Merged
6 changes: 6 additions & 0 deletions deploy/common/deploy.sh
Expand Up @@ -13,6 +13,12 @@ echo "StackRox image tag set to $MAIN_IMAGE_TAG"
export MAIN_IMAGE="${MAIN_IMAGE_REPO}:${MAIN_IMAGE_TAG}"
echo "StackRox image set to $MAIN_IMAGE"

export CENTRAL_DB_IMAGE_REPO="${CENTRAL_DB_IMAGE_REPO:-stackrox/central-db}"
echo "CENTRAL_DB_IMAGE_REPO set to $CENTRAL_DB_IMAGE_REPO"

export CENTRAL_DB_IMAGE="${CENTRAL_DB_IMAGE:-${CENTRAL_DB_IMAGE_REPO}:${MAIN_IMAGE_TAG}}"
echo "StackRox central db image set to $CENTRAL_DB_IMAGE"

export ROXCTL_IMAGE_REPO="${ROXCTL_IMAGE_REPO:-stackrox/roxctl}"
echo "ROXCTL_IMAGE_REPO set to $ROXCTL_IMAGE_REPO"

4 changes: 4 additions & 0 deletions deploy/common/k8sbased.sh
Expand Up @@ -158,6 +158,10 @@ function launch_central {

add_args -i "${MAIN_IMAGE}"

if [[ "${ROX_POSTGRES_DATASTORE}" == "true" && -n "${CENTRAL_DB_IMAGE}" ]]; then
add_args "--central-db-image=${CENTRAL_DB_IMAGE}"
fi

pkill -f kubectl'.*port-forward.*' || true # terminate stale port forwarding from earlier runs
pkill -9 -f kubectl'.*port-forward.*' || true
command -v oc && pkill -f oc'.*port-forward.*' || true # terminate stale port forwarding from earlier runs
Expand Up @@ -41,6 +41,11 @@ central:
name: null # string
tag: null # string
fullRef: null # string
dbImage:
registry: null # string
name: null # string
tag: null # string
fullRef: null # string
adminPassword:
value: null # string
generate: null # bool
Expand Up @@ -20,6 +20,12 @@ defaults:
image:
name: [< required "" .ImageRemote >]
tag: [< required "" .ImageTag >]
[<- if .FeatureFlags.ROX_POSTGRES_DATASTORE >]
dbImage:
name: [< required "" .CentralDBImageRemote >]
tag: [< required "" .CentralDBImageTag >]

[<- end >]

resources:
requests:
Expand Up @@ -62,7 +62,7 @@ spec:
storage: {{ include "srox.formatStorageSize" $pvcCfg.size }}
{{ if ._rox.central.enableCentralDB -}}
---
{{- /* TODO(ROX-9249): Configure PVC for both Central and Central DB */}}
{{- /* TODO(ROX-9807): Move customized PVC from Central to Central DB */}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
Expand Up @@ -30,7 +30,7 @@ spec:
serviceAccountName: central-db
initContainers:
- name: init-db
image: {{ ._rox.central.image.fullRef | replace "main" "central-db" | quote }}
image: {{ ._rox.central.dbImage.fullRef | quote }}
Contributor

Shouldn't we wrap this with a meta template feature flag check? At least until the image is available downstream. If this is released prior to rhacs-central-db-rhel8 being available, the init container will crash when on rhacs flavor.

The meta template would look something like this:

[<- if .FeatureFlags.FLAG_NAME >]
...
[<- else >]
...
[<- end >]

Contributor Author

Is it possible to release upstream only? We use enableCentralDB flag, which will block this template file entirely. See line #2.

Contributor

Oh ok. That makes sense. I missed the conditional check on line 2.

Is it possible to release upstream only?

I'm not sure if it is. Technically the downstream release (registry.redhat.io) is our official release. I think it should be fine as long as:

  1. This file isn't included if enableCentralDB is not enabled (which is covered by line 2).
  2. We create a rhacs-central-db-rhel8 image downstream once this needs to be released (covered by the task you created ROX-9858).

Contributor

If possible, please update the JIRA description with a pointer to this PR and mention that the image that needs to be written is for rhacs-central-db-rhel8.

env:
- name: PGDATA
value: "/var/lib/postgresql/data/pgdata"
Expand All @@ -52,8 +52,7 @@ spec:
runAsGroup: 70
containers:
- name: central-db
{{- /* TODO(ROX-9249): Need to provide Central DB configuration. Use the same image registry and tag for Central DB image for now. */}}
image: {{ ._rox.central.image.fullRef | replace "main" "central-db" | quote }}
image: {{ ._rox.central.dbImage.fullRef | quote }}
env:
- name: POSTGRES_HOST_AUTH_METHOD
value: "password"
Expand Up @@ -11,6 +11,7 @@

{{/* Image settings */}}
{{ include "srox.configureImage" (list $ $centralCfg.image) }}
{{ include "srox.configureImage" (list $ $centralCfg.dbImage) }}

{{/* Admin password */}}
{{ include "srox.configurePassword" (list $ "central.adminPassword" "admin") }}
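Review bot: `srox.configureImage` is now called for `$centralCfg.dbImage` on every render, while the chart defaults for `dbImage` (`name`, `tag`) are only emitted when the `ROX_POSTGRES_DATASTORE` meta flag is set, and the template that consumes `dbImage.fullRef` is gated on `enableCentralDB`. The helper's definition is not visible here, so whether it fails or produces an empty `fullRef` for an image with no name and tag is an assumption to confirm. If it does either, guard the new line with the same `enableCentralDB` condition the deployment template uses, or add a chart test that renders with the flag off.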
4 changes: 4 additions & 0 deletions pkg/helm/charts/meta.go
Expand Up @@ -12,6 +12,8 @@ type MetaValues struct {
Versions version.Versions
MainRegistry string
ImageRemote string
CentralDBImageTag string
CentralDBImageRemote string
CollectorRegistry string
CollectorFullImageRemote string
CollectorSlimImageRemote string
Expand Down Expand Up @@ -60,6 +62,8 @@ func GetMetaValuesForFlavor(imageFlavor defaults.ImageFlavor) *MetaValues {
MainRegistry: imageFlavor.MainRegistry,
ImageRemote: imageFlavor.MainImageName,
ImageTag: imageFlavor.MainImageTag,
CentralDBImageTag: imageFlavor.CentralDBImageTag,
CentralDBImageRemote: imageFlavor.CentralDBImageName,
CollectorRegistry: imageFlavor.CollectorRegistry,
CollectorFullImageRemote: imageFlavor.CollectorImageName,
CollectorSlimImageRemote: imageFlavor.CollectorSlimImageName,
2 changes: 2 additions & 0 deletions pkg/helm/charts/tests/centralservices/flavor/flavor_test.go
Expand Up @@ -20,6 +20,8 @@ func customFlavor(t *testing.T) defaults.ImageFlavor {
MainRegistry: "example.io",
MainImageName: "custom-main",
MainImageTag: "1.2.3",
CentralDBImageName: "custom-central-db",
CentralDBImageTag: "1.2.4",
ScannerImageName: "custom-scanner",
ScannerSlimImageName: "scanner-slim",
ScannerImageTag: "3.2.1",
39 changes: 27 additions & 12 deletions pkg/images/defaults/flavor.go
Expand Up @@ -67,9 +67,11 @@ type ImagePullSecrets struct {
// ImageFlavor represents default settings for pulling images.
type ImageFlavor struct {
// MainRegistry is a registry for all images except of collector.
MainRegistry string
MainImageName string
MainImageTag string
MainRegistry string
MainImageName string
MainImageTag string
CentralDBImageTag string
CentralDBImageName string

// CollectorRegistry may be different from MainRegistry in case of stackrox.io.
CollectorRegistry string
Expand All @@ -95,9 +97,11 @@ type ImageFlavor struct {
func DevelopmentBuildImageFlavor() ImageFlavor {
v := version.GetAllVersionsDevelopment()
return ImageFlavor{
MainRegistry: "docker.io/stackrox",
MainImageName: "main",
MainImageTag: v.MainVersion,
MainRegistry: "docker.io/stackrox",
MainImageName: "main",
MainImageTag: v.MainVersion,
CentralDBImageTag: v.MainVersion,
CentralDBImageName: "central-db",

CollectorRegistry: "docker.io/stackrox",
CollectorImageName: "collector",
Expand Down Expand Up @@ -125,9 +129,11 @@ func DevelopmentBuildImageFlavor() ImageFlavor {
func StackRoxIOReleaseImageFlavor() ImageFlavor {
v := version.GetAllVersionsUnified()
return ImageFlavor{
MainRegistry: "stackrox.io",
MainImageName: "main",
MainImageTag: v.MainVersion,
MainRegistry: "stackrox.io",
MainImageName: "main",
MainImageTag: v.MainVersion,
CentralDBImageTag: v.MainVersion,
CentralDBImageName: "central-db",

CollectorRegistry: "collector.stackrox.io",
CollectorImageName: "collector",
Expand Down Expand Up @@ -155,9 +161,13 @@ func StackRoxIOReleaseImageFlavor() ImageFlavor {
func RHACSReleaseImageFlavor() ImageFlavor {
v := version.GetAllVersionsUnified()
return ImageFlavor{
MainRegistry: "registry.redhat.io/advanced-cluster-security",
MainImageName: "rhacs-main-rhel8",
MainImageTag: v.MainVersion,
MainRegistry: "registry.redhat.io/advanced-cluster-security",
MainImageName: "rhacs-main-rhel8",
MainImageTag: v.MainVersion,
/* TODO(ROX-9858): Create repo rhacs-central-db-rhel8 when starting building rhacs */
CentralDBImageTag: v.MainVersion,
CentralDBImageName: "rhacs-central-db-rhel8",
Contributor

Just keep in mind that this image has to be built downstream (CPaaS). I assume this was not done yet.

Contributor Author

Yes, I will put a TODO tag with jira blocker.


CollectorRegistry: "registry.redhat.io/advanced-cluster-security",
CollectorImageName: "rhacs-collector-rhel8",
CollectorImageTag: v.CollectorVersion,
Expand Down Expand Up @@ -264,6 +274,11 @@ func (f *ImageFlavor) MainImageNoTag() string {
return fmt.Sprintf("%s/%s", f.MainRegistry, f.MainImageName)
}

// CentralDBImage is the container image reference (full name) for the central-db image.
func (f *ImageFlavor) CentralDBImage() string {
return fmt.Sprintf("%s/%s:%s", f.MainRegistry, f.CentralDBImageName, f.CentralDBImageTag)
}

// CollectorFullImage is the container image reference (full name) for the "collector" image
func (f *ImageFlavor) CollectorFullImage() string {
return fmt.Sprintf("%s/%s:%s", f.CollectorRegistry, f.CollectorImageName, f.CollectorImageTag)
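Review bot: `CentralDBImage()` builds its reference from `f.MainRegistry`, and the struct gains no separate registry field for central-db, but neither the method comment nor the new `CentralDBImageTag`/`CentralDBImageName` fields say so. I would state it on the method, e.g. `// CentralDBImage is the full image reference for central-db; the registry is always MainRegistry.`, and add a one-line comment on the two new fields. The TODO in `RHACSReleaseImageFlavor` is written as a `/* … */` block comment where the rest of the visible file uses `//`.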
2 changes: 2 additions & 0 deletions pkg/images/defaults/testutils/flavor.go
Expand Up @@ -17,6 +17,8 @@ func MakeImageFlavorForTest(t *testing.T) defaults.ImageFlavor {
MainRegistry: "test.registry",
MainImageName: "main",
MainImageTag: "1.2.3",
CentralDBImageTag: "1.2.4",
CentralDBImageName: "central-db",
CollectorRegistry: "test.registry",
CollectorImageName: "collector",
CollectorImageTag: "3.2.1-latest",
17 changes: 16 additions & 1 deletion pkg/renderer/helm_values.go
Expand Up @@ -69,7 +69,22 @@ central:
tag: {{ .K8sConfig.ImageOverrides.Main.Tag }}
{{- end }}
{{- end }}

{{- if .K8sConfig.ImageOverrides.CentralDB }}
dbImage:
{{- if .K8sConfig.ImageOverrides.CentralDB.Registry }}
registry: {{ .K8sConfig.ImageOverrides.CentralDB.Registry }}
{{- end }}
{{- if .K8sConfig.ImageOverrides.CentralDB.Name }}
name: {{ .K8sConfig.ImageOverrides.CentralDB.Name }}
{{- end }}
{{- if .K8sConfig.ImageOverrides.CentralDB.Tag }}
# WARNING: You are using a non-default Central DB image tag. Upgrades via
# 'helm upgrade' will not work as expected. To ensure a smooth upgrade experience,
# make sure StackRox images are mirrored with the same tags as in the stackrox.io
# registry.
tag: {{ .K8sConfig.ImageOverrides.CentralDB.Tag }}
{{- end }}
{{- end }}
persistence:
{{- if .HostPath }}
hostPath: {{ .HostPath.HostPath }}
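Review bot: The three new `dbImage` values are written into the generated values file unquoted, e.g. `tag: {{ .K8sConfig.ImageOverrides.CentralDB.Tag }}`, so a `--central-db-image` value containing `: `, ` #` or a line break would alter the structure of the YAML instead of being rejected. This mirrors the existing `image:` block, and `ComputeImageOverrides` is not visible here and may already constrain the parts, so treat it as a hardening point. Either validate the image reference before rendering or emit the three fields as quoted YAML scalars. The enclosing template string starts and ends outside the hunk.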
6 changes: 5 additions & 1 deletion pkg/renderer/images.go
Expand Up @@ -3,6 +3,7 @@ package renderer
import (
"strings"

"github.com/stackrox/rox/pkg/features"
"github.com/stackrox/rox/pkg/images/defaults"
"github.com/stackrox/rox/pkg/stringutils"
)
Expand Down Expand Up @@ -86,7 +87,10 @@ func configureImageOverrides(c *Config, imageFlavor defaults.ImageFlavor) {
delete(mainOverrides, "Registry")
}
imageOverrides["Main"] = mainOverrides

if features.PostgresDatastore.Enabled() {
imageOverrides["CentralDB"] = ComputeImageOverrides(c.K8sConfig.CentralDBImage, registry, imageFlavor.CentralDBImageName,
imageFlavor.CentralDBImageTag)
}
imageOverrides["Scanner"] = ComputeImageOverrides(c.K8sConfig.ScannerImage, registry, imageFlavor.ScannerImageName,
imageFlavor.ScannerImageTag)
imageOverrides["ScannerDB"] = ComputeImageOverrides(c.K8sConfig.ScannerDBImage, registry, imageFlavor.ScannerDBImageName,
3 changes: 3 additions & 0 deletions pkg/renderer/kubernetes.go
Expand Up @@ -41,6 +41,9 @@ func postProcessConfig(c *Config, mode mode, imageFlavor defaults.ImageFlavor) e
if c.K8sConfig.MainImage == "" {
c.K8sConfig.MainImage = imageFlavor.MainImage()
}
if c.K8sConfig.CentralDBImage == "" {
c.K8sConfig.CentralDBImage = imageFlavor.CentralDBImage()
}
if c.K8sConfig.ScannerImage == "" {
c.K8sConfig.ScannerImage = imageFlavor.ScannerImage()
}
1 change: 1 addition & 0 deletions pkg/renderer/templater.go
Expand Up @@ -48,6 +48,7 @@ func (h *HostPathPersistence) WithNodeSelector() bool {
// at the top level
type CommonConfig struct {
MainImage string
CentralDBImage string
ScannerImage string
ScannerDBImage string
}
6 changes: 5 additions & 1 deletion roxctl/central/generate/interactive.go
Expand Up @@ -317,7 +317,7 @@ func processFlagWraps(argSlice *argSlice, fws []flagWrap) {
}

// set default values for image-{main,scanner,scanner-db} flags
if fw.Flag.Name == flags.FlagNameMainImage || fw.Flag.Name == flags.FlagNameScannerImage || fw.Flag.Name == flags.FlagNameScannerDBImage {
if fw.Flag.Name == flags.FlagNameMainImage || fw.Flag.Name == flags.FlagNameScannerImage || fw.Flag.Name == flags.FlagNameScannerDBImage || fw.Flag.Name == flags.FlagNameCentralDBImage {
imgDefArg := argSlice.findArgByName(flags.FlagNameImageDefaults)
if imgDefArg == nil {
panic(fmt.Sprintf("unable to find flag '%s'", flags.FlagNameImageDefaults))
Expand All @@ -339,6 +339,10 @@ func processFlagWraps(argSlice *argSlice, fws []flagWrap) {
if fw.Flag.DefValue == "" {
fw.Flag.DefValue = flavor.ScannerDBImage()
}
case flags.FlagNameCentralDBImage:
if fw.Flag.DefValue == "" {
fw.Flag.DefValue = flavor.CentralDBImage()
}
}
}
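Review bot: The comment above the widened condition still reads `// set default values for image-{main,scanner,scanner-db} flags`, so it no longer matches the four flags tested on the next line; update it to `// set default values for image-{main,central-db,scanner,scanner-db} flags`. The `||` chain is also getting long, and since the code a few lines later already appears to switch over the same flag-name constants, a `switch` with one multi-value `case` would be easier to extend than a fourth `||` term. `processFlagWraps` starts and ends outside the hunks shown.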

4 changes: 3 additions & 1 deletion roxctl/central/generate/k8s.go
Expand Up @@ -89,7 +89,9 @@ func k8sBasedOrchestrator(cliEnvironment environment.Environment, k8sConfig *ren
defaultImageHelp := fmt.Sprintf("(if unset, a default will be used according to --%s)", flags.ImageDefaultsFlagName)
flagWrap.StringVarP(&k8sConfig.MainImage, flags.FlagNameMainImage, "i", "", "main image to use"+defaultImageHelp, "central")
flagWrap.BoolVar(&k8sConfig.OfflineMode, "offline", false, "whether to run StackRox in offline mode, which avoids reaching out to the Internet", "central")

if features.PostgresDatastore.Enabled() {
flagWrap.StringVar(&k8sConfig.CentralDBImage, flags.FlagNameCentralDBImage, "", "central-db image to use"+defaultImageHelp, "central")
}
flagWrap.StringVar(&k8sConfig.ScannerImage, flags.FlagNameScannerImage, "", "scanner image to use"+defaultImageHelp, "scanner")
flagWrap.StringVar(&k8sConfig.ScannerDBImage, flags.FlagNameScannerDBImage, "", "scanner-db image to use"+defaultImageHelp, "scanner")
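Review bot: The help text for the new flag is built as `"central-db image to use"+defaultImageHelp`, and `defaultImageHelp` begins with `(if unset`, so the rendered help reads `central-db image to use(if unset, …)`. The neighbouring image flags have the same missing space; adding it once in the format string, `fmt.Sprintf(" (if unset, a default will be used according to --%s)", flags.ImageDefaultsFlagName)`, fixes all four. Because the flag is registered only when `features.PostgresDatastore.Enabled()`, any caller that passes `--central-db-image` must apply the same gate, as `deploy/common/k8sbased.sh` does in this PR; a short comment on the `if` saying so would help. `k8sBasedOrchestrator` continues outside the hunk.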

2 changes: 2 additions & 0 deletions roxctl/common/flags/imageFlavor.go
Expand Up @@ -14,6 +14,8 @@ const (
FlagNameImageDefaults = "image-defaults"
// FlagNameMainImage is a shared constant for --main-image command line flag.
FlagNameMainImage = "main-image"
// FlagNameCentralDBImage is a shared constant for --central-db-image command line flag.
FlagNameCentralDBImage = "central-db-image"
// FlagNameScannerImage is a shared constant for --scanner-image command line flag.
FlagNameScannerImage = "scanner-image"
// FlagNameScannerDBImage is a shared constant for --scanner-db-image command line flag.
4 changes: 4 additions & 0 deletions roxctl/helm/derivelocalvalues/derivelocalvalues.go
Expand Up @@ -272,6 +272,10 @@ func derivePublicLocalValuesForCentralServices(ctx context.Context, namespace st
"registry": extractImageRegistry(k8s.evaluateToString(ctx, "deployment", "central",
`{.spec.template.spec.containers[?(@.name == "central")].image}`, ""), "main"),
},
"dbImage": map[string]interface{}{
"registry": extractImageRegistry(k8s.evaluateToString(ctx, "deployment", "central-db",
`{.spec.template.spec.containers[?(@.name == "central-db")].image}`, ""), "central-db"),
},
"resources": k8s.evaluateToObject(ctx, "deployment", "central",
`{.spec.template.spec.containers[?(@.name == "central")].resources}`, nil),
"persistence": map[string]interface{}{
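Review bot: The new `dbImage` entry queries the `central-db` deployment unconditionally, although that deployment is only created when Central DB is enabled. With the `""` default passed to `evaluateToString`, `extractImageRegistry` receives an empty image string on clusters without it; its definition is not visible here, so confirm that the result is dropped from the derived values rather than emitted as an empty `dbImage.registry`. If it is not dropped, build the `dbImage` map only when the lookup returned a non-empty image. The enclosing function starts and ends outside the hunk.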
15 changes: 15 additions & 0 deletions tests/roxctl/bats-tests/helpers.bash
Expand Up @@ -181,6 +181,9 @@ assert_components_registry() {
main)
assert_registry_version_file "${dir}/01-central-13-deployment.yaml" 0 "central" "$regex"
;;
central-db)
assert_registry_version_file "${dir}/01-central-12-central-db.yaml" 0 "central-db" "$regex"
;;
scanner)
assert_registry_version_file "${dir}/02-scanner-06-deployment.yaml" 0 "scanner" "$regex"
;;
Expand Down Expand Up @@ -211,6 +214,13 @@ assert_file_exist() {
fi
}

assert_file_not_exist() {
local -r file="$1"
if [[ -e "$file" ]]; then
fail "ERROR: file '$file' exists"
fi
}

image_reference_regex() {
local registry_slug="$1"
local component="$2"
Expand Down Expand Up @@ -264,6 +274,11 @@ run_image_defaults_registry_test() {
assert_success
assert_components_registry "$out_dir/central" "$expected_main_registry" "$any_version" 'main'
assert_components_registry "$out_dir/scanner" "$expected_scanner_registry" "$any_version" 'scanner' 'scanner-db'
if [[ "$ROX_POSTGRES_DATASTORE" =~ "true" ]]; then
assert_components_registry "$out_dir/central" "$expected_main_registry" "$any_version" 'central-db'
else
assert_file_not_exist "$out_dir/central/01-central-12-central-db.yaml"
fi
}

# run_no_rhacs_flag_test asserts that 'roxctl central generate' fails when presented with `--rhacs` parameter
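Review bot: In `run_image_defaults_registry_test` the check `[[ "$ROX_POSTGRES_DATASTORE" =~ "true" ]]` is an unanchored literal match, so any value that merely contains `true` selects the central-db branch, whereas `deploy/common/k8sbased.sh` in this PR compares with `== "true"`. Use the same exact comparison, with a default for the unset case: `if [[ "${ROX_POSTGRES_DATASTORE:-}" == "true" ]]; then`. The new `assert_file_not_exist` has no header comment; a one-line `# assert_file_not_exist fails the test if the given path exists` would match the commented helper that follows it.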