On Fri, Sep 11, 2020 at 02:48:03PM -0400, Owen Taylor wrote:
From: "Owen W. Taylor" otaylor@fishsoup.net
This is an initial attempt to create a configuration for flatpak-indexer to replace regindexer and add an image delta capability. The config here is derived from a working openshift configuration, but is untested in this form.
Sorry this has languished so long. ;(
Open questions:
How to propagate content to the registry.fedoraproject.org reverse proxy
Currently the regindexer-generated content is rsync'ed from sundries to fedora-web/registry. How should this be done with flatpak-indexer running as an openshift app? Some possibilities that come to mind:
- Run a rsyncd within the openshift app (either as a separate deploymentconfig or as a sidecar to the indexer) and expose a route to it internally in Fedora infrastructure.
- Run a web server within the openshift app, expose a route to it internally in Fedora infrastructure, and reverse proxy the content on fedora-web/registry instead of rsync'ing it.
- Write the content onto a netapp volume, and mount that volume RO either on a host running rsyncd or directly on fedora-web/registry.
I think the last one is the easiest here. We can just mount the volume on sundries and re-use the existing rsync setup to deploy it out to proxies. I would imagine the volume could be very small?
So basically:
- make small netapp volume
- mount on sundries
- mount in the openshift pod
- pod writes content out, sundries rsyncs it to proxies.
What to use for a redis image
Redis is used for caching and communication between the components. What redis image should be used?
- registry.redhat.io/rhel8/redis-5: needs configuration of a subscription
- docker.io/library/redis:5, centos/redis-5-centos7: don't rely on such images currently
- Custom Dockerfile image built from fedora:32: how would rebuilds be triggered?
I wonder, would it be possible to use rabbitmq instead? Then we could just use our existing cluster?
If that's not possible/easy, I guess I would go with a fedora:latest image, rebuilt on us deploying, or manually when we want to rebuild?
For the two other images needed here, I used ubi8 images - which aren't currently used elsewhere, but are presumably ok.
Yeah, I would think that would be fine.
How to handle identifying versions to build for staging/production
I see that most openshift applications simply use 'staging'/'production' tags in the upstream repo, while a few take the approach of having specific hashes checked into the infrastructure ansible repository.
Is the upstream tag approach considered sufficiently secure? (Making the service write a malicious index could allow causing users to upgrade to arbitrary application binaries.)
Well, I think it's fine as long as we control/monitor the upstream repos here. If the upstream repo updates, we should know who did it and why?
I'm perfectly fine also with the hash...
kevin --
Owen W. Taylor (1): Add a flatpak-indexer openshift service
 playbooks/openshift-apps/flatpak-indexer.yml | 56 +++++
 .../reversepassproxy.registry-generic.conf | 34 ++-
 .../flatpak-indexer/files/imagestream.yml | 52 +++++
 .../flatpak-indexer/files/service.yml | 16 ++
 .../flatpak-indexer/files/storage.yml | 24 ++
 .../flatpak-indexer/templates/buildconfig.yml | 84 +++++++
 .../flatpak-indexer/templates/configmap.yml | 98 ++++++++
 .../templates/deploymentconfig.yml | 221 ++++++++++++++++++
 .../flatpak-indexer/templates/secret.yml | 11 +
 roles/regindexer/build/tasks/main.yml | 21 --
 roles/regindexer/build/templates/config.yaml | 74 ------
 11 files changed, 584 insertions(+), 107 deletions(-)
 create mode 100644 playbooks/openshift-apps/flatpak-indexer.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/imagestream.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/service.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/storage.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/buildconfig.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/configmap.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/deploymentconfig.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/secret.yml
 delete mode 100644 roles/regindexer/build/tasks/main.yml
 delete mode 100644 roles/regindexer/build/templates/config.yaml
-- 2.28.0