Inject global OpenShift pull-secret for Konflux deployment mode #186
mclasmeier wants to merge 7 commits into
8b06e58 to bca8987
porridge left a comment
@mclasmeier you say [REVIEW RELATIVE TO https://github.com/stackrox/roxie/commit/44be07b7d65bdd98ab8299e1d19916bc1697568a] but I cannot see this commit in the list...
bca8987 to 446e42b
Updated commit in description!
porridge left a comment
Are you aware that updating the global image pull secret requires a rolling restart of all nodes? Maybe it would be better to integrate with the image prefetcher for speed instead?
| d.kubeContext = env.GetCurrentContext() | ||
|
|
||
| // Created eagerly (not lazily on first use) because | ||
| // 1. we expect to make more extensive use of it |
So are we now going to migrate uses of kubectl into direct calls to kube API server from Go?
If not, where do we draw the line?
There was a problem hiding this comment.
I think it's something to consider.
But I don't see any urgency in doing so.
For certain new use-cases, like my conflict handling in this PR, I think it makes sense to use client-go.
|
|
||
| // Created eagerly (not lazily on first use) because | ||
| // 1. we expect to make more extensive use of it | ||
| // 2. we need a working connection to the API server anyway. |
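Review bot: reason 1 in the comment above ("we expect to make more extensive use of it") describes a plan rather than something the code does today, so it will go stale; drop it or point at the concrete caller that needs the object now. Since creation is eager rather than on first use, the comment should also state how a creation failure is handled for runs that would never have used it.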
AFAICT we only need the connection in a very narrow case: downstream images on an OpenShift cluster, and only until https://redhat.atlassian.net/browse/RFE-1956 is shipped (already in dev preview in 4.21 judging by the comments there), so this comment seems like a stretch.
There was a problem hiding this comment.
Well, that is currently exactly the use-case I am trying to wrap up. 🤷
I haven't been aware of this requirement for the nodes. I haven't run experiments with the image prefetcher as of now.
446e42b to 0974da6
rebased on current main.
When deploying Konflux-built images on OpenShift 4, the standard namespace-level pull secret mechanism doesn't work for CRI-O due to a known limitation. This PR works around this by injecting registry credentials for quay.io/rhacs-eng into OpenShift's global pull secret (openshift-config/pull-secret) before deployment.
For reliable patching of an externally-owned resource we use a proper Kubernetes client, allowing for precise retry-in-conflict behavior.
Detailed changes:
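An added example, not code from this PR or from roxie: the merge-and-retry-on-conflict pattern the description refers to, in standard-library Go. The names `secret`, `errConflict`, `mergeAuth` and `patch` are hypothetical, and the in-memory `secret` is an assumed stand-in for the API server's resourceVersion check, not client-go.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
)

// errConflict stands in for the API server's 409 Conflict on a stale resourceVersion.
var errConflict = errors.New("conflict")

// secret is a constructed in-memory stand-in for openshift-config/pull-secret.
type secret struct {
	version int    // plays the role of metadata.resourceVersion
	data    []byte // the .dockerconfigjson payload
}

func (s *secret) update(version int, data []byte) error {
	if version != s.version {
		return errConflict
	}
	s.version, s.data = s.version+1, data
	return nil
}

// mergeAuth sets one registry entry, keeps all others, and refuses a payload with no "auths" object.
func mergeAuth(cfg []byte, registry, user, pass string) ([]byte, error) {
	var doc map[string]map[string]any
	if err := json.Unmarshal(cfg, &doc); err != nil {
		return nil, err
	}
	if doc["auths"] == nil {
		return nil, errors.New(`pull secret has no "auths" object`)
	}
	token := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
	doc["auths"][registry] = map[string]string{"auth": token}
	return json.Marshal(doc)
}

// patch re-reads and re-applies mutate after each conflict, so another writer's change survives.
func patch(s *secret, attempts int, mutate func([]byte) ([]byte, error)) error {
	for ; attempts > 0; attempts-- {
		version := s.version
		if next, err := mutate(s.data); err != nil {
			return err
		} else if err = s.update(version, next); err != errConflict {
			return err
		}
	}
	return errConflict
}
```

A caller passes `mergeAuth` as the mutation, for example `patch(s, 3, func(c []byte) ([]byte, error) { return mergeAuth(c, "quay.io/rhacs-eng", user, pass) })`.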