Add tag-based image resolution to the controller (milestone 5a) #75
alicefr wants to merge 10 commits into
Introduce TagResolver interface and GGCRResolver implementation in internal/registry/ that resolves container image tags to digests via remote.Get. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
Test tag resolution against GGCR's in-memory registry, invalid reference parsing, and unreachable registry errors. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
New Degraded condition reason for when the controller fails to resolve a tag from the container registry. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
@jlebon I opened this draft PR to discuss a couple of design points with you, and I'd love to hear your opinion.

First, how do we expose the time when the tag resolution will take place? In this version, the users see when the next resolution will take place in the bootc pool status in the field

Secondly, the polling time interval is configurable on the operator side by a flag. IMO, this is something the cluster admin needs to configure. But an alternative could be that it is the user who decides. In this case, we could expose the polling time under the pool spec.

Additionally, I added support for an untrusted registry if the cluster admin configures the operator with

Please let me know what you think.
Tracks when the controller will next resolve a tag-based image ref to a digest. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
Add TagResolver and TagResolutionInterval to the reconciler struct. Rewrite resolveTargetDigest to resolve tag refs via the registry with periodic re-resolution, and set Degraded/RegistryError on failure. Wire GGCRResolver and --tag-resolution-interval flag in main.go. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
Returns the tag-based image reference for the seeded node image, for use in tag resolution e2e tests. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
Create a pool with a tag ref, verify the controller resolves it to the correct digest, then retag to an update image and verify re-resolution triggers a rollout. The test patches the controller deployment to use a short tag-resolution-interval (10s) and restores the original args on cleanup. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
Allow falling back to HTTP when resolving tag-based image refs against registries that do not serve TLS. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
Generalize the helper to accept arbitrary extra flags via variadic args instead of hardcoding the tag-resolution-interval flag. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
The bink in-cluster registry serves HTTP only, so the test needs the insecure fallback when patching the controller deployment. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Alice Frosi <afrosi@redhat.com>
We also need to move away from the alicefr/bink repository and include the fix bootc-dev/bink#71
➡️ #76
Pools can now reference node images by tag (e.g. registry.example.com/node:latest) instead of requiring a pinned digest. The controller periodically resolves tags to digests using go-containerregistry and updates the pool status with the resolved digest.
The resolution interval is configurable via --tag-resolution-interval (default 5m). Resolution failures are surfaced as a PoolRegistryError degraded condition. An --allow-insecure-registry flag enables fallback to HTTP for registries that do not serve TLS.
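
An added example (not code from this PR) of the HTTPS-first, opt-in HTTP fallback described above, written against the registry HTTP API with Go's standard library rather than go-containerregistry. `ResolveTag`, `httpOnlyRegistry` and the sample digest are constructed for illustration; the resolver also reports when a digest arrived over plain HTTP, because such an answer has no transport integrity.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

var ErrInsecureRefused = errors.New("HTTPS failed and insecure fallback is disabled")
var sampleDigest = "sha256:" + strings.Repeat("ab", 32) // constructed, not a real image

// ResolveTag (hypothetical helper) returns the manifest digest behind repo:tag.
// HTTPS is tried first; plain HTTP is used only when allowInsecure is set.
func ResolveTag(c *http.Client, host, repo, tag string, allowInsecure bool) (string, bool, error) {
	var lastErr error
	for _, scheme := range []string{"https", "http"} {
		if scheme == "http" && !allowInsecure {
			return "", false, fmt.Errorf("%w: %v", ErrInsecureRefused, lastErr)
		}
		url := fmt.Sprintf("%s://%s/v2/%s/manifests/%s", scheme, host, repo, tag)
		resp, err := c.Head(url) // a real client also sends Accept for manifest media types
		if err != nil {
			lastErr = err // transport failure: the next scheme may be tried
			continue
		}
		resp.Body.Close()
		d := resp.Header.Get("Docker-Content-Digest")
		if resp.StatusCode != http.StatusOK || len(d) != 71 || !strings.HasPrefix(d, "sha256:") {
			return "", false, fmt.Errorf("registry answered %d with digest %q", resp.StatusCode, d)
		}
		return d, scheme == "http", nil // second value: digest was fetched without TLS
	}
	return "", false, fmt.Errorf("registry unreachable: %w", lastErr)
}

type httpOnlyRegistry struct{} // constructed in-process registry that serves no TLS

func (httpOnlyRegistry) RoundTrip(r *http.Request) (*http.Response, error) {
	if r.URL.Scheme == "https" {
		return nil, errors.New("constructed TLS handshake failure")
	}
	return &http.Response{StatusCode: http.StatusOK, Header: http.Header{"Docker-Content-Digest": {sampleDigest}}, Body: http.NoBody, Request: r}, nil
}

func main() {
	c := &http.Client{Transport: httpOnlyRegistry{}}
	fmt.Println(ResolveTag(c, "registry.example.com", "node", "latest", false))
	fmt.Println(ResolveTag(c, "registry.example.com", "node", "latest", true))
}
```

A caller that accepts a digest with the second return value set should record that in status or logs, since anyone on the network path could have supplied it.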