Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Injected oauth imagepullpolicy change and sha256 digest #119

Open
wants to merge 5 commits into
base: v1.6-branch
Choose a base branch
from
Open

[WIP] Injected oauth imagepullpolicy change and sha256 digest #119

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
042ad6b
use v4.10 tag digest from July 6 for all ose-oauth container image re…
shalberd Jul 6, 2023
9e50be6
odh notebook controller test createOAuthContainer IfNotPresent imagrP…
shalberd Jul 12, 2023
990a1b1
odh notebook controller webhook injected oauth imagepullpolicy ifnotp…
shalberd Jul 12, 2023
4363e29
reverted change to digest in odh notebook controller manager pod caus…
shalberd Jul 24, 2023
434756d
changed comment in odh notebook-oauth injection in sha256 format gola…
shalberd Jul 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion components/odh-notebook-controller/config/manager/manager.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@ spec:
imagePullPolicy: Always
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kept Always here because this seems to be used internally, not in releases, for testing with the :latest image-tag of odh-notebook-controller, which necessitates imagePullPolicy: Always

command:
- /manager
args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy:v4.10"]
# latest v4.10 manifest list digest for architecture AMD64. Used instead of tag format to be compatible with imagePullPolicy: IfNotPresent
args: ["--oauth-proxy-image", "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"]
Copy link
Author

@shalberd shalberd Jul 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

discussion on manifest list digest vs image digest at opendatahub-io/odh-manifests#868 (comment)

@LaVLaS suggested leaving the notebook controller main management pod oauth proxy image topic (changes in line 28 and 29) out of the PR for now. That makes sense in that this PR here is about the injection of ose-oauth-proxy into Notebook pods under /controllers.

@harshad16 @atheo89 Also, @LaVLaS suggested for odh notebook controller manager itself here:

While we should be updating the ose-oauth-proxy image at a regular cadence, we should not be hardcoding the image digest into the container command argument of the Deployment object. This should be replaced with an environment variable that can be configured at when the kustomize manifest is parsed. This would also allow us to replace with as a CSV relatedImage or modified by the new operator.

opendatahub-io/odh-manifests#868 (comment)

I suggest to handle that in a separate PR. Created an issue #132

securityContext:
allowPrivilegeEscalation: false
ports:
Expand Down
2 changes: 1 addition & 1 deletion components/odh-notebook-controller/controllers/notebook_controller_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -740,7 +740,7 @@ func createOAuthContainer(name, namespace string) corev1.Container {
return corev1.Container{
Name: "oauth-proxy",
Image: OAuthProxyImage,
ImagePullPolicy: corev1.PullAlways,
ImagePullPolicy: corev1.PullIfNotPresent,
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

previously, test did not run thru because it was still assuming imagePullPolicy Always in IS vs MUST BE comparision during testing

Env: []corev1.EnvVar{{
Name: "NAMESPACE",
ValueFrom: &corev1.EnvVarSource{
Expand Down
4 changes: 3 additions & 1 deletion components/odh-notebook-controller/controllers/notebook_oauth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,9 @@ import (
const (
OAuthServicePort = 443
OAuthServicePortName = "oauth-proxy"
OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy:latest"
// use sha256 manifest link digest value of v4.10 image for AMD64 as default to be compatible with imagePullPolicy: IfNotPresent, overridable
// taken from https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?architecture=amd64&tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000&container-tabs=gti
OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33"
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

discussion on manifest list digest vs image digest at opendatahub-io/odh-manifests#868 (comment)

Copy link
Author

@shalberd shalberd Jul 25, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@VaishnaviHire @cfchase @harshad16 @atheo89

question: is the value of OAuthProxyImage set or overridden by the argument of odh notebook controller manager?

I am asking because I've never seen ose-oauth-proxy:latest in injected notebook oauth sidecars.

kubeflow/components/odh-notebook-controller/main.go

Line 68 in 92739d6

flag.StringVar(&oauthProxyImage, "oauth-proxy-image", controllers.OAuthProxyImage,

instead, what seems to be used is the version of ose-oauth defined here:

https://github.com/opendatahub-io/kubeflow/blob/master/components/odh-notebook-controller/config/manager/manager.yaml#L24

)

type OAuthConfig struct {
Expand Down
2 changes: 1 addition & 1 deletion components/odh-notebook-controller/controllers/notebook_webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ func InjectOAuthProxy(notebook *nbv1.Notebook, oauth OAuthConfig) error {
proxyContainer := corev1.Container{
Name: "oauth-proxy",
Image: oauth.ProxyImage,
ImagePullPolicy: corev1.PullAlways,
ImagePullPolicy: corev1.PullIfNotPresent,
Env: []corev1.EnvVar{{
Name: "NAMESPACE",
ValueFrom: &corev1.EnvVarSource{
Expand Down