-daemon-pull.service[2037]: 2026-02-07 13:51:09.533298454 +0000 UTC m=+0.389622944 image pull-error  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b4b3cc836d480ea7156ea797712e9af742fb73e5fb56a9cf9e63aeae11875315 Source image rejected: A signature was required, but no signature exists

[1]: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-1of2/2020129461281755136

Author: wking

cmd/cluster-version-operator/render.go

@@ -19,16 +19,18 @@ var (
 	}
 
 	renderOpts struct {
-		releaseImage            string
-		featureGateManifestPath string
-		outputDir               string
+		releaseImage               string
+		clusterVersionManifestPath string
+		featureGateManifestPath    string
+		outputDir                  string
 	}
 )
 
 func init() {
 	rootCmd.AddCommand(renderCmd)
 	renderCmd.PersistentFlags().StringVar(&renderOpts.outputDir, "output-dir", "", "The output directory where the manifests will be rendered.")
 	renderCmd.PersistentFlags().StringVar(&renderOpts.releaseImage, "release-image", "", "The Openshift release image url.")
+	renderCmd.PersistentFlags().StringVar(&renderOpts.clusterVersionManifestPath, "cluster-version-manifest-path", "", "ClusterVersion manifest input path.")
 	renderCmd.PersistentFlags().StringVar(&renderOpts.featureGateManifestPath, "feature-gate-manifest-path", "", "FeatureGate manifest input path.")
 }
 
@@ -42,7 +44,7 @@ func runRenderCmd(cmd *cobra.Command, args []string) {
 	if renderOpts.releaseImage == "" {
 		klog.Fatalf("missing --release-image flag, it is required")
 	}
-	if err := payload.Render(renderOpts.outputDir, renderOpts.releaseImage, renderOpts.featureGateManifestPath, clusterProfile()); err != nil {
+	if err := payload.Render(renderOpts.outputDir, renderOpts.releaseImage, renderOpts.clusterVersionManifestPath, renderOpts.featureGateManifestPath, clusterProfile()); err != nil {
 		klog.Fatalf("Render command failed: %v", err)
 	}
 }

pkg/payload/render.go

@@ -21,7 +21,7 @@ import (
 )
 
 // Render renders critical manifests from /manifests to outputDir.
-func Render(outputDir, releaseImage, featureGateManifestPath, clusterProfile string) error {
+func Render(outputDir, releaseImage, clusterVersionManifestPath, featureGateManifestPath, clusterProfile string) error {
 	var (
 		manifestsDir        = filepath.Join(DefaultPayloadDir, CVOManifestDir)
 		releaseManifestsDir = filepath.Join(DefaultPayloadDir, ReleaseManifestDir)
@@ -35,6 +35,11 @@ func Render(outputDir, releaseImage, featureGateManifestPath, clusterProfile str
 		}
 	)
 
+	overrides, err := parseClusterVersionManifest(clusterVersionManifestPath)
+	if err != nil {
+		return fmt.Errorf("error parsing cluster version manifest: %w", err)
+	}
+
 	requiredFeatureSet, enabledFeatureGates, err := parseFeatureGateManifest(featureGateManifestPath)
 	if err != nil {
 		return fmt.Errorf("error parsing feature gate manifest: %w", err)
@@ -70,7 +75,7 @@ func Render(outputDir, releaseImage, featureGateManifestPath, clusterProfile str
 	}}
 	var errs []error
 	for _, task := range tasks {
-		if err := renderDir(renderConfig, task.idir, task.odir, requiredFeatureSet, enabledFeatureGates, &clusterProfile, task.processTemplate, task.skipFiles, task.filterGroupKind); err != nil {
+		if err := renderDir(renderConfig, task.idir, task.odir, overrides, requiredFeatureSet, enabledFeatureGates, &clusterProfile, task.processTemplate, task.skipFiles, task.filterGroupKind); err != nil {
 			errs = append(errs, err)
 		}
 	}
@@ -82,7 +87,7 @@ func Render(outputDir, releaseImage, featureGateManifestPath, clusterProfile str
 	return nil
 }
 
-func renderDir(renderConfig manifestRenderConfig, idir, odir string, requiredFeatureSet *string, enabledFeatureGates sets.Set[string], clusterProfile *string, processTemplate bool, skipFiles sets.Set[string], filterGroupKind sets.Set[schema.GroupKind]) error {
+func renderDir(renderConfig manifestRenderConfig, idir, odir string, overrides []configv1.ComponentOverride, requiredFeatureSet *string, enabledFeatureGates sets.Set[string], clusterProfile *string, processTemplate bool, skipFiles sets.Set[string], filterGroupKind sets.Set[schema.GroupKind]) error {
 	klog.Infof("Filtering manifests in %s for feature set %v, cluster profile %v and enabled feature gates %v", idir, *requiredFeatureSet, *clusterProfile, enabledFeatureGates.UnsortedList())
 
 	if err := os.MkdirAll(odir, 0666); err != nil {
@@ -133,7 +138,7 @@ func renderDir(renderConfig manifestRenderConfig, idir, odir string, requiredFea
 		for _, manifest := range manifests {
 			if len(filterGroupKind) > 0 && !filterGroupKind.Has(manifest.GVK.GroupKind()) {
 				klog.Infof("excluding %s because we do not render that group/kind", manifest.String())
-			} else if err := manifest.Include(nil, requiredFeatureSet, clusterProfile, nil, nil, enabledFeatureGates); err != nil {
+			} else if err := manifest.Include(nil, requiredFeatureSet, clusterProfile, nil, overrides, enabledFeatureGates); err != nil {
 				klog.Infof("excluding %s: %v", manifest.String(), err)
 			} else {
 				filteredManifests = append(filteredManifests, string(manifest.Raw))
@@ -185,6 +190,35 @@ func renderManifest(config manifestRenderConfig, manifestBytes []byte) ([]byte,
 	return buf.Bytes(), nil
 }
 
+func parseClusterVersionManifest(clusterVersionManifestPath string) ([]configv1.ComponentOverride, error) {
+	if clusterVersionManifestPath == "" {
+		return nil, nil
+	}
+
+	manifests, err := manifest.ManifestsFromFiles([]string{clusterVersionManifestPath})
+	if err != nil {
+		return nil, fmt.Errorf("loading ClusterVersion manifest: %w", err)
+	}
+
+	if len(manifests) != 1 {
+		return nil, fmt.Errorf("ClusterVersion manifest %s contains %d manifests, but expected only one", clusterVersionManifestPath, len(manifests))
+	}
+
+	clusterVersionManifest := manifests[0]
+	expectedGVK := schema.GroupVersionKind{Kind: "ClusterVersion", Version: configv1.GroupVersion.Version, Group: config.GroupName}
+	if clusterVersionManifest.GVK != expectedGVK {
+		return nil, fmt.Errorf("ClusterVersion manifest %s GroupVersionKind %v, but expected %v", clusterVersionManifest.OriginalFilename, clusterVersionManifest.GVK, expectedGVK)
+	}
+
+	// Convert unstructured object to structured ClusterVersion
+	var clusterVersion configv1.ClusterVersion
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(clusterVersionManifest.Obj.Object, &clusterVersion); err != nil {
+		return nil, fmt.Errorf("failed to convert ClusterVersion manifest %s to structured object: %w", clusterVersionManifest.OriginalFilename, err)
+	}
+
+	return clusterVersion.Spec.Overrides, nil
+}
+
 func parseFeatureGateManifest(featureGateManifestPath string) (*string, sets.Set[string], error) {
 	if featureGateManifestPath == "" {
 		return ptr.To(""), sets.Set[string]{}, nil