Skip to content

Clarify that the image mirroring requirement applies to conformance tests only #26912

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-robot merged 1 commit into from
Mar 29, 2022
Merged

Clarify that the image mirroring requirement applies to conformance tests only #26912

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions test/extended/util/image/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# Images used by e2e tests

We limit the set of images used by e2e to reduce duplication and to allow us to provide offline mirroring of images for customers and restricted test environments. Every image used in e2e must be part of this utility package or referenced by the upstream `k8s.io/kubernetes/test/utils/image` package.
We limit the set of images used by conformance e2e to reduce duplication and to allow us to provide offline mirroring of images for customers and restricted test environments. Every image used in e2e must be part of this utility package or referenced by the upstream `k8s.io/kubernetes/test/utils/image` package.
Copy link
Contributor

@soltysh soltysh Mar 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this applies to conformance tests only, the way we have it configured we don't differentiate between conformance and non-conformance images.

Copy link
Contributor Author

@bparees bparees Mar 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pulledInvalidImages allows pulls from registry.redhat.io, among other places (for particular images), it is not enforcing that everything come from quay.io/openshift/community-e2e-images

Copy link
Contributor Author

@bparees bparees Mar 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in fact weirdly, that code does not allow quay.io/openshift/community-e2e-images which raises a whole other set of questions about how the jobs are being run:

origin/cmd/openshift-tests/images.go

Line 190 in 1c7bf01

allowedPrefixes := sets.NewString(

Copy link
Contributor Author

@bparees bparees Mar 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(guessing maybe quay.io/openshift/community-e2e-images is being passed in as the arg to pulledInvalidImages so it gets added as a valid prefix?)

regardless, we definitely have tests that run today that pull from other locations and aren't being flagged by this. Possibly because it is builds that are pulling the image, not pods.

Copy link
Contributor Author

@bparees bparees Mar 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and as another example of the murky waters we are currently in, take this test fixture for example:

origin/test/extended/testdata/deployments/deployment-example.yaml

Lines 43 to 50 in 3b2752d

- imageChangeParams:
automatic: true
containerNames:
- postgresql
from:
kind: ImageStreamTag
name: postgresql:latest
namespace: openshift

technically this is ok(passed image prefix validation) because it results in a pod that pulls from the internal registry because the imagestream it references is configured with local reference policy(i.e. it uses pullthrough). But the reality is that the image being pulled is coming from registry.redhat.io and unless someone mirrored the content and configured the samples operator to ref the mirror for the imagestreams it manages, it won't actually work in a disconnected environment.

It certainly isn't meeting the currently stated policy of "All images used by e2e are mirrored to quay.io/openshift/community-e2e-images:tag"


All images used by e2e are mirrored to:
All images used by e2e tests that are part of the `conformance` suite are mirrored to:

quay.io/openshift/community-e2e-images:TAG

Expand Down