SmartState: Make docker registry & repo configurable for 'image-inspector'. #8439
This pull request is not mergeable. Please rebase and repush.
429af3f to 5ea6893
Now really rebased. Ready for review. Fixed a place where
5ea6893 to 7483143
@miq-bot add_label enhancement, providers/containers, smart_state
LGTM 👍
@@ -353,6 +353,8 @@ def add_secret_to_pod_def(pod_def, inspector_admin_secret_name) | |||
end | |||
|
|||
def inspector_image | |||
'docker.io/openshift/image-inspector:v2.0.z' | |||
registry = Settings.ems.ems_kubernetes.image_inspector_registry || INSPECTOR_REGISTRY_FALLBACK | |||
repo = Settings.ems.ems_kubernetes.image_inspector_repository || INSPECTOR_REPOSITORY_FALLBACK |
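Review bot: On the "registry =" and "repo =" lines, || substitutes the fallback only when the leaf setting is nil, so an empty-string value passes through unchanged, and a nil Settings.ems.ems_kubernetes raises before the || is ever evaluated. These two values decide which image the inspector pod pulls, so consider checking them here (non-empty, registry shaped like host[:port]) and raising a descriptive error before the pod definition is built, and add a short comment stating the expected format of each setting.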
Current code handles the possibility of leaves missing (e.g. :image_inspector_registry) and it would make sense to handle upper-level elements as well (e.g. ems_kubernetes). I recently came across the following code in miq_schedule_worker, maybe you can use something similar?
@cben @moolitayer also remember that empty strings are different from nil:
> nil || "fallback value"
=> "fallback value"
> "" || "fallback value"
=> ""
You may want to use blank?.
AFAICT Settings has no API like fetch_path. Added .try(:foo) on all levels.
I dropped the .blank? intentionally. I did test that :foo: gets parsed as nil (empty value in YAML is shorthand for null); one has to explicitly write :foo: "" to express an empty string. IMHO that's an explicitly broken config, same as ".#@illegal>" or "no-such-registry.com"...
I generally dislike assigning magical behavior to empty string, unless there is no other way to express it. Here, if you want to "leave it unset", you can delete the line, or use empty/null value.
And remember that we don't really need to support missing options (unless I'm missing something). It was just simpler than signaling errors.
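The nil-versus-empty-string behaviour discussed in the comment above, as an added example that is not code from this PR. It uses plain Ruby and string YAML keys instead of the project's Settings object; the helper names, the sample settings and the host[:port] check are assumptions made for illustration.

```ruby
require 'yaml'

# Defaults taken from the hard-coded image name shown in the diff.
DEFAULT_REGISTRY = 'docker.io'
REPOSITORY       = 'openshift/image-inspector'
TAG              = 'v2.0.z'

# Constructed sample settings (string keys for brevity, not the project's file).
SAMPLES = {
  'set'          => "ems:\n  ems_kubernetes:\n    image_inspector_registry: \"registry.example.com:5000\"\n",
  'empty value'  => "ems:\n  ems_kubernetes:\n    image_inspector_registry:\n",
  'empty string' => "ems:\n  ems_kubernetes:\n    image_inspector_registry: \"\"\n",
  'no parent'    => "ems: {}\n"
}.freeze

# Hypothetical helper: read the leaf, tolerating missing parents at every level.
def registry_setting(yaml_text)
  (YAML.safe_load(yaml_text) || {}).dig('ems', 'ems_kubernetes', 'image_inspector_registry')
end

# The `||` form: only nil triggers the default, "" passes straight through.
def image_with_or(registry)
  "#{registry || DEFAULT_REGISTRY}/#{REPOSITORY}:#{TAG}"
end

# Assumed host[:port] shape for a registry; a simplification, not a full image-reference grammar.
REGISTRY_RE = /\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?\z/i

# nil means "unset" and gets the default; anything else must look like a registry.
def image_checked(registry)
  registry = DEFAULT_REGISTRY if registry.nil?
  unless registry.is_a?(String) && registry.match?(REGISTRY_RE)
    raise ArgumentError, "invalid image_inspector_registry: #{registry.inspect}"
  end
  "#{registry}/#{REPOSITORY}:#{TAG}"
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, text|
    value = registry_setting(text)
    checked = begin
      image_checked(value)
    rescue ArgumentError => e
      "rejected (#{e.message})"
    end
    puts "#{label}: value=#{value.inspect} ||=#{image_with_or(value)} checked=#{checked}"
  end
end
```

Raising on an explicit empty string keeps it an error, as the comment argues it should be, while reporting it before any pod is created.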
f593e4d to 0b05edd
@moolitayer @enoodle @cben please test this thoroughly to make sure it's not breaking SmartState Analysis.
0b05edd to ec8a0e2
@cben what's missing to get this out of WIP?
Closing/reopening since #8684 was merged to fix master
This pull request is not mergeable. Please rebase and repush.
1b6c245 to 8551ef2
8551ef2 to 46b3298
@cben Cannot apply the following label because they are not recognized: smart_state
Thanks @nimrodshn. (This was never really WIP just neglected)
46b3298 to 5219697
@cben if you set The settings were intended to be "overrides": how can you productize
You can't override the _FALLBACKs, but the idea was you should always have these settings (I'm including them in settings.yml here) and the fallbacks should never come into play. Productization: The only question that might concern upstream here is whether
What I don't like of this PR:
So an easier approach that would satisfy (especially) 2 would be:
INSPECTOR_REPOSITORY_DEFAULT = 'openshift/image-inspector'
...
repository = Settings.ems.ems_kubernetes.image_inspector_repository.presence || INSPECTOR_REPOSITORY_DEFAULT
:ems_kubernetes:
...
:image_inspector_repository:
(note that Productization would still happen as for other values using overrides ( In case the new setting mechanism allows us to easily change these values in the future (satisfies 2) then we can continue with what you have here but I suggest to drop the duplication of values (e.g. drop the
(2) is not a problem since the Configuration Revamp (#7432) — Having defaults in .yml is better than in code, because user can see what's the default behavior and understand what kind of values the setting takes. (1) DRY is undeniable point.
This pull request is not mergeable. Please rebase and repush.
5219697 to 27c27d0
27c27d0 to d549c55
Tag (:2.1) deliberately left non-configurable as we depend on a specific version's interface. (Minor 2.1.z versions will be activated simply by re-pointing the 2.1 tag.) https://bugzilla.redhat.com/show_bug.cgi?id=1378007
d549c55 to 63b46ca
Checked commit cben@63b46ca with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
Dropped the FALLBACKs with @nimrodshn, code now assumes these settings exist.
@cben Cannot apply the following label because they are not recognized: smart_state
@cben it seems that 4.5 is going to be "the one" :-) LGTM 👍 @miq-bot assign roliveri @lavenel if we want to take advantage of this we would need a QE cycle. Let me know.
LGTM 👍
@cben are you planning a subsequent pr to productization?
(do we want to use the settings there? currently we are replacing the entire inspector_image method afair)
RFE BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1378007
Based on #7036 by @dtrieu80 (preserving Author), believe I addressed comments there.
@dtrieu80 Note that this will probably not suffice to do image scanning in a disconnected installation — the image inspector needs internet access to download OpenSCAP definitions.
That part is tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1378007 / openshift/image-inspector#18.
But the actual failure mode if user will delete these settings is bad: nil silently becomes empty string => we do create a pod with malformed image name e.g. docker.io/:v1.0.z => the pod never runs (RunContainerError or ImagePullBackOff state) => wait_pod goes into infinite loop. I didn't want to add exception catching and reporting for a scenario which "shouldn't happen", so made the setting optional with a default value in the code, as already done with miq_namespace. Easy but non-DRY... we go into infinite loop. The user gets no diagnostic :-( [@moolitayer has some PRs for better error handling, anyway out of scope here.]
P.S. I haven't tested the full scenario of running my own registry.
But I see a pod with customized image name being created: