I don't know what that us to do with templates though - what "parameter"
applies?  The registry external name?

On Aug 9, 2017, at 1:22 PM, Cesar Wong <cew...@redhat.com> wrote:

The purpose of the endpoint is to parameterize an aspect of the resources
passed to it. We are initially implementing image references, but the idea
is to allow parameterizing other things such as environment variables,
names, etc. This is orthogonal to transforming the resources for export
which ‘GET’ with the export parameter needs to handle.

On Aug 9, 2017, at 1:20 PM, Clayton Coleman <ccole...@redhat.com> wrote:

Why do we need parameters? Which parameters are we adding?

On Aug 9, 2017, at 12:21 PM, Cesar Wong <cew...@redhat.com> wrote:

Hi Devan,

You can see my branch here:
(last 5 commits)

Hopefully should be a PR soon. The REST endpoint should be functional, the
CLI still needs work, but basically the idea is to have the reverse of the
‘oc process’ command, where the input is a list of resources and out comes
a template with parameters.

On Aug 9, 2017, at 11:40 AM, Devan Goodwin <dgood...@redhat.com> wrote:

On Wed, Aug 9, 2017 at 11:44 AM, Cesar Wong <cew...@redhat.com> wrote:

Hi Devan,

This past iteration I started work on this same problem [1]


The problem is broad and the way I decided to break it up is to consider the
export and parameterize operations independently. The export should be
handled by the resource’s strategy as you mentioned in the Kube issue you
opened. The parameterization part can be a follow up to the export. Here’s
an initial document describing it:


Thanks that was a good read, will keep an eye on this document.

Does anything exist yet for your parameterization code? Curious what
it looks like and if it's something we could re-use yet, what the
inputs and outputs are, etc.

On the export side, I think we need to decide whether there is different
“types” of export that can happen which should affect the logic of the
resource strategy. For example, does a deployment config look different if
you’re exporting it for use in a different namespace vs a different cluster.
If this is the case, then right now is probably a good time to drive that
change to the upstream API as David suggested.

Is anyone working on a proposal for this export logic upstream? I am
wondering if I should try to put one together if I can find the time.
The general idea (as I understand it) would be to migrate the
currently quite broken export=true param to something strategy based,
and interpret "true" to mean a strategy that matches what we do today.
The references in code I've seen indicate that the current intention
is to strip anything the user cannot specify themselves.

On Aug 9, 2017, at 10:27 AM, Ben Parees <bpar...@redhat.com> wrote:

On Wed, Aug 9, 2017 at 10:00 AM, Devan Goodwin <dgood...@redhat.com> wrote:

On Wed, Aug 9, 2017 at 9:58 AM, Ben Parees <bpar...@redhat.com> wrote:

On Wed, Aug 9, 2017 at 8:49 AM, Devan Goodwin <dgood...@redhat.com>

We are working on a more robust project export/import process (into a
new namespace, possibly a new cluster, etc) and have a question on how
to handle image streams.

Our first test was with "oc new-app
https://github.com/openshift/ruby-hello-world.git";, this results in an
image stream like the following:

$ oc get is ruby-hello-world -o yaml
apiVersion: v1
kind: ImageStream
   openshift.io/generated-by: OpenShiftNewApp
 creationTimestamp: 2017-08-08T12:01:22Z
 generation: 1
   app: ruby-hello-world
 name: ruby-hello-world
 namespace: project1
 resourceVersion: "183991"
 selfLink: /oapi/v1/namespaces/project1/imagestreams/ruby-hello-world
 uid: 4bd229be-7c31-11e7-badf-989096de63cb
   local: false
 - items:
   - created: 2017-08-08T12:02:04Z
     generation: 1
   tag: latest

If we link up with the kubernetes resource exporting by adding

$ oc get is ruby-hello-world -o yaml --export
apiVersion: v1
kind: ImageStream
   openshift.io/generated-by: OpenShiftNewApp
 creationTimestamp: null
 generation: 1
   app: ruby-hello-world
 name: ruby-hello-world
 namespace: default
 selfLink: /oapi/v1/namespaces/default/imagestreams/ruby-hello-world
   local: false

This leads to an initial question, what stripped the status tags? I
would have expected this code to live in the image stream strategy:

but this does not satisfy RESTExportStrategy, I wasn't able to
determine where this is happening.

The dockerImageRepository in status remains, but weirdly flips from
"project1" to "default" when doing an export. Should this remain in an
exported IS at all? And if so is there any reason why it would flip
from project1 to default?

Our real problem however picks up in the deployment config after
import, in here we end up with the following (partial) DC:

apiVersion: v1
kind: DeploymentConfig
   openshift.io/generated-by: OpenShiftNewApp
   app: ruby-hello-world
 name: ruby-hello-world
 namespace: project2
       openshift.io/generated-by: OpenShiftNewApp
       app: ruby-hello-world
       deploymentconfig: ruby-hello-world
     - image:
       imagePullPolicy: Always
       name: ruby-hello-world

So our deployment config still refers to a very specific image and
points to the old project. Is there any logic we could apply safely to
address this?

It feels like this should boil down to something like
"ruby-hello-world@sha256:HASH", could we watch for
$REGISTRY_IP:PORT/projectname/ during export and strip that leading
portion out? What would be the risks in doing so?

Adding Cesar since he was recently looking at some of the export logic
have questions about and he's also very interested in this subject since
he's working on a related piece of functionality.  That said:

if you've got an imagechangetrigger in the DC you should be able to
the entire image field (it should be repopulated from the ICT
reference during deployment).  However:

Ok good, so during export we can iterate the image change triggers, if
we see one we can match up on containerName and strip container.image
for that name.

1) you still need to straighten out the ICT reference which is also
going to
be pointing to an imagestreamtag in the old project/cluster/whatever

Ok I think we can handle this explicitly. More below though.

2) if you don't have an ICT reference you do need to sort this out and
stripping it the way you propose is definitely not a good idea...what's
going to repopulate that w/ the right prefix/project in the new cluster?
What if the image field was pointing to docker.io or some other external

I definitely wouldn't advocate blindly doing so, but rather on export
I believe we can determine the cluster registry IP (if there is one),
and then watch for it as we export objects, and parameterize it. At
this point it feels like we need to be thinking about generating a
template rather than a flat list of kube API resources. (which is what
our app does right now)

talk to Cesar.  He's developing a "templatize this resource object" api
endpoint.  The idea would be to run a flow where you export objects, then
send them through the templatizer.

This past iteration

To clarify I have been attempting to do as much of this using the
built in kube API "export" param, but the suggestion above feels like
it should not be there. Our main driver will be an app in-cluster (for
monitoring capacity and archiving dormant projects), so we do have a
place to apply extra logic like this. I'm now thinking our app should
layer this logic in after we fetch the resources using kube's export
param, and then generate a template.

We need a general solution to the "export this resource for use in another
project/cluster" problem, it would be nice if this could be that.  But as i
said, there are some very intractable problems around how to handle

Side topic, it would be nice if this functionality was available in oc
somewhere (potentially as some new command in future), would just need
to solve lookup of the integrated registry IP so we could extract it
to a param.

yes, it's definitely desirable if we can solve the challenges to make it
generically usable.

In short, you're attempting to tackle a very complex problem where the
answer is frequently "it depends".  We wrote some documentation
some of the considerations when exporting/importing resources between


This is very useful, as is the feedback, thanks! If anyone has
additional edge cases in mind please let us know, or if you believe
this is simply not possible and we shouldn't be trying. However at
this point I'm still feeling like we can proceed here with the goal of
doing as much as we can, try to ensure the users project makes it into
it's new location and if something is broken because we missed it, or
it simply has to be broken because we can't make assumptions, they can
fix it themselves.

Defining the boundary conditions of when the user simply has to step in and
manually fix up references/etc is definitely a good idea.  I think anything
that references something outside the current project (whether that means
another project in the same cluster, or another cluster, or an external
registry entirely) qualifies, at a minimum, for a warning to the user of "we
weren't sure how to handle this so we left it alone, but you may need to
update it depending where you intend to reuse this resource"

All help appreciated, thanks.


Ben Parees | OpenShift

Ben Parees | OpenShift

dev mailing list
dev mailing list

Reply via email to