New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix catsrc pod hash logic #3102
Fix catsrc pod hash logic #3102
Conversation
/hold I'll remove this when I'm ready to merge. |
1529781
to
df14862
Compare
Er sorry - |
@stevekuznetsov I can move it to its own test suite, but functionally the existing implementation guarantees that the pod is constructed with the proper imagePullSecrets defined by the serviceAccount, is the reason for the change request just to avoid muddying the purpose of a test? |
Yes, that's all. |
df14862
to
15f881b
Compare
15f881b
to
dc9fc50
Compare
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awgreene The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/unhold Good to go! |
Problem: Commit 95405d81e4c87c8113ccd7a95ba4d088b200a42ai updated the catalog operator's logic so it does not delete the pod associated with a catalogSource while it is in a Pending state. Unfortunately, there is a race condition in which the pod may be admitted to the cluster without the imagePullSecrets specified for it's serviceAccount by the admission controller, preventing the pod from pulling its image from registries that require authentication and causing the pod to never reach a successful state. Solution: Update the catalog operator to detect when a pod is missing the imagePullSecrets granted to its serviceAccount. Signed-off-by: Alexander Greene <greene.al1991@gmail.com>
dc9fc50
to
8a52c14
Compare
@@ -192,6 +201,9 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img, | |||
"kubernetes.io/os": "linux", | |||
}, | |||
ServiceAccountName: saName, | |||
// If this field is not set, there that the is a chance that pod will be created without the imagePullSecret | |||
// defined by the serviceAccount | |||
ImagePullSecrets: saImagePullSecrets, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This line change is more or less the purpose for the entire PR.
0e1e089
No description provided.