@QiWang19 QiWang19 commented Oct 10, 2021

We can continue the discussions from the current design.

Signed-off-by: Qi Wang [email protected]

@QiWang19
Member Author

@mtrmac @smarterclayton PTAL

@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch from 13729d0 to 45efed5 Compare October 15, 2021 04:20
@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch from 45efed5 to b7ea2c4 Compare October 15, 2021 14:52
@QiWang19
Member Author

@mtrmac PTAL.

Contributor

@mtrmac mtrmac left a comment

(Various questions from my previous review seem to remain outstanding.)

// host[:port]
// host[:port]/namespace[/namespace…]
// host[:port]/namespace[/namespace…]/repo
// host[:port]/namespace[/namespace…]/repo(:_tag|@digest)
Contributor

Unlike containers-registries.conf(5), https://github.com/openshift/runtime-utils/blob/8b8348d80d1d1e7b6cf06fb009d5965e0b55baa2/pkg/registries/registries.go#L19 doesn’t currently support the :tag|@digest part; it can be a host[:port][[/namespace…]/repo] only.

(I don’t think single-image mirrors are worth worrying about… unless we needed to allow them now because we won’t be allowed to change the validation rules again?)

Member Author

removed host[:port]/namespace[/namespace…]/repo(:_tag|@digest)

// https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Pattern=`(^(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])(:[0-9]+)?(\/[^\/:\n]+)*(\/[^\/:\n]+((:[^\/:\n]+)|(@[^\n]+)))?$)|(^(([a-zA-Z\*]|[a-zA-Z\*][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)?(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])$)`
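Review bot: In the Pattern marker, the digest branch (@[^\n]+) accepts any text after the @, including further / and : characters, so a value such as host/repo@a/b:c passes validation; constrain it to an algorithm:hex shape or drop the branch. Every host label must also start with a letter ([a-zA-Z] or [A-Za-z]), which rejects IP-address hosts and labels that begin with a digit; if that is intended, state it in the field comment.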
Contributor

This seems incorrect, in that it allows *a.; wildcards are supported only with the exact *. prefix.


Even with the explanation, validating the regex feels like too much work (which I didn’t do now). Does the API annotation have any mechanisms that could help?

If not, building the regex from components somehow would be nice. Maybe something similar to the way https://github.com/containers/image/blob/main/docker/reference/regexp.go does it — that’s admittedly extreme in being literal, but it does have the nice property that it results in a Go program that can be reviewed in small pieces, and then run with a value.String() to get a pattern.

Member Author

@QiWang19 QiWang19 Oct 19, 2021

I don't see the kubebuilder doc has a mechanism helper for regex. I can use some containers/image helpers in goplayground here to define the pattern https://play.golang.org/p/NO9_2LmqPiu
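
Added example, not code from this PR or from containers/image: one way to build the validation pattern from small named pieces, as suggested in the review above, and compare it with the pattern under review on constructed inputs. The combinator names echo docker/reference/regexp.go but are this example's own, and the composed pattern deliberately leaves out the :tag|@digest branch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern copied verbatim from the kubebuilder marker under review.
const reviewedPattern = `(^(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])(:[0-9]+)?(\/[^\/:\n]+)*(\/[^\/:\n]+((:[^\/:\n]+)|(@[^\n]+)))?$)|(^(([a-zA-Z\*]|[a-zA-Z\*][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)?(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])$)`

// Small combinators (hypothetical helpers written for this example).
func expression(p ...string) string { return strings.Join(p, "") }
func group(p ...string) string      { return "(?:" + expression(p...) + ")" }
func optional(p ...string) string   { return group(p...) + "?" }
func repeated(p ...string) string   { return group(p...) + "*" }
func anchored(p ...string) string   { return "^" + expression(p...) + "$" }

var (
	// One host label, same character rules as the reviewed pattern.
	label     = group(`[a-zA-Z]`, optional(`[a-zA-Z0-9-]*[a-zA-Z0-9]`))
	host      = expression(repeated(label, `\.`), label)
	port      = expression(`:`, `[0-9]+`)
	component = expression(`/`, `[^/:\n]+`)
	// host[:port][/namespace[/namespace…]/repo]
	scope = expression(host, optional(port), repeated(component))
	// A wildcard is only the exact "*." prefix in front of a bare host.
	wildcard = expression(`\*\.`, host)

	reviewed = regexp.MustCompile(reviewedPattern)
	composed = regexp.MustCompile(group(anchored(scope)) + "|" + group(anchored(wildcard)))
)

// accepts reports whether each pattern matches the candidate value.
func accepts(s string) (byReviewed, byComposed bool) {
	return reviewed.MatchString(s), composed.MatchString(s)
}

func main() {
	fmt.Println("composed pattern:", composed.String())
	// Constructed sample values, not taken from the PR.
	samples := []string{"*.example.com", "*a.example.com", "registry.example.com:5000/ns/repo"}
	for _, s := range samples {
		r, c := accepts(s)
		fmt.Printf("%-36s reviewed=%-5v composed=%v\n", s, r, c)
	}
}
```

Each piece can be reviewed on its own, and composed.String() yields the single pattern to paste into the validation marker.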

@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch 2 times, most recently from a0cc302 to ecb2599 Compare October 19, 2021 04:00
@QiWang19
Member Author

@mtrmac could you have another round of review?

Contributor

@kikisdeliveryservice kikisdeliveryservice left a comment

@QiWang19 I think it makes sense to update this enhancement at some point to pick up the new template changes (8d07520) involving API extensions since this will be adding a new CRD

Template link for ref: https://github.com/openshift/enhancements/blob/master/guidelines/enhancement_template.md

@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch 3 times, most recently from e030049 to f325e8b Compare November 8, 2021 22:01
@QiWang19
Member Author

QiWang19 commented Nov 8, 2021

@mtrmac Could you review? Updated:

  • Mentioned registries.conf should support digest required mirrors and tags allowed mirrors in the separated list.
  • ImageContentPolicy API change to have new mirrorsByTgas for using mirror by tags.

@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch from f325e8b to 70f41ac Compare November 9, 2021 16:05
@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch from 1e36840 to bec341f Compare November 11, 2021 15:25
@QiWang19 QiWang19 changed the title [OCPNODE-521] New CRD ImageContentPolicy(ICP) to support AllowMirrByTags [OCPNODE-521] New CRD ImageSourceDigestPolicy and ImageSourceTagPolicy to support AllowMirrByTags Nov 11, 2021
@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch from 555a3de to 37f4713 Compare November 11, 2021 23:41
@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch 2 times, most recently from 2738eed to abf342e Compare February 15, 2022 21:44
@QiWang19
Member Author

@umohnani8 @mrunalp @mtrmac PTAL.

@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch from abf342e to 62b98af Compare February 28, 2022 18:18
QiWang19 added a commit to QiWang19/api that referenced this pull request Feb 28, 2022
Add CRD ImageDigestMirrorSet and ImageTagMirrorSet to have API for epics:
- https://issues.redhat.com/browse/OCPNODE-521: different API for two separate lists for digest
  image pull and tag image pull using mirrors.
- https://issues.redhat.com/browse/OCPNODE-810: add an option for user to choose if the source of
  the mirror should be denied if the mirrors pull failed.

Enhancement: openshift/enhancements#929

Signed-off-by: Qi Wang <[email protected]>
@QiWang19
Member Author

@umohnani8 @mrunalp PTAL

@umohnani8
Contributor

Proposal around neverContactSource LGTM
Thanks @QiWang19!

Contributor

@mtrmac mtrmac left a comment

Looks good overall, mostly trivial typos.

(Noting that more discussion is happening in openshift/api#1126 .)

…AllowMirrByTags

Update the enhancement to describe the work has been done based on the previous discussions for Epic https://issues.redhat.com/browse/OCPNODE-521
We can continue the discussions from the current design.

Signed-off-by: Qi Wang <[email protected]>
New CRD ImageSourceDigestPolicy and ImageSourceTagPolicy to support AllowMirrByTags

Signed-off-by: Qi Wang <[email protected]>
@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch from 62b98af to c0504c9 Compare March 14, 2022 20:28
    New CRD ImageDigestMirrorSet and ImageTagMirrorSet to support AllowMirrByTags

Signed-off-by: Qi Wang <[email protected]>
@QiWang19 QiWang19 force-pushed the allow-mirror-by-tags branch from c0504c9 to cc9b39e Compare March 14, 2022 20:35
Contributor

@mtrmac mtrmac left a comment

LGTM.

Thanks for all the updates!

@rphillips
Contributor

/lgtm

Awesome Job!

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 28, 2022
@openshift-ci
Contributor

openshift-ci bot commented Mar 28, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mrunalp


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 28, 2022
@openshift-ci
Contributor

openshift-ci bot commented Mar 28, 2022

@QiWang19: all tests passed!


@openshift-merge-robot openshift-merge-robot merged commit ad0d7b2 into openshift:master Mar 28, 2022
- [Cluster-config-operator](https://github.com/openshift/cluster-config-operator)
- [Openshift-api-server](https://github.com/openshift/openshift-apiserver/blob/98786f917ffc7d3dc3b05893f405970b87a419b9/pkg/image/apiserver/registries/registries.go)
- [Runtime utils](https://github.com/openshift/runtime-utils/blob/8b8348d80d1d1e7b6cf06fb009d5965e0b55baa2/pkg/registries/registries.go#L50)
- [Openshift-controller-manager](https://github.com/openshift/openshift-controller-manager/blob/2a11f145ad7fcf3e92460800de1d13ba7fbb90b0/pkg/build/controller/build/build_controller.go#L20943)

@rphillips @QiWang19 oc and oc-mirror is missing here, and both of those tools heavily rely on the current ICSP implementation for all of image mirroring, this also includes our docs. Based on below note I can assume that the node team will also handle all the appropriate changes for oc and oc-mirror, is that correct?

Member Author

Yes, I will handle the related changes.
