kubernetes-csi: promote existing releases #934
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
@msau42: the I am not sure how you want to handle this in the future; if this script would be useful, then I can add it as k8s.gcr.io/images/k8s-staging-csi/generate.sh to this repo. Beware that I have not verified whether the hashes match the ones from quay.io. I am assuming that whoever pushed to staging hasn't made a mistake or maliciously pushed different images. |
|
/hold I think it makes sense to promote these images, but let's hear from @msau42 whether she agrees. |
k8s-ci-robot
added
the
do-not-merge/hold
I think we can trust @dims: kubernetes/kubernetes#91257 😁 |
|
LOL, i am 100% legit :) More seriously here's the script i used to move things over - https://gist.github.com/dims/0aef844c22af80ed3637745071c8854c |
|
I don't think we should promote these images that were copied over from quay because they were not built using the same infra. Also, we shouldn't promote the "-rc*" images which are not meant for public consumption. |
Does that matter? We expect consumers of those images to trust that they contain what we claim that they contain, regardless of how they were built or where they are currently hosted. The advantage of promoting the images is that consumers get a choice between pulling from the potentially flaky quay.io and the (hopefully) more reliable gcr.io; that's my motivation for this PR. We still see test failures from intermittent image pull errors for the sidecars from quay.io. We could do the same as the Kubernetes CI and pull from the staging area, but that feels wrong. |
|
Hosting an image in k8s infra means that we've used k8s infra to build them. We can't guarantee that with the images we temporarily copied from quay. If we don't want to wait until we release the next set of sidecars to use this, then can we manually trigger building and pushing these tags in cloudbuild (and update k8s CI to not use any "rc" tags)? |
Not exactly. AFAIK, it means that an image was pushed to staging and promoted to prod, but some trusted set of people. There are likely a few subprojects that have a staging project and don't yet use GCB for building/pushing.
Agreed on the fact that you probably don't need the RC tags, but I don't think the images should be rebuilt. For context, I've backfilled a few images for RelEng. I'd suggest backfilling one or two of the most recent images; we did this to ensure that people who might be changing their registry endpoint could move to K8s Infra w/o necessarily needing to move to a newer image at the same time. One thing to be careful of, as @listx mentions:
There's a good chance your digests will change, which might be unavoidable, but be sure to check up on any code you have that's doing digest verification. |
We have no such code in Kubernetes or the sidecars. We have advocated using the version tags and promised that we will never rebuilt those images, so I suspect most users will use that to pull a deterministic image. But it wouldn't matter anyway, because it seems that the sha256 digests have not changed. I only checked one image (csi-node-driver-registrar:v1.3.0) and it had the same digest on quay.io (https://quay.io/repository/k8scsi/csi-node-driver-registrar?tab=tags) and gcr.io (https://console.cloud.google.com/gcr/images/k8s-staging-csi/GLOBAL/csi-node-driver-registrar@sha256:9622c6a6dac7499a055a382930f4de82905a3c5735c0753f7094115c9c871309/details?tab=info). |
|
If there's consensus that promoting the release images is worthwhile, then I can update the PR to exclude the -rc images. |
|
Sounds like there's precedent to backfilling images when migrating over to gcr, so promoting this older tags (minus rc) sgtm. Thanks @justaugustus for the clarification! |
These images were previously published on quay.io, except for nfs-provisioner:v2.2.2.
pohly
force-pushed
the
kubernetes-csi-releases
branch
from
254e145
to
e8903a0
Compare
|
I've used an updated script to re-generate the images.yaml file. The script now compares the checksums or (if those differ) the content of the images to verify that they are the same as the ones previously hosted on quay.io. I know that we can trust @dims, but it doesn't hurt to be extra careful, right? 😛 The result is that newer images were moved entirely unchanged, while older ones were apparently repacked and thus have a different sha256. The content is exactly the same, though. nfs-provisioner wasn't on quay.io; I've included it anyway in the images.yaml: Script: #! /bin/sh
# List of repos under https://console.cloud.google.com/gcr/images/k8s-staging-csi/GLOBAL
repos="
csi-attacher
csi-node-driver-registrar
csi-provisioner
csi-resizer
csi-snapshotter
hostpathplugin
livenessprobe
mock-driver
nfs-provisioner
snapshot-controller
"
tmp=$(mktemp -d)
trap "rm -rf $tmp" EXIT
for repo in $repos; do
echo "- name: $repo"
echo " dmap:"
gcloud container images list-tags gcr.io/k8s-staging-csi/$repo --format='get(digest, tags)' --filter='tags~v.* AND NOT tags~v2020.* AND NOT tags~.*-rc.*' | while read sha tag; do
quay=$(docker pull quay.io/k8scsi/$repo:$tag | grep ^Digest: | sed -e 's/^Digest: //')
if [ "$sha" != "$quay" ]; then
if [ "$quay" ]; then
echo >&2 "WARNING: $repo:$tag: sha56 does not match."
container=$(docker create gcr.io/k8s-staging-csi/$repo:$tag)
mkdir $tmp/gcr.io
docker export $container | tar -C $tmp/gcr.io -xf -
docker rm $container >/dev/null
container=$(docker create quay.io/k8scsi/$repo:$tag)
mkdir $tmp/quay.io
docker export $container | tar -C $tmp/quay.io -xf -
docker rm $container >/dev/null
if diff -r $tmp/quay.io $tmp/gcr.io >&2; then
echo >&2 " Content is the same."
else
echo >&2 " Content differs."
fi
rm -rf $tmp/quay.io $tmp/gcr.io
else
echo >&2 "WARNING: quay.io/k8scsi/$repo:$tag not found."
fi
else
echo >&2 "OKAY: $repo:$tag: sha56 matches"
fi
echo " \"$sha\": [ \"$tag\" ]"
done
done |
|
Also note that we need to do something about Kubernetes CI: the staging images will be deleted after 60 days, i.e. around July 19th. Let's promote the images and then switch the CI to use the promoted images. |
|
@pohly 100% +1 to "trust but verify" :) |
| - name: mock-driver | ||
| dmap: | ||
| "sha256:0b4273abac4c241fa3d70aaf52b0d79a133d2737081f4a5c5dea4949f6c45dc3": [ "v3.1.0" ] | ||
| - name: nfs-provisioner |
There was a problem hiding this comment.
I'm not sure we should promote nfs-provisioner since it's not related to csi. We should find a better permanent home for it. cc @kmova
|
I think the script would be useful to check in, to make promoting future images easier. |
It doesn't belong under the CSI repository.
Kubernetes-CSI produces a lot of different images. This script simplifies promotion of the release images by printing the images.yaml content to stdout.
|
Removed nfs-provisioner, added the script in the version without the comparison against quay.io (that was a one-time thing). |
|
/lgtm |
k8s-ci-robot
removed
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
|
/assign @dims |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims, msau42, pohly The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
These images were previously published on quay.io.
This is the first time that we are using the image promoter and we still had to define approvers.