Commit

Add neverContactSource field to CRDs
neverContactSource to satisfy the use case in epic: https://issues.redhat.com/browse/OCPNODE-810

Signed-off-by: Qi Wang <qiwan@redhat.com>
QiWang19 committed Feb 28, 2022
1 parent 8aea177 commit 62b98af
Showing 1 changed file with 27 additions and 7 deletions.
Expand Up @@ -3,15 +3,17 @@ title: add-new-CRD-ImageDigestMirrorSet-and-ImageTagMirrorSet-to-config.openshif
authors:
- "@QiWang19"
reviewers:
- TBD
- "@mtrmac"
- "@kikisdeliveryservice"
- "@sttts"
approvers:
- TBD
api-approvers:
- TBD
- "@sttts"
- "@oscardoe"
creation-date: 2021-03-10
last-updated: 2021-12-10
last-updated: 2022-02-28
status: implementable
---
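
Review bot: `approvers` is still `- TBD` in the front matter while `status: implementable` is set and `last-updated` moves to 2022-02-28. Name an approver before this merges, and make sure no `- TBD` placeholder remains under `reviewers` or `api-approvers` alongside the named entries.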

Expand Down Expand Up @@ -59,7 +61,6 @@ that. So a new CRD should be created, and ImageContentSourcePolicy(ICSP) under o
## Proposal

The New CRD `ImageDigestMirrorSet` will be added to config.openshift.io/v1.
The schema of `ImageDigestMirrorSet` is same as `ImageContentSourcePolicy`.

```go
// ImageDigestMirrorSetSpec is the specification of the ImageDigestMirrorSet CRD.
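
Review bot: With the sentence `The schema of ImageDigestMirrorSet is same as ImageContentSourcePolicy.` dropped from the Proposal, readers migrating from ICSP are no longer told how the two schemas relate. Replace the sentence rather than only deleting it, for example by stating that the schema follows `ImageContentSourcePolicy` with the addition of `neverContactSource`.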
Expand Down Expand Up @@ -130,6 +131,11 @@ type RepositoryDigestMirrors struct {
// +optional
// +listType=set
Mirrors []Mirror `json:"mirrors,omitempty"`
// When enabled, prevents image pull from the specified repository in the pull spec if the image pull form the mirror list fails.
// Default is false, the image will continue to be pulled from the pull spec if the image can not be pulled from the mirror list.
// neverContactSource is valid configuration only when one or more mirrors are in the mirror list.
// +optional
NeverContactSource bool `json:"neverContactSource,omitempty"`
}

// +kubebuilder:validation:Pattern=`^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$`
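
Review bot: The comment on `NeverContactSource` in `RepositoryDigestMirrors` says it `is valid configuration only when one or more mirrors are in the mirror list`, but no validation marker in the visible lines enforces that: `Mirrors` stays `+optional` with `omitempty`, so an object with `neverContactSource: true` and an empty mirror list passes the schema as shown and would block the source with no mirror to pull from. Say where this combination is rejected (CRD validation, admission, or the MCO controller) and what the controller does if it sees one. Also, `pull form the mirror list` should read `pull from the mirror list`.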
Expand Down Expand Up @@ -225,6 +231,11 @@ type RepositoryTagMirrors struct {
// +optional
// +listType=set
Mirrors []Mirrors `json:"mirrors,omitempty"`
// When enabled, prevents image pull from the specified repository in the pull spec if the image pull form the mirror list fails.
// Default is false, the image will continue to be pulled from the pull spec if the image can not be pulled from the mirror list.
// neverContactSource is valid configuration only when one or more mirrors are in the mirror list.
// +optional
NeverContactSource bool `json:"neverContactSource,omitempty"`
}

// +kubebuilder:validation:Pattern=`^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$`
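
Review bot: The `NeverContactSource` comment in `RepositoryTagMirrors` is copied verbatim from `RepositoryDigestMirrors`, including the `pull form the mirror list` typo, so fix the spelling in both places. The line above it declares `Mirrors []Mirrors`, while the digest struct uses `Mirrors []Mirror`; confirm the element type name here is intended and not a leftover.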
Expand Down Expand Up @@ -259,6 +270,11 @@ For users with upgraded clusters that suppport the `ImageTagMirrorSet` CRD, if t
effect. The user will need to configure mirrors using `ImageTagMirrorSet` CRD on the upgraded cluster to use tags.
The MCO will consume the ImageTagMirrorSet object. Once this is done, the images can be pulled from the mirrors without the digest referenced.

#### As a user, I would like to pull image from mirrors and block the repository in the pull spec

The user can set neverContactSource to true in ImageTagMirrorSet or ImageDigestMirrorSet, depending on which CR the user uses to configure the mirror. The image will still use mirrors to pull imgae, but the pull will not be redirceted to the pull spec if the
mirrors fail.

#### As a user using ICSP, I would like to use ICSP pull images using digest by default from mirrors

The user can still define ICSP CR before its deprecation. After the deprecation of ICSP, the user will need to use
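
Review bot: The body of the new user story has two typos (`imgae`, `redirceted`) and does not say what the user observes when every mirror fails with `neverContactSource` set to true. Fix the spelling and state the outcome explicitly, i.e. that the pull fails instead of falling back to the repository in the pull spec.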
Expand All @@ -280,13 +296,14 @@ and a list of mirrors require digest specification, or have different boolean va
- [openshift/client-go](https://github.com/openshift/client-go), [openshift/cluster-config-operator](https://github.com/openshift/cluster-config-operator/pull/220): rebase the openshift/api version in these repositories to apply the new CRD
to the cluster.
- [openshift/runtime-utils/pkg/registries](https://github.com/openshift/runtime-utils/tree/master/pkg/registries): helper functions to edit registries.conf.
- [openshift/machine-config-operator](https://github.com/openshift/machine-config-operator): MCO needs watch for the ImageDigestMirrorSet and ImageTagMirrorSet. The machine-config-operator/pkg/controller/container-runtime-config controller needs to operate the ImageDigestMirrorSet and ImageTagMirrorSet CRDs.
Converts the existing ImageContenSourcePolicy objects to objects of new CRD.
- [openshift/machine-config-operator](https://github.com/openshift/machine-config-operator): the container runtime config controller that currently watches ICSP wil
also watch needs watch for the ImageDigestMirrorSet and ImageTagMirrorSet. The machine-config-operator/pkg/controller/container-runtime-config controller needs to operate the ImageDigestMirrorSet and ImageTagMirrorSet CRDs.
Converts the existing ImageContentSourcePolicy objects to objects of new CRD.
- This [document](https://docs.google.com/document/d/11FJPpIYAQLj5EcYiJtbi_bNkAcJa2hCLV63WvoDsrcQ/edit?usp=sharing) keeps a list of components that use operator.openshift.io/v1alpha1 ImageContentSourcePolicy. Need to change those repositories to upgrade to ImageDigestMirrorSet.

#### Notes

1. During the upgrade path, MCO can watch for both old CR ImageContentSourcePolicy and new CRs and create objects.
1. During the upgrade path, the container runtime config controller of MCO can watch for both old CR ImageContentSourcePolicy and new CRs and create objects.

2. The merge order of mirrors for the same source is deterministic by topological sorting:<br/>
Order is preserving the relative order of the mirrors using topological sorting. A graph is formed using each mirror as a
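
Review bot: The rewritten machine-config-operator bullet reads `controller that currently watches ICSP wil` / `also watch needs watch for the ImageDigestMirrorSet and ImageTagMirrorSet`, which is garbled, and the following sentence then repeats the same controller requirement. Collapse it into one statement, for example that the container runtime config controller that currently watches ICSP will also watch ImageDigestMirrorSet and ImageTagMirrorSet. The bullet also does not mention that the controller has to carry `neverContactSource` into registries.conf, which the test-plan paragraph added in this commit relies on.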
Expand All @@ -311,6 +328,9 @@ requires digest specification for mirrors configured through ImageDigestMirrorSe
Update the container runtime config controller unit tests that are currently in the MCO to verify that registries.conf does not
require digest specification for mirrors configured through ImageTagMirrorSet.

Update the container runtime config controller unit tests that are currently in the MCO to verify that registries.conf blocks
the primary registry of the mirrors.

### Graduation Criteria

#### Dev Preview -> Tech Preview
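
Review bot: The added test-plan paragraph says registries.conf `blocks the primary registry of the mirrors` without tying that to `neverContactSource` being true, and it introduces "primary registry" where the rest of the change says "the repository in the pull spec". State the condition, use one term throughout, and add the complementary cases: the default (false) leaves the source reachable, and `neverContactSource` set with an empty mirror list is handled as invalid, since the field comment says that combination is not valid configuration.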
Expand Down Expand Up @@ -349,7 +369,7 @@ During the development on the release that one release ahead of deprecating `ima
MCO will copy existing ImageContentSourcePolicy objects to ImageDigestMirrorSet and create new objects, and delete the
ImageContentSourcePolicy objects. If any errors appear during the process, MCO should report `Upgradeable=False`.

On the release that the ImageContentSourcePolicy CRD is removed from the API, the MCO will update its clusteroperator object to reflect a degrade state if it still finds objects of
On the release that the ImageContentSourcePolicy CRD is removed from the API, the MCO will update its clusteroperator object to reflect a degraded state if it still finds objects of
ImageContentSourcePolicy. The MCO should report that the ImageContentSourcePolicy is orphaned and let the user know they should create new objects
using the new ImageDigestMirrorSet or ImageTagMirrorSet CRDs.
