New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Creating TLSOptions in favor of PullOptions and PushOptions. #86
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ybettan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
2df4d5c
to
faf02aa
Compare
If we change the CRD now, we probably need to implement a conversion webhook to avoid breaking clients. |
faf02aa
to
5a19643
Compare
5a19643
to
3f9c7f3
Compare
Codecov ReportBase: 71.86% // Head: 71.88% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #86 +/- ##
==========================================
+ Coverage 71.86% 71.88% +0.02%
==========================================
Files 25 25
Lines 2417 2419 +2
==========================================
+ Hits 1737 1739 +2
Misses 597 597
Partials 83 83
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
4d8aba7
to
02978ac
Compare
@qbarrand @yevgeny-shnaidman Are we OK to merge it without a conversion webhook at this point? |
b11cfdd
to
f5d6f5d
Compare
f5d6f5d
to
8a18fae
Compare
Should we also define |
8a18fae
to
6fbf202
Compare
6fbf202
to
58ed292
Compare
I don't think we do. @chr15p Am I missing something here? |
58ed292
to
ab57f90
Compare
/hold |
/unhold |
Signing pulls an image, signs its kmods, then pushes it back again. So it both pulls and pushes, and theoretically they could be to/from different registrys. We're currently using spec.ImageRepoSecret for the creds to do the pushing and pulling which it doesn't look like you're changing so I think we're ok. We might want to add per sign pull/push secrets, it would probably be a good thing, but at the moment we dont do that. |
This PR isn't about secret but rather about transport (TLS) options. We can discuss adding secrets to the sign if needed but I don't think is has the same context as this PR does. |
The `build` object, always push to the same registry that the `kernelMapping` will pull from, therefore, there is not need to duplicate the config. In addition that, I have also renamed some of the fields for better self-documented code. Here is how this field is used in the module: * `kernelMapping[].build.baseImageRegistryTLS` is only meant for pulling the base image of the Dockerfile specified in the build. * `kernelMapping[].registryTLS` is meant for specifying the TLS options for pulling the image we want to deploy or for pushing it in case we are building it in-cluster (because they will always be the same). * `moduleLoaderContainerSpec.registryTLS` is just the global value of all kernelMapping[]'s entries. Signed-off-by: Yoni Bettan <yonibettan@gmail.com>
ab57f90
to
08c4be5
Compare
Signing does essentially the same as building, I don't see any reason why we shouldn't have the same TLS options. |
Signing is accessing the same registry as building. Do you see any scenario where we execute sign without build? |
Signing isn't pulling any "base image" as
|
As agree with @qbarrand TLS options doesn't exist for signing in this PR, therefore, they will be added separately in a different PR. |
/lgtm |
yes, if a vendor distributes a their own pre-built driver container and it needs to be signed to run on the users cluster. and yes, sorry pull options not secrets, but signing still doesn't use them, and maybe it should, but that is a separate issue/PR |
…ernetes-sigs#86) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.9.0 to 0.10.0. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.24.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.20.2...v1.24.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ernetes-sigs#86) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.9.0 to 0.10.0. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The
build
object, always push to the same registry that thekernelMapping
will pull from, therefore, there is not need toduplicate the config.
In addition that, I have also renamed some of the fields for better
self-documented code.
Here is how this field is used in the module:
kernelMapping[].build.baseImageRegistryTLS
is only meant for pulling thebase image of the Dockerfile specified in the build.
kernelMapping[].registryTLS
is meant for specifying the TLS options forpulling the image we want to deploy or for pushing it in case we are building
it in-cluster (because they will always be the same).
moduleLoaderContainerSpec.registryTLS
is just the global value of allkernelMapping[]'s entries.
Signed-off-by: Yoni Bettan yonibettan@gmail.com