Add parsing for registries.conf wildcard entries #2689
@umohnani8 is this... the minimum set of changes for the re-vendoring? Because I'm kind of concerned at updating & adding 1200 files.
/retest
@kikisdeliveryservice yup, I just had to update two repos and go mod pulled in everything else on its own based on that.
We are now also parsing /etc/containers/registries.conf to determine whether a change made is safe to skip node drain or not https://github.com/openshift/machine-config-operator/blob/master/pkg/daemon/drain.go#L166 , especially, for icsp related changes. Do you think this PR may require some update in our logic?
A lot of that is a problematic dependency chain that brings the full containers/storage driver set, via containers/image#1146 . It’s not fundamentally necessary, but I’m also not sure we can fix it today. I can take a stab at it if it is important.
Is this supposed to work only on MCO-generated data, or in general, including user-provided ignition files? If the latter, oh boy, that looks rather brittle, possibly breaking any time a new option is added to the config file. Either way, the code that uses
This doesn't come into picture for initial boot. MCO is parsing and determining the change performed on cluster as a day2 operation if registries.conf content changed between old and newly generated rendered-config.
+1
To be very explicit, I think this is a blocker for merging.
@mtrmac I accounted for the Prefix if it has a value 3e408f1#diff-58db213cf6f6259a621f8d3421b5e8af55ed71c9f52c15b255f66f0b1e78a946R226, PTAL
ACK, one more location.
Yes, but users can add new MachineConfig resources that contain ignition content, overriding what the MCO runtime-config mechanism creates, can’t they? (I don’t know, that might be unsupported, but IIRC some people are sharing such recipes.)
/lgtm
Thanks!
@sinnykumari @kikisdeliveryservice can I please get an approve here :)
Possible but are they supported? I don't have full picture. I thought in OCP this would ideally be managed only by MCO by applying ctrcfg. @umohnani8 can you confirm this? If this is true, I would suggest to hold this PR for 4.10 where we can work on improving drain behaviour accordingly.
Users can override the registries.conf setting by applying a MC that adds a drop-in file at We don't recommend and support the MC way, but I believe that method has been shared in the past when the user absolutely had to use it. I don't think we need to hold this PR because of that. If the MC method is being used at all, it would be for only a limited number of clusters (most probably less than 5 cases).
Thanks @umohnani8 for confirming! I am fine with this to go in as we don't see any known issues.
The registries.conf file now supports wildcard entries. Add validation for possible entries for insecure, blocked, and allowed and vendor in updated runtime-utils for handling the wildcard entries correctly. Add some more test cases for wildcard entries. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Pulls in changes to handle wildcard entries for registries.conf Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
@sinnykumari the test should be fixed now. Can I please get an approve and lgtm here
Yeah, looks like test is fixed now. Since, later changes made was only in Makefile to fix gcp-op test and @mtrmac has already added lgtm for container runtime specific changes. Should be good to get merged. /lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mtrmac, sinnykumari, umohnani8
containers/storage#972 + containers/image#1312 will reduce the effect, with that this PR would count 749 modified files (and a lot of that is dependency upgrades, not just net-new additions). We should go further than that to exclude the compression implementations entirely, but that part of containers/image#1146 (and its impact on the stable API) looks much more difficult.
#2695 .
... to remove a lot of the c/storage dependencies added in openshift#2689 . Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Urvashi Mohnani umohnani@redhat.com
- What I did
The registries.conf file now supports wildcard entries.
Add validation for possible entries for insecure, blocked,
and allowed and vendor in updated runtime-utils for handling
the wildcard entries correctly.
Add some more test cases for wildcard entries.
- How to verify it
Add wildcard entries such as ".foo.com" to the cluster wide Image CR for insecure, blocked, or allowed registries. When matching certificates, if we are pulling from "example.foo.com", it will match the settings for ".foo.com" to it. So users don't need to have a long list of entries in their registries.conf file if they all match to a common dns name.
- Description for the changelog
Add support for registries.conf wildcard entries.
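
The wildcard behaviour described under "How to verify it", as an added example that is not code from this PR, runtime-utils or containers/image. It uses the `*.foo.com` form that containers-registries.conf accepts for wildcard prefixes; `hostOf`, `entryMatches` and `bestEntry` are hypothetical helpers and the entries and references are constructed. The point for a blocked or insecure list is that the wildcard must match on a DNS label boundary, so look-alike hosts do not inherit the setting.

```go
package main

import (
	"fmt"
	"strings"
)

// hostOf returns the registry hostname of an image reference (no port, path, tag or digest).
func hostOf(ref string) string {
	if i := strings.IndexAny(ref, ":/@"); i >= 0 {
		return ref[:i]
	}
	return ref
}

// entryMatches reports whether one registries.conf-style entry applies to ref.
// Hypothetical helper: a simplified model, not the containers/image matcher.
func entryMatches(entry, ref string) bool {
	if strings.HasPrefix(entry, "*.") {
		suffix := entry[1:] // keep the leading dot: match only on a DNS label boundary
		host := hostOf(ref)
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	}
	if ref == entry {
		return true
	}
	// Plain entries match as a prefix that ends on a ':', '/' or '@' boundary.
	return strings.HasPrefix(ref, entry) && strings.ContainsRune(":/@", rune(ref[len(entry)]))
}

// bestEntry returns the longest entry that applies to ref, or "" if none does.
func bestEntry(entries []string, ref string) string {
	best := ""
	for _, e := range entries {
		if entryMatches(e, ref) && len(e) > len(best) {
			best = e
		}
	}
	return best
}

func main() {
	// Constructed sample entries and references.
	blocked := []string{"*.foo.com", "registry.example.com/team"}
	for _, ref := range []string{"example.foo.com/app:1", "foo.com/app", "evilfoo.com/app",
		"a.foo.com.attacker.example/app", "registry.example.com/teamster/app"} {
		fmt.Printf("%-36s -> %q\n", ref, bestEntry(blocked, ref))
	}
}
```

In this model only the first reference picks up the `*.foo.com` entry; the bare domain, the look-alike host and the suffix-spoofing host all fall through to no entry.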