From 80855341cb1a7f3d131191cfd0075656cc35f2f3 Mon Sep 17 00:00:00 2001
From: Prashant Arya
Date: Fri, 3 May 2019 23:12:41 +0530
Subject: [PATCH 1/4] Design for setting proxy for kaniko pod
---
 docs/design_proposals/kaniko-proxy-setting.md | 122 ++++++++++++++++++
 1 file changed, 122 insertions(+)
 create mode 100644 docs/design_proposals/kaniko-proxy-setting.md
diff --git a/docs/design_proposals/kaniko-proxy-setting.md b/docs/design_proposals/kaniko-proxy-setting.md
new file mode 100644
index 00000000000..3760d9760e7
--- /dev/null
+++ b/docs/design_proposals/kaniko-proxy-setting.md
@@ -0,0 +1,122 @@
+# Title
+
+* Author(s): Prashant Arya
+* Design Shepherd:
+* Date: 3rd April 2018
+* Status:
+
+## Background
+
+At present if you run skaffold in seperate lab environment which doesn't have direct internet access
+and need proxy setting then skaffold can directly access the envrionment variable of the lab and can
+access the artifactory or registry but on the other hand builder like kaniko which spins up a seperate
+pod fails to build and push the built image to registry as it doesn't have proxy environment set.
+Hence skaffold run fails.
+
+To overcome this problem we can set proxy in environment variable of kaniko pod defination and get the
+skaffold running. We can take proxy variable in kaniko config section.
+
+
+Please provide a brief explanation for the following questions:
+
+1. Why is this required? So that skaffold can run in lab environment where access to internet is via proxy
+2. If this is a redesign, what are the drawbacks of the current implementation? I don't have idea about the other builder,
+3. Is there any another workaround, and if so, what are its drawbacks? I can't think of drawback
+4. Mention related issues, if there are any. NA
+
+Here is an example snippet for a new feature:
+
+___
+Setting proxy variable in pod definition
+```yaml
+Containers: []v1.Container{
+ {
+ Name: constants.DefaultKanikoContainerName,
+ Image: image,
+ Args: args,
+ ImagePullPolicy: v1.PullIfNotPresent,
+ Env: []v1.EnvVar{
+ {
+ Name: "GOOGLE_APPLICATION_CREDENTIALS",
+ Value: "/secret/kaniko-secret",
+ }
+ {
+ Name: "http_proxy",
+ Value: "somevalue",
+ }
+ {
+ Name: "https_proxy",
+ Value: "somevalue",
+ }
+ },
+ },
+```
+Setting the proxy would give kaniko pod internet access. Where it can contact gcr or linux update server(any install command).
+___
+
+## Design
+
+Please describe your solution. Please list any:
+
+* new config changes
+* interface changes
+* design assumptions
+
+For a new config change, please mention:
+
+* Is it backwards compatible? If not, what is the deprecation policy? No idea
+
+```yaml
+// ClusterDetails *beta* describes how to do an on-cluster build.
+type ClusterDetails struct {
+
+ // http_proxy
+ http_proxy string `yaml:"http_proxy,omitempty"`
+
+ // https_proxy
+ https_proxy string `yaml:"http_proxys,omitempty"`
+ // PullSecret is the path to the secret key file.
+ PullSecret string `yaml:"pullSecret,omitempty"`
+
+ // PullSecretName is the name of the Kubernetes secret for pulling the files
+ // from the build context and pushing the final image.
+ // Defaults to `kaniko-secret`.
+ PullSecretName string `yaml:"pullSecretName,omitempty"`
+
+ // Namespace is the Kubernetes namespace.
+ // Defaults to current namespace in Kubernetes configuration.
+ Namespace string `yaml:"namespace,omitempty"`
+
+ // Timeout is the amount of time (in seconds) that this build is allowed to run.
+ // Defaults to 20 minutes (`20m`).
+ Timeout string `yaml:"timeout,omitempty"`
+
+ // DockerConfig describes how to mount the local Docker configuration into a pod.
+ DockerConfig *DockerConfig `yaml:"dockerConfig,omitempty"`
+
+ // Resources define the resource requirements for the kaniko pod.
+ Resources *ResourceRequirements `yaml:"resources,omitempty"`
+}
+
+```
+
+### Open Issues/Question
+#2163
+Please list any open questions here in the format.
+
+**\**
+Do we need to set proxy for other builders as well.
+
+## Implementation plan
+As a team, we've noticed that larger PRs can go unreviewed for long periods of
+time. Small incremental changes get reviewed faster and are also easier for
+reviewers.
+
+For a design feature, list a summary of tasks breakdown for e.g.:
+For the example artifact sync proposal, some of the smaller tasks could be:
+___
+
+1. Add new field to cluster struct
+2. Add logic to put all the environment variable in collection
+3. Pass the collection to kaniko pod definition
+___
From b8eecc529bc88d0036939d387349fd06f3f5ef0c Mon Sep 17 00:00:00 2001
From: Tejal Desai
Date: Tue, 7 May 2019 08:24:53 +0530
Subject: [PATCH 2/4] Update docs/design_proposals/kaniko-proxy-setting.md
Co-Authored-By: prary
---
 docs/design_proposals/kaniko-proxy-setting.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/design_proposals/kaniko-proxy-setting.md b/docs/design_proposals/kaniko-proxy-setting.md
index 3760d9760e7..03c5afaa534 100644
--- a/docs/design_proposals/kaniko-proxy-setting.md
+++ b/docs/design_proposals/kaniko-proxy-setting.md
@@ -1,7 +1,7 @@
 # Title
 * Author(s): Prashant Arya
-* Design Shepherd:
+* Design Shepherd: Tejal Desai
 * Date: 3rd April 2018
 * Status:
From 82fd04278c54808456049a4484496f7ff6975a59 Mon Sep 17 00:00:00 2001
From: Tejal Desai
Date: Wed, 15 May 2019 14:08:37 -0700
Subject: [PATCH 3/4] Clean up design proposal
---
 docs/design_proposals/kaniko-proxy-setting.md | 50 +++++--------------
 1 file changed, 13 insertions(+), 37 deletions(-)
diff --git a/docs/design_proposals/kaniko-proxy-setting.md b/docs/design_proposals/kaniko-proxy-setting.md
index 03c5afaa534..baa6f7637ad 100644
--- a/docs/design_proposals/kaniko-proxy-setting.md
+++ b/docs/design_proposals/kaniko-proxy-setting.md
@@ -3,28 +3,15 @@
 * Author(s): Prashant Arya
 * Design Shepherd: Tejal Desai
 * Date: 3rd April 2018
-* Status:
+* Status: Approved/
 ## Background
-At present if you run skaffold in seperate lab environment which doesn't have direct internet access
-and need proxy setting then skaffold can directly access the envrionment variable of the lab and can
-access the artifactory or registry but on the other hand builder like kaniko which spins up a seperate
-pod fails to build and push the built image to registry as it doesn't have proxy environment set.
-Hence skaffold run fails.
-
-To overcome this problem we can set proxy in environment variable of kaniko pod defination and get the
-skaffold running. We can take proxy variable in kaniko config section.
+At present if you run skaffold in seperate lab environment without direct internet access, skaffold command with kaniko builds fail. This is because, kaniko spins up a seperate pod which do not have the proxy information set.
+To overcome this problem we can add proxy environment setting to kaniko config section to plumb it through to kaniko pod config.
-Please provide a brief explanation for the following questions:
-
-1. Why is this required? So that skaffold can run in lab environment where access to internet is via proxy
-2. If this is a redesign, what are the drawbacks of the current implementation? I don't have idea about the other builder,
-3. Is there any another workaround, and if so, what are its drawbacks? I can't think of drawback
-4. Mention related issues, if there are any. NA
-
-Here is an example snippet for a new feature:
+Here is an example of new kaniko Pod config will look like with http proxy information.
 ___
 Setting proxy variable in pod definition
@@ -55,26 +42,20 @@ Setting the proxy would give kaniko pod internet access. Where it can contact gc
 ___
 ## Design
-
-Please describe your solution. Please list any:
-
-* new config changes
-* interface changes
-* design assumptions
-
+We will be adding 2 new config variables in `ClusterDetails` config section.
 For a new config change, please mention:
-* Is it backwards compatible? If not, what is the deprecation policy? No idea
 ```yaml
 // ClusterDetails *beta* describes how to do an on-cluster build.
 type ClusterDetails struct {
- // http_proxy
- http_proxy string `yaml:"http_proxy,omitempty"`
+ // HTTP_PROXY sets the "http_proxy" environment varaible to the pod running cluster build.
+ HTTP_PROXY string `yaml:"httpProxy,omitempty"`
- // https_proxy
- https_proxy string `yaml:"http_proxys,omitempty"`
+ // HTTPS_PROXY sets the "https_proxy" environment varaible to the pod running cluster build.
+ HTTPS_PROXY string `yaml:"httpsProxy,omitempty"`
+
 // PullSecret is the path to the secret key file.
 PullSecret string `yaml:"pullSecret,omitempty"`
@@ -102,18 +83,13 @@ type ClusterDetails struct {
 ### Open Issues/Question
 #2163
-Please list any open questions here in the format.
+
 **\**
-Do we need to set proxy for other builders as well.
+Do we need to set proxy for other builders as well?
+Right now we don't have anyother cluster builder.
 ## Implementation plan
-As a team, we've noticed that larger PRs can go unreviewed for long periods of
-time. Small incremental changes get reviewed faster and are also easier for
-reviewers.
-
-For a design feature, list a summary of tasks breakdown for e.g.:
-For the example artifact sync proposal, some of the smaller tasks could be:
 ___
 1. Add new field to cluster struct
From c35f6374c981644b13e6e1447a6d616210dfb5ac Mon Sep 17 00:00:00 2001
From: Tejal Desai
Date: Wed, 15 May 2019 14:10:25 -0700
Subject: [PATCH 4/4] fix rendering
---
 docs/design_proposals/kaniko-proxy-setting.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/design_proposals/kaniko-proxy-setting.md b/docs/design_proposals/kaniko-proxy-setting.md
index baa6f7637ad..c33c6abce32 100644
--- a/docs/design_proposals/kaniko-proxy-setting.md
+++ b/docs/design_proposals/kaniko-proxy-setting.md
@@ -86,8 +86,10 @@ type ClusterDetails struct {
 **\**
+
 Do we need to set proxy for other builders as well?
-Right now we don't have anyother cluster builder.
+
+Resolution: No. As of now we don't have anyother cluster builder.
 ## Implementation plan
 ___