-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(openshift): container Build action #4726
Conversation
function isLocalHostname(hostname: string) { | ||
return hostname === "localhost" || hostname.startsWith("127.") | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This function name sounds way more generic than its actual use was, and it was used only in one place. Inlined to getManifestInspectArgs
(with a descriptive comment) to avoid accidental wrong use in other places
# FIXME: this config option is overloaded | ||
# in different places, it is used for both force HTTP as well as skip TLS verify on HTTPS | ||
insecure: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See core/src/plugins/kubernetes/container/build/kaniko.ts
_TODO: we should fix this properly by editing the `garden-util` image, and make this section obsolete_ | ||
|
||
```bash | ||
oc login -u kubeadmin https://api.crc.testing:6443 | ||
oc adm policy add-scc-to-user anyuid -z default --namespace demo-project | ||
oc logout | ||
oc login -u developer -p developer | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Task for later: make the garden-util
pod run happily in a more security-constrained context, and remove the need for this workaround / additional permissions.
# FIXME: currently this is required, otherwise you get an ENOENT when calling | ||
# containerHelpers.dockerCli({cwd: action.getBuildPath() ... }) | ||
# because the .garden/build directory is not created | ||
buildAtSource: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When trying to do local-docker
builds but having the deploymentRegistry
set, various methods in our codebase threw ENOENT due to spawn
attempting to use a cwd
of .garden/build/buildname
but nothing had created it in advance. Took a quick look into it but didn't find anything obvious, decided to move on with a workaround to prioritize getting something done.
// TODO: if a registry does not have an image with the name at all, we throw here | ||
// This isn't a great first-time-use experience (or after you've reset a registry) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A task for later. This isn't critical, as the process actually continues afterwards, happily building and pushing the first image, but it isn't the best first-use experience to see a large red error on your first build.
// Allow insecure connections on local registry | ||
if ( | ||
hostname === "localhost" || | ||
hostname.startsWith("127.") || | ||
hostname === "default-route-openshift-image-registry.apps-crc.testing" | ||
) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fun fact: here insecure
means e.g. allowing self-signed certs etc
} | ||
|
||
// TODO: do we support the garden-provided in-cluster registry anymore, or could this be deleted? | ||
if (provider.config.deploymentRegistry?.insecure === true && !isOpenShiftLocal) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fun fact: here insecure
is used to force kaniko
to use HTTP instead of HTTPS.
But OpenShift requires HTTPS (the registry is only served over it, you'll just get 503 service unavailable on HTTP).
We should probably make the config flag a bit clearer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like the in-cluster registry was removed in 67047e68.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another potential case here is if people are using kaniko
build and some self-deployed registry over HTTP - but not sure if that's too far-fetched.
Maybe we can leave this code as it is to avoid breaking changes, and potentially clean up later?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think it's better to leave this code.
import { getLocalBuildStatus, localBuild } from "../kubernetes/container/build/local" | ||
|
||
export const openshiftContainerBuildExtension = (): BuildActionExtension<ContainerBuildAction> => ({ | ||
name: "container", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a question. Does name
here always equal the value of the corresponding action type?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is directly based on
garden/core/src/plugins/kubernetes/container/extensions.ts
Lines 40 to 42 in 47c8584
export const k8sContainerBuildExtension = (): BuildActionExtension<ContainerBuildAction> => ({ | |
name: "container", | |
handlers: { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks for the great job! 👍
* chore(openshift): rename container.ts -> deploy.ts * feat(openshift): container Build action, buildmode local-docker * chore: fix lint on openshift/build.ts * feat(openshift): in-cluster container Build using kaniko * chore(openshift): add openshift logo to example web page * chore(openshift): update demo-project readme
What this PR does / why we need it:
Enables the use of a container Build action on OpenShift, with both
local-docker
and in-clusterkaniko
builders.Which issue(s) this PR fixes:
Fixes #4625
Special notes for your reviewer:
Instructions contained in the readme.