Jump to: Incomplete Features | Complete Epics | Incomplete Epics | Other Complete |
Note: this page shows the Feature-Based Change Log for a release
When this image was assembled, these features were not yet completed. Therefore, only the Jira Cards included here are part of this release
This section includes Jira cards that are linked to an Epic, but the Epic itself is not linked to any Feature. These epics were completed when this image was assembled
Goal: as a cluster admin, I want to registry credentials across a cluster so that teams can use the credentials for importing images and in builds (pull/push) without having to configure secrets within every project.
Red Hat registry authorization rules have changed which is not required when images are pulled from registry.access.redhat.com. Given that new Red Hat images are only available via registry.redhat.io which requires authentication, users are not able to just pull and use (deploy or use with builds) OpenShift images from the Red Hat registry in their namespaces like they did before and have to ask a cluster admin to import them into the openshift namespace. The openshift namespace contains a secret called samples-registry-credentials with the Red Hat registry credentials which is created by the samples-operator. That facilitates image stream import in that particular project but nothing more.
MCO is able to put the installer pull secret and any user specified credentials on the nodes. Taking advantage of that, Build and ImageStream controllers could leverage these credentials to handle the complete set of desired scenarios.
A developer should be able to pull images from either the Red Hat registry or users’ specific registries that require credentials (where they have provided those credentials to the MCO) without any extra steps (e.g. configuring extra secrets). The targeted scenarios in this epic are:
When the above works, users should be able to successfully run the following commands on a vanilla OpenShift 4 cluster:
Problem: accessing Red Hat registry content (even images that are part of OpenShift) is cumbersome, and requires each user to acquire Red Hat registry credentials and perform a number of cumbersome steps to configure the credential in each namespace. Alternatively, they have to ask the cluster admin to the same for each namespace and skip acquiring their own credentials. The same problem applies to access other private registries.
Why is this important: to allow OpenShift users to consume Red Hat registry content on OpenShift in a self-service manner and simplify accessing private image registries.
Dependencies (internal and external):
Prioritized epics + deliverables (in scope / not in scope):
Estimate (XS, S, M, L, XL, XXL): M
Previous Work:
Customers:
Open questions:
As an OpenShift user
I want the node credentials to be available for all builds
So that builds can always pull from registry.redhat.io
And other registries which require a pull secret
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Related to using mirrors in builds.
It is possible that the user-provided creds and node creds can have overlapping registries.
We should submit an enhancement proposal - done.
Code needs to comment where we are mounting items from the host for future unprivileged/secured builds.
In a follow-up story we can add the ability to opt in/out of this feature.
As an OpenShift user
I want the node credentials to be used in imagestream pull-through
So that I can import images from registry.redhat.io
And other registries which require a pull secret
And cache the content on the internal registry
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Existing issues with multiple creds for same registry are out of scope.
Potentially reuse code in DEVEXP-423 via github.com/openshift/runtime-utils repo or library-go.
(docker client used to be shared in origin).
As an OpenShift user
I want the node credentials to be used in imagestream import
So that I can import images from registry.redhat.io
And other registries which require a pull secret
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Needs input from the node and apiserver teams.
Existing issues with multiple creds for same registry are out of scope.
Potentially reuse code in DEVEXP-423 via github.com/openshift/runtime-utils repo.
Goal: Rebase to Kubernetes 1.18
Problem: DevExp components include control plane operators. These should be kept up with the upstream release to ensure these do not fall more than 1 release behind.
Why is this important: Rebasing reduces tech debt in future releases.
Dependencies (internal and external):
Prioritized epics + deliverables (in scope / not in scope):
Estimate (XS, S, M, L, XL, XXL): M
Previous Work:
Customers:
Open questions:
As a developer using OpenShift
I want the image registry to use k8s 1.18 libraries
So that the image registry can take advantage of the latest Kubernetes features.
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Add pertinent notes here:
As a developer using OpenShift
I want the image registry operator to use k8s 1.18 libraries
So that the image registry operator can take advantage of the latest Kubernetes features.
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Add pertinent notes here:
As a developer using OpenShift
I want the the samples operator to use k8s 1.18 libraries
So that the samples operator s can take advantage of the latest Kubernetes features.
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Add pertinent notes here:
As a developer using OpenShift
I want the builder image to use k8s 1.18 libraries
So that builds can take advantage of the latest Kubernetes features.
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Add pertinent notes here:
This section includes Jira cards that are linked to an Epic, but the Epic itself is not linked to any Feature. These epics were not completed when this image was assembled
Applying pre-existing IAM roles will require some new fields in the install-config.yaml and a list of required permissions for each IAM role that are unique for each cloud platform. This applies for only AWS; work for supporting this for Azure and GCP have been broken out into a future release.
This section includes Jira cards that are not linked to either an Epic or a Feature. These tickets were completed when this image was assembled
Right now the CRD supports nodeSelector and tolerations.
We'd like to use nodeAffinity to ensure if we cannot land on infra nodes, that it lands somewhere else.
Background / discussion: https://coreos.slack.com/archives/CFJD1NZFT/p1580422383093000
Risk with nodeSelector is we'll have no image-registry if infra are offline.
Also look into bootstrapping such that image registry pods do not want to land on the same node.