Inject global OpenShift pull-secret for Konflux deployment mode #186
mclasmeier wants to merge 19 commits into
Co-authored-by: Moritz Clasmeier <mclasmeier@redhat.com>
Co-authored-by: Moritz Clasmeier <mclasmeier@redhat.com> Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Force-pushed from 8b06e58 to bca8987
Co-authored-by: Moritz Clasmeier <mclasmeier@redhat.com>
porridge left a comment:
@mclasmeier you say [REVIEW RELATIVE TO https://github.com/stackrox/roxie/commit/44be07b7d65bdd98ab8299e1d19916bc1697568a] but I cannot see this commit in the list...
Co-authored-by: Moritz Clasmeier <mclasmeier@redhat.com> Co-authored-by: Marcin Owsiany <porridge@redhat.com>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Moritz Clasmeier <mclasmeier@redhat.com>
Co-authored-by: Moritz Clasmeier <mclasmeier@redhat.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Fix test
Force-pushed from bca8987 to 446e42b
Updated commit in description!
porridge left a comment:
Are you aware that updating the global image pull secret requires a rolling restart of all nodes? Maybe it would be better to integrate with the image prefetcher for speed instead?
| d.kubeContext = env.GetCurrentContext() | ||
| // Created eagerly (not lazily on first use) because | ||
| // 1. we expect to make more extensive use of it |
So are we now going to migrate uses of kubectl into direct calls to kube API server from Go?
If not, where do we draw the line?
I think it's something to consider.
But I don't see any urgency in doing so.
For certain new use-cases, like my conflict handling in this PR, I think it makes sense to use client-go.
| // Created eagerly (not lazily on first use) because | ||
| // 1. we expect to make more extensive use of it | ||
| // 2. we need a working connection to the API server anyway. |
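Review bot: the second justification in this comment, "we need a working connection to the API server anyway", is broader than what the PR description supports: the client is only needed to patch openshift-config/pull-secret with conflict retries when deploying Konflux-built images on OpenShift, so other deployment modes have no such need. Suggest stating that concrete reason in the comment, and checking that a failure to build the eagerly created client surfaces as a clear error rather than breaking deployment modes that never touch the global pull secret.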
AFAICT we only need the connection in a very narrow case: downstream images on an OpenShift cluster, and only until https://redhat.atlassian.net/browse/RFE-1956 is shipped (already in dev preview in 4.21 judging by the comments there), so this comment seems like a stretch.
Well, that is currently exactly the use-case I am trying to wrap up. 🤷
I haven't been aware of this requirement for the nodes. I haven't run experiments with the image prefetcher as of now.
This PR is based on:
PR #184 (f9ce245)
When deploying Konflux-built images on OpenShift 4, the standard namespace-level pull secret mechanism doesn't work for CRI-O due to a known limitation. This PR works around this by injecting registry credentials for quay.io/rhacs-eng into OpenShift's global pull secret (openshift-config/pull-secret) before deployment. For reliable patching of an externally-owned resource we use a proper Kubernetes client, allowing for precise retry-in-conflict behavior.
Detailed changes:
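The conflict-aware patching the description refers to, as an added example that is not the PR's own code: a read-modify-write loop that merges a quay.io/rhacs-eng entry into an existing .dockerconfigjson payload while keeping every other registry's credentials, and retries when the resourceVersion it read has gone stale. secretStore, errConflict and the sample secret contents are constructed stand-ins for the API server object and for client-go's retry.RetryOnConflict / apierrors.IsConflict, which the real implementation would use.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// dockerConfig mirrors .dockerconfigjson: {"auths":{"<registry>":{"auth":"<base64 user:pass>"}}}.
type dockerConfig struct{ Auths map[string]map[string]string `json:"auths"` }

// mergeAuth adds or replaces one entry and keeps all others: the secret is shared cluster-wide.
func mergeAuth(existing []byte, registry, user, pass string) ([]byte, error) {
	cfg := dockerConfig{Auths: map[string]map[string]string{}} // stays non-nil if input has no auths
	if err := json.Unmarshal(existing, &cfg); err != nil {
		return nil, fmt.Errorf("parse pull secret: %w", err)
	}
	cfg.Auths[registry] = map[string]string{"auth": base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))}
	return json.Marshal(cfg)
}

var errConflict = errors.New("conflict: resourceVersion changed") // stands in for a 409 from the API server
// secretStore is a constructed stand-in for the API server's copy of openshift-config/pull-secret;
// if raceWith is set, a simulated concurrent client writes it just before our first update.
type secretStore struct{ rv int; data, raceWith []byte }
func (s *secretStore) update(rv int, data []byte) error {
	if s.raceWith != nil { // the other writer lands first, so the rv we read is now stale
		s.rv, s.data, s.raceWith = s.rv+1, s.raceWith, nil
	}
	if rv != s.rv {
		return errConflict
	}
	s.rv, s.data = s.rv+1, data
	return nil
}
// injectWithRetry is the read-modify-write loop (client-go's retry.RetryOnConflict): re-read and re-merge on conflict.
func injectWithRetry(s *secretStore, registry, user, pass string, maxAttempts int) (int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		rv, data := s.rv, s.data // read the object together with its resourceVersion
		merged, err := mergeAuth(data, registry, user, pass)
		if err == nil {
			err = s.update(rv, merged) // write conditioned on the rv we read
		}
		if err == nil || !errors.Is(err, errConflict) {
			return attempt, err // success, or a non-retryable error (bad JSON, non-conflict API error)
		}
	}
	return maxAttempts, fmt.Errorf("gave up after %d attempts", maxAttempts)
}
```

The point of re-merging after a conflict is that the other writer's entry survives; a blind overwrite with the first merged payload would silently drop it.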