Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Production-ready: Configure possible different Image #78

Open
slopezz opened this issue Jul 20, 2023 · 4 comments
Open

Production-ready: Configure possible different Image #78

slopezz opened this issue Jul 20, 2023 · 4 comments
Labels
participation/good first issue Good for newcomers target/current
Milestone
v0.8.0

Comments

@slopezz
Copy link

slopezz commented Jul 20, 2023

In 3scale SaaS we have been using successfully limitador for a couple of years together with Redis, to protect all our public endpoints. However:

  • We are using an old image community image
  • Yamls are managed individually via ArgoCD

We would like to update how we manage limitador application, and use the most recommended limitador setup using limitador-operator, with a production-ready grade.

Current limitador-operator:

  • Do not permit to configure an image/tag/pullSecretName via CR
  • Operator image repository is harcoded to quay.io/kuadrant/limitador
  • Operator image tag can be overriden on a weird way: setting in the Operator Subscription CR the envvar RELATED_IMAGE_LIMITADOR.
    • However, only a different tag inside same image repo quay.io/kuadrant/limitador can be used because it is harcoded

Desired features :

  • With the possibility of using productized images which are in private image repositories (so requires a pullSecretName reference pointing to a secret holding the private image repo credentials), the image/tag/pullSecretName should be able to be configured via CR to override default values
  • Not very important immediately as we will use community images from OperatorHub installation, but eventually I guess would be required if it is needed to use productized images elsewhere

Possible CR config

apiVersion: limitador.kuadrant.io/v1alpha1
kind: Limitador
metadata:
  name: limitador-sample
spec:
  image:
    name: brew.registry.redhat.io/rh-osbs/3scale-mas-limitador-rhel8
    tag: 1.2.0-2
    pullSecretName: brew-pull-secret  # this secret holds the private image repo credentials

Which should create something like:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: limitador
spec:
...
  template:
    spec:
      imagePullSecrets:
        - name: brew-pull-secret
...
      containers:
        - name: limitador
          image: brew.registry.redhat.io/rh-osbs/3scale-mas-limitador-rhel8:1.2.0-2
@KevFan KevFan self-assigned this Aug 9, 2023
@KevFan KevFan mentioned this issue Aug 16, 2023
Closed
@KevFan
Copy link
Contributor

KevFan commented Aug 16, 2023

Operator image tag can be overriden on a weird way: setting in the Operator Subscription CR the envvar RELATED_IMAGE_LIMITADOR.
However, only a different tag inside same image repo quay.io/kuadrant/limitador can be used because it is harcoded

No, I believe the whole image can be overriden using RELATED_IMAGE_LIMITADOR env var currently 🤔

@slopezz
Copy link
Author

slopezz commented Sep 4, 2023

Hi @KevFan , TBH I did not check carefully the code, @eguzki told me that this operator image override was a bit hacky and could easily be improved.

So, in our specific case, overriding operator image is not a must, since possibly we will keep using community images for simplicity (not productized images), so from our side this issue can be closed.

However, if you think other people might be interested on using productized images, operator need to permit overriding 2 different images:

  • Override limitador-operator image (to be done on the operator Subscription with and envvar maybe)?
  • Override limitador app image via limitador CR fields for every possible limitador CR?

In addition, in case you want to override any of the images (operator or limitador app) in order to use for example a productized image, aside from updating the image, you will need to specify the imagePullSecrets,name containing the credentials to access the private image repo (like productized image repo which is private), and you would need a way to specific this pullSecretName on both operator.Subscription with an envvar? and in the limitador CR.

@KevFan
Copy link
Contributor

KevFan commented Oct 11, 2023

Hi @slopezz, I don't think overriding limitator-operator image is typically a done thing since this is controlled by the CSV typically 🤔

Feels odd over an operator to override it's own running image. So unless this is provided by OLM itself, I dont think we will support this.

Allow overriding limitador app image and allowing pulling from private repos I think has some value. I'm due to write an RFC for this so we have a consistent way of allowing this across all kuadrant components. Once we have this decided, we can follow up with an implementation

@alexsnaps alexsnaps added this to the v0.8.0 milestone Dec 8, 2023
@KevFan KevFan removed their assignment May 15, 2024
@KevFan
Copy link
Contributor

KevFan commented May 15, 2024

Part of the functionality is completed by #133 but doesn't allow for pulling from private repos

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
participation/good first issue Good for newcomers target/current
Projects
Kuadrant
Status: No status
Kuadrant Service Protection
Status: In Progress
Milestone
v0.8.0
Development

Successfully merging a pull request may close this issue.

feat: configurable image via spec KevFan/limitador-operator
4 participants
@alexsnaps @eguzki @KevFan @slopezz