Skip to content

pkg/cli/admin/upgrade: Reject by-tag pullspecs #238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wking wants to merge 1 commit into from
Closed

pkg/cli/admin/upgrade: Reject by-tag pullspecs #238

wking wants to merge 1 commit into from

Conversation

@wking
Copy link
Member

@wking wking commented Jan 2, 2020

The cluster-version operator requires by-digest pullspecs since verification landed in the CVO. oc could translate by-tag pullspecs into by-digest pullspecs before updating the ClusterVersion
object, but we might want it to perform some local validation first (e.g. checking that the tag matched the version name compiled into release-metadata). Until we have oc-side translation (which we may never have), add a client-side guard that explains the limitation so the user can find a by-digest pullspec themselves. That might be annoying, but it's nicer than happily passing the by-tag pullspec into ClusterVersion and waiting for them to notice the generic the image may not be safe to use failure message.

@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jan 2, 2020
@wking wking force-pushed the oc-adm-upgrade-by-tag-guard branch from 8a2ac41 to 689e779 Compare January 2, 2020 20:30
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 2, 2020

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wking
To complete the pull request process, please assign tnozicka
You can assign the PR to them by writing /assign @tnozicka in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wking
Copy link
Member Author

wking commented Jan 2, 2020

CC @smarterclayton, since you hit this when we were updating the CI build cluster.

@wking
pkg/cli/admin/upgrade: Reject by-tag pullspecs
d08a4e7 
The cluster-version operator requires by-digest pullspecs [1,2] since
verification landed in the CVO [3].  oc could translate by-tag
pullspecs into by-digest pullspecs before updating the ClusterVersion
object, but we might want it to perform some local validation first
(e.g. checking that the tag matched the version name compiled into
release-metadata).  Until we have oc-side translation (which we may
never have), add a client-side guard that explains the limitation so
the user can find a by-digest pullspec themselves.  That might be
annoying, but it's nicer than happily passing the by-tag pullspec into
ClusterVersion and waiting for them to notice the generic "the image
may not be safe to use" failure message [4].

[1]: https://github.com/openshift/cluster-version-operator/blob/a45fa12c42047b24a70d8edaa17b85a7eaf6ad38/pkg/cvo/updatepayload.go#L87-L91
[2]: https://github.com/openshift/cluster-version-operator/blob/a45fa12c42047b24a70d8edaa17b85a7eaf6ad38/pkg/verify/verify.go#L218-L220
[3]: openshift/cluster-version-operator@55e3cb4#diff-15212450f32771cf972f0f81d63c78c0R212
[4]: https://github.com/openshift/cluster-version-operator/blob/a45fa12c42047b24a70d8edaa17b85a7eaf6ad38/pkg/payload/task.go#L188-L189
@wking wking force-pushed the oc-adm-upgrade-by-tag-guard branch from 689e779 to d08a4e7 Compare January 2, 2020 20:48
@wking
Copy link
Member Author

wking commented Jan 2, 2020

e2e-cmd:

Jan  2 21:35:09.527: INFO: lookupDiskImageSources: gcloud error with [[]string{"instance-groups", "list-instances", "", "--format=get(instance)"}]; err:exit status 1
Jan  2 21:35:09.527: INFO:  > ERROR: (gcloud.compute.instance-groups.list-instances) could not parse resource []
Jan  2 21:35:09.527: INFO:  > 
Jan  2 21:35:09.527: INFO: Cluster image sources lookup failed: exit status 1

Dunno what that's about. Maybe a flake.

/retest

@wking
Copy link
Member Author

wking commented Apr 16, 2020

@smarterclayton might feel like this blanket block is too strong. #390 has a softer version. I'm fine with either, but would like to land something in this space ;).

@wking
Copy link
Member Author

wking commented May 19, 2020

The softer #390 landed. I wish we could reject like this PR, but I guess we need to maintain backwards compat for crazy people who are used to updating to by-tag digests :p.

/close

@openshift-ci-robot
Copy link

openshift-ci-robot commented May 19, 2020

@wking: Closed this PR.

Details

In response to this:

The softer #390 landed. I wish we could reject like this PR, but I guess we need to maintain backwards compat for crazy people who are used to updating to by-tag digests :p.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wking wking deleted the oc-adm-upgrade-by-tag-guard branch May 19, 2020 18:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

Assignees

No one assigned

Labels

size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wking @openshift-ci-robot