[WIP] (proposal) Make bundle accessible to a cluster #1054
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
added
the
size/M
| └── annotations.yaml | ||
|
|
||
| $ cat /annotations.yaml | ||
| annotations: |
There was a problem hiding this comment.
I'm thinking that we don't need this line. More importantly, I think the below lines should be in the format of <key>="value" to mirror how annotations are projected to the filesystem.
There was a problem hiding this comment.
We discussed this will remain in yaml format to allow extending with additional sections later on.
There was a problem hiding this comment.
to allow extending with additional sections later on.
Could you elaborate what you mean by this?
There was a problem hiding this comment.
What I was led to believe is another section like:
annotations:
key: value
moredata:
...
But I don't understand how that makes sense in the context of a file called "annotations.yaml".
| └── annotations.yaml | ||
|
|
||
| $ cat /annotations.yaml | ||
| annotations: |
There was a problem hiding this comment.
to allow extending with additional sections later on.
Could you elaborate what you mean by this?
openshift-ci-robot
added
size/L
|
|
||
| ## Serving the bundle data | ||
|
|
||
| New code will be made in operator-registry to provide functionality for traversing the directies of the bundle image for writing to a configmap (example above is "operator-registry serve"), the format for which is discussed in more detail below. The configmap will also use a generated name to avoid collisions and will be labeled to match the requested bundle image. It will be the responsibility of the caller to 1) launch the job, 2) watch for the target configmap to be created 3) to delete the job (until ttlSecondsAfterFinished is available) 4) delete the configmap after reading. |
There was a problem hiding this comment.
Alternatively, instead of generating a name for the configmap, could use a sanitized version of the bundle image name and use that (can't use colons, but maybe that's the only unacceptable character. also 253 character limit might be worth worrying about). Either way, I don't think specifying the name of the configmap by the caller is the correct approach.
There was a problem hiding this comment.
Hrm, labels are actually restricted to 63 characters. Docker registry names are limited to 256 characters. And quay names seem to be even potentially longer (https://coreos.com/quay-enterprise/releases/#2.0.4).
There was a problem hiding this comment.
You could always create a shortened hash of the fully qualified image name -- that would help you meet both the length and character-set restrictions.
There was a problem hiding this comment.
That's a good idea, however, I pivoted a little bit.
I ended up retracting my original aversion to specifying a configmap, at least within the bundle image. Rather than worrying about character limits I ended up putting the configmap creation code in the "launch" function, so that the caller doesn't have to worry about configmap naming. I'll update the proposal here shortly that hopefully fully clarifies the new/final direction.
| spec: | ||
| containers: | ||
| - name: bundle-image | ||
| image: &image bundle-image |
There was a problem hiding this comment.
Were you wanting a more realistic pull spec? It's what I used for testing since I was using local images.
| command: ['/injected/operator-registry', 'serve'] | ||
| env: | ||
| - name: CONTAINER_IMAGE | ||
| value: *image |
There was a problem hiding this comment.
This also seems like an odd example
There was a problem hiding this comment.
I thought it was a clever usage of repeated nodes, but the implementation won't use this.
| command: ['/bin/cp', '/operator-registry', '/copy-dest'] | ||
| volumeMounts: | ||
| - name: copydir | ||
| mountPath: /copy-dest |
There was a problem hiding this comment.
is there a reason to do this instead of, say, /bin?
There was a problem hiding this comment.
It reduces the likelihood of conflicts.
| ``` | ||
|
|
||
| Notes: | ||
| * The resource file name needs to be manipulated if it contains special characters. |
There was a problem hiding this comment.
What if we made restrictions on the bundle format side?
There was a problem hiding this comment.
That would be nice, but given that we aren't actually remounting the configmap data (yet) I think handling the translation instead of just failing is best. What do you think?
|
|
||
| ## Serving the bundle data | ||
|
|
||
| New code will be made in operator-registry to provide functionality for traversing the directies of the bundle image for writing to a configmap (example above is "operator-registry serve"), the format for which is discussed in more detail below. The configmap will also use a generated name to avoid collisions and will be labeled to match the requested bundle image. It will be the responsibility of the caller to 1) launch the job, 2) watch for the target configmap to be created 3) to delete the job (until ttlSecondsAfterFinished is available) 4) delete the configmap after reading. |
There was a problem hiding this comment.
You could always create a shortened hash of the fully qualified image name -- that would help you meet both the length and character-set restrictions.
|
|
||
| ## Serving the bundle data | ||
|
|
||
| New code will be made in operator-registry to provide functionality for traversing the directies of the bundle image for writing to a configmap (example above is "operator-registry serve"), the format for which is discussed in more detail below. The configmap will also use a generated name to avoid collisions and will be labeled to match the requested bundle image. It will be the responsibility of the caller to 1) launch the job, 2) watch for the target configmap to be created 3) to delete the job (until ttlSecondsAfterFinished is available) 4) delete the configmap after reading. |
There was a problem hiding this comment.
- to delete the job (until ttlSecondsAfterFinished is available)
Is there any reason the caller can't just delete the job when it reaches Completed? Why wait?
- delete the configmap after reading.
I think we want to keep the ConfigMap around as an on-cluster cache.
There was a problem hiding this comment.
I think (3) is:
- the caller will be responsible for deleting the job
- when ttlSecondsAfterfinished is available, the caller will no longer be required to delete the job.
There was a problem hiding this comment.
Yeah, I was referring to the ttlSecondAfterFinished feature being non-alpha. I've tried to rewrite the proposal in such a way that makes it clear that deletion is up to the caller.
| operators.coreos.com.bundle.resources: "manifests+metadata" | ||
| operators.coreos.com.bundle.mediatype: "registry+v1" | ||
| data: | ||
| testbackup.crd.yaml: content of testbackup.crd.yaml |
There was a problem hiding this comment.
I think we should shard files across multiple ConfigMaps to avoid hitting the resource size limit (RSL). A simple strategy we could use is to generate a ConfigMap per file (assume |single file| < RSL - |metadata+kind+etc...|).
There was a problem hiding this comment.
Interesting idea. At a minimum the data usage should be checked. If this is a huge concern though, should configmaps even be used for storing the data?
| * The consumer of the `ConfigMap` does not use the key name in `Data` section to identify the type of resource. It should inspect the content. | ||
| * The consumer will iterate through the `Data` section and and add each resource to the bundle. | ||
| * The annotations from the `annotations.yaml` file is copied to `metadata.annotations` to the `ConfigMap`. | ||
| * The `ConfigMap` may have a resource that contains a `PackageManifest` resource. The consumer needs to handle this properly. |
There was a problem hiding this comment.
Can you elaborate on this for me? When does this happen and is it something consumers would trip on?
There was a problem hiding this comment.
Consumers being OLM applying the manifests to a cluster?
fixes a few syntax errors too
|
@tkashem: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| // Data contains the configuration data. | ||
| // Each key must consist of alphanumeric characters, '-', '_' or '.'. | ||
| // Values with non-UTF-8 byte sequences must use the BinaryData field. | ||
| // The keys stored in Data must not overlap with the keys in | ||
| // the BinaryData field, this is enforced during validation process. | ||
| // +optional |
There was a problem hiding this comment.
We could use a validation webhook to do this.
|
/lgtm We may make some minor changes to this over time (esp. w.r.t. sharding) but I think this proposal is good to go, and we should merge it. Doc-only, merging without tests. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ecordell, tkashem The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
Make bundle accessible to a cluster