Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] Injected oauth imagepullpolicy change and sha256 digest #119

Open
wants to merge 5 commits into
base: v1.6-branch
Choose a base branch
from

Conversation

shalberd
Copy link

@shalberd shalberd commented Jul 12, 2023

@atheo89 new PR due to rebase chaos

@harshad16 Currently, the ose-oauth-proxy sidecar container of a running notebook, handled by odh notebook controller, always pulls the image from an external location. Current ose-oauth-proxy image is v4.10.
This always image pulling is problematic from a stability perspective, as, should connectivity to an external repo ever cease, no image pulling on notebook pod start is possible.

Also, providing the image in tag format is not compatible with disconnected cluster installs that use mirroring and soft-linking from source to target. Those on-prem installs need image references to be in sha256 digest format.

Another reason for changing to sha256 digest format: Tag ose-oauth-proxy:v4.10 changes. If imagePullPolicy is set to IfNotPresent, what matters is that an image with that tag is already cached on one of the cluster nodes. So, to keep a unique image version and build status for ose-oauth-proxy, we need to go with sha256 digest format as well.

Description

changed from tag format to digest format in odh notebook controller webhook that adds an ose-oauth-proxy sidecar to a Notebook CR

Manifest link digest of v4.10 from July 6 2023:

ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33

https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?architecture=amd64&tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000&container-tabs=gti

Put in comments with respect to actual tag used and location to look at for details. Changed imagepullPolicy from Always to IfNotPresent.

Related PR in odh-manifests:

opendatahub-io/odh-manifests#868

How Has This Been Tested?

Please mark with ok to test.

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • [] The developer has manually tested the changes and verified that the changes work

@openshift-ci openshift-ci bot requested review from LaVLaS and VaishnaviHire July 12, 2023 21:36
@openshift-ci
Copy link

openshift-ci bot commented Jul 12, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign vaishnavihire for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link

openshift-ci bot commented Jul 12, 2023

Hi @shalberd. Thanks for your PR.

I'm waiting for a opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@shalberd
Copy link
Author

@atheo89 found an odh notebook controller test was looking for old imagePullPolicy and thus did not run though. Furthermore, due to ServiceMesh recent changes, a whole bunch of stuff changed, so I just rebased and then created this new PR. Can you do an ok to test, please?

@@ -25,7 +25,8 @@ spec:
imagePullPolicy: Always
command:
- /manager
args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy:v4.10"]
# latest v4.10 manifest list digest for architecture AMD64. Used instead of tag format to be compatible with imagePullPolicy: IfNotPresent
args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"]
Copy link
Author

@shalberd shalberd Jul 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

discussion on manifest list digest vs image digest at opendatahub-io/odh-manifests#868 (comment)

@LaVLaS suggested leaving the notebook controller main management pod oauth proxy image topic (changes in line 28 and 29) out of the PR for now. That makes sense in that this PR here is about the injection of ose-oauth-proxy into Notebook pods under /controllers.

@harshad16 @atheo89 Also, @LaVLaS suggested for odh notebook controller manager itself here:

While we should be updating the ose-oauth-proxy image at a regular cadence, we should not be hardcoding the image digest into the container command argument of the Deployment object. This should be replaced with an environment variable that can be configured at when the kustomize manifest is parsed. This would also allow us to replace with as a CSV relatedImage or modified by the new operator.

opendatahub-io/odh-manifests#868 (comment)

I suggest to handle that in a separate PR. Created an issue #132

@@ -740,7 +740,7 @@ func createOAuthContainer(name, namespace string) corev1.Container {
return corev1.Container{
Name: "oauth-proxy",
Image: OAuthProxyImage,
ImagePullPolicy: corev1.PullAlways,
ImagePullPolicy: corev1.PullIfNotPresent,
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

previously, test did not run thru because it was still assuming imagePullPolicy Always in IS vs MUST BE comparision during testing

@atheo89
Copy link
Member

atheo89 commented Jul 13, 2023

/ok-to-test

@@ -25,7 +25,8 @@ spec:
imagePullPolicy: Always
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kept Always here because this seems to be used internally, not in releases, for testing with the :latest image-tag of odh-notebook-controller, which necessitates imagePullPolicy: Always

@shalberd
Copy link
Author

@atheo89 @LaVLaS do you know what is going on with test infra? All tests and checks are pending ...

@shalberd
Copy link
Author

/retest

@shalberd
Copy link
Author

@atheo89 @harshad16 tests turned out ok

main changes to summarize:

  • oauth proxy container ref in sha256 digest format, latest v4.10 digest as base.
  • change imagePullPolicy of injected oauth container of notebook CRs from Always to IfNotPresent

OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy:latest"
// use sha256 manifest link digest value of v4.10 image for AMD64 as default to be compatible with imagePullPolicy: IfNotPresent, overridable
// taken from https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?architecture=amd64&tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000&container-tabs=gti
OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

discussion on manifest list digest vs image digest at opendatahub-io/odh-manifests#868 (comment)

OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy:latest"
// use sha256 manifest list digest value of v4.10 image for AMD64 as default to be compatible with imagePullPolicy: IfNotPresent, overridable
// taken from https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000&gti-tabs=get-the-source&container-tabs=gti
OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"
Copy link
Author

@shalberd shalberd Jul 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@VaishnaviHire @cfchase @harshad16 @atheo89

question: is the value of OAuthProxyImage set or overridden by the argument of odh notebook controller manager?

I am asking because I've never seen ose-oauth-proxy:latest in injected notebook oauth sidecars.

flag.StringVar(&oauthProxyImage, "oauth-proxy-image", controllers.OAuthProxyImage,

instead, what seems to be used is the version of ose-oauth defined here:

https://github.com/opendatahub-io/kubeflow/blob/master/components/odh-notebook-controller/config/manager/manager.yaml#L24

@shalberd shalberd changed the title Injected oauth imagepullpolicy change and sha256 digest [WIP] Injected oauth imagepullpolicy change and sha256 digest Oct 25, 2023
atheo89 pushed a commit to atheo89/kubeflow that referenced this pull request Nov 7, 2024
…lu-labels

update LABELs and remove unwanted ARGs for konflux builds
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants