2nd try at using a vanity GCR name #57824
Conversation
k8s-ci-robot
added
release-note
thockin
added
the
do-not-merge/hold
CHANGELOG-1.4.md
Outdated
| @@ -177,15 +177,15 @@ filename | sha256 hash | |||
| ### Other notable changes | |||
|
|
|||
| * kube-apiserver now drops unneeded path information if an older version of Windows kubectl sends it. ([#44586](https://github.com/kubernetes/kubernetes/pull/44586), [@mml](https://github.com/mml)) | |||
| * Bump gcr.io/google_containers/glbc from 0.8.0 to 0.9.2. Release notes: [0.9.0](https://github.com/kubernetes/ingress/releases/tag/0.9.0), [0.9.1](https://github.com/kubernetes/ingress/releases/tag/0.9.1), [0.9.2](https://github.com/kubernetes/ingress/releases/tag/0.9.2) ([#43098](https://github.com/kubernetes/kubernetes/pull/43098), [@timstclair](https://github.com/timstclair)) | |||
| * Bump k8s.gcr.io/glbc from 0.8.0 to 0.9.2. Release notes: [0.9.0](https://github.com/kubernetes/ingress/releases/tag/0.9.0), [0.9.1](https://github.com/kubernetes/ingress/releases/tag/0.9.1), [0.9.2](https://github.com/kubernetes/ingress/releases/tag/0.9.2) ([#43098](https://github.com/kubernetes/kubernetes/pull/43098), [@timstclair](https://github.com/timstclair)) | |||
There was a problem hiding this comment.
Is it worth updating historial changelogs?
There was a problem hiding this comment.
I waffle on this. The image may eventually cease to exist at the old URL? Or maybe we simply say it won't?
There was a problem hiding this comment.
My thought is, the application configuration and manifests for, say 1.4, will still be looking for the image at gcr.io/google_containers/glbc. Modifying the changelog, doesn't go back and create a new patch release of 1.4 updating the config/manifests to look at the new place.
I'd say it would be worth doing for any version we are actually going to go back and change. If this is just for 1.10 forward, then I'd suggest leaving the historical change logs be.
|
FYI cross is failing across the board: #57822 |
build/build-image/cross/Makefile
Outdated
|
|
||
| push: build | ||
| gcloud docker -- push gcr.io/google_containers/$(IMAGE):$(TAG) | ||
| gcloud docker -- push k8s-staging.gcr.io/$(IMAGE):$(TAG) |
There was a problem hiding this comment.
Thinking about it now, I think it's a good idea to manually authenticate for k8s-staging for as long as the workflow continues to use gcloud. This makes the registry change backwards-compatible with older versions of gcloud.
s/gcloud docker -- push k8s-staging.gcr.io/gcloud docker -s k8s-staging -- push k8s-staging.gcr.io/g
build/debian-base/Makefile
Outdated
| @@ -14,7 +14,7 @@ | |||
|
|
|||
| all: build | |||
|
|
|||
| REGISTRY ?= gcr.io/google-containers | |||
| REGISTRY ?= k8s-staging.gcr.io | |||
There was a problem hiding this comment.
I'd modify this and other similar Makefiles to use gcloud docker -s $(REGISTRY) -- push (subbing REGISTRY for PREFIX or whatever the case may be, but I understand that this is a more involved change.
Otherwise, it'll require another gcloud docker update to be pushed to authenticate to k8s-staging.gcr.io, which wouldn't be the end of the world.
cluster/common.sh
Outdated
| @@ -478,7 +478,7 @@ function stage-images() { | |||
|
|
|||
| local docker_cmd=("docker") | |||
|
|
|||
| if [[ "${KUBE_DOCKER_REGISTRY}" == "gcr.io/"* ]]; then | |||
| if [[ "${KUBE_DOCKER_REGISTRY}" =~ "gcr.io/" ]]; then | |||
| local docker_push_cmd=("gcloud" "docker") | |||
There was a problem hiding this comment.
surprised this works without gcloud getting angry at the lack of --, but this might have to change as well depending on what the value of KUBE_DOCKER_REGISTRY is. How's this:
if [[ "${KUBE_DOCKER_REGISTRY}" =~ "staging-k8s\.gcr\.io/" ]]; then
local docker_push_cmd=("gcloud" "docker" "-s" "staging-k8s.gcr.io" "--")
elif [[ "${KUBE_DOCKER_REGISTRY}" =~ "gcr\.io/" ]]; then
local docker_push_cmd=("gcloud" "docker" "--")
else
local docker_push_cmd=("${docker_cmd[@]}")
fiThere was a problem hiding this comment.
Once staging becomes a default, we only need the -- part, right?
k8s-github-robot
added
the
needs-rebase
|
Pushes should now be made to |
k8s-github-robot
removed
the
needs-rebase
|
/retest |
thockin
removed
the
do-not-merge/hold
|
Un-holding this. I think it works now. Let's see what tests say. PTAL |
|
/retest |
|
/retest Review the full test history for this PR. Silence the bot with an |
1 similar comment
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/lgtm cancel |
k8s-ci-robot
removed
the
lgtm
| @@ -221,7 +221,7 @@ function create-and-upload-hollow-node-image { | |||
| function create-and-upload-hollow-node-image-bazel { | |||
| RETRIES=3 | |||
| for attempt in $(seq 1 ${RETRIES}); do | |||
| if ! bazel run //cluster/images/kubemark:push --define PROJECT="${PROJECT}"; then | |||
| if ! bazel run //cluster/images/kubemark:push --define REGISTRY="${FULL_REGISTRY}"; then | |||
There was a problem hiding this comment.
This works with the current implementation of docker_build, since it's just concatenating the strings under the covers, but it would be good to be able to be able to assign $PROJECT/ as a base repository for kubemark in the BUILD target, in case that ever changes in the future.
There was a problem hiding this comment.
? PROJECT is a faux construct, AFAICT. gcr.io/google_containers is the registry. If you want something else, specify the whole thing.
There was a problem hiding this comment.
In the Docker sense, 'registry' == hostname[:port] and 'repository' == path of the URLesque image name: https://docs.docker.com/registry/spec/api/#overview
I'm worried that the a future implementation of docker_push might make use of that assumption.
Suggestions added in the relevant places...
| registry = "gcr.io", | ||
| repository = "$(PROJECT)/kubemark", | ||
| registry = "$(REGISTRY)", | ||
| repository = "kubemark", |
There was a problem hiding this comment.
@ixdy @BenTheElder Does this look okay from the bazel side?
There was a problem hiding this comment.
This looks like valid bazel, seems fine to me.
Edit: typically repository is foo/bar but it looks like this has already been discussed so.
|
/retest |
|
/retest |
|
@thockin If the test failure is a flake, you should be good to squash |
|
All green ✅ |
| registry = "gcr.io", | ||
| repository = "$(PROJECT)/kubemark", | ||
| registry = "$(REGISTRY)", | ||
| repository = "kubemark", |
There was a problem hiding this comment.
registry = "$(REGISTRY)",
repository = "$(REPO_PATH_BASE)kubemark",
| echo "Copying kubemark binary to ${MAKE_DIR}" | ||
| cp "${KUBEMARK_BIN}" "${MAKE_DIR}" | ||
| CURR_DIR=`pwd` | ||
| cd "${MAKE_DIR}" | ||
| RETRIES=3 | ||
| for attempt in $(seq 1 ${RETRIES}); do | ||
| if ! REGISTRY="${CONTAINER_REGISTRY}" PROJECT="${PROJECT}" make "${KUBEMARK_IMAGE_MAKE_TARGET}"; then | ||
| if ! REGISTRY="${FULL_REGISTRY}" make "${KUBEMARK_IMAGE_MAKE_TARGET}"; then |
There was a problem hiding this comment.
if ! REGISTRY="${REGISTRY}" REPO_PATH_BASE="${REPO_PATH_BASE}" make "${KUBEMARK_IMAGE_MAKE_TARGET}"; then
| else | ||
| FULL_REGISTRY=staging-k8s.gcr.io | ||
| fi | ||
|
|
There was a problem hiding this comment.
# TODO: Simplify. The caller should have to pass a full registry or nothing.
if [[ -n "${CONTAINER_REGISTRY}" ]]; then
REGISTRY="${CONTAINER_REGISTRY}"
else
REGISTRY=staging-k8s.gcr.io
fi
if [[ -n "${PROJECT}" ]]; then
REPO_PATH_BASE="${PROJECT}/"
fi
| @@ -221,7 +221,7 @@ function create-and-upload-hollow-node-image { | |||
| function create-and-upload-hollow-node-image-bazel { | |||
| RETRIES=3 | |||
| for attempt in $(seq 1 ${RETRIES}); do | |||
| if ! bazel run //cluster/images/kubemark:push --define PROJECT="${PROJECT}"; then | |||
| if ! bazel run //cluster/images/kubemark:push --define REGISTRY="${FULL_REGISTRY}"; then | |||
There was a problem hiding this comment.
if ! bazel run //cluster/images/kubemark:push --define REGISTRY="${REGISTRY}" --define REPO_PATH_BASE ="${REPO_PATH_BASE}"; then
This is the 2nd attempt. The previous was reverted while we figured out the regional mirrors (oops). New plan: k8s.gcr.io is a read-only facade that auto-detects your source region (us, eu, or asia for now) and pulls from the closest. To publish an image, push k8s-staging.gcr.io and it will be synced to the regionals automatically (similar to today). For now the staging is an alias to gcr.io/google_containers (the legacy URL). When we move off of google-owned projects (working on it), then we just do a one-time sync, and change the google-internal config, and nobody outside should notice. We can, in parallel, change the auto-sync into a manual sync - send a PR to "promote" something from staging, and a bot activates it. Nice and visible, easy to keep track of.
|
squashed. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cblecker, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these OWNERS Files:
Approvers can indicate their approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
@thockin: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Automatic merge from submit-queue (batch tested with PRs 57824, 58806, 59410, 59280). If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
Oops.. seems like I failed to stop it on time. IIUC this would create problems with our kubemark setup. See point 3 on #59567. |
|
Sorry, I think I misunderstood the change. You seem to define a FULL_REGISTRY that composes REGISTRY and PROJECT, and those value are taken from here which luckily also continues to take the same previous values here. I'll however send a PR to unify these values into one single source of truth to avoid bugs in future. |
|
Thanks Shyam - Composing REGISTRY and PROJECT makes assumptions that no longer hold :) |
|
@shyamjvs would be good to split on the first '/' of the new single source of truth, when passing values to |
The 2nd commit here is the changes relative to the reverted PR. Please focus review attention on that.
This is the 2nd attempt. The previous try (#57573) was reverted while we
figured out the regional mirrors (oops).
New plan: k8s.gcr.io is a read-only facade that auto-detects your source
region (us, eu, or asia for now) and pulls from the closest. To publish
an image, push k8s-staging.gcr.io and it will be synced to the regionals
automatically (similar to today). For now the staging is an alias to
gcr.io/google_containers (the legacy URL).
When we move off of google-owned projects (working on it), then we just
do a one-time sync, and change the google-internal config, and nobody
outside should notice.
We can, in parallel, change the auto-sync into a manual sync - send a PR
to "promote" something from staging, and a bot activates it. Nice and
visible, easy to keep track of.
xref kubernetes/release#281
TL;DR:
staging-k8s.gcr.iois where we push images. It is literally an alias togcr.io/google_containers(the existing repo) and is hosted in the US.staging-k8s.gcr.ioare automatically synced to{asia,eu,us)-k8s.gcr.io.k8s.gcr.iowill be a read-only alias to whichever regional repo is closest to you.stagingto regional "prod" more explicitly and auditably.