karmadactl: add image pull secret flags for karmadactl init #3237

Merged
merged 1 commit into from
Mar 13, 2023

my-git9
Member

@my-git9 my-git9 commented Mar 5, 2023

What type of PR is this?

/kind feature

What this PR does / why we need it:
In a production environment, registries are generally non-public. If the registry we get from the administrator is private, we need to configure the imagepullsecret in the application's yaml file.
So I think it would be better if karmadactl init could specify imagepullsecret.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

`karmadactl`: Introduced `--image-pull-secrets` flag to `init` command to specify the secret.

@karmada-bot karmada-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 5, 2023
@karmada-bot karmada-bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 5, 2023
@codecov-commenter

Codecov Report

Merging #3237 (efd0beb) into master (17533ac) will increase coverage by 0.00%.
The diff coverage is 50.00%.

@@           Coverage Diff           @@
##           master    #3237   +/-   ##
=======================================
  Coverage   49.20%   49.21%           
=======================================
  Files         203      203           
  Lines       18354    18372   +18     
=======================================
+ Hits         9032     9041    +9     
- Misses       8835     8843    +8     
- Partials      487      488    +1     
Flag Coverage Δ
unittests 49.21% <50.00%> (+<0.01%) ⬆️

Impacted Files Coverage Δ
pkg/karmadactl/cmdinit/kubernetes/statefulset.go 0.00% <0.00%> (ø)
pkg/karmadactl/cmdinit/kubernetes/deploy.go 7.84% <20.00%> (+0.30%) ⬆️
pkg/karmadactl/cmdinit/cmdinit.go 73.07% <100.00%> (+0.34%) ⬆️
pkg/karmadactl/cmdinit/kubernetes/deployments.go 100.00% <100.00%> (ø)

@RainbowMango
Member

Hi @my-git9 Can you explain more about why we need this flag in the PR description?

@my-git9
Member Author

my-git9 commented Mar 6, 2023

> Hi @my-git9 Can you explain more about why we need this flag in the PR description?

The description has been updated, thanks

@RainbowMango
Member

> In a production environment, registries are generally non-public. If the registry we get from the administrator is private, we need to configure the imagepullsecret in the application's yaml file.

It makes sense to me. I guess it should be used along with --private-image-registry, right?
But, what if people also specified --kube-image-registry? Should we set the imagePullSecrets for all components in that case?

@my-git9
Member Author

my-git9 commented Mar 6, 2023

> --kube-image-registry

The --kube-image-registry parameter seems to be more designed for the public network environment, if it seems that there is no need to specify imagepullsecret in the public network environment.
In a production environment, the image of kube's k8s should also be managed by a private registry, and imagepullsecret should be required. If both --private-image-registry and --kube-image-registry are specified and from different registries, we can specify two imagepullsecrets. What do you think?

@RainbowMango
Member

I'd like to invite @lonelyCZ for comments.

@lonelyCZ
Member

lonelyCZ commented Mar 7, 2023

> If both --private-image-registry and --kube-image-registry are specified and from different registries, we can specify two imagepullsecrets. What do you think?

I think it seems rare to use --private-image-registry and --kube-image-registry together.

--kube-image-registry is mainly designed to solve the problem that some people can't access the k8s.gcr.io registry.

We should only consider a common case, otherwise it even needs to set a different pull secret for each image. So I think it only sets one flag pull secrets for all components. In my opinion, if the registry needs a secret, it will find a matched secret in ImagePullSecrets, otherwise it doesn't need a secret even if this field is already set.

@RainbowMango
Member

> In my opinion, if the registry needs a secret, it will find a matched secret in ImagePullSecrets, otherwise it doesn't need a secret even if this field is already set.

Do you mean the kubelet knows if the specified registry requires a secret? For a public registry, the ImagePullSecrets will not be used even if it is set, right?

@jwcesign
Member

jwcesign commented Mar 7, 2023

> Do you mean the kubelet knows if the specified registry requires a secret? For a public registry, the ImagePullSecrets will not be used even if it is set, right?

kubelet will try to select the secret by matching the registry. If there is no match, it will try without secrets.

https://github.com/kubernetes/kubernetes/blob/a55bd631728590045b51a4f65bba31aed1415571/pkg/kubelet/kuberuntime/kuberuntime_image.go#L45
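
The credential selection discussed above, as an added Go sketch that is not part of the thread and not the kubelet's code: a pull secret applies only to images whose registry host matches one of its `auths` keys, so an image from any other registry is pulled without credentials. It matches on host only; the function names, `registry.example.internal`, the credentials and the `v0.0.0` tags are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// sampleSecret builds a constructed kubernetes.io/dockerconfigjson payload.
func sampleSecret(registry, user, pass string) string {
	auth := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
	return fmt.Sprintf(`{"auths":{%q:{"auth":%q}}}`, registry, auth)
}

// registryOf returns the registry host of an image reference.
func registryOf(image string) string {
	first, _, found := strings.Cut(image, "/")
	if !found || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return "docker.io" // no registry component: Docker Hub
	}
	return first
}

// selectUser returns the first credential matching the image's registry host; ok=false means anonymous pull.
func selectUser(image string, secrets []string) (user string, ok bool) {
	for _, raw := range secrets {
		var cfg struct {
			Auths map[string]struct{ Auth string } // Auth: base64("user:password")
		}
		_ = json.Unmarshal([]byte(raw), &cfg) // a malformed secret yields no entries
		for key, entry := range cfg.Auths {
			key = strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
			host, _, _ := strings.Cut(key, "/")
			dec, err := base64.StdEncoding.DecodeString(entry.Auth)
			if err == nil && host == registryOf(image) {
				user, _, _ = strings.Cut(string(dec), ":")
				return user, true
			}
		}
	}
	return "", false
}

func main() {
	s := []string{sampleSecret("registry.example.internal", "puller", "constructed")}
	fmt.Println(selectUser("registry.example.internal/karmada/karmada-scheduler:v0.0.0", s))
	fmt.Println(selectUser("registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:v0.0.0", s))
}
```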

@lonelyCZ
Member

lonelyCZ commented Mar 7, 2023

> Do you mean the kubelet knows if the specified registry requires a secret? For a public registry, the ImagePullSecrets will not be used even if it is set, right?

Yes, I just tried it and that was OK.

@RainbowMango
Member

Thanks, I get it. Then, we don't need two flags for the pull secrets.

@my-git9 my-git9 force-pushed the karmadactl-pullsecret branch 2 times, most recently from 48f7af8 to f217d22 Compare March 7, 2023 13:09
@my-git9 my-git9 requested review from RainbowMango and lonelyCZ and removed request for carlory, prodanlabs, RainbowMango and lonelyCZ March 7, 2023 13:09
Member

@RainbowMango RainbowMango left a comment

Please share a test report here.
I wonder how to use it, especially how to prepare the secrets.

@my-git9
Member Author

my-git9 commented Mar 9, 2023

If we want to use this parameter, we should have the following steps:

  1. Create a namespace in advance, such as karmada-system
  2. Create the required pullsecret in the namespace in advance, such as pullsecret1
  3. Execute the installation command: karmadactl init --image-pull-secrets=pullsecret1

The result:

$  ./karmadactl init --image-pull-secrets PullSecret1,PullSecret --crds /tmp/xx.tar.gz --kube-image-registry=registry.cn-hangzhou.aliyuncs.com/google_containers
....
$
$kubectl -nkarmada-system get po -oyaml |grep -A 1 imagePullSecrets
    imagePullSecrets:
    - name: PullSecret1
--
    imagePullSecrets:
    - name: PullSecret1
--
    imagePullSecrets:
    - name: PullSecret1

@RainbowMango

@RainbowMango
Member

OK, I get it. I guess we can explain it in the flag usage.

@my-git9 my-git9 force-pushed the karmadactl-pullsecret branch from f217d22 to 2d2b053 Compare March 9, 2023 12:23
@my-git9 my-git9 requested review from RainbowMango and removed request for lonelyCZ March 9, 2023 12:24
@my-git9
Member Author

my-git9 commented Mar 9, 2023

> OK, I get it. I guess we can explain it in the flag usage.

Updated, thanks

Member

@RainbowMango RainbowMango left a comment

Generally looks good to me.

Please @lonelyCZ take a look.
And consider if we need to add validation for checking the existence of the secret.
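
One way the existence check raised in this review could look, as an added Go sketch (not karmadactl's code): it splits the flag value, rejects names that cannot be Secret names, and compares the rest with the Secrets present in the namespace. `checkPullSecrets` and the name-to-type map are hypothetical; a real check would read the Secrets from the API server.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Secret names must be DNS-1123 subdomains: lowercase, at most 253 characters.
var dns1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// Secret types that carry registry credentials.
var pullTypes = map[string]bool{"kubernetes.io/dockerconfigjson": true, "kubernetes.io/dockercfg": true}

// checkPullSecrets validates a comma-separated --image-pull-secrets value
// against existing, a name-to-type map of the Secrets in the target namespace
// (hypothetical input; a real check would list them through the API server).
func checkPullSecrets(flagValue string, existing map[string]string) (names, problems []string) {
	seen := map[string]bool{}
	for _, n := range strings.Split(flagValue, ",") {
		n = strings.TrimSpace(n)
		if n == "" || seen[n] {
			continue // empty element or duplicate
		}
		seen[n] = true
		typ, found := existing[n]
		switch {
		case len(n) > 253 || !dns1123.MatchString(n):
			problems = append(problems, fmt.Sprintf("%q is not a valid Secret name", n))
		case !found:
			problems = append(problems, fmt.Sprintf("secret %q not found", n))
		case !pullTypes[typ]:
			problems = append(problems, fmt.Sprintf("secret %q has type %q, not a registry credential", n, typ))
		default:
			names = append(names, n)
		}
	}
	return names, problems
}

func main() {
	// Constructed namespace contents.
	existing := map[string]string{"pullsecret1": "kubernetes.io/dockerconfigjson", "tls-cert": "kubernetes.io/tls"}
	names, problems := checkPullSecrets("pullsecret1,PullSecret1,tls-cert,missing,pullsecret1", existing)
	fmt.Println("use:", names)
	fmt.Println(strings.Join(problems, "\n"))
}
```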

@my-git9 my-git9 force-pushed the karmadactl-pullsecret branch from 2d2b053 to 37aca6f Compare March 10, 2023 02:15
@my-git9 my-git9 force-pushed the karmadactl-pullsecret branch from 37aca6f to a26c3dd Compare March 10, 2023 02:38
@my-git9 my-git9 requested a review from lonelyCZ March 10, 2023 03:50
@RainbowMango RainbowMango added this to the v1.6 milestone Mar 10, 2023
@my-git9 my-git9 force-pushed the karmadactl-pullsecret branch from a26c3dd to 97306d6 Compare March 10, 2023 04:50
Member

@RainbowMango RainbowMango left a comment

Generally looks good to me now.
/assign @lonelyCZ

Signed-off-by: xin.li <xin.li@daocloud.io>
@my-git9 my-git9 force-pushed the karmadactl-pullsecret branch from 97306d6 to 0065f18 Compare March 12, 2023 10:10
@my-git9 my-git9 requested review from RainbowMango and removed request for lonelyCZ March 12, 2023 10:11
Member

@RainbowMango RainbowMango left a comment

/lgtm
/assign @lonelyCZ

Thanks.

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 13, 2023
@lonelyCZ
Member

I just tested it in my env and it worked fine!

/approve

@karmada-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lonelyCZ

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 13, 2023
@karmada-bot karmada-bot merged commit fff859d into karmada-io:master Mar 13, 2023