Add ImageContentSourcePolicy to operator/v1alpha1 #354
Conversation
openshift-ci-robot
added
the
size/M
|
Talking with @smarterclayton it seemed like we don't want to add this API object to config/v1 as that has very high guarantee .. Why not it to mirror.openshift.io v1alpha1 or v1beta1 ? |
|
@abhinavdahiya should I rename the CRD to |
| } | ||
|
|
||
| type ImageContentSourcePolicySpec struct { | ||
| // DigestMappingRules holds the registry mirroring rules that are written to |
There was a problem hiding this comment.
We can add a line saying that we only support pulling by digests from the mirrors and hence the name.
I think just moving this type to a new directory |
|
Or operators.openshift.io (which is our private api) in v1alpha1?
On Jun 18, 2019, at 10:59 AM, Abhinav Dahiya <[email protected]> wrote:
Talking with @smarterclayton <https://github.com/smarterclayton> it seemed
like we don't want to add this API object to config/v1 as that has very
high guarantee ..
Why not it to mirror.openshift.io v1alpha1 or v1beta1 ?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#354?email_source=notifications&email_token=AAI37JYM66JDDLWY434UNJLP3DZ5DA5CNFSM4HYZIPIKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODX65PIA#issuecomment-503175072>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAI37J3XJEKXSVRC5SNQZ7DP3DZ5DANCNFSM4HYZIPIA>
.
|
+1 for |
|
|
||
| // DigestMappingRules holds cluster-wide information about how to handle mirros in the registries config. | ||
| type DigestMappingRules struct { | ||
| // Sources are registries that are mirrors of each other. |
There was a problem hiding this comment.
Should this say “registries and/or repositories [(depending on the container runtime)]”, or something like that? (Per earlier conversations, CRI-O will support this at the level of individual repositories, and containerd could support this at registry level.)
| } | ||
|
|
||
| type ImageContentSourcePolicySpec struct { | ||
| // DigestMappingRules holds the registry mirroring rules that are written to |
There was a problem hiding this comment.
Do we want to document this as a general-purpose facility, or specifically restricted to OpenShift product images? It works just the same for both for unauthenticated registries, but we can only supply mirror credentials via a CRI-O-wide option (not via the CRI). Or maybe we don’t need to restrict this to OpenShift only, but say that non-OpenShift repositories that require credentials are {problematic,not recommended,not supported}.
| // DigestMappingRules holds the registry mirroring rules that are written to | ||
| // /etc/containers/registries.conf to be used by the runtime to determine which | ||
| // repo to fall back on, if the original repo cannot be accessed. | ||
| // Will also be used for offline installs/upgrades. |
There was a problem hiding this comment.
I think this should be changed to for example,
|
Will the openshift apiserver need to consume this for image pullthrough? fyi @dmage |
|
How will it be coordinated with Lines 241 to 253 in a77179b |
umohnani8
changed the title
|
@abhinavdahiya @smarterclayton moved it to operator/v1alpha1 |
|
/lgtm |
| // We only support pulling by digests for mirrors, hence the name. | ||
| // Will also be used in cases such as offline installs/upgrades. | ||
| // +optional | ||
| DigestMappingRules DigestMappingRules `json:"digestMappingRules"` |
There was a problem hiding this comment.
Other possible names repositoryDigestMappings
There was a problem hiding this comment.
imageDigestMappings. imageDigestRetrieval.
There was a problem hiding this comment.
(To me as a non-native speaker), all of these names seem to say that digests are mapped, but they are not; digests are the only part of the image reference that don’t change.
mirroredRepositories, mirrorSets? OTOH to ensure that the digest restriction is not overlooked, that could end up with mirrorredRepositoriesInDigestReferences or something similarly horrible.
There was a problem hiding this comment.
Changed it to MirrorReposForDigests
There was a problem hiding this comment.
For digests is probably not accurate - you're not mirroring for digests, your mirroring digests by mirrors. We generally do not use short names inside api objects (reference instead of ref, for example).
There was a problem hiding this comment.
(I don’t really want to restart the naming discussion for this field, the current name is acceptable and I don’t think we’ll get a perfect one, just to minimize the use of this figure of speech:
We are never “mirroring digests”, we may not be mirroring [complete] repositories, we are mirroring OpenShift releases = sets of individual container images.
|
|
||
| // DigestMappingRules holds cluster-wide information about how to handle mirros in the registries config. | ||
| type DigestMappingRules struct { | ||
| // Sources are registries and/or repositories depending on the container runtime |
There was a problem hiding this comment.
Can we/should we document that these must be repositories (a.com/b/c) to start with, before we support wildcards in the future?
There was a problem hiding this comment.
In the current implementation, there are no wildcards. There are hierarchical namespaces, i.e. you can say example.com to match example.com/*/…/*, or you can say example.com/mirror-of-red-hat to match example.com/mirror-of-red-hat/*/…/* including example.com/mirror-of-redhat/openshift.
There isn’t a way to express example.com/*/mirror-of-red-hat, and I hope we won’t need that. Do we need that?
There was a problem hiding this comment.
I mean, I don't even want to support example.com from this API for now. So I would prefer to explicitly exclude that until we need it.
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
|
|
||
| // ImageContentSourcePolicy holds cluster-wide information about how to handle registry mirror rules. The canonical name is `cluster` | ||
| type ImageContentSourcePolicy struct { |
There was a problem hiding this comment.
Any other possible names we could use? Policy is fairly common. Is content source the best name? I don't want to be specific about "mirroring" or "disconnected", so trying out a name that implies "you can change where we source images" was the initial argument.
Maybe future might be "you have to have signatures from X for Y"
There was a problem hiding this comment.
Just ImageContentSource or ImageSources?
There was a problem hiding this comment.
Changed it to ImageContentSource
There was a problem hiding this comment.
By "policy is fairly common" I meant "It's good to have Policy in there to distinguish this from a more concrete object". I don't think you have to change the name, just want to see some suggestions about what names could be that better describe what this object does.
There was a problem hiding this comment.
changed the name back
There was a problem hiding this comment.
You’re right that “content source” is not a commonly used term for this. I’d just say one of “image {repositories,locations,(servers,storage?)}”; the “content” word adds nothing.
Per #354 (comment):
Do we want to document this as a general-purpose facility, or specifically restricted to OpenShift product images?
do we want this to be generic for all kinds of images, or actually say something entirely specific to the contemplated use, in the ballpark of OpenShiftReleasedImageLocations?
There was a problem hiding this comment.
I think making it generic will allow us to reuse it for other use cases in the future.
There was a problem hiding this comment.
The resource group usually contains the product namespace (operator.openshift.io) so it is redundant in the title.
|
@abhinavdahiya @smarterclayton fixed up based on reviews, PTAL |
|
/lgtm |
|
@smarterclayton @abhinavdahiya comments addressed, PTAL. |
/lgtm :) |
| type ImageContentSourcePolicySpec struct { | ||
| // repositoryDigestMirrors allows images referneced by image digests in pods to be | ||
| // pulled from alternative mirrored repository locations. The image pull specification | ||
| // provided to the pod will be compare to the source locations described in RepositoryDigestMirrors |
|
@abhinavdahiya @smarterclayton @mrunalp addressed the comments. If we are good with this, can we get it in. |
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
|
|
||
| // ImageContentSourcePolicy holds cluster-wide information about how to handle registry mirror rules. | ||
| // The canonical name is `cluster` |
There was a problem hiding this comment.
There should be no canonical name for this - clients may create multiple of these, it is not a singleton. We want individual components to be able to register their policies and manage them independently (trying to join a bunch of policies in a doc is very difficult to do with decelerate config models). That means that we have to define how merging happens, which should be done in the godoc for each field (repositoryDigestMirrors)
Please change the doc to "When multiple policies are defined, the outcome of the behavior is defined on each field". For the repositoryDigestMirrors field, add a sentence defining how this will work.
For instance, if I have
sources:
- a
- b
- c
in one object (provided by the installer) and
sources:
- c
- d
- e
in a second (provided by an operator)
we need to define how they are merged (probably by a zip merge with duplicates removed - a c b d e, although we can be loose about the ordering).
There was a problem hiding this comment.
Keep in mind the use cases we're trying to target when you consider merging:
- operator on cluster potentially inserts the local registry as a targeted mirror (which probably means it wants to go first)
- OLM in the future may manage these objects, so it'll be adding them post-install
There was a problem hiding this comment.
Merged as in when we write these mirror rules to /etc/containers/registries.conf?
There was a problem hiding this comment.
Merged as when they are written and interpreted by all consumers (whether it's registries.conf today, or a future image controller use case like image import). Documenting the rules of merging makes it clear to consumers and helps clarify the design of components
There was a problem hiding this comment.
As a counter, does it make sense to disallow having common repos between each config object? That way the administrator can be explicit in how they want the repos ordered.
There was a problem hiding this comment.
I am thinking of a case where one user of the feature creates an ordering and then a second user comes up with an ordering that has the elements reversed. It might be better to just disallow so they can communicate with first user and come up with a commonly agreed ordering for the repos.
There was a problem hiding this comment.
I find it a bit attractive to make all of this undefined (explicitly, if necessary).
Let the user declaratively define that some set of repositories is equivalent; let the cluster worry about checking whether they are up, ordering them, possibly load balancing between them, … . Sure, we do nothing of that kind now, but if we define the mirror set to have some kind of strict ordering and strict merging semantics, we’ll lose the opportunity to do something smart in the future (without an explicit opt-in, at least).
I’m especially dubious about the idea of transitively merging mirror sets; sure, it’s trivial to implement, but intuitively it seems to me that if something creates two mirror sets that have a common element but are otherwise distinct (neither a subset of the other), it’s more likely than not that something got very confused and the mirrors are not actually operated to be transitively equivalent that way.
Or is the idea that the OpenShift product will ship, and manage, a CRD object that claims the equivalence of r.a.rh.com/foo with r.rh.io/bar (and OpenShift the organization will commit to keeping the repositories in sync), while the local administrator will set up, and manage, the equivalence of r.a.rh.com/$foo with local-mirror.example.com/baz (and commit to keeping the two repositories in sync), and therefore we need merging to exist because we don’t want the administrator to edit the OpenShift-product-managed object?
If that is the case, does the administrator need to be able to say “only ever use my mirror without reaching to the internet at all”? That can only work if we define the order of accesses both within a mirror set, and between all the CRD objects (how? based on their name?). (And without an explicit “don’t use those mirrors at all”, the administrator can only put them at the end of the list, to be never contacted unless the local mirror is down. That seems good enough for me, at least in the initial version of this object; registries.conf can express “redirect all references to foo to bar without ever contacting foo”, but we’ll have enough trouble defining the semantics of merging of the ordering without having to worry about three CRD objects, setting up strict redirects of A→B, B→C, B→A.)
(Or, sure, we could leave the internet-accessible mirrors in and accept them being in the first locations, and just let pulls fail because the DNS or firewall rejects the connection attempts. It could easily be fast enough, but it will cause noise on the firewalls.)
(FWIW openshift/machine-config-operator#805 currently sets up the mirrors in registries.conf in a rotated fashion, so that different pull specs will result in different order of attempts. That’s just an initial guess, and there’s nothing at all to say that it matters because the pull specs from the different mirrors should not really exist in the cluster at the same time, it can of course be changed to any other semantics.)
There was a problem hiding this comment.
Or is the idea that the OpenShift product will ship, and manage, a CRD object that claims the equivalence of r.a.rh.com/foo with r.rh.io/bar (and OpenShift the organization will commit to keeping the repositories in sync),
this is the most likely near term. The most likely case will be r.rh.io/* to registry.internal.svc/x/y for digest mirroring of core public resources.
I’m especially dubious about the idea of transitively merging mirror sets; sure, it’s trivial to implement, but intuitively it seems to me that if something creates two mirror sets that have a common element but are otherwise distinct (neither a subset of the other), it’s more likely than not that something got very confused and the mirrors are not actually operated to be transitively equivalent that way.
Since we're pulling by digest the only expense is check time (which agree can be left as weakly undefined behavior). If you say A and B are candidates for pull by digest and B and C are candidates by digest and A and B are down I would prefer to check C (this feature is about availability first, performance / local pulls second).
I am not opposed to leaving it weakly undefined, but it needs to satisfy the intent.
As far as order, I would prefer that we preserve preferential rather than round robin, the requirements for this feature are to let you preferentially use a local proxy for performance, and round robin does not satisfy that.
Adding a new operator/v1alpha1 definition caled ImageContentSource which will be used when using a CR to set the registry mirror rules for resiliency and offline installs/upgrades. A new CRD will be created to encompass this. Signed-off-by: Urvashi Mohnani <[email protected]>
|
@abhinavdahiya @smarterclayton can we please get this in so we can continue the work that is relying on this. We can figure out the merging criteria later if that is okay? It would just be a PR to update the comments here. |
| // When multiple policies are defined, any overlaps found will be merged together when the mirror | ||
| // rules are written to `/etc/containers/registries.conf`. For example, if policy A has sources `a, b, c` | ||
| // and policy B has sources `c, d, e`. Then the mirror rule written to `registries.conf` will be `a, b, c, d, e` | ||
| // where the duplicate `c` is removed. |
There was a problem hiding this comment.
This comment is fine for now, I'm ok with discussing the policy in a follow up before 4.2 GA but after this feature has been prototyped.
|
Sufficient for first round of prototyping (with the known topics still to be resolved for 4.2) /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, smarterclayton, umohnani8 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
9 participants
Adding a new operator/v1alpha1 definition caled ImageContentSourcePolicy
which will be used when using a CR to set the registry mirror rules
for resiliency and offline installs/upgrades.
A new CRD will be created to encompass this.
Signed-off-by: Urvashi Mohnani [email protected]