Installer images use sha256 #2967
Conversation
bennerv
requested review from
jewzaam,
hawkowl,
rogbas,
petrkotas,
jharrington22,
cblecker,
facchettos,
cadenmarchese,
UlrichSchlueter,
s-amann,
SudoBrendan and
ellis-johnson
as code owners
| @@ -31,11 +31,19 @@ func getLatestOCPVersions(ctx context.Context, log *logrus.Entry) ([]api.OpenShi | |||
| ocpVersions := []api.OpenShiftVersion{} | |||
|
|
|||
| for _, vers := range version.HiveInstallStreams { | |||
| installerPullSpec := fmt.Sprintf("%s/aro-installer:%s", dstRepo, vers.Version.MinorVersion()) | |||
There was a problem hiding this comment.
Initially, I was planning that this would come from RP-Config (so that we can update the versions w/o a new code artifact). Should we do that instead, or after this PR?
There was a problem hiding this comment.
Good idea. I think it makes sense to do this after to get the installer AAD migration changes in first.
mbarnes
force-pushed
the
installer-images-use-sha256
branch
from
e52a714
to
3817007
Compare
mbarnes
force-pushed
the
installer-images-use-sha256
branch
from
3817007
to
9e5b413
Compare
bennerv
force-pushed
the
installer-images-use-sha256
branch
from
b0a6ecd
to
1d66f54
Compare
The CosmosDB "OpenShiftVersions" container in all environments is now primed with supported OCP versions. RP no longer needs to hard code a default in enabledOcpVersions.
bennerv
force-pushed
the
installer-images-use-sha256
branch
from
3402a4d
to
099ecc5
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| cli := &http.Client{ | ||
| Transport: &http.Transport{ | ||
| TLSClientConfig: &tls.Config{ | ||
| InsecureSkipVerify: true, |
Check failure
Code scanning / CodeQL
Disabled TLS certificate check
bennerv
force-pushed
the
installer-images-use-sha256
branch
from
099ecc5
to
6580b43
Compare
|
Verified Hive is using a SHA-based installer image for the default image after deploying this PR to our INT environment.
|
| // add the default OCP version as we require it as an install target | ||
| // if this is removed, we need to also update the logic in | ||
| // pkg/frontend/frontend.go, pkg/frontend/validate.go | ||
| defaultVersion := &api.OpenShiftVersion{ |
There was a problem hiding this comment.
do we need to double check we have versions in all regions?
There was a problem hiding this comment.
That's my only concern with this change. Essentially if we don't have any version within a region no clusters will successfully install with this change.
If we don't have a version though, both the frontend and backend should return that the version doesn't exist, which I think is okay because it should pop up on our cluster install failure dashboard and we can catch it.
Additionally, e2e will fail to run.
| @@ -205,13 +205,12 @@ func validateAdminMasterVMSize(vmSize string) error { | |||
| func (f *frontend) validateInstallVersion(ctx context.Context, doc *api.OpenShiftCluster) error { | |||
| // If this request is from an older API or the user never specified | |||
| // the version to install we default to the DefaultInstallStream.Version | |||
| // TODO: We should set default version in cosmosdb instead of hardcoding it in golang code | |||
There was a problem hiding this comment.
is this TODO already in JIRA?
There was a problem hiding this comment.
no i need to create it.
Which issue this PR addresses:
Fixes https://issues.redhat.com/browse/ARO-3276
What this PR does / why we need it:
Allows us to push installer images without having them affect the entire fleet at once and in an inconsistent manner.
Right now here's how it happens:
IfNotPresentour e2e will be inconsistent after an installer image push, and there's no guarantee around which image is used and when only the newer images are used.
Test plan for issue:
update_ocp_versionsIs there any documentation that needs to be updated for this
Yes. TBD
High level:
There's some docs needed on how to pull the imagedigest for a new image.