Bug 1741391: support ImageContentSourcePolicy by ImageStreamImport #23
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
@dmage: This pull request references Bugzilla bug 1741391, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
bugzilla/invalid-bug
|
@sttts this PR is expected eventually to be backported to 4.2.z. Is it ok to change vendor for such PRs? |
dmage
force-pushed
the
import-from-mirrors
branch
from
ae83a7a
to
1d3fe8b
Compare
openshift-ci-robot
added
size/XL
dmage
force-pushed
the
import-from-mirrors
branch
from
1d3fe8b
to
7b0735c
Compare
|
/bugzilla refresh |
openshift-ci-robot
added
the
bugzilla/valid-bug
|
@dmage: This pull request references Bugzilla bug 1741391, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
removed
the
bugzilla/invalid-bug
dmage
force-pushed
the
import-from-mirrors
branch
from
7b0735c
to
4dad4c8
Compare
There was a problem hiding this comment.
Overall, sure, this is consistent with how the ImageContentSourcePolicy object only configures accesses by digest.
(I don’t quite understand what the UX is going to look like — will the users be forced to manually update ImageStream* objects with new values all the time? Where will they get the values to use? … This is all very much outside my area of expertise, I just hope that someone is thinking about that.)
| // - Implement ImageContentSourcePolicy rules in icspRules. | ||
| // “Whole registries” above means that the configuration applies to everything on that registry, including any possible separately-configured | ||
| // namespaces/repositories within that registry. | ||
| func EditRegistriesConfig(config *sysregistriesv2.V2RegistriesConf, insecureRegistries, blockedRegistries []string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) error { |
There was a problem hiding this comment.
Please consider vendoring the original (https://github.com/openshift/machine-config-operator/tree/master/pkg/controller/container-runtime-config/registries , or the new repo that is being prepared) so that it is only maintained in one place.
There was a problem hiding this comment.
I don't want to vendor any operator into the API server. The repo is not ready yet. But even if this code live in a new repo, I still don't want to vendor it because of its dependency on the all-in-one package sysregistriesv2. It will add dependency on toml, for example, that is not needed for the API server.
/cc @adambkaplan
There was a problem hiding this comment.
@mtrmac I'm getting this repo set up. We'll address the refactor in a later PR.
| klog.Warningf("failed to merge ImageContentSourcePolicy resources, mirrored images will not be found: %v", err) | ||
| } | ||
| for i, reg := range v2regConf.Registries { | ||
| v2regConf.Registries[i].Prefix = reg.Location |
There was a problem hiding this comment.
(Strictly speaking, this should happen only if .Prefix == "". It doesn’t make a difference with the data built by EditRegistriesConfig.)
| @@ -0,0 +1,260 @@ | |||
| package sysregistriesv2 | |||
There was a problem hiding this comment.
Why not vendor the original from c/image, and make the relationship and maintenance expectations explicit?
There was a problem hiding this comment.
Because the original package also has V1 types that I don't need. And these types need additional dependencies that may create unnecessary complications for backporting this PR (types.SystemContext, for example).
@adambkaplan It'd be good to make packages more granular in the new repo, so we don't need to import dozen packages only because we need to merge two maps.
There was a problem hiding this comment.
Fair enough, containers/image#692 really is a pain.
There was a problem hiding this comment.
FWIW, after containers/image#716 , c/image v4.0.0 no longer imports the compression implementations. Sure, there is still the TOML decoder, and of course containers/image/types, but I can’t see how merely including that code hurts all that much.
There was a problem hiding this comment.
@mtrmac we also need to backport this change to 4.2.z
There was a problem hiding this comment.
containers/image does not currently maintain per-OpenShift branches; you can vendor commit df216d7cdc943e3e2ddef7be67a6abdcaf583e61 directly.
(Or use use the later released v4.0.1, but that forces use of Go modules.)
| reg := isi.regConf.Registries[i] | ||
|
|
||
| if bestMatch == nil || len(reg.Prefix) > len(bestMatch.Prefix) { | ||
| if scopeMatchesRegistry(repoName, reg.Prefix) { |
There was a problem hiding this comment.
scopeMatchesRegistry is only correct when the second parameter is a registry, while reg.Prefix can be a namespace or a repository name. In particular this will break in the most common case, with ref a repo:tag or repo@digest, and ref.Prefix being repo.
See how c/image/pkg/sysregistriesv2.FindRegistry works (or, ideally, just call it — right now that would require writing isi.regConf.Registries to a temporary file, I suppose that could change).
There was a problem hiding this comment.
repoName doesn't contain : nor @ here.
There was a problem hiding this comment.
Ah, true. The code is still misusing scopeMatchesRegistry, though.
| if err != nil { | ||
| klog.V(5).Infof("unable to access repository %#v: %#v", repository, err) | ||
| switch { | ||
| case err == reference.ErrReferenceInvalidFormat: |
There was a problem hiding this comment.
This detailed error handling seems to have been lost in the move to getManifestByDigest.
| s, err := repo.Manifests(ctx) | ||
| if err != nil { | ||
| klog.V(5).Infof("unable to access manifests for repository %#v: %#v", repository, err) | ||
| switch { |
There was a problem hiding this comment.
This detailed error handling seems to have been lost in the move to getManifestByDigest.
dmage
force-pushed
the
import-from-mirrors
branch
2 times, most recently
from
d7eb564
to
4ec0340
Compare
openshift-ci-robot
added
size/XXL
dmage
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
/assign @adambkaplan @sttts |
|
@adambkaplan @sttts please take a look |
|
/hold This is pending architectural discussion. I think wiring operator clients and reading CR's inside openshift-apiserver is not the correct way to deal with changing the configuration for the operand. We already have mechanism to do this via operand config (in this case openshift apiserver config) and the operator should have observer loop and sets the configuration using this mechanism. This is inventing a new "dynamic" config that depends on CRD provided by cluster-config-operator. Also this config is not changed often, I would say in 99% cases this is "one time setting". /cc @derekwaynecarr |
|
/retest |
|
dmage
force-pushed
the
import-from-mirrors
branch
from
2cde0e6
to
693bd90
Compare
|
Regarding debuggability:
|
|
/lgtm |
|
/retest |
dmage
force-pushed
the
import-from-mirrors
branch
from
693bd90
to
bd7ed3c
Compare
|
/hold cancel |
|
@dmage please rename the last commit to |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/approve |
openshift-ci-robot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
dmage
force-pushed
the
import-from-mirrors
branch
from
bd7ed3c
to
138fe24
Compare
dmage
force-pushed
the
import-from-mirrors
branch
from
138fe24
to
0e6ca42
Compare
|
/lgtm Last commit renamed per @mfojtik |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, dmage, mfojtik The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@dmage: All pull requests linked via external trackers have merged. Bugzilla bug 1741391 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
No description provided.