Commit

feat: deprecate Openshift specific features
* S2I, use Jib instead
* Route, use Ingress instead

Likely to be supported until a new major release.

Closes #5771
squakez committed Dec 3, 2024
1 parent f96f01a commit bc7c2dd
Showing 38 changed files with 250 additions and 126 deletions.
6 changes: 3 additions & 3 deletions addons/master/master_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ func TestMasterOn(t *testing.T) {
Spec: v1.IntegrationPlatformSpec{
Cluster: v1.IntegrationPlatformClusterOpenShift,
Build: v1.IntegrationPlatformBuildSpec{
PublishStrategy: v1.IntegrationPlatformBuildPublishStrategyS2I,
PublishStrategy: v1.IntegrationPlatformBuildPublishStrategyJib,
Registry: v1.RegistrySpec{Address: "registry"},
RuntimeVersion: catalog.Runtime.Version,
},
Expand Down Expand Up @@ -161,7 +161,7 @@ func TestMasterOff(t *testing.T) {
Spec: v1.IntegrationPlatformSpec{
Cluster: v1.IntegrationPlatformClusterOpenShift,
Build: v1.IntegrationPlatformBuildSpec{
PublishStrategy: v1.IntegrationPlatformBuildPublishStrategyS2I,
PublishStrategy: v1.IntegrationPlatformBuildPublishStrategyJib,
Registry: v1.RegistrySpec{Address: "registry"},
RuntimeVersion: catalog.Runtime.Version,
},
Expand Down Expand Up @@ -223,7 +223,7 @@ func TestMasterAuto(t *testing.T) {
Spec: v1.IntegrationPlatformSpec{
Cluster: v1.IntegrationPlatformClusterOpenShift,
Build: v1.IntegrationPlatformBuildSpec{
PublishStrategy: v1.IntegrationPlatformBuildPublishStrategyS2I,
PublishStrategy: v1.IntegrationPlatformBuildPublishStrategyJib,
Registry: v1.RegistrySpec{Address: "registry"},
RuntimeVersion: catalog.Runtime.Version,
},
Expand Down
2 changes: 0 additions & 2 deletions docs/modules/ROOT/pages/contributing/developers.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -227,8 +227,6 @@ When configuring the IDE task, make sure to add all required environment variabl

After you set up the IDE task, with Java 11+ to be used by default, you can run and debug the operator process.

NOTE: The operator can be fully debugged in CRC, because it uses OpenShift S2I binary builds under the hood.

[[publishing]]
== Building Metadata for Publishing the Operator in Operator Hub

Expand Down
21 changes: 19 additions & 2 deletions docs/modules/ROOT/pages/contributing/local-development.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,6 @@ This command will build and publish your actual Camel K development version to t
----
make install-k8s-global (default in camel-k namespace)
make install-k8s-ns (default in default namespace)
make install-openshift-global (default in camel-k namespace)
make install-openshift-ns (default in default namespace)
----

Those targets may use two variables, `NAMESPACE` and `REGISTRY` in order to let you specify the namespace where to install the operator and the container registry to use. For instance:
Expand All @@ -45,6 +43,25 @@ Will install a global operator in the `test` namespace with the registry located

In order to uninstall the local operator you can also run `make uninstall` (will keep CRDs) and `make uninstall-all` (will remove CRDs and consequently any running Integration). You can use variable `NAMESPACE` as well if the operator was installed in a namespace different than default.

=== CRC special requirement

You may need to test the operator on CRC. In such case you can login to the Openshift registry accessing its local interface:

```
docker login -u kubeadmin -p $(oc whoami -t) default-route-openshift-image-registry.apps-crc.testing
```

At this stage you will need to hack a little bit in order to be able to push the operator image to the registry:
```
CUSTOM_IMAGE=default-route-openshift-image-registry.apps-crc.testing/camel-k/camel-k make bundle
NOTEST=true CUSTOM_IMAGE=default-route-openshift-image-registry.apps-crc.testing/camel-k/camel-k make images
docker push default-route-openshift-image-registry.apps-crc.testing/camel-k/camel-k:2.6.0-SNAPSHOT
```

With the steps above you should have available a local operator into CRC and proceed normally with the `make install-k8s-global` procedure.

NOTE: you will need to configure the IntegrationPlatform and the registry as required for Openshift and the operator Deployment may fail due to high amount of resources limit (which you can remove to let the operator start).

[[local-camel-k-runtime]]
=== Local Camel K runtime
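
Review bot: In the new "CRC special requirement" section, `docker login -u kubeadmin -p $(oc whoami -t) ...` passes the session token as a command-line argument, where it is visible in the process list and triggers docker's own warning about `-p`. Suggest piping it instead: `oc whoami -t | docker login -u kubeadmin --password-stdin default-route-openshift-image-registry.apps-crc.testing`. Two smaller points in the same section: the command blocks use Markdown-style backtick fences while the rest of this file uses AsciiDoc `----` listings, and the push line hardcodes the tag `2.6.0-SNAPSHOT`, which will be stale after the next version bump.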

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,8 @@ The most relevant are the `resource` and `limit` parameters which can be used to

The publish strategy is used to control the behavior of the creation of the container after a build. Basically it create a container image from the application built in the previous step and store as a container in the xref:installation/registry/registry.adoc[registry] configured.

The operator has 2 different strategy which you can adopt: Jib (default in plain Kubernetes profile) and S2I (default in Openshift profile).
The operator has one unique strategy which you can adopt: Jib. Alternatively you can provide your own publishing strategy (although this is not recommended).

https://cloud.google.com/java/getting-started/jib[Jib] is a technology that transform a Java project into a container image and is configurable directly in Maven.

https://access.redhat.com/documentation/es-es/openshift_container_platform/4.2/html/builds/understanding-image-builds#build-strategy-s2i_understanding-image-builds[S2I] is an efficient technology integrated in Openshift, reason why it is enabled by default in such a profile.

NOTE: you may define your own publishing technology by using xref:pipeline/pipeline.adoc[pipelines].
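
Review bot: The rewritten sentence "The operator has one unique strategy which you can adopt: Jib" drops S2I from the documentation entirely, while the commit message says the feature is deprecated and likely to be supported until a new major release. Users still running S2I would be better served by a short deprecation note that names the replacement than by silence. The same sentence also calls a custom publishing strategy "not recommended", yet the closing NOTE still points readers to pipelines for exactly that, so the two statements should be reconciled.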
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ In some cases, you might already have a push/pull secret for your container regi

[source,bash]
----
kubectl create secret docker-registry your-secret-name --docker-username your-user --docker-password your-pass
kubectl create secret docker-registry registry --docker-server <my-server> --docker-username <my-user> --docker-password <my-password>
----

Another possibility is to upload to the cluster your entire list of push/pull secrets:
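
Review bot: The updated example still passes the credential inline with `--docker-password <my-password>`, which leaves the registry password in shell history and in the process list on a shared host. Consider showing the `--from-file=.dockerconfigjson=<path>` form of `kubectl create secret docker-registry`, or at least reading the password from a variable that is not typed on the command line. The secret name also changes from a placeholder to the literal `registry`, while the YAML further down still refers to `<my-secret-credentials>`, so one naming should be used in both places.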
Expand All @@ -34,8 +34,8 @@ spec:
build:
registry:
address: <my-registry-address>
organization: <my-organization>
organization: <my-organization> (optional)
secret: <my-secret-credentials>
----

NOTE: make sure any credential contains the valid authentication servers: `docker.io` is used by **Jib**. Other publishing strategies may instead require to use a different endpoint, ie, `https://index.docker.io/v1/`.
NOTE: make sure any credential contains the valid authentication servers: for instance, `docker.io` is used by **Jib**.
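
Review bot: `organization: <my-organization> (optional)` sits inside a YAML listing, so a reader who copies the block gets ` (optional)` as part of the value. A YAML comment (`# optional`) keeps the hint without changing the value. The reworded NOTE also drops the previous hint that other publishing strategies may need `https://index.docker.io/v1/` as the server; since S2I is only deprecated by this commit, that hint is still useful to anyone debugging an authentication failure on the old strategy.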
26 changes: 22 additions & 4 deletions docs/modules/ROOT/pages/installation/registry/registry.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,26 @@ The Camel K operator is in charge to build a Camel application and to "container

For the reason above it's important that you provide a container registry which is accessible from both the operator Pod and the cluster internal mechanisms. However, a **default registry** is present in certain platforms such as _Minikube_, _Openshift_ or _Docker Desktop_.

For any other platform that do not provide a default container registry, then, a registry must be provided accordingly.
For any other platform that do not provide a default container registry, then, a container registry must be provided accordingly.

[[how-to-configure]]
== How to configure Camel K container registry

When running a production grade installation, you'll be probably using a private container registry which is accessible via authenticated method. The secret is something that will be https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret[included at deployment time] as `imagePullSecret` configuration.

As each registry may have a slightly different way of securing the access you can use the generic guidelines provided in xref:installation/registry/registry-secret.adoc[Secret registry configuration] and adjust accordingly. We expect that at the end of the process you have a public address (1) an _organization_ (2) and a _secret_ (3) values that will be used to configure the registry.
[[kubernetes-secret]]
=== Create a secret for your registry

The easiest way to create a Secret is to leverage the `kubectl` CLI:

[source,bash]
----
kubectl create secret docker-registry registry --docker-server <my-registry-address> --docker-username <my-user> --docker-password <my-password>
----

NOTE: you must include `--docker-server docker.io` value also if you're using Docker Hub. The default value provided by `kubectl` won't.

As each registry may have a slightly different way of securing the access you can use the generic guidelines provided in and adjust accordingly (more information in the xref:installation/registry/registry-secret.adoc[Secret registry configuration] guide). We expect that at the end of the process you have a public address (1) an _organization_ (2) (optional, see details below) and a _secret_ (3) values that will be used to configure the registry.

You will need to create or edit any existing `IntegrationPlatform` custom resource with the values as expected in the `.spec.build.registry`.
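
Review bot: Two sentences in this hunk are broken. "you can use the generic guidelines provided in and adjust accordingly" has lost the object of "in" when the xref was moved into the parenthesis, and the NOTE ending "The default value provided by `kubectl` won't." never says what it won't do. The second one matters for correctness, since it is the only explanation of why `--docker-server docker.io` must be set explicitly, so please spell out which server value `kubectl` writes by default and why Jib does not match it. The `kubectl create secret` command is now duplicated between this page and registry-secret.adoc; keeping it in one place and linking to it would avoid the two copies drifting.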

Expand All @@ -31,13 +43,18 @@ spec:
build:
registry:
address: <my-registry-address>
organization: <my-organization>
organization: <my-organization> (optional)
secret: <my-secret-credentials>
----

The changes will be immediately reconciled and the operator will be able to push and pull resources in a secure manner.

[[configuring-registry]]
[[organization]]
=== Role of the organization parameter

The `organization` parameter is optional. When it's missing, the operator will use the namespace name to create an image within such organization name. When you're using an container registry you may be limited to store image in a given organization only. In this case, you must provide the name of such `organization` with this option.

[[requirements]]
== Container registry requirements
Each platform may have its default registry of choice. And each container registry may have a slight different configuration. Please, be aware that we won't be able to support all the available solutions.

Expand All @@ -57,6 +74,7 @@ We have some hints that can help you configuring on the most common platforms:
- xref:installation/registry/special/icr.adoc[IBM Container Registry]
- xref:installation/registry/special/kind.adoc[Kind]
- xref:installation/registry/special/minikube.adoc[Minikube]
- xref:installation/registry/special/openshift.adoc[Openshift]

[[configuring-registry-run-it-yours]]
== Run your own container registry
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
= Configuring Openshift registry

Openshift has an embedded container registry you can use to store the images produced by Camel K build process. The full details required to provide access to the registry are available in the https://docs.openshift.com/container-platform/4.17/registry/accessing-the-registry.html[Openshift registry documentation].

NOTE: before version 2.6, Camel K used S2I as a default publishing strategy against the embedded registry. Any upgrade from S2I to Jib should work out of the box.

== Service Account secret credentials

The first thing you need to do is to create an access token for the service account you want to use to pull/push images from the registry. We suggest to use the `camel-k-builder` Service Account which was created during the installation procedure and is normally used to perform "building" operations.

```bash
oc serviceaccounts new-token camel-k-builder -n camel-k
eyJhb[...]Uhz0
```

WARNING: treat the token with the due level of confidentiality.

You will need to use this token to create a secret:
```bash
oc create secret docker-registry ocp-registry --docker-server image-registry.openshift-image-registry.svc:5000 --docker-username camel-k-builder --docker-password eyJhb[...]Uhz0 -n camel-k
```

NOTE: `image-registry.openshift-image-registry.svc:5000` is the default internal route exposed by Openshift. You may need to use an alternative route according to the configuration of your cluster.

== Service account pull and push permissions

Before being able to pull and push containers images to the registry, you need to provide the proper privileges to access:

```bash
oc policy add-role-to-user registry-viewer -z camel-k-builder -n camel-k
oc policy add-role-to-user registry-editor -z camel-k-builder -n camel-k
```

NOTE: `-z` identifies a Service Account.

== Configure the IntegrationPlatform

Now you should have all the authorizations required to pull and push containers to the image registry. In order to do that you will need to provide the Secret created above into your IntegrationPlatform configuration:

[source,yaml]
----
apiVersion: camel.apache.org/v1
kind: IntegrationPlatform
metadata:
name: camel-k
namespace: camel-k
spec:
build:
registry:
address: image-registry.openshift-image-registry.svc:5000
secret: ocp-registry
----

NOTE: make sure to use the same address provided in the secret above.
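
Review bot: In "Service account pull and push permissions" the page grants both `registry-viewer` and `registry-editor` to `camel-k-builder`; please confirm that the viewer role is still required once editor is granted and document only the minimum set, since this account's token ends up stored in the `ocp-registry` secret. In "Service Account secret credentials" the token is pasted into `--docker-password eyJhb[...]Uhz0`, which leaves it in shell history. Capturing the output of `oc serviceaccounts new-token` in a variable and referencing that would avoid it, and the section should state whether the token expires and how to refresh the secret when it does. The shell listings use Markdown-style backtick fences while the YAML at the end uses `[source,yaml]` with `----`, so the file should settle on the AsciiDoc form.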
9 changes: 6 additions & 3 deletions docs/modules/ROOT/partials/apis/camel-k-crds.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -5696,30 +5696,31 @@ a PackageTask, used to package the project
a BuildahTask, for Buildah strategy
Deprecated: use jib, s2i or a custom publishing strategy instead
Deprecated: use jib or a custom publishing strategy instead
|`kaniko` +
*xref:#_camel_apache_org_v1_KanikoTask[KanikoTask]*
|
a KanikoTask, for Kaniko strategy
Deprecated: use jib, s2i or a custom publishing strategy instead
Deprecated: use jib or a custom publishing strategy instead
|`spectrum` +
*xref:#_camel_apache_org_v1_SpectrumTask[SpectrumTask]*
|
a SpectrumTask, for Spectrum strategy
Deprecated: use jib, s2i or a custom publishing strategy instead
Deprecated: use jib or a custom publishing strategy instead
|`s2i` +
*xref:#_camel_apache_org_v1_S2iTask[S2iTask]*
|
a S2iTask, for S2I strategy
Deprecated: use jib or a custom publishing strategy instead
|`jib` +
*xref:#_camel_apache_org_v1_JibTask[JibTask]*
Expand Down Expand Up @@ -8525,6 +8526,8 @@ as a Maven repository.
* <<#_camel_apache_org_v1_Traits, Traits>>
WARNING: The Route trait is **deprecated** and will removed in future release versions: use Ingress trait istead.
The Route trait can be used to configure the creation of OpenShift routes for the integration.
The certificate and key contents may be sourced either from the local filesystem or in a OpenShift `secret` object.
Expand Down
4 changes: 4 additions & 0 deletions docs/modules/traits/pages/route.adoc
Original file line number Diff line number Diff line change
@@ -1,8 +1,12 @@
= Route Trait

// Start of autogenerated code - DO NOT EDIT! (badges)
[.badges]
[.badge-key]##Deprecated since##[.badge-unsupported]##2.6.0##
// End of autogenerated code - DO NOT EDIT! (badges)
// Start of autogenerated code - DO NOT EDIT! (description)
WARNING: The Route trait is **deprecated** and will removed in future release versions: use Ingress trait istead.

The Route trait can be used to configure the creation of OpenShift routes for the integration.

The certificate and key contents may be sourced either from the local filesystem or in a OpenShift `secret` object.
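
Review bot: The new WARNING line reads "will removed in future release versions: use Ingress trait istead", which should be "will be removed" and "instead". This block is marked as autogenerated, and the same sentence appears in camel-k-crds.adoc, so the fix belongs in the source comment of the Route trait, followed by regenerating both files.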
Expand Down
2 changes: 1 addition & 1 deletion e2e/install/helm/setup_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ import (
func TestHelmInstallation(t *testing.T) {
WithNewTestNamespace(t, func(ctx context.Context, g *WithT, ns string) {
containerRegistry, ok := os.LookupEnv("KAMEL_INSTALL_REGISTRY")
g.Expect(ok).To(BeTrue())
g.Expect(ok).To(BeTrue(), "This test requires setting KAMEL_INSTALL_REGISTRY variable.")
// Let's make sure no CRD is yet available in the cluster
// as we must make the procedure to install them accordingly
g.Eventually(CRDs(t)).Should(BeNil(), "No Camel K CRDs should be previously installed for this test")
Expand Down
10 changes: 6 additions & 4 deletions helm/camel-k/crds/camel-k-crds.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ spec:
buildah:
description: |-
a BuildahTask, for Buildah strategy
Deprecated: use jib, s2i or a custom publishing strategy instead
Deprecated: use jib or a custom publishing strategy instead
properties:
baseImage:
description: base image layer
Expand Down Expand Up @@ -1071,7 +1071,7 @@ spec:
kaniko:
description: |-
a KanikoTask, for Kaniko strategy
Deprecated: use jib, s2i or a custom publishing strategy instead
Deprecated: use jib or a custom publishing strategy instead
properties:
baseImage:
description: base image layer
Expand Down Expand Up @@ -1798,7 +1798,9 @@ spec:
type: array
type: object
s2i:
description: a S2iTask, for S2I strategy
description: |-
a S2iTask, for S2I strategy
Deprecated: use jib or a custom publishing strategy instead
properties:
baseImage:
description: base image layer
Expand Down Expand Up @@ -1901,7 +1903,7 @@ spec:
spectrum:
description: |-
a SpectrumTask, for Spectrum strategy
Deprecated: use jib, s2i or a custom publishing strategy instead
Deprecated: use jib or a custom publishing strategy instead
properties:
baseImage:
description: base image layer
Expand Down
2 changes: 1 addition & 1 deletion helm/camel-k/templates/NOTES.txt
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Thanks for installing Camel K version {{ .Chart.Version }}!

{{- if .Values.platform }}
WARNING: you're setting some IntegrationPlatform values. This is deprecated and may remove in future releases. Make sure to install an IntegrationPlatform as a separate process.
WARNING: you're setting some IntegrationPlatform values. This is deprecated and may be removed in future releases. Make sure to install an IntegrationPlatform as a separate process.
{{- end }}

{{- if not (.Values.platform) }}
Expand Down
23 changes: 23 additions & 0 deletions helm/camel-k/templates/builder-service-account.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# ---------------------------------------------------------------------------
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ---------------------------------------------------------------------------

apiVersion: v1
kind: ServiceAccount
metadata:
name: camel-k-builder
labels:
app: "camel-k"
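
Review bot: The new `camel-k-builder` ServiceAccount carries only the `app: "camel-k"` label, while the RoleBinding added in operator-role-binding.yaml also includes `{{- include "camel-k.labels" . | nindent 4 }}`. Add the same include here so the account is selected together with the rest of the chart's resources. This template is also rendered unconditionally, whereas the binding that references it sits inside a conditional block, so please note in the template whether the account is meant to exist on plain Kubernetes installs too.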
17 changes: 17 additions & 0 deletions helm/camel-k/templates/operator-role-binding.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,21 @@ roleRef:
kind: Role
name: camel-k-operator
apiGroup: rbac.authorization.k8s.io

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-builder-openshift
labels:
app: "camel-k"
{{- include "camel-k.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: camel-k-builder
roleRef:
kind: Role
name: camel-k-builder-openshift
apiGroup: rbac.authorization.k8s.io

{{- end }}
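
Review bot: The new RoleBinding points at `roleRef.name: camel-k-builder-openshift`, but no Role of that name is defined in the part of the diff shown here. Please make sure the Role is rendered under the same condition as this binding, which ends at `{{- end }}`, otherwise the binding is created but grants nothing. Since this Role is what lets the builder account act on the cluster, listing its rules in the commit description would let reviewers check that it is scoped to what the Jib push actually needs.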
7 changes: 4 additions & 3 deletions pkg/apis/camel/v1/build_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -67,15 +67,16 @@ type Task struct {
// Application Publishing

// a BuildahTask, for Buildah strategy
// Deprecated: use jib, s2i or a custom publishing strategy instead
// Deprecated: use jib or a custom publishing strategy instead
Buildah *BuildahTask `json:"buildah,omitempty"`
// a KanikoTask, for Kaniko strategy
// Deprecated: use jib, s2i or a custom publishing strategy instead
// Deprecated: use jib or a custom publishing strategy instead
Kaniko *KanikoTask `json:"kaniko,omitempty"`
// a SpectrumTask, for Spectrum strategy
// Deprecated: use jib, s2i or a custom publishing strategy instead
// Deprecated: use jib or a custom publishing strategy instead
Spectrum *SpectrumTask `json:"spectrum,omitempty"`
// a S2iTask, for S2I strategy
// Deprecated: use jib or a custom publishing strategy instead
S2i *S2iTask `json:"s2i,omitempty"`
// a JibTask, for Jib strategy
Jib *JibTask `json:"jib,omitempty"`
Expand Down