elyra-ai / elyra

Elyra extends JupyterLab with an AI centric approach.
https://elyra.readthedocs.io/en/stable/
Apache License 2.0

Define runtime images in sha256 digest instead of tag format #3074

Closed shalberd closed 1 year ago

shalberd commented 1 year ago

Is your feature request related to a problem? Please describe.

@akchinSTC @Hema-Mathiyazhagan

For OpenShift ImageContentSourcePolicy / airgapped / restricted-network environments, for referral from a certain source of an image to a custom target location in e.g. a Harbor container registry, the image references in basic Kubernetes objects need to be in sha256 digest format. The main goal is to enable lookup from public internet repo images to custom repo locations, and that is only possible when images are referenced in digest format.

Could you modify the runtime images https://github.com/elyra-ai/elyra/tree/main/etc/config/metadata/runtime-images image_name field to refer to the images in digest-format?

e.g. anaconda repo

implicit here (docker.io) / path:tag from the regular tag notation

continuumio/anaconda3:2021.11

changed instead to

docker.io/continuumio/anaconda3@sha256:a2816acd3acda208d92e0bf6c11eb41fda9009ea20f24e123dbf84bb4bd4c4b8

Describe the solution you'd like

Images are referenced in digest format so as to support the overall initiative for airgapped / disconnected mode including Openshift image mirroring and ImageContentSourcePolicy. See also https://github.com/opendatahub-io/odh-dashboard/issues/855 and https://github.com/opendatahub-io/opendatahub-operator/issues/182

Describe alternatives you've considered

Considered building a custom Elyra image with its own runtime-images config. However, I think having the default to digest format from now on should be no issue for main branch Elyra, too.

Additional context

A big overall wish in the community is to support airgapped and make image references ready, as one part of that. https://github.com/opendatahub-io/odh-manifests/issues/567 Part of ODH 1.5.0 milestone. Also good to ensure images are what they pretend to be, as a tag can be the same even after updates to an image, but image sha256 digests are always unique and I guess also OS-specific (Linux/AMD64).

akchinSTC commented 1 year ago

@shalberd - I'll start working on the changes =)

shalberd commented 1 year ago

Awesome, thank you very much. About not using docker.io for the full path, I guess that is ok, as in open-source OpenShift OKD and OCP, there is a setting called unqualified-search-registries = ["registry.access.redhat.com", "docker.io"] that works with ImageContentSourcePolicy as well. You just need to change to the @sha256: format everywhere. It is pretty special. Usually, it is image_name:image_tag, but with digest format, the @sha256: comes right after the image name and before the hash.
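
Added example, not part of the thread and not Elyra's own code: a small checker that parses an `image_name` value, tells tag references from digest-pinned ones, and rewrites a runtime-image metadata document to the `registry/repository@sha256:...` form requested in this issue. The function names, the `metadata.image_name` layout of the sample document and the caller-supplied digest map are assumptions made for illustration.

```python
import copy
import re

# Assumption: the image reference lives at metadata.image_name in each
# runtime-image metadata JSON document (the field named in the issue).
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image_ref(ref, default_registry="docker.io"):
    """Split an image reference into registry, repository, tag and digest."""
    name, _, digest = ref.partition("@")
    tag = None
    # Only a ':' after the last '/' is a tag; a ':' before it is a registry port.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, _, rest = name.partition("/")
    # The first path component is a registry host only if it looks like one.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = default_registry, name
    return {"registry": registry, "repository": repo,
            "tag": tag, "digest": digest or None}

def is_digest_pinned(ref):
    """True only for references carrying a well-formed sha256 digest."""
    digest = parse_image_ref(ref)["digest"]
    return bool(digest and DIGEST_RE.match(digest))

def pin_image_name(doc, digests):
    """Return a copy of doc with image_name in registry/repo@sha256:... form.

    digests maps the original tag reference to a digest that the caller has
    already resolved and verified; nothing is looked up over the network.
    """
    ref = doc["metadata"]["image_name"]
    if is_digest_pinned(ref):
        return doc
    if ref not in digests or not DIGEST_RE.match(digests[ref]):
        raise KeyError(f"no valid digest known for {ref}")
    p = parse_image_ref(ref)
    out = copy.deepcopy(doc)
    out["metadata"]["image_name"] = f'{p["registry"]}/{p["repository"]}@{digests[ref]}'
    return out

# Constructed sample, using the tag reference and digest quoted in the issue.
SAMPLE = {"display_name": "Anaconda",
          "metadata": {"image_name": "continuumio/anaconda3:2021.11"}}
DIGESTS = {"continuumio/anaconda3:2021.11":
           "sha256:a2816acd3acda208d92e0bf6c11eb41fda9009ea20f24e123dbf84bb4bd4c4b8"}

if __name__ == "__main__":
    print(pin_image_name(SAMPLE, DIGESTS)["metadata"]["image_name"])
```

A reference that has no entry in the digest map raises instead of being left on its tag, so an unpinned image cannot pass through unnoticed.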