From 042ad6bece2310d2c2f586fceb5ae6f6e600d808 Mon Sep 17 00:00:00 2001
From: Sven Thoms <21118431+shalberd@users.noreply.github.com>
Date: Thu, 6 Jul 2023 21:19:58 +0200
Subject: [PATCH 1/5] use v4.10 tag digest from July 6 for all ose-oauth container image references
---
 .../odh-notebook-controller/config/manager/manager.yaml | 3 ++-
 .../odh-notebook-controller/controllers/notebook_oauth.go | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/components/odh-notebook-controller/config/manager/manager.yaml b/components/odh-notebook-controller/config/manager/manager.yaml
index 7038db98a84..7b4680ad4ef 100644
--- a/components/odh-notebook-controller/config/manager/manager.yaml
+++ b/components/odh-notebook-controller/config/manager/manager.yaml
@@ -25,7 +25,8 @@ spec:
 imagePullPolicy: Always
 command:
 - /manager
- args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy:v4.10"]
+ # latest v4.10 manifest list digest for architecture AMD64. Used instead of tag format to be compatible with imagePullPolicy: IfNotPresent
+ args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"]
 securityContext:
 allowPrivilegeEscalation: false
 ports:
diff --git a/components/odh-notebook-controller/controllers/notebook_oauth.go b/components/odh-notebook-controller/controllers/notebook_oauth.go
index e67b7683dd3..6646415d04b 100644
--- a/components/odh-notebook-controller/controllers/notebook_oauth.go
+++ b/components/odh-notebook-controller/controllers/notebook_oauth.go
@@ -35,7 +35,9 @@ import (
 const (
 OAuthServicePort = 443
 OAuthServicePortName = "oauth-proxy"
- OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy:latest"
+ // use sha256 manifest link digest value of v4.10 image for AMD64 as default to be compatible with imagePullPolicy: IfNotPresent, overridable
+ // taken from https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?architecture=amd64&tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000&container-tabs=gti
+ OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"
 )
 
 type OAuthConfig struct {
From 9e50be69b35a7895668879e8ef95bcf36aa73f60 Mon Sep 17 00:00:00 2001
From: Sven Thoms <21118431+shalberd@users.noreply.github.com>
Date: Wed, 12 Jul 2023 22:57:01 +0200
Subject: [PATCH 2/5] odh notebook controller test createOAuthContainer IfNotPresent imagrPullPolicy
---
 .../controllers/notebook_controller_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/odh-notebook-controller/controllers/notebook_controller_test.go b/components/odh-notebook-controller/controllers/notebook_controller_test.go
index 5782d09aee4..76a82f4b150 100644
--- a/components/odh-notebook-controller/controllers/notebook_controller_test.go
+++ b/components/odh-notebook-controller/controllers/notebook_controller_test.go
@@ -740,7 +740,7 @@ func createOAuthContainer(name, namespace string) corev1.Container {
 return corev1.Container{
 Name: "oauth-proxy",
 Image: OAuthProxyImage,
- ImagePullPolicy: corev1.PullAlways,
+ ImagePullPolicy: corev1.PullIfNotPresent,
 Env: []corev1.EnvVar{{
 Name: "NAMESPACE",
 ValueFrom: &corev1.EnvVarSource{
From 990a1b128abe3716752d2051798daf43baae6921 Mon Sep 17 00:00:00 2001
From: Sven Thoms <21118431+shalberd@users.noreply.github.com>
Date: Wed, 12 Jul 2023 23:34:50 +0200
Subject: [PATCH 3/5] odh notebook controller webhook injected oauth imagepullpolicy ifnotpresent
---
 .../odh-notebook-controller/controllers/notebook_webhook.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/odh-notebook-controller/controllers/notebook_webhook.go b/components/odh-notebook-controller/controllers/notebook_webhook.go
index 3eef73b311e..0413ebf4aef 100644
--- a/components/odh-notebook-controller/controllers/notebook_webhook.go
+++ b/components/odh-notebook-controller/controllers/notebook_webhook.go
@@ -70,7 +70,7 @@ func InjectOAuthProxy(notebook *nbv1.Notebook, oauth OAuthConfig) error {
 proxyContainer := corev1.Container{
 Name: "oauth-proxy",
 Image: oauth.ProxyImage,
- ImagePullPolicy: corev1.PullAlways,
+ ImagePullPolicy: corev1.PullIfNotPresent,
 Env: []corev1.EnvVar{{
 Name: "NAMESPACE",
 ValueFrom: &corev1.EnvVarSource{
From 4363e29860512c4b0fd6909cbe009083ede29614 Mon Sep 17 00:00:00 2001
From: Sven Thoms <21118431+shalberd@users.noreply.github.com>
Date: Mon, 24 Jul 2023 14:54:08 +0200
Subject: [PATCH 4/5] reverted change to digest in odh notebook controller manager pod cause not related to oauth sidecar injection
---
 components/odh-notebook-controller/config/manager/manager.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/components/odh-notebook-controller/config/manager/manager.yaml b/components/odh-notebook-controller/config/manager/manager.yaml
index 7b4680ad4ef..7038db98a84 100644
--- a/components/odh-notebook-controller/config/manager/manager.yaml
+++ b/components/odh-notebook-controller/config/manager/manager.yaml
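Review bot: `ImagePullPolicy: corev1.PullIfNotPresent` is now hard-coded in InjectOAuthProxy (PATCH 3/5) while `Image: oauth.ProxyImage` stays caller-supplied, so the policy is only safe when that reference is pinned by digest, and nothing in the hunk checks that. PATCH 4/5 in this series returns `--oauth-proxy-image` in manager.yaml to the `:v4.10` tag, which presumably feeds `oauth.ProxyImage`; with that flag a node that already caches the tag keeps running the old proxy build after the tag is republished with fixes, and nodes can drift apart. Consider deriving the policy from the reference, `pullPolicy := corev1.PullAlways` followed by `if strings.Contains(oauth.ProxyImage, "@sha256:") { pullPolicy = corev1.PullIfNotPresent }` (this assumes `strings` is imported in the file), or keep the manifest on the digest. With IfNotPresent a cached image also starts without a fresh registry authorization check unless the cluster enforces always-pull at admission. The body of InjectOAuthProxy continues past the end of the hunk.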
@@ -25,8 +25,7 @@ spec:
 imagePullPolicy: Always
 command:
 - /manager
- # latest v4.10 manifest list digest for architecture AMD64. Used instead of tag format to be compatible with imagePullPolicy: IfNotPresent
- args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"]
+ args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy:v4.10"]
 securityContext:
 allowPrivilegeEscalation: false
 ports:
From 434756d8844229f10bc089154d706a2f36e3ef57 Mon Sep 17 00:00:00 2001
From: Sven Thoms <21118431+shalberd@users.noreply.github.com>
Date: Mon, 24 Jul 2023 15:01:09 +0200
Subject: [PATCH 5/5] changed comment in odh notebook-oauth injection in sha256 format golang code
---
 .../odh-notebook-controller/controllers/notebook_oauth.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/components/odh-notebook-controller/controllers/notebook_oauth.go b/components/odh-notebook-controller/controllers/notebook_oauth.go
index 6646415d04b..c697ee6361d 100644
--- a/components/odh-notebook-controller/controllers/notebook_oauth.go
+++ b/components/odh-notebook-controller/controllers/notebook_oauth.go
@@ -35,8 +35,8 @@ import (
 const (
 OAuthServicePort = 443
 OAuthServicePortName = "oauth-proxy"
- // use sha256 manifest link digest value of v4.10 image for AMD64 as default to be compatible with imagePullPolicy: IfNotPresent, overridable
- // taken from https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?architecture=amd64&tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000&container-tabs=gti
+ // use sha256 manifest list digest value of v4.10 image for AMD64 as default to be compatible with imagePullPolicy: IfNotPresent, overridable
+ // taken from https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000>i-tabs=get-the-source&container-tabs=gti
 OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"
 )
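Review bot: The reworded comment above `OAuthProxyImage` calls the value a "manifest list digest ... for AMD64", which is ambiguous: a manifest list digest covers every architecture in the list, whereas a single-architecture image digest would not run on non-amd64 nodes, and the hunk does not let a reader tell which one was pinned. The comment should say which kind of digest this is and carry the human-readable build it corresponds to, because a digest default never picks up rebuilt images and someone has to bump it deliberately, for example `// digest of build v4.10.0-202306170106 (manifest list, all architectures: confirm); refresh when a patched v4.10 build is published`. The same constant was introduced in PATCH 1/5 with the earlier "manifest link" wording, so the point applies to that hunk as well.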