WIP: Add controller to update cross image stream tag aliases #13595
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This is currently blocked on 1.6 rebase (I need update to clientset generator to get I'm still not sure what to do when the source image stream tag is deleted (should we just stop tracking? should we put some special annotation or status on saying the source image stream was deleted?...) Also we should probably add shared informer for ImageStreams and re-use it in image import controller (that is the highest PM tech-debt in 3.7). |
mfojtik
force-pushed
the
update-aliased-is
branch
from
b353e02 to
5e6b4d1
Compare
|
You will be getting generated shared informers for all origin types for free in 3.6. |
|
The generic trigger controller will require a shared informer and will remove the deployment and build trigger controllers watch on images. How do you handle security on this? It looks like I can use this to steal images I don't have access to in other namespaces? |
|
Also, we really need to collapse the secret informers. Probably the most expensive single type right now |
If you had an access to create an alias for the image stream tag that lives in a namespace you have access to, don't you expect that alias to update when the source image stream tag change? But I see your point, I can change the "from" to point to an image stream that exists in a namespace I don't have access to and the controller will update it to match the tag... I guess I can just forbid updating cross-namespace? (or is there a SAR check if an user who created this image stream have access to other image stream?). |
|
I think this is the reason we didn't do aliases outside of an image stream.
:)
Do we have a strong use case for aliases inside the namespace? Why
wouldn't I just use the image stream as is?
On Apr 3, 2017, at 10:54 AM, Michal Fojtik <[email protected]> wrote:
How do you handle security on this? It looks like I can use this to steal
images I don't have access to in other namespaces?
If you had an access to create an alias for the image stream tag that lives
in a namespace you have access to, don't you expect that alias to update
when the source image stream tag change?
But I see your point, I can change the "from" to point to an image stream
that exists in a namespace I don't have access to and the controller will
update it to match the tag... I guess I can just forbid updating
cross-namespace? (or is there a SAR check if an user who created this image
stream have access to other image stream?).
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#13595 (comment)>,
or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABG_pzOP-UnlWXQtlsxwEA4_UhIC7Agjks5rsLOwgaJpZM4Mvz9p>
.
|
|
@smarterclayton in that case, maybe we should remove the and I think I agree, I don't see much use-cases for in-namespace cross-imagestream alias... it kind of make sense for |
|
It's primary use case is to support virtual tags like :latest, :stable, :qa
which point to other tags. The intent is that callers resolve it at use
time (UI, new-app) to get a long term tag. So if we need to communicate
that better we should.
On Apr 3, 2017, at 12:21 PM, Michal Fojtik <[email protected]> wrote
@smarterclayton <https://github.com/smarterclayton> in that case, maybe we
should remove the --alias completely? or at least change the message to
tell users that tag will not be "tracked" but just copied and never updated
:-)
and I think I agree, I don't see much use-cases for in-namespace
cross-imagestream alias... it kind of make sense for :latest inside image
stream...
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#13595 (comment)>,
or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABG_p516vPbEdu8sF_TJ5MQBsBksQLGhks5rsMgbgaJpZM4Mvz9p>
.
|
jlebon
added a commit
to jlebon/fedora-coreos-pipeline
that referenced
this pull request
Dec 1, 2023
…eam tags In the case where we don't need custom certs, we had the `openshift/jenkins:2` imagestream feed into the `jenkins:latest` imagestream, which then was the input to the S2I build. And similarly, we had `openshift/jenkins-agent-base:latest` feed into `jenkins-agent-base:latest`. In eb70bf7 ("manifests/jenkins-s2i: set `scheduled` on our imagestreams"), we added `scheduled: true` for those tags thinking they would keep those imagestreams up to date with the `openshift/` ones. But in fact, `scheduled: true` only works when an imagestream tracks an image in an external registry. There is no way as far as I can tell to have an imagestream tag track another imagestream tag. The closest is aliases, but those only work for tags within the same imagestream, not different imagestreams. This is by design (see openshift/origin#13595). So we'd have to periodically manually `oc tag` ourselves to keep them up to date, and that doesn't seem worth it. Instead, cut it out entirely. So now, in the non-cert case, we really just have our buildconfig output to an imagestream and that's it. The cert flow remains unchanged. To deal with the agent image being *either* the `openshift/jenkins-agent-base` one or our custom one with a cert, we have to parameterize the `defaultImage` property of the Kubernetes plugin in `jenkins.yaml`.
jlebon
added a commit
to jlebon/fedora-coreos-pipeline
that referenced
this pull request
Dec 1, 2023
…eam tags In the case where we don't need custom certs, we had the `openshift/jenkins:2` imagestream feed into the `jenkins:latest` imagestream, which then was the input to the S2I build. And similarly, we had `openshift/jenkins-agent-base:latest` feed into `jenkins-agent-base:latest`. In eb70bf7 ("manifests/jenkins-s2i: set `scheduled` on our imagestreams"), we added `scheduled: true` for those tags thinking they would keep those imagestreams up to date with the `openshift/` ones. But in fact, `scheduled: true` only works when an imagestream tracks an image in an external registry. There is no way as far as I can tell to have an imagestream tag track another imagestream tag. The closest is aliases, but those only work for tags within the same imagestream, not different imagestreams. This is by design (see openshift/origin#13595). So we'd have to add more code to periodically `oc tag` them to keep them up to date, and that doesn't seem worth it. Instead, cut it out entirely. So now, in the non-cert case, we really just have our buildconfig output to an imagestream and that's it. The cert flow remains unchanged. To deal with the agent image being *either* the `openshift/jenkins-agent-base` one or our custom one with a cert, we have to parameterize the `defaultImage` property of the Kubernetes plugin in `jenkins.yaml`.
jlebon
added a commit
to jlebon/fedora-coreos-pipeline
that referenced
this pull request
Dec 1, 2023
…eam tags In the case where we don't need custom certs, we had the `openshift/jenkins:2` imagestream feed into the `jenkins:latest` imagestream, which then was the input to the S2I build. And similarly, we had `openshift/jenkins-agent-base:latest` feed into `jenkins-agent-base:latest`. In eb70bf7 ("manifests/jenkins-s2i: set `scheduled` on our imagestreams"), we added `scheduled: true` for those tags thinking they would keep those imagestreams up to date with the `openshift/` ones. But in fact, `scheduled: true` only works when an imagestream tracks an image in an external registry. There is no way as far as I can tell to have an imagestream tag track another imagestream tag. The closest is aliases, but those only work for tags within the same imagestream, not different imagestreams. This is by design (see openshift/origin#13595). So we'd have to add more code to periodically `oc tag` them to keep them up to date, and that doesn't seem worth it. Instead, cut it out entirely. So now, in the non-cert case, we really just have our buildconfig output to an imagestream and that's it. The cert flow remains unchanged. To deal with the agent image being *either* the `openshift/jenkins-agent-base` one or our custom one with a cert, we have to parameterize the `defaultImage` property of the Kubernetes plugin in `jenkins.yaml`.
jlebon
added a commit
to coreos/fedora-coreos-pipeline
that referenced
this pull request
Feb 13, 2024
…eam tags In the case where we don't need custom certs, we had the `openshift/jenkins:2` imagestream feed into the `jenkins:latest` imagestream, which then was the input to the S2I build. And similarly, we had `openshift/jenkins-agent-base:latest` feed into `jenkins-agent-base:latest`. In eb70bf7 ("manifests/jenkins-s2i: set `scheduled` on our imagestreams"), we added `scheduled: true` for those tags thinking they would keep those imagestreams up to date with the `openshift/` ones. But in fact, `scheduled: true` only works when an imagestream tracks an image in an external registry. There is no way as far as I can tell to have an imagestream tag track another imagestream tag. The closest is aliases, but those only work for tags within the same imagestream, not different imagestreams. This is by design (see openshift/origin#13595). So we'd have to add more code to periodically `oc tag` them to keep them up to date, and that doesn't seem worth it. Instead, cut it out entirely. So now, in the non-cert case, we really just have our buildconfig output to an imagestream and that's it. The cert flow remains unchanged. To deal with the agent image being *either* the `openshift/jenkins-agent-base` one or our custom one with a cert, we have to parameterize the `defaultImage` property of the Kubernetes plugin in `jenkins.yaml`.
aaradhak
pushed a commit
to aaradhak/fedora-coreos-pipeline
that referenced
this pull request
May 14, 2024
…eam tags In the case where we don't need custom certs, we had the `openshift/jenkins:2` imagestream feed into the `jenkins:latest` imagestream, which then was the input to the S2I build. And similarly, we had `openshift/jenkins-agent-base:latest` feed into `jenkins-agent-base:latest`. In eb70bf7 ("manifests/jenkins-s2i: set `scheduled` on our imagestreams"), we added `scheduled: true` for those tags thinking they would keep those imagestreams up to date with the `openshift/` ones. But in fact, `scheduled: true` only works when an imagestream tracks an image in an external registry. There is no way as far as I can tell to have an imagestream tag track another imagestream tag. The closest is aliases, but those only work for tags within the same imagestream, not different imagestreams. This is by design (see openshift/origin#13595). So we'd have to add more code to periodically `oc tag` them to keep them up to date, and that doesn't seem worth it. Instead, cut it out entirely. So now, in the non-cert case, we really just have our buildconfig output to an imagestream and that's it. The cert flow remains unchanged. To deal with the agent image being *either* the `openshift/jenkins-agent-base` one or our custom one with a cert, we have to parameterize the `defaultImage` property of the Kubernetes plugin in `jenkins.yaml`.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Today, when you create imagestreamtag alias like:
The message above is a lie, no tracking is setupped for the origin-pod:latest, the "second:foo" will never update. To prove this:
Then check the
second:fooand you will see it still points to previous version oforigin-pod:latest.To fix this we should have a controller that handles relations between aliased image stream and automatically update the status of the aliased image stream to reflect an update in the source image stream.