New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
operator-sdk: run bundle{-upgrade} support insecure registry server #4816
Conversation
e78295e
to
07bd720
Compare
@@ -51,6 +51,7 @@ func (i *Install) BindFlags(fs *pflag.FlagSet) { | |||
|
|||
// --mode is hidden so only users who know what they're doing can alter add mode. | |||
fs.StringVar((*string)(&i.BundleAddMode), "mode", "", "mode to use for adding bundle to index") | |||
fs.BoolVar(&i.IndexImageCatalogCreator.AllowInsecure, "allow-insecure", false, "allows pulling bundle image from an insecure registry server") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about mirroring opm
and naming this
fs.BoolVar(&i.IndexImageCatalogCreator.AllowInsecure, "allow-insecure", false, "allows pulling bundle image from an insecure registry server") | |
fs.BoolVar(&i.IndexImageCatalogCreator.SkipTLS, "skip-tls", false, "skip authentication of image registry TLS certificate when pulling a bundle image in-cluster") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about mirroring
opm
and naming this
Sounds good, i will update the PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Renamed the option as suggested. Also moved the flag to IndexImageCatalogCreator
in internal/olm/operator/registry/index_image.go
so the option will be available to both run bundle
and run bundle-upgrade
.
07bd720
to
caf2c69
Compare
7d1fdc2
to
dc4c035
Compare
Released operator-sdk binary does not support running bundle image from local insecure registry. The fix has submitted to upstream: operator-framework/operator-sdk#4816 Till this fix is available in release binary we have to build from source.
@@ -50,6 +50,8 @@ type BundleItem struct { | |||
ImageTag string `json:"imageTag"` | |||
// AddMode describes how the bundle should be added to an index image. | |||
AddMode BundleAddMode `json:"mode"` | |||
// SkipTLS controls wether to ignore SSL errors while pulling bundle image from registry server. | |||
SkipTLS bool `json:"SkipTLS"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This field should be added to RegistryPod
not BundleItem
since it's globally configured and not on a per-bundle basis.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's also where the preexisting cert stuff is anyway 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Changed as @estroz suggested.
Released operator-sdk binary does not support running bundle image from local insecure registry. The fix has submitted to upstream: operator-framework/operator-sdk#4816 Till this fix is available in release binary we have to build from source.
/lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All in all a GREAT PR. I have 2 items:
- the custom DB path should be a separate PR
- the SkipTLS field should be on RegistryPod like others mentioned.
@@ -50,6 +50,8 @@ type BundleItem struct { | |||
ImageTag string `json:"imageTag"` | |||
// AddMode describes how the bundle should be added to an index image. | |||
AddMode BundleAddMode `json:"mode"` | |||
// SkipTLS controls wether to ignore SSL errors while pulling bundle image from registry server. | |||
SkipTLS bool `json:"SkipTLS"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed
@@ -302,7 +304,7 @@ func newBool(b bool) *bool { | |||
|
|||
const cmdTemplate = `/bin/mkdir -p {{ dirname .DBPath }} && \ | |||
{{- range $i, $item := .BundleItems }} | |||
/bin/opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} && \ | |||
/bin/opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} --skip-tls={{ $item.SkipTLS }} && \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 Great catch. When I was playing around to add this locally I didn't notice having to do this.
BundleItem{ | ||
ImageTag: "localhost/example-operator-bundle:1.0.1", | ||
AddMode: SemverBundleAddMode, | ||
SkipTLS: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like was said earlier, this field should be on RegistryPod.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@@ -91,6 +92,14 @@ var _ = Describe("RegistryPod", func() { | |||
Expect(rp.DBPath).To(Equal("/database/index.db")) | |||
}) | |||
|
|||
It("should create a registry with custom database path", func() { | |||
customDBPath := "/foo/bar/database.db" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we allow a custom database? This seems like we're mixing 2 different items.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we allow a custom database?
I am not sure, in case, we don't support then we could remove dbPath
parameter from containerCommandFor
in the unit tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At the same time, I don't see any logical reason for not supporting the custom database path.
} | ||
return fmt.Sprintf("/bin/mkdir -p /database && \\\n%s/bin/opm registry serve -d /database/index.db -p 50051\n", additions.String()) | ||
return fmt.Sprintf("/bin/mkdir -p %s && \\\n%s/bin/opm registry serve -d %s -p 50051\n", filepath.Dir(dbPath), additions.String(), dbPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't think we were allowing custom database path. I think that should be a separate PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added this custom database change in this PR as the CI reported a failure:
go vet ./...
tools/scripts/fetch golangci-lint 1.31.0 && tools/bin/golangci-lint run
golangci-lint missing or not version '1.31.0', downloading...
golangci/golangci-lint info checking GitHub for tag 'v1.31.0'
golangci/golangci-lint info found version: 1.31.0 for v1.31.0/linux/amd64
golangci/golangci-lint info installed /home/runner/work/operator-sdk/operator-sdk/tools/bin/golangci-lint
internal/olm/operator/registry/index/registry_pod_test.go:234:26: `containerCommandFor` - `dbPath` always receives `defaultDBPath` (`"/database/index.db"`) (unparam)
func containerCommandFor(dbPath string, items []BundleItem, hasCA bool) string {
^
Makefile:122: recipe for target 'test-sanity' failed
make: *** [test-sanity] Error 1
Error: Process completed with exit code 2.
Released operator-sdk binary does not support running bundle image from local insecure registry. The fix has submitted to upstream: operator-framework/operator-sdk#4816 Till this fix is available in release binary we have to build from source.
dc4c035
to
e6ce4a3
Compare
Thanks! for your review time. Sorry for late responce.
I removed this change from this PR. I will try to send it as a separate PR.
Changed as suggested. |
e6ce4a3
to
76d64ad
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Supporting insecure registry is useful for testing operator installation from bundle image stored at local registry. Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Released operator-sdk binary does not support running bundle image from local insecure registry. The fix has submitted to upstream: operator-framework/operator-sdk#4816 Till this fix is available in release binary we have to build from source.
Supporting insecure registry is useful for testing operator installation
from a bundle image stored at the local registry.
Closes #4815
Description of the change:
Add a new boolean command-line option(defaults to false) named
--allow-insecure
for bothoperator-sdk run bundle
andoperator-sdk run bundle-upgrade
. When enabled this argument the commands ignores the SSL errors that occurred while communicating the docker registry. This allows pulling the bundle images from insecure(usually local) docker registries.Motivation for the change:
Using a local insecure registry is a possible case for storing the generated bundle image, and test the operator installation.
Checklist
If the pull request includes user-facing changes, extra documentation is required:
changelog/fragments
(seechangelog/fragments/00-template.yaml
)website/content/en/docs