[update] Skip customContainerImages webhook validation in CI

Starting with openstack-operator FR4
(openstack-k8s-operators/openstack-operator#1569, merged Oct 2025),
the `OpenStackVersion` admission webhook rejects `targetVersion`
changes when `spec.customContainerImages` are identical to those
tracked for the previously deployed version.

In CI, the greenfield deployment and the simulated version bump
share the same delorean hash, so `customContainerImages` are
legitimately identical across versions -- there are no new
container builds to reference. Retagging is a no-op.

Add the operator-provided `skip-custom-images-validation` annotation
before patching `targetVersion` in both update scripts. This
annotation is the intended escape hatch for automation where the
images are intentionally unchanged (see `ValidateUpdate` in
`openstackversion_webhook.go`).

The intermediate `openstackversionpatch.yaml` file is no longer
generated; the patch is passed inline instead.

Assisted-by: Cursor (claude-4.6-opus-high)

Signed-off-by: Roberto Alfieri <ralfieri@redhat.com>

Author: rebtoor

scripts/openstack-update-services.sh

@@ -62,15 +62,17 @@ oc wait $OPENSTACK_VERSION_CR --for=jsonpath='{.status.availableVersion}'=$OPENS
 
 OPENSTACK_DEPLOYED_VERSION=$(oc get $OPENSTACK_VERSION_CR --template={{.status.deployedVersion}})
 
-cat <<EOF >openstackversionpatch.yaml
-    "spec": {
-      "targetVersion": "$OPENSTACK_VERSION"
-      }
-EOF
-
 update_event Patching the Openstack Version
 
-oc patch $OPENSTACK_VERSION_CR  --type=merge  --patch-file openstackversionpatch.yaml
+# In CI the same container images are used for both the initial deployment and
+# the simulated version bump, so customContainerImages are identical across
+# versions.  The admission webhook (FR4+, upstream PR #1569) rejects
+# targetVersion changes in that case.  The operator provides this annotation
+# to skip the check when the images are intentionally unchanged.
+oc annotate $OPENSTACK_VERSION_CR \
+  core.openstack.org/skip-custom-images-validation="" --overwrite
+
+oc patch $OPENSTACK_VERSION_CR --type=merge -p '{"spec":{"targetVersion":"'"$OPENSTACK_VERSION"'"}}'
 
 # wait for ovn update on control plane
 oc wait $OPENSTACK_VERSION_CR --for=condition=MinorUpdateOVNControlplane --timeout=$TIMEOUT

scripts/openstack-update.sh

@@ -74,15 +74,17 @@ oc wait $OPENSTACK_VERSION_CR --for=jsonpath='{.status.availableVersion}'=$OPENS
 
 OPENSTACK_DEPLOYED_VERSION=$(oc get $OPENSTACK_VERSION_CR --template={{.spec.targetVersion}})
 
-cat <<EOF >openstackversionpatch.yaml
-    "spec": {
-      "targetVersion": "$OPENSTACK_VERSION"
-      }
-EOF
-
 update_event Patching the Openstack Version
 
-oc patch $OPENSTACK_VERSION_CR  --type=merge  --patch-file openstackversionpatch.yaml
+# In CI the same container images are used for both the initial deployment and
+# the simulated version bump, so customContainerImages are identical across
+# versions.  The admission webhook (FR4+, upstream PR #1569) rejects
+# targetVersion changes in that case.  The operator provides this annotation
+# to skip the check when the images are intentionally unchanged.
+oc annotate $OPENSTACK_VERSION_CR \
+  core.openstack.org/skip-custom-images-validation="" --overwrite
+
+oc patch $OPENSTACK_VERSION_CR --type=merge -p '{"spec":{"targetVersion":"'"$OPENSTACK_VERSION"'"}}'
 
 # wait for ovn update on control plane
 oc wait $OPENSTACK_VERSION_CR --for=condition=MinorUpdateOVNControlplane --timeout=$TIMEOUT