-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Config indy generic proxy as a sidecar of buildah task #1815
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What are the implications if we add this sidecar to every single buildah task that is created? Will this result in a drastic increase in cluster utilization?
if [ "$(params.ENABLE_INDY_PROXY)" == "true" ]; then | ||
export QUARKUS_OIDC_CLIENT_CLIENT_ID="$(params.INDY_PROXY_CLIENT_ID)" | ||
export QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET="$(params.INDY_PROXY_CLIENT_CREDENTIAL)" | ||
/deployment/start-service.sh | ||
fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we are to implement a sidecar like this, is there any reason why it needs to be specific to Quarkus/INDY? Would this have value as a generalization?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The service is implemented upon quarkus and both QUARKUS_OIDC_CLIENT_CLIENT_ID
and QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET
are supported in quarkus that we can declare the variable as env, which can be declared in the config file as following:
BTW, the client ID(service account) is used to access Indy.
quarkus
oidc-client:
auth-server-url: ""
client-id:
credentials:
secret:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
QUARKUS_* are internal, I believe it doesn't really matter how they are called.
*_INDY_* should these be renamed to more generic name like HTTP_PROXY_* ?
@@ -725,3 +754,26 @@ spec: | |||
requests: | |||
cpu: 100m | |||
memory: 256Mi | |||
sidecars: | |||
- name: indy-generic-proxy | |||
image: quay.io/factory2/indy-generic-proxy-service:latest-prod |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the provenance of this image?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe we need to follow konflux pattern to build the image if we agree the sidecar proposal.
Seems there is no feature flag in tekton to control the sidecar, so yeah it will result in downloading the image for every single buildah task . Hm.. do we have cache for the image ? if so, it may not download it every time, and we have flag Another way to make this is to deploy it in the cluster as a service, like what we are doing in MP+. |
@@ -139,6 +139,18 @@ spec: | |||
description: The name of the ConfigMap to read CA bundle data from. | |||
type: string | |||
default: trusted-ca | |||
- name: ENABLE_HTTP_PROXY |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not clear from the name nor description which proxy is used and for what purposes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The description could be updated, but it's a generic http proxy, which in our case provides persistent cache per build.
type: string | ||
description: Enable the http proxy (true/false) | ||
default: "false" | ||
- name: HTTP_PROXY_CLIENT_ID |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The name is too generic for a specific use-case in a common flow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we change it to HTTP_PROXY_SSO_CLIENT_ID ?
@@ -725,3 +754,36 @@ spec: | |||
requests: | |||
cpu: 100m | |||
memory: 256Mi | |||
sidecars: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Despite the functionality is behind a feature flag, it's still specific to PNC only.
I think we should keep the buildah task generic and create a dedicated pipeline for specific purposes (like FBC, Java, etc.)
Middleware build pipeline needs to access indy for generic proxy requests (like non-java & non-npm artifacts), and it requires the indy generic proxy deployed together with the builder in the same cluster to handle the proxy http format, which openshift routers don't allow.
In MP+, we deployed this as a standalone service, and in Konflux, the sidecar way maybe a better option, but we hope to start discussing based on this PR, to see which one is better. Or if we need a dedicated task to avoid introducing this to all of the users even there are feature flag.