-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Injected oauth imagepullpolicy change and sha256 digest #119
base: v1.6-branch
Are you sure you want to change the base?
[WIP] Injected oauth imagepullpolicy change and sha256 digest #119
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hi @shalberd. Thanks for your PR. I'm waiting for a opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@atheo89 found an odh notebook controller test was looking for old imagePullPolicy and thus did not run though. Furthermore, due to ServiceMesh recent changes, a whole bunch of stuff changed, so I just rebased and then created this new PR. Can you do an ok to test, please? |
@@ -25,7 +25,8 @@ spec: | |||
imagePullPolicy: Always | |||
command: | |||
- /manager | |||
args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy:v4.10"] | |||
# latest v4.10 manifest list digest for architecture AMD64. Used instead of tag format to be compatible with imagePullPolicy: IfNotPresent | |||
args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
discussion on manifest list digest vs image digest at opendatahub-io/odh-manifests#868 (comment)
@LaVLaS suggested leaving the notebook controller main management pod oauth proxy image topic (changes in line 28 and 29) out of the PR for now. That makes sense in that this PR here is about the injection of ose-oauth-proxy into Notebook pods under /controllers.
@harshad16 @atheo89 Also, @LaVLaS suggested for odh notebook controller manager itself here:
While we should be updating the ose-oauth-proxy image at a regular cadence, we should not be hardcoding the image digest into the container command argument of the Deployment object. This should be replaced with an environment variable that can be configured at when the kustomize manifest is parsed. This would also allow us to replace with as a CSV relatedImage or modified by the new operator.
opendatahub-io/odh-manifests#868 (comment)
I suggest to handle that in a separate PR. Created an issue #132
@@ -740,7 +740,7 @@ func createOAuthContainer(name, namespace string) corev1.Container { | |||
return corev1.Container{ | |||
Name: "oauth-proxy", | |||
Image: OAuthProxyImage, | |||
ImagePullPolicy: corev1.PullAlways, | |||
ImagePullPolicy: corev1.PullIfNotPresent, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
previously, test did not run thru because it was still assuming imagePullPolicy Always in IS vs MUST BE comparision during testing
/ok-to-test |
@@ -25,7 +25,8 @@ spec: | |||
imagePullPolicy: Always |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kept Always here because this seems to be used internally, not in releases, for testing with the :latest image-tag of odh-notebook-controller, which necessitates imagePullPolicy: Always
/retest |
@atheo89 @harshad16 tests turned out ok main changes to summarize:
|
OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy:latest" | ||
// use sha256 manifest link digest value of v4.10 image for AMD64 as default to be compatible with imagePullPolicy: IfNotPresent, overridable | ||
// taken from https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?architecture=amd64&tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000&container-tabs=gti | ||
OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
discussion on manifest list digest vs image digest at opendatahub-io/odh-manifests#868 (comment)
…e not related to oauth sidecar injection
OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy:latest" | ||
// use sha256 manifest list digest value of v4.10 image for AMD64 as default to be compatible with imagePullPolicy: IfNotPresent, overridable | ||
// taken from https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000>i-tabs=get-the-source&container-tabs=gti | ||
OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@VaishnaviHire @cfchase @harshad16 @atheo89
question: is the value of OAuthProxyImage set or overridden by the argument of odh notebook controller manager?
I am asking because I've never seen ose-oauth-proxy:latest in injected notebook oauth sidecars.
flag.StringVar(&oauthProxyImage, "oauth-proxy-image", controllers.OAuthProxyImage, |
instead, what seems to be used is the version of ose-oauth defined here:
…lu-labels update LABELs and remove unwanted ARGs for konflux builds
@atheo89 new PR due to rebase chaos
@harshad16 Currently, the ose-oauth-proxy sidecar container of a running notebook, handled by odh notebook controller, always pulls the image from an external location. Current ose-oauth-proxy image is v4.10.
This always image pulling is problematic from a stability perspective, as, should connectivity to an external repo ever cease, no image pulling on notebook pod start is possible.
Also, providing the image in tag format is not compatible with disconnected cluster installs that use mirroring and soft-linking from source to target. Those on-prem installs need image references to be in sha256 digest format.
Another reason for changing to sha256 digest format: Tag ose-oauth-proxy:v4.10 changes. If imagePullPolicy is set to IfNotPresent, what matters is that an image with that tag is already cached on one of the cluster nodes. So, to keep a unique image version and build status for ose-oauth-proxy, we need to go with sha256 digest format as well.
Description
changed from tag format to digest format in odh notebook controller webhook that adds an ose-oauth-proxy sidecar to a Notebook CR
Manifest link digest of v4.10 from July 6 2023:
ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33
https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?architecture=amd64&tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000&container-tabs=gti
Put in comments with respect to actual tag used and location to look at for details. Changed imagepullPolicy from Always to IfNotPresent.
Related PR in odh-manifests:
opendatahub-io/odh-manifests#868
How Has This Been Tested?
Please mark with ok to test.
Merge criteria: