[OCPNODE-521] Add CRD ImageDigestMirrorSet and ImageTagMirrorSet #1126
Conversation
QiWang19
force-pushed
the
mirrorset
branch
2 times, most recently
from
430b766 to
ca942a5
Compare
QiWang19
changed the title
|
@umohnani8 @mrunalp PTAL |
config/v1/0000_10_config-operator_01_imagecontentpolicy.crd.yaml
Outdated
Show resolved
Hide resolved
| pattern: ^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$ | ||
| x-kubernetes-list-type: set | ||
| neverContactSource: | ||
| description: When enabled, prevents image pull from the specified repository in the pull spec if the image pull form the mirror list fails. Default is false, the image will continue to be pulled from the pull spec if the image can not be pulled from the mirror list. neverContactSource is valid configuration only when one or more mirrors are in the mirror list. |
There was a problem hiding this comment.
Is pull spec the same as the source here? I think to the blear we should say something like prevents image pull from the source registry if all mirrors fail
@mtrmac wdyt?
There was a problem hiding this comment.
The source here is probably a regex, something like prevents image pull from the pull spec that matches the source?
There was a problem hiding this comment.
The rest of the CR documentation seems to fairly consistently say something like “from the repository specified in the pull spec”, so this should be consistent.
(In other documents we talk about source or primary locations; this CR doesn’t seem to use that terminology right now. I don’t very much care what the name is, but it should be consistent.)
There was a problem hiding this comment.
(And just for the record, the source is a repo or repo namespace, or a wild-carded host name pattern, as documented in the comments; it is never a regex. Though the general point that we might not be pulling from exactly the Source string value is completely correct.)
config/v1/0000_10_config-operator_01_imagedigestmirrorset.crd.yaml
Outdated
Show resolved
Hide resolved
config/v1/0000_10_config-operator_01_imagetagmirrorset.crd.yaml
Outdated
Show resolved
Hide resolved
config/v1/0000_10_config-operator_01_imagetagmirrorset.crd.yaml
Outdated
Show resolved
Hide resolved
QiWang19
force-pushed
the
mirrorset
branch
2 times, most recently
from
8f3df92 to
d5b530a
Compare
|
@mtrmac PTAL. |
config/v1/0000_10_config-operator_01_imagecontentpolicy.crd.yaml
Outdated
Show resolved
Hide resolved
| // https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table | ||
| // +optional | ||
| // +listType=set | ||
| Mirrors []Mirrors `json:"mirrors,omitempty"` |
There was a problem hiding this comment.
Is my registry authentication presented to these mirrors? Given multiple possible tokens, are tokens tried against each mirror first or is a single token tried against all mirrors first?
There was a problem hiding this comment.
tokens tried against each mirror. The order of mirrors in this mirrors list is the desired order. The mirrors will be tried in this order, if you have multiple tokens including the token for the current pulling mirror, the token will be used to access the mirror.
There was a problem hiding this comment.
All of these mirrors configurations are invisible to Kubelet, and the CRI (the Kubelet / CRI-O API) does not currently allow passing credentials for multiple registries.
So, what happens is that the Kubelet reads the Pod’s pull secret, if any, and extracts the credentials only matching source, and provides them in the CRI API. If the Pod’s pull secret contains any credentials for mirrors, those are completely ignored. CRI-O uses the CRI-provided credentials to contact the source only; for mirrors, it uses credentials available in the node-global config.json (in OpenShift, that’s the global cluster pull secret).
(IIRC, if the Pod’s pull secret(s) contain multiple sets of credentials for the same registry, Kubelet tries the pull operation, with each credential. So, in that case, we would try all of the credentials for the source registry; but the mirrors, if any, would all use the global cluster pull secret, repeatedly on each of those retries.)
(The inability of the user to provide mirror credentials via a pod’s pull secret is a known limitation of the mirroring mechanism, and nothing changes about that with this enhancement / these API changes.)
config/v1/0000_10_config-operator_01_imagedigestmirrorset.crd.yaml
Outdated
Show resolved
Hide resolved
|
|
||
| // SourcePolicy defines the fallback policy if fails to pull image from the mirrors. | ||
| // +kubebuilder:validation:Enum=sourceNever;sourceLast | ||
| type SourcePolicy string |
There was a problem hiding this comment.
Non-blocking: SourcePolicy feels a bit too generic of a name to use within the wide scope of of config/v1 . MirrorSourcePolicy at least? ImageMirrorSourceAccess?
| pattern: ^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$ | ||
| x-kubernetes-list-type: set | ||
| neverContactSource: | ||
| description: When enabled, prevents image pull from the specified repository in the pull spec if the image pull form the mirror list fails. Default is false, the image will continue to be pulled from the pull spec if the image can not be pulled from the mirror list. neverContactSource is valid configuration only when one or more mirrors are in the mirror list. |
There was a problem hiding this comment.
The rest of the CR documentation seems to fairly consistently say something like “from the repository specified in the pull spec”, so this should be consistent.
(In other documents we talk about source or primary locations; this CR doesn’t seem to use that terminology right now. I don’t very much care what the name is, but it should be consistent.)
| NeverContactSource MirrorSourcePolicy = "neverContactSource" | ||
|
|
||
| // allowContactingSource allow falling back to the specified repository in the pull spec if the image pull from the mirror list fails. | ||
| AllowContactingSource MirrorSourcePolicy = "allowContactingSource" |
There was a problem hiding this comment.
CamelCase, "AllowContactingSource"
There was a problem hiding this comment.
fixed and the above CamelCase
|
After comments on case, this looks good. |
Add CRD ImageDigestMirrorSet and ImageTagMirrorSet to have API for epics:
https://issues.redhat.com/browse/OCPNODE-521: different API for two saprate lists for digest
image pull and tag image pull using mirrors.
https://issues.redhat.com/browse/OCPNODE-810: add an option for user to choose if the source of
the mirror should be denied if the mirrors pull failed.
Enhancement:
[OCPNODE-747] New CRD ImageDigestMirrorSet and ImageTagMirrorSet to support AllowMirrByTags enhancements#929
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
@QiWang19: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/approve |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, QiWang19 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/label docs-approved FYI: @TanyaShearonRH |
openshift-ci
bot
added
the
docs-approved
|
/label |
|
/label px-approved |
openshift-ci
bot
added
px-approved
Update openshift/api dependency to import ImageDigest/TagMirrorSet CRD: openshift/api#1126 Signed-off-by: Qi Wang <qiwan@redhat.com>
Update openshift/api dependency to import ImageDigest/TagMirrorSet CRD: openshift/api#1126 Signed-off-by: Qi Wang <qiwan@redhat.com>
Update openshift/api dependency to import ImageDigest/TagMirrorSet CRD: openshift/api#1126 Signed-off-by: Qi Wang <qiwan@redhat.com>
Add CRD ImageDigestMirrorSet and ImageTagMirrorSet to have API for epics:
image pull and tag image pull using mirrors.
the mirror should be denied if the mirrors pull failed.
Enhancement: [OCPNODE-747] New CRD ImageDigestMirrorSet and ImageTagMirrorSet to support AllowMirrByTags enhancements#929