From 5adf083ba82e2f90cdf2aeb104f390f7ad50677f Mon Sep 17 00:00:00 2001
From: Pablo Rodriguez Nava <pabrodri@redhat.com>
Date: Mon, 6 Oct 2025 11:31:57 +0200
Subject: [PATCH] OCPBUGS-62510: Skip rpm-ostree local rebase if no PIS

This commit slightly changes the behaviour of OS updates if PIS is not
configured.
Before this change, if PIS was enabled we checked if the new OS image
was locally present and if so, the OS rebase was requested to be
performed using the local stored copy, no matter if any PinnedImageSet
was available for the node's pools.
With this change that local check is only performed if PIS is enabled
and configured.

This minor behaviour change helps during upgrades from 4.19.10 to any
version that has PIS enabled (from 4.19.12 it's enabled by default) as
the machine-config-nodes-crd-cleanup job uses the target image to run
before the update, catching the image locally and leading to possible
pull/verify errors if the pull policy is not allowing local pulls.

Clusters with PIS configured won't benefit from this change if their
pull policy is restrictive as this change scope doesn't cover tweaking
the pull policy.

Co-authored-by: Isabella Janssen <ijanssen@redhat.com>
Co-authored-by: Jerry Zhang <jerzhang@redhat.com>
---
 pkg/daemon/update.go | 38 +++++++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 5 deletions(-)

diff --git a/pkg/daemon/update.go b/pkg/daemon/update.go
index 2c2ab38f14..e9d0546ebd 100644
--- a/pkg/daemon/update.go
+++ b/pkg/daemon/update.go
@@ -2557,12 +2557,17 @@ func (dn *Daemon) updateLayeredOS(config *mcfgv1.MachineConfig) error {
 		return dn.InplaceUpdateViaNewContainer(newURL)
 	}
 
-	isOsImagePresent := false
+	isPisConfigured, err := dn.isPinnedImageSetConfigured()
+	if err != nil {
+		// Ignore the error and default to remote pull
+		klog.Errorf("Failed to determine if pinned image set is configured: %v", err)
+	}
 
-	// not set during firstboot
-	if dn.fgHandler != nil && dn.fgHandler.Enabled(features.FeatureGatePinnedImages) {
-		isOsImagePresent, err = isImagePresent(newURL)
-		if err != nil {
+	// If PIS is configured check if the image is locally present. If so, rebase using
+	// the local image
+	isOsImagePresent := false
+	if isPisConfigured {
+		if isOsImagePresent, err = isImagePresent(newURL); err != nil {
 			return err
 		}
 	}
@@ -2595,6 +2600,29 @@ func (dn *Daemon) updateLayeredOS(config *mcfgv1.MachineConfig) error {
 	return nil
 }
 
+func (dn *Daemon) isPinnedImageSetConfigured() (bool, error) {
+	if dn.fgHandler == nil || !dn.fgHandler.Enabled(features.FeatureGatePinnedImages) || dn.node == nil || dn.mcpLister == nil {
+		// Two options:
+		// - PIS is not enabled
+		// - MCD first boot run: No connection to the cluster and node not populated -> Cannot check PIS config
+		return false, nil
+	}
+
+	// PIS is enabled. Check if it's configured in any of its pools
+	pools, _, err := helpers.GetPoolsForNode(dn.mcpLister, dn.node)
+	if err != nil {
+		return false, fmt.Errorf("failed to get pools for node %q: %w", dn.node.Name, err)
+	}
+
+	for _, pool := range pools {
+		if pool.Spec.PinnedImageSets != nil && len(pool.Spec.PinnedImageSets) > 0 {
+			return true, nil
+		}
+	}
+	// No pools with PIS configured
+	return false, nil
+}
+
 // Synchronously invoke a command, writing its stdout to our stdout,
 // and gathering stderr into a buffer which will be returned in err
 // in case of error.