From 62b98afc975fef0686445edcf809885a56c910f4 Mon Sep 17 00:00:00 2001
From: Qi Wang
Date: Tue, 15 Feb 2022 16:38:33 -0500
Subject: [PATCH] Add neverContactSource field to CRDs
neverContactSource to satisfy the use case in epic:https://issues.redhat.com/browse/OCPNODE-810
Signed-off-by: Qi Wang
---
 ...mageTagMirrorSet-to-config.openshift.io.md | 34 +++++++++++++++----
 1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/enhancements/api-review/add-new-CRD-ImageDigestMirrorSet-and-ImageTagMirrorSet-to-config.openshift.io.md b/enhancements/api-review/add-new-CRD-ImageDigestMirrorSet-and-ImageTagMirrorSet-to-config.openshift.io.md
index e399c2a7b6b..3c2e98f4daa 100644
--- a/enhancements/api-review/add-new-CRD-ImageDigestMirrorSet-and-ImageTagMirrorSet-to-config.openshift.io.md
+++ b/enhancements/api-review/add-new-CRD-ImageDigestMirrorSet-and-ImageTagMirrorSet-to-config.openshift.io.md
@@ -3,7 +3,9 @@ title: add-new-CRD-ImageDigestMirrorSet-and-ImageTagMirrorSet-to-config.openshif
 authors:
 - "@QiWang19"
 reviewers:
- - TBD
+ - "@mtrmac"
+ - "@kikisdeliveryservice"
+ - "@sttts"
 approvers:
 - TBD
 api-approvers:
@@ -11,7 +13,7 @@ api-approvers:
 - "@sttts"
 - "@oscardoe"
 creation-date: 2021-03-10
-last-updated: 2021-12-10
+last-updated: 2022-02-28
 status: implementable
 ---
@@ -59,7 +61,6 @@ that. So a new CRD should be created, and ImageContentSourcePolicy(ICSP) under o
 ## Proposal
 The New CRD `ImageDigestMirrorSet` will be added to config.openshift.io/v1.
-The schema of `ImageDigestMirrorSet` is same as `ImageContentSourcePolicy`.
 ```go
 // ImageDigestMirrorSetSpec is the specification of the ImageDigestMirrorSet CRD.
@@ -130,6 +131,11 @@ type RepositoryDigestMirrors struct {
 // +optional
 // +listType=set
 Mirrors []Mirror `json:"mirrors,omitempty"`
+ // When enabled, prevents image pull from the specified repository in the pull spec if the image pull form the mirror list fails.
+ // Default is false, the image will continue to be pulled from the pull spec if the image can not be pulled from the mirror list.
+ // neverContactSource is valid configuration only when one or more mirrors are in the mirror list.
+ // +optional
+ NeverContactSource bool `json:"neverContactSource,omitempty"`
 }
 // +kubebuilder:validation:Pattern=`^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$`
@@ -225,6 +231,11 @@ type RepositoryTagMirrors struct {
 // +optional
 // +listType=set
 Mirrors []Mirrors `json:"mirrors,omitempty"`
+ // When enabled, prevents image pull from the specified repository in the pull spec if the image pull form the mirror list fails.
+ // Default is false, the image will continue to be pulled from the pull spec if the image can not be pulled from the mirror list.
+ // neverContactSource is valid configuration only when one or more mirrors are in the mirror list.
+ // +optional
+ NeverContactSource bool `json:"neverContactSource,omitempty"`
 }
 // +kubebuilder:validation:Pattern=`^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$`
@@ -259,6 +270,11 @@ For users with upgraded clusters that suppport the `ImageTagMirrorSet` CRD, if t
 effect. The user will need to configure mirrors using `ImageTagMirrorSet` CRD on the upgraded cluster to use tags. The MCO will consume the ImageTagMirrorSet object. Once this is done, the images can be pulled from the mirrors without the digest referenced.
+#### As a user, I would like to pull image from mirrors and block the repository in the pull spec
+
+The user can set neverContactSource to true in ImageTagMirrorSet or ImageDigestMirrorSet, depending on which CR the user uses to configure the mirror. The image will still use mirrors to pull imgae, but the pull will not be redirceted to the pull spec if the
+mirrors fail.
+
 #### As a user using ICSP, I would like to use ICSP pull images using digest by default from mirrors
 The user can still define ICSP CR before its deprecation. After the deprecation of ICSP, the user will need to use
@@ -280,13 +296,14 @@ and a list of mirrors require digest specification, or have different boolean va
 - [openshift/client-go](https://github.com/openshift/client-go), [openshift/cluster-config-operator](https://github.com/openshift/cluster-config-operator/pull/220): rebase the openshift/api version in these repositories to apply the new CRD to the cluster.
 - [openshift/runtime-utils/pkg/registries](https://github.com/openshift/runtime-utils/tree/master/pkg/registries): helper functions to edit registries.conf.
-- [openshift/machine-config-operator](https://github.com/openshift/machine-config-operator): MCO needs watch for the ImageDigestMirrorSet and ImageTagMirrorSet. The machine-config-operator/pkg/controller/container-runtime-config controller needs to operate the ImageDigestMirrorSet and ImageTagMirrorSet CRDs.
-Converts the existing ImageContenSourcePolicy objects to objects of new CRD.
+- [openshift/machine-config-operator](https://github.com/openshift/machine-config-operator): the container runtime config controller that currently watches ICSP wil
+also watch needs watch for the ImageDigestMirrorSet and ImageTagMirrorSet. The machine-config-operator/pkg/controller/container-runtime-config controller needs to operate the ImageDigestMirrorSet and ImageTagMirrorSet CRDs.
+Converts the existing ImageContentSourcePolicy objects to objects of new CRD.
 - This [document](https://docs.google.com/document/d/11FJPpIYAQLj5EcYiJtbi_bNkAcJa2hCLV63WvoDsrcQ/edit?usp=sharing) keeps a list of components that use operator.openshift.io/v1alpha1 ImageContentSourcePolicy. Need to change those repositories to upgrade to ImageDigestMirrorSet.
 #### Notes
-1. During the upgrade path, MCO can watch for both old CR ImageContentSourcePolicy and new CRs and create objects.
+1. During the upgrade path, the container runtime config controller of MCO can watch for both old CR ImageContentSourcePolicy and new CRs and create objects.
 2. 
The merge order of mirrors for the same source is deterministic by topological sorting:
Order is preserving the relative order of the mirrors using topological sorting. A graph is formed using each mirror as a
@@ -311,6 +328,9 @@ requires digest specification for mirrors configured through ImageDigestMirrorSe
 Update the container runtime config controller unit tests that are currently in the MCO to verify that registries.conf does not require digest specification for mirrors configured through ImageTagMirrorSet.
+Update the container runtime config controller unit tests that are currently in the MCO to verify that registries.conf blocks
+the primary registry of the mirrors.
+
 ### Graduation Criteria
 #### Dev Preview -> Tech Preview
@@ -349,7 +369,7 @@ During the development on the release that one release ahead of deprecating `ima
 MCO will copy existing ImageContentSourcePolicy objects to ImageDigestMirrorSet and create new objects, and delete the ImageContentSourcePolicy objects. If any errors appear during the process, MCO should report `Upgradeable=False`.
-On the release that the ImageContentSourcePolicy CRD is removed from the API, the MCO will update its clusteroperator object to reflect a degrade state if it still finds objects of
+On the release that the ImageContentSourcePolicy CRD is removed from the API, the MCO will update its clusteroperator object to reflect a degraded state if it still finds objects of
 ImageContentSourcePolicy. The MCO should report that the ImageContentSourcePolicy is orphaned and let the user know they should create new objects using the new ImageDigestMirrorSet or ImageTagMirrorSet CRDs.