-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1741391: support ImageContentSourcePolicy by ImageStreamImport #23
Bug 1741391: support ImageContentSourcePolicy by ImageStreamImport #23
Conversation
@dmage: This pull request references Bugzilla bug 1741391, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@sttts this PR is expected eventually to be backported to 4.2.z. Is it ok to change vendor for such PRs? |
ae83a7a
to
1d3fe8b
Compare
1d3fe8b
to
7b0735c
Compare
/bugzilla refresh |
@dmage: This pull request references Bugzilla bug 1741391, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
7b0735c
to
4dad4c8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, sure, this is consistent with how the ImageContentSourcePolicy
object only configures accesses by digest.
(I don’t quite understand what the UX is going to look like — will the users be forced to manually update ImageStream* objects with new values all the time? Where will they get the values to use? … This is all very much outside my area of expertise, I just hope that someone is thinking about that.)
// - Implement ImageContentSourcePolicy rules in icspRules. | ||
// “Whole registries” above means that the configuration applies to everything on that registry, including any possible separately-configured | ||
// namespaces/repositories within that registry. | ||
func EditRegistriesConfig(config *sysregistriesv2.V2RegistriesConf, insecureRegistries, blockedRegistries []string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please consider vendoring the original (https://github.com/openshift/machine-config-operator/tree/master/pkg/controller/container-runtime-config/registries , or the new repo that is being prepared) so that it is only maintained in one place.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't want to vendor any operator into the API server. The repo is not ready yet. But even if this code live in a new repo, I still don't want to vendor it because of its dependency on the all-in-one package sysregistriesv2. It will add dependency on toml, for example, that is not needed for the API server.
/cc @adambkaplan
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mtrmac I'm getting this repo set up. We'll address the refactor in a later PR.
klog.Warningf("failed to merge ImageContentSourcePolicy resources, mirrored images will not be found: %v", err) | ||
} | ||
for i, reg := range v2regConf.Registries { | ||
v2regConf.Registries[i].Prefix = reg.Location |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(Strictly speaking, this should happen only if .Prefix == ""
. It doesn’t make a difference with the data built by EditRegistriesConfig
.)
@@ -0,0 +1,260 @@ | |||
package sysregistriesv2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not vendor the original from c/image, and make the relationship and maintenance expectations explicit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because the original package also has V1 types that I don't need. And these types need additional dependencies that may create unnecessary complications for backporting this PR (types.SystemContext, for example).
@adambkaplan It'd be good to make packages more granular in the new repo, so we don't need to import dozen packages only because we need to merge two maps.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough, containers/image#692 really is a pain.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW, after containers/image#716 , c/image v4.0.0 no longer imports the compression implementations. Sure, there is still the TOML decoder, and of course containers/image/types
, but I can’t see how merely including that code hurts all that much.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mtrmac we also need to backport this change to 4.2.z
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
containers/image does not currently maintain per-OpenShift branches; you can vendor commit df216d7cdc943e3e2ddef7be67a6abdcaf583e61 directly.
(Or use use the later released v4.0.1, but that forces use of Go modules.)
reg := isi.regConf.Registries[i] | ||
|
||
if bestMatch == nil || len(reg.Prefix) > len(bestMatch.Prefix) { | ||
if scopeMatchesRegistry(repoName, reg.Prefix) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
scopeMatchesRegistry
is only correct when the second parameter is a registry, while reg.Prefix
can be a namespace or a repository name. In particular this will break in the most common case, with ref
a repo:
tag or repo@
digest, and ref.Prefix
being repo.
See how c/image/pkg/sysregistriesv2.FindRegistry
works (or, ideally, just call it — right now that would require writing isi.regConf.Registries
to a temporary file, I suppose that could change).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
repoName
doesn't contain :
nor @
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, true. The code is still misusing scopeMatchesRegistry
, though.
if err != nil { | ||
klog.V(5).Infof("unable to access repository %#v: %#v", repository, err) | ||
switch { | ||
case err == reference.ErrReferenceInvalidFormat: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This detailed error handling seems to have been lost in the move to getManifestByDigest
.
s, err := repo.Manifests(ctx) | ||
if err != nil { | ||
klog.V(5).Infof("unable to access manifests for repository %#v: %#v", repository, err) | ||
switch { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This detailed error handling seems to have been lost in the move to getManifestByDigest
.
d7eb564
to
4ec0340
Compare
/assign @adambkaplan @sttts |
@adambkaplan @sttts please take a look |
/hold This is pending architectural discussion. I think wiring operator clients and reading CR's inside openshift-apiserver is not the correct way to deal with changing the configuration for the operand. We already have mechanism to do this via operand config (in this case openshift apiserver config) and the operator should have observer loop and sets the configuration using this mechanism. This is inventing a new "dynamic" config that depends on CRD provided by cluster-config-operator. Also this config is not changed often, I would say in 99% cases this is "one time setting". /cc @derekwaynecarr |
/retest |
|
2cde0e6
to
693bd90
Compare
Regarding debuggability:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgm
ping @mfojtik regarding the hold
/lgtm |
/retest |
693bd90
to
bd7ed3c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/hold cancel |
@dmage please rename the last commit to |
/approve |
/retest Please review the full test history for this PR and help us cut down flakes. |
bd7ed3c
to
138fe24
Compare
138fe24
to
0e6ca42
Compare
/lgtm Last commit renamed per @mfojtik |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, dmage, mfojtik The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@dmage: All pull requests linked via external trackers have merged. Bugzilla bug 1741391 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
No description provided.