[WIP] Injected oauth imagepullpolicy change and sha256 digest

[shalberd]

@atheo89 new PR due to rebase chaos

@harshad16 Currently, the ose-oauth-proxy sidecar container of a running notebook, handled by odh notebook controller, always pulls the image from an external location. Current ose-oauth-proxy image is v4.10.
This always image pulling is problematic from a stability perspective, as, should connectivity to an external repo ever cease, no image pulling on notebook pod start is possible.

Also, providing the image in tag format is not compatible with disconnected cluster installs that use mirroring and soft-linking from source to target. Those on-prem installs need image references to be in sha256 digest format.

Another reason for changing to sha256 digest format: Tag ose-oauth-proxy:v4.10 changes. If imagePullPolicy is set to IfNotPresent, what matters is that an image with that tag is already cached on one of the cluster nodes. So, to keep a unique image version and build status for ose-oauth-proxy, we need to go with sha256 digest format as well.

Description

changed from tag format to digest format in odh notebook controller webhook that adds an ose-oauth-proxy sidecar to a Notebook CR

Manifest link digest of v4.10 from July 6 2023:

ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33

https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?architecture=amd64&tag=v4.10.0-202306170106.p0.g799d414.assembly.stream&push_date=1688610772000&container-tabs=gti

Put in comments with respect to actual tag used and location to look at for details. Changed imagepullPolicy from Always to IfNotPresent.

Related PR in odh-manifests:

opendatahub-io/odh-manifests#868

How Has This Been Tested?

Please mark with ok to test.

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• [] The developer has manually tested the changes and verified that the changes work

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign vaishnavihire for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @shalberd. Thanks for your PR.

I'm waiting for a opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[shalberd]

@atheo89 found an odh notebook controller test was looking for old imagePullPolicy and thus did not run though. Furthermore, due to ServiceMesh recent changes, a whole bunch of stuff changed, so I just rebased and then created this new PR. Can you do an ok to test, please?

[shalberd]

discussion on manifest list digest vs image digest at opendatahub-io/odh-manifests#868 (comment)

@LaVLaS suggested leaving the notebook controller main management pod oauth proxy image topic (changes in line 28 and 29) out of the PR for now. That makes sense in that this PR here is about the injection of ose-oauth-proxy into Notebook pods under /controllers.

@harshad16 @atheo89 Also, @LaVLaS suggested for odh notebook controller manager itself here:

While we should be updating the ose-oauth-proxy image at a regular cadence, we should not be hardcoding the image digest into the container command argument of the Deployment object. This should be replaced with an environment variable that can be configured at when the kustomize manifest is parsed. This would also allow us to replace with as a CSV relatedImage or modified by the new operator.

opendatahub-io/odh-manifests#868 (comment)

I suggest to handle that in a separate PR. Created an issue #132

[shalberd]

previously, test did not run thru because it was still assuming imagePullPolicy Always in IS vs MUST BE comparision during testing

[atheo89]

/ok-to-test

[shalberd]

kept Always here because this seems to be used internally, not in releases, for testing with the :latest image-tag of odh-notebook-controller, which necessitates imagePullPolicy: Always

[shalberd]

@atheo89 @LaVLaS do you know what is going on with test infra? All tests and checks are pending ...

[shalberd]

/retest

[shalberd]

@atheo89 @harshad16 tests turned out ok

main changes to summarize:

• oauth proxy container ref in sha256 digest format, latest v4.10 digest as base.
• change imagePullPolicy of injected oauth container of notebook CRs from Always to IfNotPresent

[shalberd]

discussion on manifest list digest vs image digest at opendatahub-io/odh-manifests#868 (comment)

[shalberd]

@VaishnaviHire @cfchase @harshad16 @atheo89

question: is the value of OAuthProxyImage set or overridden by the argument of odh notebook controller manager?

I am asking because I've never seen ose-oauth-proxy:latest in injected notebook oauth sidecars.

kubeflow/components/odh-notebook-controller/main.go

Line 68 in 92739d6

flag.StringVar(&oauthProxyImage, "oauth-proxy-image", controllers.OAuthProxyImage,

instead, what seems to be used is the version of ose-oauth defined here:

https://github.com/opendatahub-io/kubeflow/blob/master/components/odh-notebook-controller/config/manager/manager.yaml#L24