feat(openshift): container Build action #4726
Conversation
| function isLocalHostname(hostname: string) { | ||
| return hostname === "localhost" || hostname.startsWith("127.") | ||
| } | ||
|
|
There was a problem hiding this comment.
This function name sounds way more generic than its actual use was, and it was used only in one place. Inlined to getManifestInspectArgs (with a descriptive comment) to avoid accidental wrong use in other places
| # FIXME: this config option is overloaded | ||
| # in different places, it is used for both force HTTP as well as skip TLS verify on HTTPS | ||
| insecure: true |
There was a problem hiding this comment.
See core/src/plugins/kubernetes/container/build/kaniko.ts
| _TODO: we should fix this properly by editing the `garden-util` image, and make this section obsolete_ | ||
|
|
||
| ```bash | ||
| oc login -u kubeadmin https://api.crc.testing:6443 | ||
| oc adm policy add-scc-to-user anyuid -z default --namespace demo-project | ||
| oc logout | ||
| oc login -u developer -p developer | ||
| ``` |
There was a problem hiding this comment.
Task for later: make the garden-util pod run happily in a more security-constrained context, and remove the need for this workaround / additional permissions.
| # FIXME: currently this is required, otherwise you get an ENOENT when calling | ||
| # containerHelpers.dockerCli({cwd: action.getBuildPath() ... }) | ||
| # because the .garden/build directory is not created | ||
| buildAtSource: true |
There was a problem hiding this comment.
When trying to do local-docker builds but having the deploymentRegistry set, various methods in our codebase threw ENOENT due to spawn attempting to use a cwd of .garden/build/buildname but nothing had created it in advance. Took a quick look into it but didn't find anything obvious, decided to move on with a workaround to prioritize getting something done.
| // TODO: if a registry does not have an image with the name at all, we throw here | ||
| // This isn't a great first-time-use experience (or after you've reset a registry) |
There was a problem hiding this comment.
A task for later. This isn't critical, as the process actually continues afterwards, happily building and pushing the first image, but it isn't the best first-use experience to see a large red error on your first build.
| // Allow insecure connections on local registry | ||
| if ( | ||
| hostname === "localhost" || | ||
| hostname.startsWith("127.") || | ||
| hostname === "default-route-openshift-image-registry.apps-crc.testing" | ||
| ) { |
There was a problem hiding this comment.
Fun fact: here insecure means e.g. allowing self-signed certs etc
| } | ||
|
|
||
| // TODO: do we support the garden-provided in-cluster registry anymore, or could this be deleted? | ||
| if (provider.config.deploymentRegistry?.insecure === true && !isOpenShiftLocal) { |
There was a problem hiding this comment.
Fun fact: here insecure is used to force kaniko to use HTTP instead of HTTPS.
But OpenShift requires HTTPS (the registry is only served over it, you'll just get 503 service unavailable on HTTP).
We should probably make the config flag a bit clearer.
There was a problem hiding this comment.
It looks like the in-cluster registry was removed in 67047e68.
There was a problem hiding this comment.
Another potential case here is if people are using kaniko build and some self-deployed registry over HTTP - but not sure if that's too far-fetched.
Maybe we can leave this code as it is to avoid breaking changes, and potentially clean up later?
There was a problem hiding this comment.
Yes, I think it's better to leave this code.
| import { getLocalBuildStatus, localBuild } from "../kubernetes/container/build/local" | ||
|
|
||
| export const openshiftContainerBuildExtension = (): BuildActionExtension<ContainerBuildAction> => ({ | ||
| name: "container", |
There was a problem hiding this comment.
Just a question. Does name here always equal the value of the corresponding action type?
There was a problem hiding this comment.
This is directly based on
garden/core/src/plugins/kubernetes/container/extensions.ts
Lines 40 to 42 in 47c8584
* chore(openshift): rename container.ts -> deploy.ts * feat(openshift): container Build action, buildmode local-docker * chore: fix lint on openshift/build.ts * feat(openshift): in-cluster container Build using kaniko * chore(openshift): add openshift logo to example web page * chore(openshift): update demo-project readme
What this PR does / why we need it:
Enables the use of a container Build action on OpenShift, with both
local-dockerand in-clusterkanikobuilders.Which issue(s) this PR fixes:
Fixes #4625
Special notes for your reviewer:
Instructions contained in the readme.