Re: [PATCH 0/1] Add a flatpak-indexer openshift service

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



MIssed that https://pagure.io/Fedora-Infra/ansible now exists. I'll
post the next version there as a pull-request, but unless anybody
requests otherwise, I'll leave this here for now, since the questions
in my cover letter are probably better on the mailing list anyways.

Thanks,
Owen

On Fri, Sep 11, 2020 at 2:49 PM Owen Taylor <otaylor@xxxxxxxxxx> wrote:
>
> From: "Owen W. Taylor" <otaylor@xxxxxxxxxxxx>
>
> This is an initial attempt to create a configuration for flatpak-indexer to replace
> regindexer and add an image delta capability. The config here is derived from
> a working openshift configuration, but is untested in this form.
>
> See: https://pagure.io/fedora-infrastructure/issue/9272
>
> Open questions:
>
> How to propagate content to the registry.fedoraproject.org reverse proxy
> ========================================================================
>
> Currently the regindexer-generated content is rsync'ed from sundries to
> fedora-web/registry. How should this be done with flatpak-indexer running as
> an openshift app? Some possibilities that come to mind:
>
>  - Run a rsyncd within the openshift app (either as a separate deploymentconfig
>    or as a sidecar to the indexer) and expose a route to it internally in
>    Fedora infrastructure.
>
>  - Run a web server within the openshift app, expose a route to it internally
>    in Fedora infrasturcture, and reverse proxy the content on fedora-web/registry
>    instead of rsync'ing it.
>
>  - Write the content onto a netapp volume, and mount that volume RO either
>    on a host running rsyncd or directly on fedora-web/registry.
>
> What to use for a redis image
> =============================
>
> Redis is used for caching and communication between the components. What redis
> image should be used?
>
>   registry.redhat.io/rhel8/redis-5
>     needs configuration of a subscription
>   docker.io/library/redis:5
>   centos/redis-5-centos7
>     don't rely on such images currently
>   Custom Dockerfile image built from fedora:32
>     how would rebuilds be triggered?
>
> For the two other images needed here, I used ubi8 images - which aren't currently
> used elsewhere, but are presumably ok.
>
> How to handle identifying versions to build for staging/production
> ==================================================================
>
> I see that most openshift applications simply use 'staging'/'production' tags
> in the upstream repo, while a few take the approach of having specific hashes
> checked into the infrastructure ansible repository.
>
> Is the upstream tag approach considered sufficiently secure? (Making the service
> write a malicious index could allow causing users to upgrade to arbitrary
> application binaries.)
>
>
> Owen W. Taylor (1):
>   Add a flatpak-indexer openshift service
>
>  playbooks/openshift-apps/flatpak-indexer.yml  |  56 +++++
>  .../reversepassproxy.registry-generic.conf    |  34 ++-
>  .../flatpak-indexer/files/imagestream.yml     |  52 +++++
>  .../flatpak-indexer/files/service.yml         |  16 ++
>  .../flatpak-indexer/files/storage.yml         |  24 ++
>  .../flatpak-indexer/templates/buildconfig.yml |  84 +++++++
>  .../flatpak-indexer/templates/configmap.yml   |  98 ++++++++
>  .../templates/deploymentconfig.yml            | 221 ++++++++++++++++++
>  .../flatpak-indexer/templates/secret.yml      |  11 +
>  roles/regindexer/build/tasks/main.yml         |  21 --
>  roles/regindexer/build/templates/config.yaml  |  74 ------
>  11 files changed, 584 insertions(+), 107 deletions(-)
>  create mode 100644 playbooks/openshift-apps/flatpak-indexer.yml
>  create mode 100644 roles/openshift-apps/flatpak-indexer/files/imagestream.yml
>  create mode 100644 roles/openshift-apps/flatpak-indexer/files/service.yml
>  create mode 100644 roles/openshift-apps/flatpak-indexer/files/storage.yml
>  create mode 100644 roles/openshift-apps/flatpak-indexer/templates/buildconfig.yml
>  create mode 100644 roles/openshift-apps/flatpak-indexer/templates/configmap.yml
>  create mode 100644 roles/openshift-apps/flatpak-indexer/templates/deploymentconfig.yml
>  create mode 100644 roles/openshift-apps/flatpak-indexer/templates/secret.yml
>  delete mode 100644 roles/regindexer/build/tasks/main.yml
>  delete mode 100644 roles/regindexer/build/templates/config.yaml
>
> --
> 2.28.0
> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux