MGMT-19708: Ignore mirrored registries when validating pull secrets #7193

Open
wants to merge 6 commits into
base: master

CrystalChun
Contributor

@CrystalChun CrystalChun commented Jan 15, 2025

When a mirror registry configuration is provided to assisted, we will assume that the registry does not require authentication. This is a better user experience so that the user will not have to provide credentials for a registry if a mirror registry will be used in its place.

I've broken up the commits so that the first commit is for mirror configuration in assisted (globally) and the following commits are for mirror configurations per cluster.

List all the issues related to this PR

  • New Feature
  • Enhancement
  • Bug fix
  • Tests
  • Documentation
  • CI/CD

What environments does this code impact?

  • Automation (CI, tools, etc)
  • Cloud
  • Operator Managed Deployments
  • None

How was this code tested?

  • assisted-test-infra environment
  • dev-scripts environment
  • Reviewer's test appreciated
  • Waiting for CI to do a full test run
  • Manual (Elaborate on how it was tested)
  • No tests needed

Checklist

  • Title and description added to both, commit and PR.
  • Relevant issues have been associated (see CONTRIBUTING guide)
  • This change does not require a documentation update (docstring, docs, README, etc)
  • Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

  • Are the title and description (in both PR and commit) meaningful and clear?
  • Is there a bug required (and linked) for this change?
  • Should this PR be backported?

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 15, 2025

openshift-ci-robot commented Jan 15, 2025

@CrystalChun: This pull request references MGMT-19708 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.19.0" version, but no target version was set.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 15, 2025

openshift-ci bot commented Jan 15, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jan 15, 2025

openshift-ci bot commented Jan 15, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CrystalChun

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 15, 2025
@openshift-ci openshift-ci bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 15, 2025
@CrystalChun
Contributor Author

/test ?


@CrystalChun
Contributor Author

/test edge-subsystem-kubeapi-aws

@CrystalChun CrystalChun force-pushed the no-auth-mirror branch 13 times, most recently from 19290db to 2810932 Compare January 17, 2025 00:08
@openshift-ci openshift-ci bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 17, 2025
@openshift-ci openshift-ci bot removed the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jan 17, 2025
@openshift-ci openshift-ci bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 17, 2025
@CrystalChun CrystalChun force-pushed the no-auth-mirror branch 2 times, most recently from 72bda3b to 6bb5c8d Compare January 17, 2025 22:58
@openshift-ci openshift-ci bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 17, 2025

When a mirror registry configuration is provided to assisted, we
will assume that the registry does not require authentication.
This will take any mirror registry that assisted is configured with
and will add it to the public registries list in the pull secret
validator. That way, any pull secret being validated will not
be required to have authentication credentials for the registry
since it's pulling from the mirror.
This is a better user experience so that the user will not have
to provide credentials for a registry if a mirror registry will
be used in its place.

This allows additional public registries to be specified
when validating pull secrets. One case is when a cluster has
a mirror registry configuration.

If a cluster or infra env has a mirror registry configuration,
we'll parse those to create a list of additional registries
that can be ignored when validating the pull secret.

Updates the installer and the pull secret validation mock files
for the new parameter.
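
The behaviour the commit messages above describe, as an added Go example that is not code from this PR or from assisted-service: registries covered by a mirror configuration are treated like public registries and skipped when a pull secret is checked for credentials. `MissingCredentials`, `validAuth`, `samplePullSecret` and the registry names are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: credentials for quay.io only ("dXNlcjpwYXNz" is base64 of "user:pass").
const samplePullSecret = `{"auths":{"quay.io":{"auth":"dXNlcjpwYXNz"}}}`

// pullSecret is the standard {"auths": {"<registry>": {"auth": "<base64>"}}} layout.
type pullSecret struct {
	Auths map[string]struct{ Auth string } `json:"auths"`
}

// validAuth reports whether auth decodes to a non-empty "user:password" pair.
func validAuth(auth string) bool {
	raw, err := base64.StdEncoding.DecodeString(auth)
	user, pass, ok := strings.Cut(string(raw), ":")
	return err == nil && ok && user != "" && pass != ""
}

// MissingCredentials (hypothetical helper) returns the required registries that have no
// usable entry in the pull secret, skipping every registry listed in ignored
// (public registries plus those replaced by a mirror).
func MissingCredentials(secretJSON string, required, ignored []string) ([]string, error) {
	var ps pullSecret
	if err := json.Unmarshal([]byte(secretJSON), &ps); err != nil {
		return nil, fmt.Errorf("invalid pull secret: %w", err)
	}
	skip := make(map[string]bool, len(ignored))
	for _, r := range ignored {
		skip[strings.ToLower(r)] = true
	}
	missing := []string{}
	for _, r := range required {
		if e, ok := ps.Auths[r]; !skip[strings.ToLower(r)] && (!ok || !validAuth(e.Auth)) {
			missing = append(missing, r)
		}
	}
	return missing, nil
}

func main() {
	req := []string{"quay.io", "registry.redhat.io"}
	fmt.Println(MissingCredentials(samplePullSecret, req, nil))
	fmt.Println(MissingCredentials(samplePullSecret, req, []string{"registry.redhat.io"}))
}
```

Skipping a mirrored source only removes it from the check. If the mirror itself requires credentials, this validation will not report that they are absent, which is the assumption the PR description states.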
@CrystalChun CrystalChun marked this pull request as ready for review January 17, 2025 23:22
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 17, 2025

codecov bot commented Jan 18, 2025

Codecov Report

Attention: Patch coverage is 67.24138% with 19 lines in your changes missing coverage. Please review.

Project coverage is 67.69%. Comparing base (d966ae9) to head (8d2866e).

Files with missing lines Patch % Lines
internal/bminventory/inventory.go 69.76% 5 Missing and 8 partials ⚠️
...rnal/cluster/validations/pull_secret_validation.go 57.14% 6 Missing ⚠️
@@            Coverage Diff             @@
##           master    #7193      +/-   ##
==========================================
- Coverage   67.70%   67.69%   -0.02%     
==========================================
  Files         296      296              
  Lines       40459    40497      +38     
==========================================
+ Hits        27394    27413      +19     
- Misses      10605    10617      +12     
- Partials     2460     2467       +7     
Files with missing lines Coverage Δ
...ernal/controller/controllers/pullsecret_handler.go 68.00% <100.00%> (ø)
...rnal/cluster/validations/pull_secret_validation.go 71.77% <57.14%> (-4.55%) ⬇️
internal/bminventory/inventory.go 71.73% <69.76%> (-0.10%) ⬇️

... and 2 files with indirect coverage changes


openshift-ci bot commented Jan 18, 2025

@CrystalChun: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/edge-e2e-ai-operator-disconnected-capi 8d2866e link false /test edge-e2e-ai-operator-disconnected-capi
ci/prow/edge-lint 8d2866e link true /test edge-lint

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.