The application is meant to be used in conjunction with fabric-oso-proxy and fabric8-auth.
Fabric8-auth is used to obtain a service account token, which is used along with an impersonate header to create resources in other clusters/namespaces as directed by fabric8-oso-proxy.
For everything to function, it is necessary to have
- A user in fabric8-auth for the serviceaccount used by this app
- Users in fabric8-oso-proxy that can be impersonated to create resources on other clusters
- These users require
create,delete,watch,getpermissions fordaemonset.appsin their respective clusters and the specified namespace
To cache images, this app goes through oso-proxy to create daemonsets on desired clusters, which in turn create a pod on each node in the cluster consisting of a list of containers with command sleep infinity. This ensures that all nodes in the cluster have those images cached. We also periodically check the health of the daemonset and re-create it if necessary.
Configuration is done via env vars pulled from ./openshift/configmap.yaml.
The config values to be set are
| Env Var | Usage |
|---|---|
CACHING_INTERVAL_HOURS |
Interval, in hours, between checking health of daemonsets |
DAEMONSET_NAME |
Name of daemonset to be created |
NAMESPACE |
Namespace where daemonset is to be created. Shared for all users |
IMPERSONATE_USERS |
Comma-separated list of users to impersonate when creating daemonsets |
OPENSHIFT_PROXY_URL |
URL of oso-proxy |
IMAGES |
List of images to be cached, in the format <name>=<image>;... |
OIDC_PROVIDER |
URL of token provider for service account |
MULTICLUSTER |
Run in multi cluster mode; default is true |
Additionally, ./openshift/app.yaml has a few parameters:
| Parameter | Usage |
|---|---|
SERVICEACCOUNT_NAME |
Name of service account used by main pod |
SERVICE_ACCT_CREDENTIALS_SECRET |
Name of secret storing service account details (see below) |
IMAGE |
Name of image used for main pod |
IMAGE_TAG |
Tag of image used for main pod |
Finally, a secret containing the pod's serviceaccount's secret and id should be created with the data
| Key | Value |
|---|---|
service.account.secret |
Service account token |
service.account.id |
User id for service account |
# Build Go binary:
make build
# Make docker image:
make docker
# The above:
make
# Clean:
make cleanThe provided Makefile has two parameters:
DOCKERIMAGE_NAME: name for docker imageDOCKERIMAGE_TAG: tag for docker image
Build:
GOOS=linux go build -v -o ./bin/che-image-caching ./cmd/main.goMake docker image:
docker build -t ${DOCKERIMAGE_NAME}:${DOCKERIMAGE_TAG} .It's possible to run a simplified version of kubernetes-image-puller locally in minishift. This version avoids most of the complexity in the oso-proxy version, so its usefulness is limited.
Note: to run the commands below, you will need to be an admin user.
oc adm policy add-cluster-role-to-user cluster-admin admin
oc login -u admin -p any
oc new-project k8s-image-puller
make docker
make local-setup
make local-deploy
This uses the yaml files in the ./deploy directory to create a kubernetes image puller locally, that, in turn, creates a daemonset in the current namespace.