Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1924955: Fix that image containers are fetched from external container registries (which doesn't work for private image containers) #8046

Merged
merged 2 commits into from
Feb 4, 2021
Merged

Bug 1924955: Fix that image containers are fetched from external container registries (which doesn't work for private image containers) #8046

merged 2 commits into from
Feb 4, 2021

Conversation

jerolimov
Copy link
Member

@jerolimov jerolimov commented Feb 4, 2021
edited

Fixes:
https://issues.redhat.com/browse/ODC-3062
https://issues.redhat.com/browse/OCPBUGSM-24359
https://bugzilla.redhat.com/show_bug.cgi?id=1924955

Analysis / Root cause:
When the user provides a Image Pull Secret (a Secret with type kubernetes.io/dockerconfigjson) to access private image registry the Add/Import page validates the image name but the Pod doesn't start later.

The "Deploy Image" pages makes an API call to .../$namespace/imagestreamimports to verify if the cluster could connect to the external image registry and which image tags are available. The form could be only submit if this was successful. The imagestreamimports endpoint uses the shared Image Pull Secrets of the namespace.

But after creating this Deployment (or DeploymentConfig) the container image could not be pulled from the private registry. All Pods are failing with ErrImagePull and ImagePullBackOff errors. The reason is that the cluster tries to load the container image directly from the external URL without the provided Secret.

As workaround it was possible to assign the Image Pull Secret as imagePullSecrets: in the "default" ServiceAccount of the name or provide it (also as imagePullSecrets: in the Deployment/DeploymentConfig template section for the Pod.

Solution Description:
Because the imagestreamimports endpoint uses all provided Secrets we decided not to update the page (yet) to select a Secret and assign it to the Deployment.

Instead of that, this PR changes the URL of a Deployment from the external image registry to the internal image registry. We already created a ImageStream which pulls the container image successfully.

For this the console needs just to set the image container name (as it does already). Whenever this image: was changed in a Deployment it was automatically overridden by an ImageStream admission webhook. This webhook supports a referencePolicy which is Source by default. This PR changes this value to Local so that the cluster internal image registry was used instead of the external image registry. Whenever the Deployment or ImageStream was changed or triggered, the Deployment contains now a link to the internal image registry.

See also:

Screen shots / Gifs for design review:
None. UI is not changed.

Unit test coverage report:
Added some tests for createOrUpdateImageStream

Test setup:

  1. You need a private container image on an external registry like Docker Hub or Quay with credentials to read the image. (Feel free to ask me in Slack for some credentials for a code review.)
  2. Open the developer perspective
  3. Select Secrets > Create > Image Pull Secret and add enter your credentials. Use docker.io for the Docker Hub and quay.io for Quay as Registry Server Address.
  4. Go to Add > Container Image and import your private container image as Deployment or DeploymentConfig. (If you have the Serverless Operator installed you can also verify that the Knative Services works already before this change.)
  5. Check in Topology that the Pods can start successful.
  6. I also verified that an updated image in the external image registry could be updated via oc import-image nodeinfo-private.

Browser conformance:

  • Chrome
  • Firefox
  • Safari
  • Edge

/kind bug

@openshift-ci-robot openshift-ci-robot added kind/bug Categorizes issue or PR as related to a bug. bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Feb 4, 2021
@openshift-ci-robot
Copy link
Contributor

@jerolimov: This pull request references Bugzilla bug 1924955, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1924955: Fix that image containers are fetched from external container registries (which doesn't work for private image containers)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the component/dev-console Related to dev-console label Feb 4, 2021
@openshift-ci-robot
Copy link
Contributor

@jerolimov: This pull request references Bugzilla bug 1924955, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1924955: Fix that image containers are fetched from external container registries (which doesn't work for private image containers)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jerolimov
Copy link
Member Author

/assign @christianvogt
/cc @invincibleJai

@jerolimov
Copy link
Member Author

/retest

@openshift-ci-robot
Copy link
Contributor

@jerolimov: This pull request references Bugzilla bug 1924955, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1924955: Fix that image containers are fetched from external container registries (which doesn't work for private image containers)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

1 similar comment
@openshift-ci-robot
Copy link
Contributor

@jerolimov: This pull request references Bugzilla bug 1924955, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1924955: Fix that image containers are fetched from external container registries (which doesn't work for private image containers)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jerolimov jerolimov mentioned this pull request Feb 4, 2021
Merged
4 tasks
@openshift-ci-robot
Copy link
Contributor

@jerolimov: This pull request references Bugzilla bug 1924955, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1924955: Fix that image containers are fetched from external container registries (which doesn't work for private image containers)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

rottencandy
rottencandy approved these changes Feb 4, 2021
View reviewed changes
Copy link
Contributor

@rottencandy rottencandy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested. Works fine
/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 4, 2021
invincibleJai
invincibleJai reviewed Feb 4, 2021
View reviewed changes
Copy link
Member

@invincibleJai invincibleJai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @jerolimov 🎉

Looks good and have verified works as expected, one nit see if it make sense

frontend/packages/dev-console/src/components/import/__tests__/deployImage-submit-utils.spec.ts Outdated
Comment on lines 85 to 112
const mockImageStreamData = {
apiVersion: 'image.openshift.io/v1',
kind: 'ImageStream',
metadata: {
labels: {
app: 'test-app',
'app.kubernetes.io/component': 'test-app',
'app.kubernetes.io/instance': 'test-app',
'app.kubernetes.io/part-of': 'mock-app',
},
name: 'test-app',
namespace: 'mock-project',
},
spec: {
tags: [
{
name: 'latest',
annotations: {
'openshift.io/generated-by': 'OpenShiftWebConsole',
'openshift.io/imported-from': 'myimage',
},
from: { kind: 'DockerImage', name: 'myimage' },
importPolicy: { insecure: false },
referencePolicy: { type: 'Local' },
},
],
},
};
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: this data is used even in below it blocks , we can have it in separate mock data file or before each and use it (update only particular spec field if needed) WDYT?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+:100: Absolutely. Extracted this into the mock file which contains also the form data. PTAL

@jerolimov
Add unit test for createOrUpdateImageStream
9c2c452
@jerolimov
Force referencePolicy to to use cluster image registry
1c60af2 
With this option (Local) the ImageStream admission webhook creates a cluster internal URL for the Deployment container template. So images will be downloaded from the internal registry (similar to Knative Services) instead of from the external Image registry. This fixes an issue that external private images could not be downloaded from the Pod with additional changes on the Deployment (define imagePullSecrets) or the ServiceAccount (shared imagePullSecrets)
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Feb 4, 2021
@christianvogt
Copy link
Contributor

/approve

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 4, 2021
@invincibleJai
Copy link
Member

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 4, 2021
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: christianvogt, invincibleJai, jerolimov, rottencandy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 809e2da into openshift:master Feb 4, 2021
@openshift-ci-robot
Copy link
Contributor

@jerolimov: All pull requests linked via external trackers have merged:

Bugzilla bug 1924955 has been moved to the MODIFIED state.

In response to this:

Bug 1924955: Fix that image containers are fetched from external container registries (which doesn't work for private image containers)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@spadgett spadgett added this to the v4.7 milestone Feb 5, 2021
@jerolimov
Copy link
Member Author

/cherry-pick release-4.6

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Feb 8, 2021
Merged
@openshift-cherrypick-robot
Copy link

@jerolimov: new pull request created: #8098

In response to this:

/cherry-pick release-4.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@karthikjeeyar karthikjeeyar Awaiting requested review from karthikjeeyar

@nemesis09 nemesis09 Awaiting requested review from nemesis09

@rottencandy rottencandy Awaiting requested review from rottencandy

@invincibleJai invincibleJai Awaiting requested review from invincibleJai

Assignees

@invincibleJai invincibleJai

@christianvogt christianvogt

@rottencandy rottencandy

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. component/dev-console Related to dev-console kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
v4.7
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@jerolimov @openshift-ci-robot @christianvogt @invincibleJai @openshift-cherrypick-robot @rottencandy @spadgett @openshift-merge-robot