Bug 1939855: controllers/new: Always pull graph-data images #133
Conversation
Official docs recommend [1]: graphDataImage: registry.example.com/openshift/graph-data:latest That's a mutable tag, so pull-if-not-present will not fetch new data when graph-data changes. Moving to 'Always' will ensure we have fresh data. Before this commit, the tedious mitigation is to use by-digest pullspecs instead of by-tag pullspecs, and to explicitly bump the digest to push out your fresh graph-data. This can create some slight overhead when the target container has not changed since the last pull. And in extreme cases where the canonical registry and all configured mirrors are down, it would prevent the operand pod from launching entirely. But I think the appropriate mitigation for that is to configure a working mirror registry. And though the upstream docs [2] are not clear on this point, I see no benefit to contacting a registry about a by-digest pullspec that is already available locally; perhaps the kubelet will not attempt registry access if you use a by-digest pullspec. [1]: https://docs.openshift.com/container-platform/4.8/updating/installing-update-service.html#update-service-create-service [2]: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
wking
changed the title
wking
changed the title
|
@wking: This pull request references Bugzilla bug 2009651, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (jiajliu@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
bugzilla/severity-high
wking
changed the title
openshift-ci
bot
removed
the
bugzilla/severity-high
|
@wking: This pull request references Bugzilla bug 1939855, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (jiajliu@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
bugzilla/severity-medium
|
/lgtm |
|
@wking: All pull requests linked via external trackers have merged: Bugzilla bug 1939855 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherrypick release-4.9 |
|
@wking: new pull request created: #142 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Official docs recommend:
That's a mutable tag, so pull-if-not-present will not fetch new data when graph-data changes. Moving to
Alwayswill ensure we have fresh data. Before this commit, the tedious mitigation is to use by-digest pullspecs instead of by-tag pullspecs, and to explicitly bump the digest to push out your fresh graph-data.This can create some slight overhead when the target container has not changed since the last pull. And in extreme cases where the canonical registry and all configured mirrors are down, it would prevent the operand pod from launching entirely. But I think the appropriate mitigation for that is to configure a working mirror registry. And though the upstream docs are not clear on this point, I see no benefit to contacting a registry about a by-digest pullspec that is already available locally; perhaps the kubelet will not attempt registry access if you use a by-digest pullspec.