-
Notifications
You must be signed in to change notification settings - Fork 603
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1924955: Fix that image containers are fetched from external container registries (which doesn't work for private image containers) #8046
Conversation
@jerolimov: This pull request references Bugzilla bug 1924955, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@jerolimov: This pull request references Bugzilla bug 1924955, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @christianvogt |
/retest |
@jerolimov: This pull request references Bugzilla bug 1924955, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
@jerolimov: This pull request references Bugzilla bug 1924955, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@jerolimov: This pull request references Bugzilla bug 1924955, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested. Works fine
/lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jerolimov 🎉
Looks good and have verified works as expected, one nit see if it make sense
const mockImageStreamData = { | ||
apiVersion: 'image.openshift.io/v1', | ||
kind: 'ImageStream', | ||
metadata: { | ||
labels: { | ||
app: 'test-app', | ||
'app.kubernetes.io/component': 'test-app', | ||
'app.kubernetes.io/instance': 'test-app', | ||
'app.kubernetes.io/part-of': 'mock-app', | ||
}, | ||
name: 'test-app', | ||
namespace: 'mock-project', | ||
}, | ||
spec: { | ||
tags: [ | ||
{ | ||
name: 'latest', | ||
annotations: { | ||
'openshift.io/generated-by': 'OpenShiftWebConsole', | ||
'openshift.io/imported-from': 'myimage', | ||
}, | ||
from: { kind: 'DockerImage', name: 'myimage' }, | ||
importPolicy: { insecure: false }, | ||
referencePolicy: { type: 'Local' }, | ||
}, | ||
], | ||
}, | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: this data is used even in below it blocks , we can have it in separate mock data file or before each and use it (update only particular spec field if needed) WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+:100: Absolutely. Extracted this into the mock file which contains also the form data. PTAL
With this option (Local) the ImageStream admission webhook creates a cluster internal URL for the Deployment container template. So images will be downloaded from the internal registry (similar to Knative Services) instead of from the external Image registry. This fixes an issue that external private images could not be downloaded from the Pod with additional changes on the Deployment (define imagePullSecrets) or the ServiceAccount (shared imagePullSecrets)
0a0790c
to
1c60af2
Compare
/approve |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: christianvogt, invincibleJai, jerolimov, rottencandy The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@jerolimov: All pull requests linked via external trackers have merged: Bugzilla bug 1924955 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.6 |
@jerolimov: new pull request created: #8098 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Fixes:
https://issues.redhat.com/browse/ODC-3062
https://issues.redhat.com/browse/OCPBUGSM-24359
https://bugzilla.redhat.com/show_bug.cgi?id=1924955
Analysis / Root cause:
When the user provides a Image Pull Secret (a Secret with type
kubernetes.io/dockerconfigjson
) to access private image registry the Add/Import page validates the image name but the Pod doesn't start later.The "Deploy Image" pages makes an API call to
.../$namespace/imagestreamimports
to verify if the cluster could connect to the external image registry and which image tags are available. The form could be only submit if this was successful. The imagestreamimports endpoint uses the shared Image Pull Secrets of the namespace.But after creating this Deployment (or DeploymentConfig) the container image could not be pulled from the private registry. All Pods are failing with
ErrImagePull
andImagePullBackOff
errors. The reason is that the cluster tries to load the container image directly from the external URL without the provided Secret.As workaround it was possible to assign the Image Pull Secret as
imagePullSecrets:
in the "default" ServiceAccount of the name or provide it (also asimagePullSecrets:
in the Deployment/DeploymentConfig template section for the Pod.Solution Description:
Because the
imagestreamimports
endpoint uses all provided Secrets we decided not to update the page (yet) to select a Secret and assign it to the Deployment.Instead of that, this PR changes the URL of a Deployment from the external image registry to the internal image registry. We already created a ImageStream which pulls the container image successfully.
For this the console needs just to set the image container name (as it does already). Whenever this
image:
was changed in a Deployment it was automatically overridden by an ImageStream admission webhook. This webhook supports areferencePolicy
which isSource
by default. This PR changes this value toLocal
so that the cluster internal image registry was used instead of the external image registry. Whenever the Deployment or ImageStream was changed or triggered, the Deployment contains now a link to the internal image registry.See also:
Screen shots / Gifs for design review:
None. UI is not changed.
Unit test coverage report:
Added some tests for
createOrUpdateImageStream
Test setup:
docker.io
for the Docker Hub andquay.io
for Quay as Registry Server Address.oc import-image nodeinfo-private
.Browser conformance:
/kind bug