Bug 1816534: DEVEXP-424: Leveraging node credentials during image stream import #83
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
|
/retest |
|
/test verify |
|
/test unit |
|
/test e2e-aws |
|
/retest |
|
/test images |
|
/test e2e-aws-serial |
ricardomaraschini
changed the title
|
/retest |
1 similar comment
|
/retest |
|
/test e2e-aws |
|
/retest |
ricardomaraschini
changed the title
ricardomaraschini
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
/retest |
|
/test e2e-aws |
1 similar comment
|
/test e2e-aws |
|
/assign @dmage @adambkaplan @mfojtik |
|
/assign @sttts |
| @@ -258,24 +257,6 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation | |||
| } | |||
| } | |||
|
|
|||
| // if we encountered an error loading credentials and any images could not be retrieved with an access | |||
There was a problem hiding this comment.
this code was there to get proper error messages from the API. How is this done now?
There was a problem hiding this comment.
This is part of a behavioral change. Now if we can't load the secrets we return an API error to the user and don't create any image streams. With that out of the way(error retrieving secrets) future StatusReasonUnauthorized and StatusReasonForbidden would be correct so no need to overwrite them by Unable to load secrets for this image error.
Let me know what you reckon and I will adjust appropriately.
This commit vendors github.com/docker/docker/registry as we are going to start to leverage type registry.StaticCredentialStore when creating a registryclient.Context.
| imageapi "github.com/openshift/openshift-apiserver/pkg/image/apis/image" | ||
| dockerregistry "github.com/openshift/openshift-apiserver/pkg/image/apiserver/importer/dockerv1client" | ||
| "github.com/openshift/openshift-apiserver/pkg/image/apiserver/sysregistriesv2" | ||
| ) | ||
|
|
||
| func init() { | ||
| runtime.Must(userapi.Install(legacyscheme.Scheme)) |
There was a problem hiding this comment.
why is the legacy scheme used? Installing anything into that is suspicious. Just create a new scheme object and install into it what you need.
There was a problem hiding this comment.
Functions[1] such as schema1ToImage or schema2ToImage on this package rely on the legacyscheme, not sure what the options were when they got developed. I don't mind at all fixing this to use a new scheme but it goes over the scope of this feature and I would address it as technical debt. If you are OK with leaving this as is for now I will create a new front to address this issue. You may even see TODO comments[2] talking about the legacyscheme.
[1] https://github.com/openshift/openshift-apiserver/blob/master/pkg/image/apiserver/importer/image.go#L88
[2] https://github.com/openshift/openshift-apiserver/blob/master/pkg/image/apiserver/importer/dockerv1client/client.go#L34
There was a problem hiding this comment.
ok, fine for me as a follow-up.
| }) | ||
| } | ||
|
|
||
| importCtx := registryclient.NewContext( |
There was a problem hiding this comment.
By recreating Context all the time, you are losing all caching features. Essentially you'll make a lot of ping requests to the /v2/ endpoint for every tag in ImageStreamImport.
There was a problem hiding this comment.
I can lay down a cache layer here and reuse them, what do you think? Ideally I would add this logic on library-go but unfortunately i can't as it includes k8s keyrings and I am not supposed to add these dependencies there.
There was a problem hiding this comment.
Could you PTAL ? I have added a code to reuse contexts.
There was a problem hiding this comment.
getting credentials using ref and then caching them by regurl definitely needs to be covered by tests. It can cause authentication problems.
There was a problem hiding this comment.
/hold
I am investigating what is the best way of achieving this.
There was a problem hiding this comment.
@dmage I have updated the indexing to use the repository name instead of the URL. Could you PTAL?
ricardomaraschini
changed the title
|
/retest |
| @@ -273,7 +273,7 @@ func (i *ImageStreamImporter) importFromRepository(ctx gocontext.Context, retrie | |||
|
|
|||
| key := repositoryKey{url: *registryURL, name: repoName} | |||
| repo := &importRepository{ | |||
| Ref: ref, | |||
| Ref: defaultRef, | |||
There was a problem hiding this comment.
what is implication of this change?
There was a problem hiding this comment.
As far as I checked the only side effect is some error strings, see here for an example.
What changes is that:
- If no registry is present,
docker.iois used. - If no
Namespaceis set on the registry being imported and the repository is docker hub,libraryis used on the repository URL. - If no tag is set,
latestis used.
Do you see any problem with this approach? Let me know if you have an use case where this can cause issues and I will make sure it works.
There was a problem hiding this comment.
If it's for error strings, then it should contain the name as it was entered by the user
There was a problem hiding this comment.
Yes, you are right. I have reverted this change and now the error string is the same as it used to be. Please let me know if it is OK for you.
| }) | ||
| } | ||
|
|
||
| importCtx := registryclient.NewContext( |
There was a problem hiding this comment.
getting credentials using ref and then caching them by regurl definitely needs to be covered by tests. It can cause authentication problems.
|
Looks good, we'll need to create BZs to track follow-up tech debt addressing. /lgtm |
I have already opened a JIRA card for the tech debt, thanks for the heads-up. |
openshift-ci-robot
added
the
do-not-merge/hold
Starting to merge node pull secrets with kubernetes docker secrets during image stream import. Implementation details may be found at: openshift/enhancements/node-pull-credentials/pull-credentials.md
|
/retest |
|
/retitle Bug 1816534: DEVEXP-424: Leveraging node credentials during image stream import |
openshift-ci-robot
changed the title
|
@ricardomaraschini: This pull request references Bugzilla bug 1816534, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
bugzilla/valid-bug
|
/lgtm |
|
/unhold |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dmage, ricardomaraschini, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
@ricardomaraschini: All pull requests linked via external trackers have merged: openshift/openshift-apiserver#83. Bugzilla bug 1816534 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
With this PR we start to use node's pull secrets during image stream import process as described on the enhancement proposal. We prioritize namespace secrets over node pull secrets.
Note: Please review openshift/cluster-openshift-apiserver-operator#284 as well.