Support SHA Digests for container image in the device plugin CRD #1390
Comments
This alone won't be enough because it breaks "seamless upgrades". My question about how it's done with SHAs has not been answered, but after doing some reading I found what the OLM documentation suggests as the answer. What this doc does not answer is how to get these automatically changed when the images are automatically built for UBI base image updates. This will be a bit of work for us to get all 10+ images added, but let me draft a detailed plan and see what can be done.
@mythi Can we split this into two steps: So with this two-step plan, we will not block the coming GA 1.0 release of the Intel Technology Enabling for Openshift project. And also we have enough time to work on the seamless upgrading features. BTW, we are also working on figuring out who the owner from Red Hat can help with this.
I think it should be possible to deliver this as a stand-alone fix/feature. See "Proposed Tasklist" I added earlier this afternoon. It has the same split.
Details -
We found a design difference between the requirements of the upstream community operator and the requirements of RedHat certification. Specifically, the way that container images are referenced in the operator bundle is different.
As per the upstream community operator design, image tags are used to reference all container images in the operator bundle. However, RedHat certification requires that all images be referenced by SHA digest instead of image tags, since SHAs are a more secure way of identifying images. Refer to Digest Pinning.
Reason as per RedHat: the reason an image SHA is used instead of a tag is because a tag can be pushed to a disconnected mirror and be overwritten, making it challenging to diagnose issues in knowing what content is being run.
By identifying containers by their hash, it helps to ensure that the operator bundle (and therefore the operator) is always referring to the exact containers that the bundle was certified with.
Other links for reference -
Image SHA digest vs Image tags
More details here #03270409
Solution suggestions -
To resolve the issue and comply with RedHat certification requirements, the Intel Device Plugin Operator should support SHA digest validation in the device plugin CRD.
To work around this issue, we are currently asking users to replace the SHAs with image tags while deploying the device plugin CRs. For example, change
intel-sgx-plugin@sha256:c0423b149b909472460f84a299b087a5104ed40a3572687d6b450609e3bb3076
to
intel-sgx-plugin:0.24.0
manually.
Proposed Tasklist
- validatePluginImage to check expectedMinVersion only if the version is a semver AND, if not a semver, check that versionStr is a sha256 regexp. Other conditions return fail.
- Check whether <Kind>_IMAGE or <Kind>_INITIMAGE (e.g., SGXDEVICEPLUGIN_IMAGE) env vars are set and if differs. If not, default to current semver based upgrade.
- make bundle with an overlay that adds the env variables.
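The validation and override rules in the tasklist above, written out as an added Go example that is not the operator's own code: a reference is accepted when it is pinned by a well-formed sha256 digest (no minimum-version check applies, since the digest already identifies exact content), or when its tag is a semver no older than expectedMinVersion; any other tag is rejected. ResolveImage shows the proposed <Kind>_IMAGE env var override on top of the image in the CR. The function names ValidatePluginImage, ResolveImage and splitRef, the expectedName parameter and the x.y.z-only semver format are assumptions; the digest value is the one quoted in this issue, and all other inputs are constructed.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// Assumed formats: a sha256 digest is "sha256:" + 64 lowercase hex chars;
// a plugin tag is a plain x.y.z (optionally "v"-prefixed) semver.
var (
	digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
	semverRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)$`)
)

// splitRef splits "repo[:tag][@sha256:hex]" into its parts. A tag is the text
// after the last ':' that follows the last '/', so a registry port such as
// "registry:5000/..." is not mistaken for a tag.
func splitRef(ref string) (repo, tag, digest string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref, digest = ref[:i], ref[i+1:]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref, tag = ref[:i], ref[i+1:]
	}
	return ref, tag, digest
}

// parseSemver returns major/minor/patch for an x.y.z tag.
func parseSemver(s string) (v [3]int, ok bool) {
	m := semverRe.FindStringSubmatch(s)
	if m == nil {
		return v, false
	}
	for i := 0; i < 3; i++ {
		v[i], _ = strconv.Atoi(m[i+1]) // the regexp guarantees digits only
	}
	return v, true
}

// compareSemver returns -1, 0 or 1 like a three-way comparison.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// ValidatePluginImage (hypothetical name) applies the proposed rule: digest
// pinned references pass if the digest is well-formed; tagged references must
// carry a semver >= expectedMinVersion; everything else fails.
func ValidatePluginImage(image, expectedName, expectedMinVersion string) error {
	repo, tag, digest := splitRef(image)
	if repo != expectedName && !strings.HasSuffix(repo, "/"+expectedName) {
		return fmt.Errorf("image %q is not %q", repo, expectedName)
	}
	if digest != "" {
		if !digestRe.MatchString(digest) {
			return fmt.Errorf("malformed digest %q", digest)
		}
		return nil // exact content is pinned; no version comparison possible or needed
	}
	ver, ok := parseSemver(tag)
	if !ok {
		return fmt.Errorf("tag %q is neither a semver nor a sha256 digest", tag)
	}
	minVer, ok := parseSemver(expectedMinVersion)
	if !ok {
		return fmt.Errorf("bad expectedMinVersion %q", expectedMinVersion)
	}
	if compareSemver(ver, minVer) < 0 {
		return fmt.Errorf("version %s is older than required %s", tag, expectedMinVersion)
	}
	return nil
}

// ResolveImage (hypothetical name) applies the proposed <KIND>_IMAGE override,
// e.g. SGXDEVICEPLUGIN_IMAGE: when the env var is set and differs from the
// image in the CR, the env value (pinned by digest through the bundle overlay)
// wins. The bool reports whether an override took place.
func ResolveImage(kind, crImage string) (string, bool) {
	if v := os.Getenv(strings.ToUpper(kind) + "_IMAGE"); v != "" && v != crImage {
		return v, true
	}
	return crImage, false
}

func main() {
	// Constructed inputs; the digest is the one quoted in the issue.
	for _, img := range []string{
		"intel/intel-sgx-plugin@sha256:c0423b149b909472460f84a299b087a5104ed40a3572687d6b450609e3bb3076",
		"intel/intel-sgx-plugin:0.24.0",
		"intel/intel-sgx-plugin:0.23.0",
		"intel/intel-sgx-plugin:latest",
	} {
		fmt.Printf("%s -> %v\n", img, ValidatePluginImage(img, "intel-sgx-plugin", "0.24.0"))
	}
}
```

The digest branch deliberately skips the minimum-version check: once a reference is pinned, the tag (if any) is decorative and the runtime pulls by digest, so the only sensible validation left is that the digest is syntactically a sha256 value. The override lookup is what lets the certified bundle ship digests via an overlay while the CR keeps a human-readable tag.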