IR-21: Leveraging image config for "insecure" registries during ImageStreamImport #111
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
ricardomaraschini
changed the title
|
/test e2e-aws |
1 similar comment
|
/test e2e-aws |
|
/test e2e-aws-upgrade |
|
/test e2e-aws |
|
/retest |
ricardomaraschini
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
| @@ -116,6 +116,39 @@ func (config *V2RegistriesConf) Nonempty() bool { | |||
| len(config.UnqualifiedSearchRegistries) != 0) | |||
| } | |||
|
|
|||
| // Insecure returns if access to registry at location is flagged as insecure, i.e. invalid | |||
There was a problem hiding this comment.
This implementation doesn't match the registries.conf documentation.
Please keep it in sync with https://github.com/containers/image/blob/master/pkg/sysregistriesv2/system_registries_v2.go
You may want to import this package directly, AFAIK they fixed their "types" package and it shouldn't have 100500 dependencies anymore.
There was a problem hiding this comment.
I did not know this package was copied from somewhere else. I have updated this PR to vendor the package and remove the copy&pasta we had.
|
/assign @dmage |
|
/assign @mfojtik |
|
/lgtm |
|
/assign @sttts |
| @@ -81,38 +89,68 @@ func NewImageStreamImporter(retriever RepositoryRetriever, regConf *sysregistrie | |||
| limiter: limiter, | |||
| regConf: regConf, | |||
|
|
|||
| digestToRepositoryCache: make(map[gocontext.Context]map[manifestKey]*imageapi.Image), | |||
| digestToRepositoryCache: make(map[context.Context]map[manifestKey]*imageapi.Image), | |||
There was a problem hiding this comment.
that's interesting type. Which context ends up here? The one of the request?
There was a problem hiding this comment.
I had the same impression when I came across this construction for the first time, seems rather interesting. I did some digging and I discovered that this is entangled with the client request's context. The next obvious question I had was: "what?!". I could not find where this was freed so I thought this would grow indefinitely, a real memory hoarder eating everything on its way. Well, this is not the case because the object holding it is created in a per request basis, so the next obvious question was "why?", if it is based on a per request basis why to index per context? My guess is that this object was planned to handle multiple requests at the same time but never got finished.
@dmage Am I missing something here? I think we could have a task to check(fix?) this as tech-debt, what do you think?
There was a problem hiding this comment.
while we touch this, can you add a comment? This has big code smell.
There was a problem hiding this comment.
I created a tech-debt card: https://issues.redhat.com/browse/IR-116
| @@ -11,7 +12,7 @@ import ( | |||
| "testing" | |||
| "time" | |||
|
|
|||
| "golang.org/x/net/context" | |||
| "github.com/containers/image/pkg/sysregistriesv2" | |||
|
|
|||
| @@ -223,7 +237,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation | |||
| r.transport, r.insecureTransport, secretsList.Items, | |||
| ) | |||
| imports := r.importFn(importCtx, v2regConf) | |||
| if err := imports.Import(ctx.(gocontext.Context), isi, stream); err != nil { | |||
| if err := imports.Import(ctx.(context.Context), isi, stream); err != nil { | |||
There was a problem hiding this comment.
Nice catch, removed it.
| @@ -246,7 +260,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation | |||
| r.transport, r.insecureTransport, nil, | |||
| ) | |||
| imports := r.importFn(importCtx, v2regConf) | |||
| if err := imports.Import(ctx.(gocontext.Context), isi, stream); err != nil { | |||
| if err := imports.Import(ctx.(context.Context), isi, stream); err != nil { | |||
There was a problem hiding this comment.
Nice catch, removed it.
|
/retest |
1 similar comment
|
/retest |
|
@dmage: dmage unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/override e2e-cmd |
|
@sttts: /override requires a failed status context to operate on.
Only the following contexts were expected:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/override ci/prow/e2e-cmd |
|
@sttts: Overrode contexts on behalf of sttts: ci/prow/e2e-cmd In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
13 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/hold If the test is broken then there's no point in retesting. Either button merge it or /override after a failure is reported and then unhold (but Tide may decide to re-run the tests before merge so button merge is probably better). |
openshift-ci-robot
added
the
do-not-merge/hold
|
/override ci/prow/e2e-cmd |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
@sttts: Overrode contexts on behalf of sttts: ci/prow/e2e-cmd In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
By leveraging
images.config.openshift.io/cluster"insecure" registry configuration we now can flag a registry as insecure for all image stream imports. Without this patch users had to set the registry as "insecure" on the ImageStreamImport request, regardless of what was defined onimages.config.openshift.io/cluster.I have chosen to include here some other housekeeping changes:
golang.org/x/net/contexttocontextAll four changes above were constricted into their own commits (plus commits where we vendor stuff) in an attempt to make the review easier.
Tests for this feature were implemented through openshift/origin#25058