New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Registry Configuration for Builds #144
Registry Configuration for Builds #144
Conversation
config/v1/types_build.go
Outdated
// RegistriesConfig is a reference to a ConfigMap containing the registry configuration | ||
// for image search, allowed insecure registries, and blocked registries. | ||
// +optional | ||
RegistriesConfig ConfigMapReference `json:"registriesConfig,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i'm torn over whether this should be top level, or put in BuildDefaults so that we can later allow end-users to provide their own value if they want to.... i'm leaning towards the latter for flexibility, even if we decide we never want to expose it.
Similarly, while you're in here, can you add HTTP/HTTPS/NOPROXY settings to BuildDefaults? (Same logic.. we may or may not want to let end-users specify their own proxy settings on a per build basis in the future).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(we may also want to revisit moving additionalTrustedCA into BuildDefaults for the same reason, but for now i'm content to leave it while we get things working)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had similar thoughts about the HTTP proxies - these should be first-class in some capacity, rather than buried in an ENV var. I'll add those.
Adding to build defaults does give us flexibility. In the long run I'd be worried about security concerns/pushback for such a feature. At present, though, I don't think there is harm going with this approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, the security concerns are why i'm not sure we'd ever allow end-users to set these, but again i don't want to paint ourselves into a corner in case we do decide it is an ok thing to do.
for now it'll be a "default" that is effectively the enforced setting.
When you add the proxies please make a struct, so we don't have 3 new top-level fields.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(gitproxy should have been done that way too. if we get time we might want to fix that for 4.0)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there is also merit in-lining the registries.conf
file, rather than referencing a ConfigMap. Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with it, though i think @deads2k has been against inlining content like that historically, i can't remember the reasoning though. It certainly would make the consuming logic a lot simpler.
nits, otherwise lgtm |
423a18a
to
5fec18e
Compare
config/v1/types_build.go
Outdated
type RegistriesConfig struct { | ||
// SearchRegistries lists the registries to search for images if an image repository is not specified in an image pull spec | ||
// +optional | ||
SearchRegistries []string `json:"searchRegistries,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bparees I feel giving RegistriesConfig
first-class support will be more consumer-friendly and resilient to change in the long run.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seems reasonable to me, but it means you're going to have to reconstruct the registries.conf file in the build controller
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
correct, but that isn't hard and isolates tooling changes from cluster admins (YAML yesterday, TOML today, tomorrow who knows...)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think SearchRegistries should have a default value of:
registry.redhat.io, quay.io, registry.access.redhat.com, docker.io
so that it "just works" out of the box.
you'll need to make it a pointer so users can differentiate between "i didn't provide a value and so i get the default" and "i provided an empty array, i don't want any search behavior"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(I want to stop embedding a registries.conf in our builder image)
config/v1/types_build.go
Outdated
type RegistriesList []string | ||
|
||
var ( | ||
DefaultSearchRegistries RegistriesList = []string{"registry.redhat.io", "quay.io", "registry.access.redhat.com", "docker.io"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We disabled these defaults in 3.x - why would we need to have them here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, just say no to registry search lists. embrace the fully qualified image pull spec. we painted ourselves into a corner by doing this in the past.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nm, this is search.
Search is pretty fraught. I'm not sure I want to support that in the future. We agreed in 3.10 / 3.11 that search is counter to our goals with Kubernetes and so endorsing and future tolerating global search is counter to our goals.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this has been (and would continue to be) a pain point, how big of a pain would we create by removing this as a confg option?
I think we're in agreement that the sane default is nil
, but I'm hesitant to remove search as a config option.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to what @adambkaplan said. our main concern here is people who already have buildconfigs with non-qualified pullspecs. Those people are either going to have to go fix those buildconfigs, or (if we have this field) the admin can go setup an appropriate search to make things work.
If we are comfortable telling them that what worked in 3.11 (because we did have search, or at least configurable search by tweaking the docker config on the nodes) won't work in 4.0, i'm happy to ditch this option...
Remember that build pull is not identical to kubernetes pull behavior, though (wasn't in 3.11, won't be in 4.0).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@smarterclayton so is the the final decision? People using un-qualified image specs in 4.0 get broken and told to fix it?
Another item that we need to address is the "block all registries but X, Y, Z" that was available in 3.x: https://docs.okd.io/3.11/day_two_guide/docker_tasks.html#docker-external-registries-whitelist-and-blacklist I don't think we have this capability with the IMO I think setting up an HTTP proxy that whitelists the allowed registries would be a better approach if someone wants to only allow pulls from specific repositories. |
/hold Scoping this PR back down to the registry config. Waiting on containers/image#548 to see best course of action to enable white-list behavior. |
a268694
to
0453796
Compare
/hold cancel |
/approve |
config/v1/types_build.go
Outdated
type RegistriesConfig struct { | ||
// SearchRegistries lists the registries to search for images if an image repository is not specified in an image pull spec | ||
// +optional | ||
SearchRegistries RegistriesList `json:"searchRegistries,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This discussion doesn't seem to be resolved:
#144 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My understanding is that we shouldn't have default search repos - if we're in agreement on that then I think we need to doc the behavior change (alongside the new process for updating the search registries).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There will be no default search behavior:
https://coreos.slack.com/archives/CE4L0F143/p1547071004002600
/hold we need a way to default to docker.io. So either this goes in as is, and we treat an empty array as "default to docker.io", or the searchregistry field needs to be a pointer so users can explicitly set the search list as empty if they so choose. My preference is the latter. |
57e8758
to
43f5071
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bparees @smarterclayton updated to use pointers for the registry list.
config/v1/types_build.go
Outdated
type RegistriesConfig struct { | ||
// SearchRegistries lists the registries to search for images if an image repository is not specified in an image pull spec | ||
// +optional | ||
SearchRegistries *RegistriesList `json:"searchRegistries,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Builds will default to using docker.io
for the search registry. Pointer here allows cluster admins to override this behavior. See openshift/builder#36
Others use pointers for API consistency.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think making the rest pointers for consistency(when we don't otherwise have a good reason to make them pointers) is appropriate but i'll let @openshift/api-reviewers make that call.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Builds will default to using
docker.io
for the search registry. Pointer here allows cluster admins to override this behavior. See openshift/builder#36
This implies that nil and empty slice have different behavior. Please document the difference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think making the rest pointers for consistency(when we don't otherwise have a good reason to make them pointers) is appropriate but i'll let @openshift/api-reviewers make that call.
Correct. Only things that must be pointers should be pointers and the difference in behavior should be clearly documented
config/v1/types_build.go
Outdated
@@ -72,6 +76,27 @@ type ImageLabel struct { | |||
Value string `json:"value,omitempty"` | |||
} | |||
|
|||
type RegistriesList []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RegistryList (a list of rats is a RatList, not a RatsList)
config/v1/types_build.go
Outdated
@@ -72,6 +76,27 @@ type ImageLabel struct { | |||
Value string `json:"value,omitempty"` | |||
} | |||
|
|||
type RegistriesList []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, are you sure you want this? No reason you can't have it, but it may mean a bunch of casts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you mean vs just using a string type directly? I assume this was following a pattern we've established elsewhere, i don't have a preference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you mean vs just using a string type directly? I assume this was following a pattern we've established elsewhere, i don't have a preference.
We've done it both ways and unless we're enumerating valid values, I've found []string
to be easier to deal with.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought it would be easier to work with, but truthfully there isn't much difference. Ranging over the slice will still require the dereference.
looks like all comments have been addressed, @adambkaplan please squash and we'll get this merged. |
* Enable support for configuring container registries for builds. See docker day-two tasks. * Document default search behavior. JIRA-ID: DEVEXP-154
0fc5341
to
ec43dc9
Compare
@openshift/api-reviewers squashed & ready to merge. |
/lgtm |
/hold cancel |
/unassign @jwforres |
/retest |
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: adambkaplan, bparees The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
JIRA-ID: DEVEXP-226