Re: OKD 3.10 : imagestream tag issue with sha

[Ben Parees]

On Thu, Jun 11, 2020 at 1:24 PM Marcello Lorenzi  wrote:

> Hi All,
> we use Helm 2.x to create new deployment configs on OKD 3.10 cluster and
> we configure the image stream tag to deploy a new application pointing to a
> specific tag. The template used for a deploy is reported below as example:
>
> # Source: ocp-generic/templates/04_service.yaml
> apiVersion: v1
> kind: Service
> metadata:
>   name: "test-api-dev"
>   namespace: "ocp-dev"
>   labels:
> application: "test-api-dev"
> spec:
>   ports:
>- name: "http"
>  port: 8080
>  targetPort: 8080
>  protocol: "TCP"
>- name: "https"
>  port: 443
>  targetPort: 443
>  protocol: "TCP"
>   selector:
> deploymentconfig: "test-api-dev"
>   sessionAffinity: None
>   type: ClusterIP
> ---
> # Source: ocp-generic/templates/03_deploymentconfig.yaml
> apiVersion: apps.openshift.io/v1
> kind: DeploymentConfig
> metadata:
>   name: "test-api-dev"
>   namespace: "ocp-dev"
>   labels:
> application: "test-api-dev"
> spec:
>   replicas: 1
>   selector:
> deploymentConfig: "test-api-dev"
>   strategy:
> type: Rolling
> rollingParams:
>   updatePeriodSeconds: 1
>   intervalSeconds: 1
>   timeoutSeconds: 180
>   triggers:
>- type: ConfigChange
>- type: ImageChange
>  imageChangeParams:
>automatic: false
>containerNames:
> - "test-api-dev"
>from:
>  kind: ImageStreamTag
>  name: "test-api:latest"
>  namespace: "ocp-dev"
>   template:
> metadata:
>   labels:
> deploymentConfig: "test-api-dev"
> application: "test-api-dev"
> date: "1591894524"
> spec:
>   dnsPolicy: ClusterFirst
>   restartPolicy: Always
>   hostAliases:
>   securityContext: {}
>   terminationGracePeriodSeconds: 60
>   terminationMessagePath: /dev/termination-log
>   containers:
>- name: "test-api-dev"
>  image: "docker-registry.default.svc:5000/ocp-dev/test-api:latest"
>  imagePullPolicy: Always
>  ports:
>   - containerPort: 8080
> protocol: "TCP"
>   - containerPort: 443
> protocol: "TCP"
>  env:
>   - name: "SYSLOG_LOGLEVEL"
> value: "DEBUG"
>  readinessProbe:
>   initialDelaySeconds: 20
>   timeoutSeconds: 5
>   periodSeconds: 30
>   httpGet:
>  path: /actuator/health
>  port: 8080
>  scheme: HTTP
> ---
> # Source: ocp-generic/templates/02_imagestream.yaml
> kind: ImageStream
> apiVersion: image.openshift.io/v1
> metadata:
>   name: "test-api"
>   namespace: "ocp-dev"
>   labels:
> application: "test-api-dev"
> spec:
>   dockerImageRepository:
> "docker-registry.default.svc:5000/ocp-dev/test-api"
>   tags:
> - name: "latest"
> ---
> # Source: ocp-generic/templates/05_route.yaml
> apiVersion: route.openshift.io/v1
> kind: Route
> metadata:
>   name: "test-api-dev"
>   namespace: "ocp-dev"
>   labels:
> application: "test-api-dev"
> spec:
>   host: "test-api-dev.test.local"
>   port:
> targetPort: "http"
>   path: "/"
>   tls:
> termination:  edge
> insecureEdgeTerminationPolicy: Redirect
> certificate: |-
>
> key: |-
>
> caCertificate: |-
>
> destinationCACertificate: |-
>
>   to:
> kind: Service
> name: "test-api-dev"
> weight: 100
>   wildcardPolicy: None
>
> After the first deploy we noticed that the configuration of deployments
> config reports the image parameter under container section with the sha256
> value and not the image tag value.
>

Correct, that's what imagestreamtag reference resolution does:  it gives
you an immutable sha reference based on where the imagestreamtag was
pointing at the time you referenced it (in this case, at the time the
deploymentconfig was created).


We also noticed that the configuration reports the lastTriggerImage
> parameter with the same value. If we tried to release a new DC the
> configuration points to the first shs256 and not the new one.
>

what do you mean "release a new DC"?  Do you mean publish a new image?

If you publish a new image, you need to refresh the imagestreamtag, which
will cause it to import the new image SHA, which in turn will trigger your
deploymentconfig to redeploy with the new image.

you can use "oc import-image" to force the imagestreamtag to be refreshed,
or you can setup scheduled imports on your imagestream.



> If we remove manually from the DC YAML config the lastTriggerImage param
> and we override the image sha256 tag with the image stream tag the
> deployment work fine and doesn't change the config.
>
> Is it a normal behavior? Is it possible to avoid this config with the
> sha256?
>

if you don't want this behavior, remove the imagechangetrigger from your
deploymentconfig.



>
> Thanks a lot in advance,
> Marcello
> ___
> users mailing list
> 

OKD 3.10 : imagestream tag issue with sha

[Marcello Lorenzi]

Hi All,
we use Helm 2.x to create new deployment configs on OKD 3.10 cluster and we
configure the image stream tag to deploy a new application pointing to a
specific tag. The template used for a deploy is reported below as example:

# Source: ocp-generic/templates/04_service.yaml
apiVersion: v1
kind: Service
metadata:
  name: "test-api-dev"
  namespace: "ocp-dev"
  labels:
application: "test-api-dev"
spec:
  ports:
   - name: "http"
 port: 8080
 targetPort: 8080
 protocol: "TCP"
   - name: "https"
 port: 443
 targetPort: 443
 protocol: "TCP"
  selector:
deploymentconfig: "test-api-dev"
  sessionAffinity: None
  type: ClusterIP
---
# Source: ocp-generic/templates/03_deploymentconfig.yaml
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: "test-api-dev"
  namespace: "ocp-dev"
  labels:
application: "test-api-dev"
spec:
  replicas: 1
  selector:
deploymentConfig: "test-api-dev"
  strategy:
type: Rolling
rollingParams:
  updatePeriodSeconds: 1
  intervalSeconds: 1
  timeoutSeconds: 180
  triggers:
   - type: ConfigChange
   - type: ImageChange
 imageChangeParams:
   automatic: false
   containerNames:
- "test-api-dev"
   from:
 kind: ImageStreamTag
 name: "test-api:latest"
 namespace: "ocp-dev"
  template:
metadata:
  labels:
deploymentConfig: "test-api-dev"
application: "test-api-dev"
date: "1591894524"
spec:
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  hostAliases:
  securityContext: {}
  terminationGracePeriodSeconds: 60
  terminationMessagePath: /dev/termination-log
  containers:
   - name: "test-api-dev"
 image: "docker-registry.default.svc:5000/ocp-dev/test-api:latest"
 imagePullPolicy: Always
 ports:
  - containerPort: 8080
protocol: "TCP"
  - containerPort: 443
protocol: "TCP"
 env:
  - name: "SYSLOG_LOGLEVEL"
value: "DEBUG"
 readinessProbe:
  initialDelaySeconds: 20
  timeoutSeconds: 5
  periodSeconds: 30
  httpGet:
 path: /actuator/health
 port: 8080
 scheme: HTTP
---
# Source: ocp-generic/templates/02_imagestream.yaml
kind: ImageStream
apiVersion: image.openshift.io/v1
metadata:
  name: "test-api"
  namespace: "ocp-dev"
  labels:
application: "test-api-dev"
spec:
  dockerImageRepository: "docker-registry.default.svc:5000/ocp-dev/test-api"
  tags:
- name: "latest"
---
# Source: ocp-generic/templates/05_route.yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: "test-api-dev"
  namespace: "ocp-dev"
  labels:
application: "test-api-dev"
spec:
  host: "test-api-dev.test.local"
  port:
targetPort: "http"
  path: "/"
  tls:
termination:  edge
insecureEdgeTerminationPolicy: Redirect
certificate: |-

key: |-

caCertificate: |-

destinationCACertificate: |-

  to:
kind: Service
name: "test-api-dev"
weight: 100
  wildcardPolicy: None

After the first deploy we noticed that the configuration of deployments
config reports the image parameter under container section with the sha256
value and not the image tag value. We also noticed that the configuration
reports the lastTriggerImage parameter with the same value. If we tried to
release a new DC the configuration points to the first shs256 and not the
new one.
If we remove manually from the DC YAML config the lastTriggerImage param
and we override the image sha256 tag with the image stream tag the
deployment work fine and doesn't change the config.

Is it a normal behavior? Is it possible to avoid this config with the
sha256?

Thanks a lot in advance,
Marcello
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users