Bug 1823143: oc adm release mirror|extract allow user to force from image prefix #427
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sallyom The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
sallyom
changed the title
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
bugzilla/severity-medium
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
But then your suggestion doesn't mention |
pkg/cli/admin/release/info.go
Outdated
| return true, nil | ||
| } | ||
| for _, tag := range is.Spec.Tags { | ||
| // If ForcePrefix true, use user-provided image rather than it's mirrored source |
There was a problem hiding this comment.
To test this PR, do something like this...
But then your suggestion doesn't mention
--force-prefix?
oops, fixed.. plus, I am going to rework this to use ICSP, but wanted to push this in the meantime bc it's simpler than the other PR.
There was a problem hiding this comment.
nit: "it's" -> "its"
thanks, fixed, that one always gets me
| // If ForcePrefix true, use user-provided image rather than it's mirrored source | ||
| // imagereference.Parse returns the digest ID of each component in the release image-reference. | ||
| // If can't get digest ID, skip this tag, this happens when user has built a payload by | ||
| // replacing component images in the release with a new image |
There was a problem hiding this comment.
Is this "user builds a release replacing a component image with a by-tag pullspec"? Can we forbid that? I would hope users replacing component images would use by-digest pullspecs, and expect the new release image to include digests for those images too.
There was a problem hiding this comment.
When I create a release payload w/ a substituted image I pass something like cli=quay.io/sallyom/cli:test I think that's what most devs would do? That's the case I added that skip for. 🤷 I figured the best thing to do there is ignore this tag(component image) and if the user has access to that, all good, but if not, that's on them anyways
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
|
||
| func (o *SecurityOptions) Bind(flags *pflag.FlagSet) { | ||
| flags.StringVarP(&o.RegistryConfig, "registry-config", "a", o.RegistryConfig, "Path to your registry credentials (defaults to ~/.docker/config.json)") | ||
| flags.BoolVar(&o.ForcePrefix, "force-prefix", o.ForcePrefix, "Force lookup of named prefix (registry/repository/name) for an image source") |
There was a problem hiding this comment.
It feels strange to me to have this flag down on oc image info ... and such but have handling only up under oc adm release ....
There was a problem hiding this comment.
yes, wasn't sure where to place the flag. I was going to take suggestions. I'm reworking this to use the ImageContentSourcePolicy information, though, and possibly remove the need for a user to pass a flag at all - working on that now
…ory/name instead of defaulting to mirrored source from image reference When extracting from the mirrored registry, pass "force-prefix=true" to force lookup of user-given registry/repo/name instead of mirrored source image reference. In disconnected environments, currently, oc adm release extract fails. When working with mirrored release payloads, a release from a mirrored registry, mylocalregistry/ocp/release:4.5.0-0.nightly-2020-04-18-093630 mirrored from registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-04-18-093630 - Both reference 'quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2eb0a51...'. In case of disconnected, pass 'force-prefix=true' to use prefix 'mylocalregistry/ocp/release' instead of 'quay.io/openshift-release-dev/ocp-v4.0-art-dev'
fixed it, added to the description, thanks, and oops |
|
@sallyom: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
Direction of this PR has changed, closing this in favor of #439 and openshift/enhancements#334 |
|
@sallyom: This pull request references Bugzilla bug 1823143. The bug has been updated to no longer refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
4 participants
@smarterclayton while thinking about the flag suggestion from #395 I quickly modified that PR to use a flag instead. I'm still looking at how this can happen at a lower level, but this is less ugly of a hack - still too ugly, though?
To test this PR, do something like this:
you'll find the failure from master, fixed w /this PR