Don't require registry during reboot and upgrade #1483
Conversation
This patch adds an enhancement that describes the need to be able to boot and upgrade clusters without a registry server when all the required images have already been pulled. Related: https://issues.redhat.com/browse/OCPBUGS-13219 Related: openshift#1481 Related: openshift/cluster-network-operator#1803 Signed-off-by: Juan Hernandez <[email protected]>
| approvers: | ||
| - "@sdodson" | ||
| - "@zaneb" | ||
| - "@LalatenduMohanty" |
There was a problem hiding this comment.
as with the other EP, can we get this down to a single approver? the other two can be reviewers
There was a problem hiding this comment.
Yes, who should be that approver?
There was a problem hiding this comment.
well since you've got 3 candidates listed, i suggest you ask them who amongst them would like to take point and if none of them feel they are the right person hopefully they can make another suggestion.
There was a problem hiding this comment.
@sdodson @zaneb @LalatenduMohanty do you want to be the approver for this?
There was a problem hiding this comment.
I can not be approver for this enhancement as this does not need any changes in clusterversion object or cluster version operator.
There was a problem hiding this comment.
Having read through the EP am I correct in summarizing this as a CI testing effort only? We put in place CI jobs that ensure that e2e tests pass without any remote registry access and we're done?
Do we expect a future coordination EP between CVO and PinnedImageSet implementation that would allow something like the PinnedImageSet to assert that a given release's pullspec has been mirrored and then a webhook or pre-apply step could be added to the CVO to go check the PinnedImageSet for it to assert that all nodes have mirrored the desired content?
There was a problem hiding this comment.
Yes, this is mostly about testing in CI that we can reboot nodes and do upgrades without a registry server. Note that it is not about ensuring that existing end to end tests are able to run without a registry server, rather introducing new tests to verify these specific cases: reboot and upgrade. For example, we may have an end to end test that runs a workload with images that don't exist in the cluster yet. That will require a registry server to pull those images. We are not trying to address that.
Yes, once this and #1481 are accepted we will work on a new EP (based on the now closed #1432) that will introduce the orchestration of an upgrade without a registry server.
enhancements/update/dont-require-registry-during-boot-and-upgrade.md
Outdated
Show resolved
Hide resolved
enhancements/update/dont-require-registry-during-boot-and-upgrade.md
Outdated
Show resolved
Hide resolved
enhancements/update/dont-require-registry-during-boot-and-upgrade.md
Outdated
Show resolved
Hide resolved
enhancements/update/dont-require-registry-during-boot-and-upgrade.md
Outdated
Show resolved
Hide resolved
enhancements/update/dont-require-registry-during-boot-and-upgrade.md
Outdated
Show resolved
Hide resolved
enhancements/update/dont-require-registry-during-boot-and-upgrade.md
Outdated
Show resolved
Hide resolved
enhancements/update/dont-require-registry-during-boot-and-upgrade.md
Outdated
Show resolved
Hide resolved
This patch adds YAML comments explaining what is the reason to add specific reviewers. Signed-off-by: Juan Hernandez <[email protected]>
This patch removes the mention of the test to scan source code for the `Always` pull policy, as that would be hard to implement and unreliable for pods that are dynamically generated by operators. Signed-off-by: Juan Hernandez <[email protected]>
This patch adds a paragraph to the non-goals section to explicitly state that eliminating the requirement for a registry for other operations is a non-goal. Signed-off-by: Juan Hernandez <[email protected]>
jhernand
force-pushed
the
dont_require_registry_during_boot_and_upgrade
branch
from
3425309
to
c77ae4a
Compare
This patch adds a paragraph to the open questions section about image streams. Do they block upgrades if there is no registry server available? Signed-off-by: Juan Hernandez <[email protected]>
enhancements/update/dont-require-registry-during-boot-and-upgrade.md
Outdated
Show resolved
Hide resolved
enhancements/update/dont-require-registry-during-boot-and-upgrade.md
Outdated
Show resolved
Hide resolved
Signed-off-by: Juan Hernandez <[email protected]>
|
@bparees Thanks! I see Juan addressed the comments. |
that's up to approver(s) you listed in the EP |
This patch changes the document to use `reboot` instead of `boot` to make it clear that this is about reboots of existing nodes, not about initial boots of new nodes. Signed-off-by: Juan Hernandez <[email protected]>
jhernand
changed the title
| upgrades less fragile we should have a test that gates the OpenShift release and | ||
| that verifies that reboots of nodes and upgrades can be performed without a | ||
| registry server. One way to ensure this is to run in CI an admission hook that | ||
| rejects/warns about any spec that uses the `Always` pull policy. |
There was a problem hiding this comment.
It may be worth thinking about adding something to the test that blocks access to the registry till the update is done.
There was a problem hiding this comment.
Yeah that was the only way I could think of to test this. Blackhole registry.access.rdhat.com registry.redhat.io and quay.io after images are pinned to all nodes, rolling restart of all nodes or upgrade.
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sdodson The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@jhernand: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This patch adds an enhancement that describes the need to be able to boot and upgrade clusters without a registry server when all the required images have already been pulled.
Related: https://issues.redhat.com/browse/OCPBUGS-13219
Related: #1481
Related: openshift/cluster-network-operator#1803