Add support for optionally building service controller images that meet Red Hat's Container Certification Requirements
Is your feature request related to a problem? No.
Describe the solution you'd like
The ability to build the service controller images in a way that meets Red Hat's Container Certification requirements. This amounts to
- A base image built on Red Hat UBI ("minimal" should suffice in this case)
- Additional labels added
For starters, I would target the latest UBI minimal image (8.3) until a Micro image is made available. When a Micro image is made available, it may be worth considering a shift to that if everything works out of the box.
This image will need to be bumped periodically as the minor release increments. Also note that I'll need to perform a test to make sure the controller functions with the UBI image.
Potential challenges to address
1. In the build-controller-image.sh script, you cannot change the target docker registry without replacing the entire repository AND tag. If possible, add the ability to change the registry and repository independent of the tag logic. publish-controller-image.sh and olm-publish-bundle-image.sh both decouple the image tag from the registry and introduce a precedence based on specificity to determine what the resulting value would be.
2. The final controller image that would be submitted to Red Hat certification pipelines has a few additional pieces of metadata (read: labels) that need to be accessible on the built container image. Those amount to (reference: Red Hat Certified Operator Guide - Docker):

   ```dockerfile
   LABEL name="ACK - Amazon SageMaker" \
         vendor="Amazon, Inc." \
         version="v0.0.1" \
         release="1" \
         summary="AWS Controllers for Kubernetes - Amazon SageMaker Controller" \
         description="This operator will manage Amazon SageMaker services from within your cluster."
   ```
3. The final controller image needs to have its license accessible at `/licenses`. This is probably just an extra `COPY` statement in the Dockerfile. https://github.com/aws-controllers-k8s/community/blob/main/Dockerfile#L47
4. Given that the runtime image will be built on UBI, the Dockerfile would need to reflect that image in the final `FROM` declaration. https://github.com/aws-controllers-k8s/community/blob/main/Dockerfile#L43
Possible implementations and alternatives
Corresponding with the above challenges:
1. Effectively replicate what's happening in the mentioned scripts. Introduce additional environment variables that allow for various levels of specificity in the built image. Alternatively, an image can always be re-labeled after the build. I'm not sure what approach you take in your pipeline here. Happy to conform with whatever is happening.
2. In the olm-build-bundle-image.sh script, there's an environment variable that automatically adds the necessary labels to the bundle. One option is to do something like that where the labels are added at `docker build` time. An alternative would be if we introduced an additional Dockerfile, say, Dockerfile.ubi, that took advantage of the existing arguments and some pre-planned verbiage for things like description and summary.
3. As stated, this is probably the easiest as the licenses are already copied over to the final controller image. This is just a matter of placement, and the license can probably exist in two places. I can also find out if some kind of symlink is acceptable from the certification pipeline standpoint.
4. Here, I'm specifically referring to this line in the Dockerfile: I think there are a couple of options. We could do some kind of in-line switch using something like `sed`. Or we can target a separate Dockerfile as is done when `LOCAL_MODULES` is set to true. The challenge with using `sed` is that the change feels transient. The challenge with setting up a separate Dockerfile is that now you have multiple things to keep in sync. In theory, using a separate Dockerfile simplifies items 2) and 3), but again - multiple Dockerfiles to keep in sync, as I don't think the controller image changes at all aside from these listed things.
Happy to answer any questions, and am willing to send PRs once we've chosen a path forward.
Just wanted to share possible implementations here. Have not submitted a PR as these requirements and a path forward haven't been hashed out here yet.
https://github.com/komish/community/commit/97f942a892fea3abbf86a5305cffece745be2b46 https://github.com/komish/community/commit/8f5d53cdbc865fa71de3996e727c8061fe678d41
These aren't the best-case scenario because, at least with regards to the Dockerfile, there's a fair amount of duplication. There's also a metadata problem where the service names are all reflected in lower case because that's what's provided as input (or at least, that's how the input is transformed for the rest of the script's functionality).
Either way, this is what I've been testing with locally.
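As an added example (not code from the aws-controllers-k8s repository or from the commits linked above), the shell functions below show one way to handle challenges 1 and 2 and the lower-case service name problem mentioned in the previous comment: a most-specific-wins image reference resolver where registry and repository are overridable independently of the tag, and build-time injection of the certification labels. It assumes a Dockerfile.ubi that consumes a `BASE_IMAGE` build-arg in its final `FROM` and copies the license to `/licenses`; the variable names and the registry.example.com default are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the aws-controllers-k8s repo. Variable names
# (IMAGE_NAME, IMAGE_REGISTRY, IMAGE_REPOSITORY, IMAGE_TAG, UBI_BASE_IMAGE),
# the registry.example.com default and the Dockerfile.ubi name are assumptions.
set -eu

# Precedence: a fully specified IMAGE_NAME wins; otherwise registry and
# repository are composed, each overridable on its own. The tag is appended
# last either way, so changing the registry never touches the tag logic.
resolve_image_ref() {
  service="$1"
  tag="${IMAGE_TAG:-latest}"
  if [ -n "${IMAGE_NAME:-}" ]; then
    printf '%s:%s\n' "$IMAGE_NAME" "$tag"
    return 0
  fi
  registry="${IMAGE_REGISTRY:-registry.example.com}"   # placeholder default
  repository="${IMAGE_REPOSITORY:-aws-controllers-k8s/${service}-controller}"
  printf '%s/%s:%s\n' "$registry" "$repository" "$tag"
}

# One key=value line per certification label. The display name is passed
# separately from the lower-case service key, so "sagemaker" is not echoed
# back lower-cased into the metadata.
cert_labels() {
  display="$1" version="$2" release="$3"
  printf '%s\n' \
    "name=ACK - Amazon ${display}" \
    "vendor=Amazon, Inc." \
    "version=${version}" \
    "release=${release}" \
    "summary=AWS Controllers for Kubernetes - Amazon ${display} Controller" \
    "description=This operator will manage Amazon ${display} services from within your cluster."
}

# Print (not run) the docker build command: the UBI base is passed as a
# build-arg that Dockerfile.ubi is assumed to use in its final FROM, and the
# labels are injected with --label so no relabel step is needed afterwards.
build_command() {
  service="$1" display="$2" version="$3" release="$4"
  ref=$(resolve_image_ref "$service")
  base="${UBI_BASE_IMAGE:-registry.access.redhat.com/ubi8/ubi-minimal:8.3}"
  labels=$(cert_labels "$display" "$version" "$release" \
    | sed "s/^/--label '/; s/\$/'/" | tr '\n' ' ')
  printf "docker build -f Dockerfile.ubi --build-arg BASE_IMAGE='%s' -t '%s' %s.\n" \
    "$base" "$ref" "$labels"
}

build_command sagemaker SageMaker v0.0.1 1
```

The printed command can be checked against the certification label list before anything is built, and the same precedence rule can be reused by the publish scripts since the tag is never baked into the registry or repository value.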
Issues go stale after 90d of inactivity.
Mark the issue as fresh with `/remove-lifecycle stale`.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with `/close`.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with `/remove-lifecycle rotten`.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with `/close`.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle rotten
/remove-lifecycle rotten
/lifecycle frozen
/assign
Cool idea, I like it.