cilium / cilium-olm


enable offline deployments #29

Closed errordeveloper closed 2 years ago

errordeveloper commented 3 years ago

CSV has spec.relatedImages where all Cilium images can be listed.

errordeveloper commented 3 years ago

https://redhat-connect.gitbook.io/certified-operator-guide/appendix/offline-enabled-operators

montaguethomas commented 3 years ago

In addition, the image references should be using Image Digest references and not tags. While OKE is planning to add support for tags in 4.9, it is most likely best to pin to image digests as other operators do.
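A check for the two points raised in the comments above (`spec.relatedImages` and digest pinning), as an added example that is not part of the original thread or the cilium-olm repository. The sample manifest, image names and the sha256-only rule are assumptions made for illustration.

```python
import re

# Constructed sample manifest fragment (hypothetical images, not from cilium-olm).
SAMPLE_MANIFEST = """\
containers:
  - name: operator
    image: registry.example.com/demo/operator:v1.0.0
  - name: agent
    image: "registry.example.com/demo/agent@sha256:{digest}"
initContainers:
  - name: init
    image: registry.example.com:5000/demo/init
""".format(digest="a" * 64)

IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*["']?([^\s"'#]+)""")
# Assumption: only sha256 digests count as pinned; an optional tag may precede "@".
DIGEST_REF = re.compile(r"^(?P<repo>[^@\s]+)@sha256:[0-9a-f]{64}$")


def find_images(manifest_text):
    """Return every `image:` value in order of appearance."""
    matches = (IMAGE_LINE.match(line) for line in manifest_text.splitlines())
    return [m.group(1) for m in matches if m]


def is_digest_pinned(ref):
    return DIGEST_REF.match(ref) is not None


def audit(manifest_text):
    """Split references into (digest-pinned, mutable tag or implicit latest)."""
    refs = find_images(manifest_text)
    pinned = [r for r in refs if is_digest_pinned(r)]
    return pinned, [r for r in refs if r not in pinned]


def related_images(pinned):
    """Build name/image entries for the CSV's spec.relatedImages list."""
    entries = []
    for ref in pinned:
        repo = DIGEST_REF.match(ref).group("repo")
        name = repo.rsplit("/", 1)[-1].split(":", 1)[0]  # last path part, tag dropped
        entries.append({"name": name, "image": ref})
    return entries


if __name__ == "__main__":
    pinned, mutable = audit(SAMPLE_MANIFEST)
    print("not pinned:", mutable, "\nrelatedImages:", related_images(pinned))
```

Run in CI against the generated manifests, a non-empty "not pinned" list is the condition to fail on before a bundle is published.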

errordeveloper commented 3 years ago

...the image references should be using Image Digest references and not tags.

See the operator image referenced here:

https://github.com/cilium/cilium-olm/blob/93a536575ca7d7a48c38dc2f3ee507263cfeeb64/manifests/cilium.v1.10.3/cluster-network-06-cilium-00002-cilium-olm-deployment.yaml#L31

The tag used here is generated based on the git tree hash, and that allows us to check the manifest before the image itself is built.

It may be possible to implement a two-phase process, where manifests are updated with the digests once digests are known. It shouldn't be too difficult, but will probably need to be done via automated commit. At the moment all commits in the repo are driven by maintainers. We should move to a more automated model, but it requires creating machinery for automated commits, which is non-trivial because GitHub Actions don't automatically enable SSH access. Last time I checked, I wasn't able to push a commit using GITHUB_TOKEN. I once automated opening a PR using TypeScript, but I don't have access to that code any more.

errordeveloper commented 3 years ago

It may be possible to implement a two-phase process...

We already have a two-phase process for certification of the operator and the bundle (see https://github.com/cilium/cilium-olm/#common-workflows). This was undesired originally, but had to be done due to an implicit dependency in the certification process. When this process was split, it was only split around pushing to the certification registry, while pushing to Quay remained single-phased. It sounds like offline requirements will imply having to split the git commit sequence also. Bundle image certification scans are very time-consuming, so doing that twice is definitely not desirable. We really may end up with potentially 3 phases actually...

christarazi commented 2 years ago

@nathanjsweet Could you update yourself as assignee if you're working on this? I can't update the assignees for some reason.

nathanjsweet commented 2 years ago

This is done.