Invalid=True, Failing=True, and Progressing=True are all reasons we
might want to delay a transition to multi-arch.  Copy over the block
from the version-bumping switch case, so we get the usual checks for
--to-multi-arch too.  The user may opt to waive these guards with
--allow-upgrade-with-warnings as usual, but at least they'll be aware
that there are issues they may want to look into.

…en appending to specific arch images

The keep-manifest-list option for the append command was not exposed externally and only used in the
case of creating the release image. This PR aims to expose this option while also keeping functionality
intact. So, this means:
 - keep-manifest-list will always preserve the manifestlist when appending images. when used with
   --filter-by-os, the append will only happen for filtered images.
 - if keep-manifest-list is not specified, functionality will be same as before.

Reconciling with https://github.com/openshift/ocp-build-data/tree/e18d948b6ec9fc99c368102cffc1eea0c01f5765/images/openshift-enterprise-cli.yml

Add microshift into generate-docs

Reconciling with https://github.com/openshift/ocp-build-data/tree/7ce51feaf65258715109cad8d18b1bd0db0fbb2e/images/openshift-enterprise-deployer.yml

Reconciling with https://github.com/openshift/ocp-build-data/tree/7ce51feaf65258715109cad8d18b1bd0db0fbb2e/images/ose-tools.yml

…he one of the built image

Refers OCPBUGS-1117

Update the list of commands excluded from MicroShift documentation so
that the autoscale command is also excluded.

test

OCPBUGS-10622: bump repo sclorg/s2i-ruby-container location for newapp test

Newer git versions default to not trusting cloning over the file transport. We now need to explicitly turn it on for this test, which we know is safe because we just created both repos.

More info: https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253

Currently, the original index digest is maintained because the variable containing the digest is incorrectly scoped instead of being overwritten.

We only need to tell the registry we accept them, the registry client code already handles OCI manifests transparently for us.

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>

The assuption that the manifest existing means that the blobs exist only works when the target is a registry that will validate that the blobs have been uploaded before the manifest. On other targets, we should check for layer existence each time because the user may have used "--continue-on-error" and end up with missing layers.

- add new flag --import-mode=Legacy or --import-mode=PreserveOriginal
- the default is Legacy

Signed-off-by: Paul Bastide <pbastide@redhat.com>

…build

- support Legacy and PreserveOriginal import-mode with oc new-build
- add a guard to protect a panic when no DockerConfig exists
- add a PreserveOriginal guard for IsBuilderImage

Signed-off-by: Paul Bastide <pbastide@redhat.com>

OCPBUGS-1117: The architecture of oc in the cli-artifacts' /usr/bin folder should to the one of the built image

Reconciling with https://github.com/openshift/ocp-build-data/tree/8b1a74dceea1a289bee2412844cdc5f960df7d56/images/ose-cli-artifacts.yml

…-4.14-ose-cli-artifacts

Updating ose-cli-artifacts images to be consistent with ART

OCPBUGS-3393: Always copy the blobs if the target isn't a registry

…-4.14-openshift-enterprise-cli

Updating openshift-enterprise-cli images to be consistent with ART

…-4.14-openshift-enterprise-deployer

Updating openshift-enterprise-deployer images to be consistent with ART

Test Fix: Allow submodule using file transport with newer git

Currently when user runs `oc status --suggest` if misconfigured
registry is detected, `oc` suggests to run `oc adm registry -h` command.
However, this command is deprecated and removed, this PR instead suggests
correct command `oc registry -h`.

Exclude irrelevant commands from MicroShift documentation

OCPBUGS-10879: Fix deprecated oc command suggestion

`--preserve-pod` flag in oc debug is used to prevent deletion of pod.
However, if temporary namespace is created to run this privileged pod,
oc debug removes this namespace in any case and that causes pod trying
to be prevented also garbage collected.

This PR prevents deletion of namespace if the `--preserve-pod` flag is
passed to keep debug pod in cluster.

…-4.14-ose-tools

Updating ose-tools images to be consistent with ART

append: expose keep-manifest-list option and preserve manifestlist when appending to specific arch images

When extracting 'oc' from a manifest listed image, if the
--no-filter-by-os flag was not used and an image could not be found for
the runtime OS/runtime arch combination, warn the user a manifest image
could not be found for this combination and try searching for a
linux/runtime arch combination again in the manifest listed image.

Signed-off-by: Bryan Cox <brcox@redhat.com>

Remove already deprecated adm create-kubeconfig command

story: https://issues.redhat.com/browse/OCPNODE-1581

This PR migrates oc adm catalog mirror command to use IDMS:
mark icsp flags as deprecated.
add corresponding flags for idms
oc adm catalog mirror generate ImageContentSourcePolicy file currnetly. Update the comment to generate ImageDigestMirrorSet yaml file.

After this patch:

```
$ ./oc adm catalog mirror -a=config.json --insecure=true --max-icsp-size=19000 --icsp-scope=repository  localhost:5000/olm-mirror/my-redhat-operator-index:v4.7 quay.io/qiwanredhat/my-redhat-operator-index:v4.7
Flag --max-icsp-size has been deprecated, support for it will be removed in a future release. Use --max-idms-size instead.
Flag --icsp-scope has been deprecated, support for it will be removed in a future release.Use --idms-scope instead.
```

generated files:

```
total 252K
-rwxr-xr-x. 1 qiwan qiwan  260 Mar 28 11:55 catalogSource.yaml
-rwxr-xr-x. 1 qiwan qiwan  21K Mar 28 11:55 imageContentSourcePolicy.yaml
-rwxr-xr-x. 1 qiwan qiwan  21K Mar 28 11:55 imageDigestMirrorSet.yaml
-rw-r--r--. 1 qiwan qiwan 200K Mar 28 11:55 mapping.txt
```

Signed-off-by: Qi Wang <qiwan@redhat.com>

OCPBUGS-1115: Use linux/arch when user's OS isn't in manifests

[OCPNODE-1581] adm catalog mirror generates idms manifest

OCPBUGS-10843: oc debug unique pod name

This is follow-up of #1389 comments #1389 (review)

Signed-off-by: Qi Wang <qiwan@redhat.com>

adm catalog mirror update example to idms

OCPBUGS-8004: Fix bug when recreating an index with fewer images

Support OCI manifest lists in image mirror

replace trimLeft with trimPrefix

…-server-guards

pkg/cli/admin/upgrade: Clarify client-side vs. server-side docs

Currently, `oc login` has some logic when user gets x509 certificate errors.
However in Go 1.20 and upward versions, these certificate errors are wrapped in
`tls.CertificateVerificationError`. In order to keep the same functionality,
`oc login` needs to detect this type and extract correct error.

This PR adds that.

OCPBUGS-12143: oc login: unwrap tls.CertificateVerificationError to use x509 errors

OCPBUGS-11632: Improve error log messages in event filtering

OCPBUGS-13355: Use RequestToken functions from library-go

…d to the same ldap uid

The original design limited the ldap to openshift group mapping to a single
group: https://github.com/openshift/api/blob/4f3c947a2271264efd787eebeec05deb141e0333/legacyconfig/v1/types.go#L1306

The current implementation does not allow to cleanly error without disrupting already existing automation
which is either not aware of this restriction or willingly ignores it. We can only print a warning.

…for-multiple-groups

OCPBUGS-11123: oc adm groups sync: print a warning when two or more groups are mapped to the same ldap uid