4. Out-of-the-box image repository for StoneSoup users

Date: Oct 29, 2022

Status

Accepted

Approvers

Reviewers

Context

Problem: StoneSoup does not have an internal registry to which images can be pushed as an intermediate step before being deployed as a container. As an application-centric experience, StoneSoup should not make it mandatory for its users to specify where the image (built from source code) needs to be pushed.

Goals:

Non-Goals:

Design Goals

Decision

What

How - Design

Quay.io API token Configuration

  1. Set up a Quay.io organization to host the OAuth app.
  2. Create an OAuth Application in the Quay.io organization.
  3. Generate a token for the OAuth Application. This token would act as the ‘service account’ with which Quay.io resources would be created. Note that the token acts on behalf of the user who requests it, but uses the explicit scopes specified at the time of token generation.
  4. Allowlist user ‘shbose’ to create organizations using non-user tokens via the Quay.io API.

| Syntax | Description |
| --- | --- |
| Quay.io organization | quay.io/redhat-user-workloads |
| OAuth Application name | Created, name redacted |
| Account used to generate token | shbose, mkovarik |
| Scope | Administer organizations, Administer repositories, Create Repositories |


Organization and Image Repository creation

When a user creates a Component, a StoneSoup service would need to generate the image repository for consumption by the build, test and deployment services.

The following deviations from this design would be implemented:

Until the capability to programmatically create organizations in Quay.io is activated:

Until the capability to determine the associated user/tenant/Space a Component is implemented,

Lifecycle of the Quay.io resources

How - Implementation

The implementation of the above design will be improved over time with the possible introduction of new CRDs/APIs. At the moment, no new API is planned until the need for it arises.

To request that the Image controller set up an image repository, annotate the Component with image.redhat.com/generate: 'true'.

apiVersion: StoneSoup.redhat.com/v1alpha1
kind: Component
metadata:
  annotations:
    image.redhat.com/generate: 'true'
  name: billing
  namespace: image-controller-system
spec:
  application: city-transit
  componentName: billing

The Image controller creates the necessary resources on Quay.io and writes their details back to the Component resource in the image.redhat.com/image annotation:

{
   "image":"quay.io/redhat-user-workloads/image-controller-system/city-transit/billing",
   "secret":"billing"
}

apiVersion: StoneSoup.redhat.com/v1alpha1
kind: Component
metadata:
  annotations:
    image.redhat.com/generate: 'false'
    image.redhat.com/image: >-
      {"image":"quay.io/redhat-user-workloads/image-controller-system/city-transit/billing","secret":"billing"
      }
  name: billing
  namespace: image-controller-system
  resourceVersion: '86424'
  uid: 0e0f30b6-d77e-406f-bfdf-5802db1447a4
spec:
  application: city-transit
  componentName: billing
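
A consumer of this annotation (a build or deployment service, for example) should validate it before pushing to the named repository. The sketch below is an added example, not code from the Image controller: the function names are hypothetical, and the repository layout `<organization>/<namespace>/<application>/<componentName>` and the meaning of `generate: 'true'` as "not yet provisioned" are assumptions inferred from the example above.

```python
import json

REGISTRY_ORG = "quay.io/redhat-user-workloads"  # organization named on this page
IMAGE_ANNOTATION = "image.redhat.com/image"
GENERATE_ANNOTATION = "image.redhat.com/generate"

class AnnotationError(ValueError):
    """Raised when the image annotation cannot be trusted as written."""

def expected_repository(component: dict) -> str:
    # Assumption: <org>/<namespace>/<application>/<componentName>, inferred
    # from the single example on this page.
    meta, spec = component["metadata"], component["spec"]
    return "/".join([REGISTRY_ORG, meta["namespace"],
                     spec["application"], spec["componentName"]])

def read_image_annotation(component: dict) -> dict:
    annotations = component.get("metadata", {}).get("annotations") or {}
    # Assumption: 'true' means the request is still waiting on the controller.
    if annotations.get(GENERATE_ANNOTATION) == "true":
        raise AnnotationError("repository generation still pending")
    raw = annotations.get(IMAGE_ANNOTATION)
    if raw is None:
        raise AnnotationError("image annotation missing")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise AnnotationError(f"annotation is not valid JSON: {exc}") from exc
    if not isinstance(data, dict) or set(data) != {"image", "secret"}:
        raise AnnotationError("expected exactly the keys 'image' and 'secret'")
    if not all(isinstance(v, str) and v for v in data.values()):
        raise AnnotationError("'image' and 'secret' must be non-empty strings")
    # Refuse a repository outside the path derived from the Component itself,
    # so an edited annotation cannot redirect a push to another tenant or registry.
    if data["image"] != expected_repository(component):
        raise AnnotationError(f"image {data['image']!r} is outside the expected repository")
    return data

# Constructed sample mirroring the annotated Component shown above.
SAMPLE = {
    "metadata": {"namespace": "image-controller-system", "annotations": {
        GENERATE_ANNOTATION: "false",
        IMAGE_ANNOTATION: '{"image":"quay.io/redhat-user-workloads/'
                          'image-controller-system/city-transit/billing","secret":"billing" }'}},
    "spec": {"application": "city-transit", "componentName": "billing"},
}

if __name__ == "__main__":
    print(read_image_annotation(SAMPLE))
```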

Open Questions

Consequences

References