operator-sdk: run bundle{-upgrade} support insecure registry server #4816
Conversation
avalluri
force-pushed
the
insecure-registry
branch
2 times, most recently
from
e78295e
to
07bd720
Compare
| @@ -51,6 +51,7 @@ func (i *Install) BindFlags(fs *pflag.FlagSet) { | |||
|
|
|||
| // --mode is hidden so only users who know what they're doing can alter add mode. | |||
| fs.StringVar((*string)(&i.BundleAddMode), "mode", "", "mode to use for adding bundle to index") | |||
| fs.BoolVar(&i.IndexImageCatalogCreator.AllowInsecure, "allow-insecure", false, "allows pulling bundle image from an insecure registry server") | |||
There was a problem hiding this comment.
How about mirroring opm and naming this
| fs.BoolVar(&i.IndexImageCatalogCreator.AllowInsecure, "allow-insecure", false, "allows pulling bundle image from an insecure registry server") | |
| fs.BoolVar(&i.IndexImageCatalogCreator.SkipTLS, "skip-tls", false, "skip authentication of image registry TLS certificate when pulling a bundle image in-cluster") |
There was a problem hiding this comment.
How about mirroring
opmand naming this
Sounds good, i will update the PR.
There was a problem hiding this comment.
Renamed the option as suggested. Also moved the flag to IndexImageCatalogCreator in internal/olm/operator/registry/index_image.go so the option will be available to both run bundle and run bundle-upgrade.
avalluri
force-pushed
the
insecure-registry
branch
from
07bd720
to
caf2c69
Compare
avalluri
force-pushed
the
insecure-registry
branch
from
7d1fdc2
to
dc4c035
Compare
Released operator-sdk binary does not support running bundle image from local insecure registry. The fix has submitted to upstream: operator-framework/operator-sdk#4816 Till this fix is available in release binary we have to build from source.
| @@ -50,6 +50,8 @@ type BundleItem struct { | |||
| ImageTag string `json:"imageTag"` | |||
| // AddMode describes how the bundle should be added to an index image. | |||
| AddMode BundleAddMode `json:"mode"` | |||
| // SkipTLS controls wether to ignore SSL errors while pulling bundle image from registry server. | |||
| SkipTLS bool `json:"SkipTLS"` | |||
There was a problem hiding this comment.
This field should be added to RegistryPod not BundleItem since it's globally configured and not on a per-bundle basis.
There was a problem hiding this comment.
that's also where the preexisting cert stuff is anyway 👍
There was a problem hiding this comment.
Done. Changed as @estroz suggested.
Released operator-sdk binary does not support running bundle image from local insecure registry. The fix has submitted to upstream: operator-framework/operator-sdk#4816 Till this fix is available in release binary we have to build from source.
|
/lgtm |
| @@ -50,6 +50,8 @@ type BundleItem struct { | |||
| ImageTag string `json:"imageTag"` | |||
| // AddMode describes how the bundle should be added to an index image. | |||
| AddMode BundleAddMode `json:"mode"` | |||
| // SkipTLS controls wether to ignore SSL errors while pulling bundle image from registry server. | |||
| SkipTLS bool `json:"SkipTLS"` | |||
| @@ -302,7 +304,7 @@ func newBool(b bool) *bool { | |||
|
|
|||
| const cmdTemplate = `/bin/mkdir -p {{ dirname .DBPath }} && \ | |||
| {{- range $i, $item := .BundleItems }} | |||
| /bin/opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} && \ | |||
| /bin/opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} --skip-tls={{ $item.SkipTLS }} && \ | |||
There was a problem hiding this comment.
👍 Great catch. When I was playing around to add this locally I didn't notice having to do this.
| BundleItem{ | ||
| ImageTag: "localhost/example-operator-bundle:1.0.1", | ||
| AddMode: SemverBundleAddMode, | ||
| SkipTLS: true, |
There was a problem hiding this comment.
Like was said earlier, this field should be on RegistryPod.
| @@ -91,6 +92,14 @@ var _ = Describe("RegistryPod", func() { | |||
| Expect(rp.DBPath).To(Equal("/database/index.db")) | |||
| }) | |||
|
|
|||
| It("should create a registry with custom database path", func() { | |||
| customDBPath := "/foo/bar/database.db" | |||
There was a problem hiding this comment.
Do we allow a custom database? This seems like we're mixing 2 different items.
There was a problem hiding this comment.
Do we allow a custom database?
I am not sure, in case, we don't support then we could remove dbPath parameter from containerCommandFor in the unit tests.
There was a problem hiding this comment.
At the same time, I don't see any logical reason for not supporting the custom database path.
| } | ||
| return fmt.Sprintf("/bin/mkdir -p /database && \\\n%s/bin/opm registry serve -d /database/index.db -p 50051\n", additions.String()) | ||
| return fmt.Sprintf("/bin/mkdir -p %s && \\\n%s/bin/opm registry serve -d %s -p 50051\n", filepath.Dir(dbPath), additions.String(), dbPath) |
There was a problem hiding this comment.
I didn't think we were allowing custom database path. I think that should be a separate PR.
There was a problem hiding this comment.
I added this custom database change in this PR as the CI reported a failure:
go vet ./...
tools/scripts/fetch golangci-lint 1.31.0 && tools/bin/golangci-lint run
golangci-lint missing or not version '1.31.0', downloading...
golangci/golangci-lint info checking GitHub for tag 'v1.31.0'
golangci/golangci-lint info found version: 1.31.0 for v1.31.0/linux/amd64
golangci/golangci-lint info installed /home/runner/work/operator-sdk/operator-sdk/tools/bin/golangci-lint
internal/olm/operator/registry/index/registry_pod_test.go:234:26: `containerCommandFor` - `dbPath` always receives `defaultDBPath` (`"/database/index.db"`) (unparam)
func containerCommandFor(dbPath string, items []BundleItem, hasCA bool) string {
^
Makefile:122: recipe for target 'test-sanity' failed
make: *** [test-sanity] Error 1
Error: Process completed with exit code 2.
Released operator-sdk binary does not support running bundle image from local insecure registry. The fix has submitted to upstream: operator-framework/operator-sdk#4816 Till this fix is available in release binary we have to build from source.
avalluri
force-pushed
the
insecure-registry
branch
from
dc4c035
to
e6ce4a3
Compare
Thanks! for your review time. Sorry for late responce.
I removed this change from this PR. I will try to send it as a separate PR.
Changed as suggested. |
avalluri
force-pushed
the
insecure-registry
branch
from
e6ce4a3
to
76d64ad
Compare
Supporting insecure registry is useful for testing operator installation from bundle image stored at local registry. Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Released operator-sdk binary does not support running bundle image from local insecure registry. The fix has submitted to upstream: operator-framework/operator-sdk#4816 Till this fix is available in release binary we have to build from source.
Supporting insecure registry is useful for testing operator installation
from a bundle image stored at the local registry.
Closes #4815
Description of the change:
Add a new boolean command-line option(defaults to false) named
--allow-insecurefor bothoperator-sdk run bundleandoperator-sdk run bundle-upgrade. When enabled this argument the commands ignores the SSL errors that occurred while communicating the docker registry. This allows pulling the bundle images from insecure(usually local) docker registries.Motivation for the change:
Using a local insecure registry is a possible case for storing the generated bundle image, and test the operator installation.
Checklist
If the pull request includes user-facing changes, extra documentation is required:
changelog/fragments(seechangelog/fragments/00-template.yaml)website/content/en/docs