Registry Configuration for Builds #144
Conversation
openshift-ci-robot
added
the
size/XS
config/v1/types_build.go
Outdated
| // RegistriesConfig is a reference to a ConfigMap containing the registry configuration | ||
| // for image search, allowed insecure registries, and blocked registries. | ||
| // +optional | ||
| RegistriesConfig ConfigMapReference `json:"registriesConfig,omitempty"` |
There was a problem hiding this comment.
i'm torn over whether this should be top level, or put in BuildDefaults so that we can later allow end-users to provide their own value if they want to.... i'm leaning towards the latter for flexibility, even if we decide we never want to expose it.
Similarly, while you're in here, can you add HTTP/HTTPS/NOPROXY settings to BuildDefaults? (Same logic.. we may or may not want to let end-users specify their own proxy settings on a per build basis in the future).
There was a problem hiding this comment.
(we may also want to revisit moving additionalTrustedCA into BuildDefaults for the same reason, but for now i'm content to leave it while we get things working)
There was a problem hiding this comment.
I had similar thoughts about the HTTP proxies - these should be first-class in some capacity, rather than buried in an ENV var. I'll add those.
Adding to build defaults does give us flexibility. In the long run I'd be worried about security concerns/pushback for such a feature. At present, though, I don't think there is harm going with this approach.
There was a problem hiding this comment.
yes, the security concerns are why i'm not sure we'd ever allow end-users to set these, but again i don't want to paint ourselves into a corner in case we do decide it is an ok thing to do.
for now it'll be a "default" that is effectively the enforced setting.
When you add the proxies please make a struct, so we don't have 3 new top-level fields.
There was a problem hiding this comment.
(gitproxy should have been done that way too. if we get time we might want to fix that for 4.0)
There was a problem hiding this comment.
I think there is also merit in-lining the registries.conf file, rather than referencing a ConfigMap. Thoughts?
There was a problem hiding this comment.
I'm fine with it, though i think @deads2k has been against inlining content like that historically, i can't remember the reasoning though. It certainly would make the consuming logic a lot simpler.
openshift-ci-robot
added
size/M
|
nits, otherwise lgtm |
adambkaplan
force-pushed
the
build-reg-conf
branch
from
423a18a
to
5fec18e
Compare
config/v1/types_build.go
Outdated
| type RegistriesConfig struct { | ||
| // SearchRegistries lists the registries to search for images if an image repository is not specified in an image pull spec | ||
| // +optional | ||
| SearchRegistries []string `json:"searchRegistries,omitempty"` |
There was a problem hiding this comment.
@bparees I feel giving RegistriesConfig first-class support will be more consumer-friendly and resilient to change in the long run.
There was a problem hiding this comment.
seems reasonable to me, but it means you're going to have to reconstruct the registries.conf file in the build controller
There was a problem hiding this comment.
correct, but that isn't hard and isolates tooling changes from cluster admins (YAML yesterday, TOML today, tomorrow who knows...)
There was a problem hiding this comment.
I think SearchRegistries should have a default value of:
registry.redhat.io, quay.io, registry.access.redhat.com, docker.io
so that it "just works" out of the box.
you'll need to make it a pointer so users can differentiate between "i didn't provide a value and so i get the default" and "i provided an empty array, i don't want any search behavior"
There was a problem hiding this comment.
(I want to stop embedding a registries.conf in our builder image)
openshift-ci-robot
added
size/L
config/v1/types_build.go
Outdated
| type RegistriesList []string | ||
|
|
||
| var ( | ||
| DefaultSearchRegistries RegistriesList = []string{"registry.redhat.io", "quay.io", "registry.access.redhat.com", "docker.io"} |
There was a problem hiding this comment.
We disabled these defaults in 3.x - why would we need to have them here?
There was a problem hiding this comment.
yes, just say no to registry search lists. embrace the fully qualified image pull spec. we painted ourselves into a corner by doing this in the past.
There was a problem hiding this comment.
Nm, this is search.
Search is pretty fraught. I'm not sure I want to support that in the future. We agreed in 3.10 / 3.11 that search is counter to our goals with Kubernetes and so endorsing and future tolerating global search is counter to our goals.
There was a problem hiding this comment.
If this has been (and would continue to be) a pain point, how big of a pain would we create by removing this as a confg option?
I think we're in agreement that the sane default is nil, but I'm hesitant to remove search as a config option.
There was a problem hiding this comment.
+1 to what @adambkaplan said. our main concern here is people who already have buildconfigs with non-qualified pullspecs. Those people are either going to have to go fix those buildconfigs, or (if we have this field) the admin can go setup an appropriate search to make things work.
If we are comfortable telling them that what worked in 3.11 (because we did have search, or at least configurable search by tweaking the docker config on the nodes) won't work in 4.0, i'm happy to ditch this option...
Remember that build pull is not identical to kubernetes pull behavior, though (wasn't in 3.11, won't be in 4.0).
There was a problem hiding this comment.
@smarterclayton so is the the final decision? People using un-qualified image specs in 4.0 get broken and told to fix it?
|
Another item that we need to address is the "block all registries but X, Y, Z" that was available in 3.x: https://docs.okd.io/3.11/day_two_guide/docker_tasks.html#docker-external-registries-whitelist-and-blacklist I don't think we have this capability with the IMO I think setting up an HTTP proxy that whitelists the allowed registries would be a better approach if someone wants to only allow pulls from specific repositories. |
|
/hold Scoping this PR back down to the registry config. Waiting on containers/image#548 to see best course of action to enable white-list behavior. |
openshift-ci-robot
added
the
do-not-merge/hold
openshift-ci-robot
added
the
needs-rebase
adambkaplan
force-pushed
the
build-reg-conf
branch
from
a268694
to
0453796
Compare
openshift-ci-robot
added
size/M
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/approve |
config/v1/types_build.go
Outdated
| type RegistriesConfig struct { | ||
| // SearchRegistries lists the registries to search for images if an image repository is not specified in an image pull spec | ||
| // +optional | ||
| SearchRegistries RegistriesList `json:"searchRegistries,omitempty"` |
There was a problem hiding this comment.
This discussion doesn't seem to be resolved:
#144 (comment)
There was a problem hiding this comment.
My understanding is that we shouldn't have default search repos - if we're in agreement on that then I think we need to doc the behavior change (alongside the new process for updating the search registries).
There was a problem hiding this comment.
There will be no default search behavior:
https://coreos.slack.com/archives/CE4L0F143/p1547071004002600
|
/hold we need a way to default to docker.io. So either this goes in as is, and we treat an empty array as "default to docker.io", or the searchregistry field needs to be a pointer so users can explicitly set the search list as empty if they so choose. My preference is the latter. |
openshift-ci-robot
added
the
do-not-merge/hold
adambkaplan
force-pushed
the
build-reg-conf
branch
from
57e8758
to
43f5071
Compare
There was a problem hiding this comment.
@bparees @smarterclayton updated to use pointers for the registry list.
config/v1/types_build.go
Outdated
| type RegistriesConfig struct { | ||
| // SearchRegistries lists the registries to search for images if an image repository is not specified in an image pull spec | ||
| // +optional | ||
| SearchRegistries *RegistriesList `json:"searchRegistries,omitempty"` |
There was a problem hiding this comment.
Builds will default to using docker.io for the search registry. Pointer here allows cluster admins to override this behavior. See openshift/builder#36
Others use pointers for API consistency.
There was a problem hiding this comment.
I don't think making the rest pointers for consistency(when we don't otherwise have a good reason to make them pointers) is appropriate but i'll let @openshift/api-reviewers make that call.
There was a problem hiding this comment.
Builds will default to using
docker.iofor the search registry. Pointer here allows cluster admins to override this behavior. See openshift/builder#36
This implies that nil and empty slice have different behavior. Please document the difference.
There was a problem hiding this comment.
I don't think making the rest pointers for consistency(when we don't otherwise have a good reason to make them pointers) is appropriate but i'll let @openshift/api-reviewers make that call.
Correct. Only things that must be pointers should be pointers and the difference in behavior should be clearly documented
config/v1/types_build.go
Outdated
| @@ -72,6 +76,27 @@ type ImageLabel struct { | |||
| Value string `json:"value,omitempty"` | |||
| } | |||
|
|
|||
| type RegistriesList []string | |||
There was a problem hiding this comment.
RegistryList (a list of rats is a RatList, not a RatsList)
config/v1/types_build.go
Outdated
| @@ -72,6 +76,27 @@ type ImageLabel struct { | |||
| Value string `json:"value,omitempty"` | |||
| } | |||
|
|
|||
| type RegistriesList []string | |||
There was a problem hiding this comment.
Also, are you sure you want this? No reason you can't have it, but it may mean a bunch of casts.
There was a problem hiding this comment.
you mean vs just using a string type directly? I assume this was following a pattern we've established elsewhere, i don't have a preference.
There was a problem hiding this comment.
you mean vs just using a string type directly? I assume this was following a pattern we've established elsewhere, i don't have a preference.
We've done it both ways and unless we're enumerating valid values, I've found []string to be easier to deal with.
There was a problem hiding this comment.
I thought it would be easier to work with, but truthfully there isn't much difference. Ranging over the slice will still require the dereference.
openshift-ci-robot
added
size/M
|
looks like all comments have been addressed, @adambkaplan please squash and we'll get this merged. |
* Enable support for configuring container registries for builds. See docker day-two tasks. * Document default search behavior. JIRA-ID: DEVEXP-154
adambkaplan
force-pushed
the
build-reg-conf
branch
from
0fc5341
to
ec43dc9
Compare
|
@openshift/api-reviewers squashed & ready to merge. |
|
/lgtm |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/unassign @jwforres |
|
/retest |
bparees
added
the
approved
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: adambkaplan, bparees The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
JIRA-ID: DEVEXP-226