Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use quay.io for third-party images to avoid rate limiting. Fixes #10807 #14239

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

fix: use quay.io for third-party images to avoid rate limiting. Fixes #10807 #14239

wants to merge 5 commits into from

Conversation

MasonM
Copy link
Member

@MasonM MasonM commented Mar 2, 2025
edited
Loading

Partial fix for #10807

Motivation

A major source of flaky CI builds for Argo Workflows is Docker Hub image limits. Here's an example:

[port-forward] (starting) [pods/minio-769877b9db-6j8gt] (Waiting) ErrImagePull: container "main" is waiting: Error response from daemon: toomanyrequests: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit

On April 1st, Docker Hub is further reducing the limits, so I expect this is going to get worse.

Modifications

This switches the images used in the manifests (which are in turn used by the E2E tests) to use equivalent images on quay.io:

I also switched all images to use the manifest digest so we don't need to worry about an image suddenly changing and causing all builds to fail (and also partly for security).

Verification

E2E tests

Documentation

I couldn't find anything that needs to change, but let me know if I missed anything

@MasonM
fix: use quay.io for third-party images to avoid rate limiting
b20b4d4 
A major source of flaky CI builds for Argo Workflows is Docker Hub image limits. Here's an example:
> [port-forward] (starting) [pods/minio-769877b9db-6j8gt] (Waiting) ErrImagePull: container "main" is waiting: Error response from daemon: toomanyrequests: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit

Source: https://github.com/argoproj/argo-workflows/actions/runs/13519739393/job/37776381312?pr=14215

On April 1st, Docker Hub is further reducing the limits, so I expect
this is going to get worse. This switches the images used in the
manifests (which are in turn used by the E2E tests) to use equivalent
images on quay.io:
* https://hub.docker.com/r/minio/minio -> https://quay.io/minio/minio
* https://hub.docker.com/r/kong/httpbin - quay.io/holos/mccutchen/go-httpbin
* https://hub.docker.com/_/mysql/tags?name=8 - https://quay.io/fedora/mysql-80
* https://hub.docker.com/_/postgres/tags?name=12-alpine - https://quay.io/repository/fedora/postgresql-12
* https://hub.docker.com/r/prom/prometheus/ - https://quay.io/repository/prometheus/prometheus

I also switched all images to use the manifest digest so we don't need
to worry about an image suddenly changing and causing all builds to fail
(and also partly for security).

Signed-off-by: Mason Malone <651224+MasonM@users.noreply.github.com>
terrytangyuan
terrytangyuan approved these changes Mar 2, 2025
View reviewed changes
Copy link
Member

@terrytangyuan terrytangyuan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Let's see if this works.

@MasonM
fix: fix postgres and httpbin images
0491155 
Signed-off-by: Mason Malone <651224+MasonM@users.noreply.github.com>
@MasonM
fix: correct token URL
fbf05e1 
Signed-off-by: Mason Malone <651224+MasonM@users.noreply.github.com>
@MasonM
Copy link
Member Author

MasonM commented Mar 2, 2025

/retest

MasonM
MasonM commented Mar 2, 2025
View reviewed changes
manifests/quick-start/base/httpbin/my-httpbin-cred-secret.yaml
@@ -12,7 +12,7 @@ stringData:
# for oauth2 authentication
clientID: admin
clientSecret: password
tokenURL: "http://httpbin:9100/response-headers?access_token=faketoken&token_type=Bearer" # this URL will return a body with the "access_token" field set and can simulate an oauth token flow
tokenURL: "http://httpbin:9100/base64/YWNjZXNzX3Rva2VuPWZha2V0b2tlbg==" # this URL will return a body with the "access_token" field set and can simulate an oauth token flow
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Had to change this because go-httpbin gives different responses for this endpoint: mccutchen/go-httpbin#141

@MasonM MasonM marked this pull request as ready for review March 2, 2025 05:50
@MasonM MasonM requested a review from terrytangyuan March 2, 2025 05:53
@MasonM
fix: switch back postgres user to avoid breaking compatibility
03e41eb 
Signed-off-by: Mason Malone <651224+MasonM@users.noreply.github.com>
@MasonM
Copy link
Member Author

MasonM commented Mar 2, 2025

/retest

@MasonM
Copy link
Member Author

MasonM commented Mar 2, 2025

/retest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blkperl blkperl blkperl approved these changes

@terrytangyuan terrytangyuan Awaiting requested review from terrytangyuan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MasonM @blkperl @terrytangyuan