Cache KubeVirt Boot Image

[nunnatsa]

Create a new PVC (if missing) to pull the boot image, then modify the KubeVirt node pull template, to clone from the new PVC, instead of pull from each node.

Signed-off-by: Nahshon Unna-Tsameret nunnatsa@redhat.com

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[davidvossel]

I've been debating on whether this caching functionality belongs in the nodepool operator, or whether it fits better into capk itself.

I'm leaning towards thinking the current NodePool approach is a better fit. We're essentially doing some namespace scoped golden image caching that's local for each guest cluster. The context around what image to cache and how long to cache it for is hypershift specific, and which i think is generally outside of the scope of capk.

[davidvossel]

we need to use the namespace that the VMs will be placed in. not the NodePool namespace.

[davidvossel]

We'll likely have multiple images associated with a single cluster. Can you think of a way to name the pvcs differently so that 1:many relationship can be observed?

[davidvossel]

We need either a label or annotation which stores the bootimage hash. This hash is how we'll determine whether or not a new cached DV needs to be created, or whether we can use a previously cached image.

This [1] is where that bootImage is detected today. It's not immediately obvious, but there's a hash in there as well we can retrieve. we return disk.Location url today, but there's also a disk.sha256 that we have access too. example struct [2].

That sha256 is our key when caching, not the location url.

1. hypershift/hypershift-operator/controllers/nodepool/kubevirt/kubevirt.go

   Line 26 in afcbd08

   artifact, exists := openStack.Formats["qcow2.gz"]

2. hypershift/support/releaseinfo/releaseinfo.go

   Line 51 in afcbd08

   type CoreOSFormat struct {

[nunnatsa]

/test kubevirt-e2e-kubevirt-gcp-ovn

[openshift-ci]

@nunnatsa: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

• /test e2e-aws
• /test images
• /test periodics-4.12-images
• /test unit
• /test verify

The following commands are available to trigger optional jobs:

• /test e2e-aws-metrics
• /test e2e-conformance
• /test e2e-ibmcloud-iks
• /test e2e-ibmcloud-roks

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-openshift-hypershift-main-e2e-aws
• pull-ci-openshift-hypershift-main-images
• pull-ci-openshift-hypershift-main-periodics-4.12-images
• pull-ci-openshift-hypershift-main-unit
• pull-ci-openshift-hypershift-main-verify

Details

In response to this:

/test kubevirt-e2e-kubevirt-gcp-ovn

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[netlify]

✅ Deploy Preview for hypershift-docs ready!

Name	Link
🔨 Latest commit	cb6bf72
🔍 Latest deploy log	https://app.netlify.com/sites/hypershift-docs/deploys/6464e101374a690008e8e471
😎 Deploy Preview	https://deploy-preview-1918--hypershift-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[nunnatsa]

/retest

[nunnatsa]

/hold

[nunnatsa]

/retest

[davidvossel]

for now, i'd suggest only caching images provided by the release payload, where the sha is known beforehand.

[davidvossel]

does the DV need to be cleaned up as well potentially?

Also, shouldn't we only delete if pvc.DeletionTimestamp == nil?

[nunnatsa]

From 4.12, the DV is auto deleted when the PVC is ready.

[davidvossel]

We can't assume that just because a pvc was marked for deletion, that it is actually deleted.

I think it would be wise to give every cached pvc a unique name so we aren't colliding during garbage collection like this.

[davidvossel]

what's causing all these go.mod changes, and can we avoid it? Ideally i'd like this pr to not involve any changes to the vendor directory.

[nunnatsa]

Added to read the container image digest, to be used as the image hash. Removed as we don't cache container images for now.

[nunnatsa]

/test kubevirt-e2e-kubevirt-aws-ovn

[nunnatsa]

/test kubevirt-e2e-kubevirt-aws-ovn

[nunnatsa]

/test kubevirt-e2e-kubevirt-aws-ovn

[nunnatsa]

rebased

[davidvossel]

/test e2e-kubevirt-aws-ovn

[davidvossel]

/lgtm

I made two comments that need to be addressed at some point, but don't have to be fixed right away.

1. the nodepool cache strategy cli arg needs to match the cluster create one
2. we need to close the small possibility of cache not being deleted when during deletion

I know you're looking at transitioning us to use the kubevirt rhcos image soon, which will touch all these areas again, so we can fix these issues there. This PR has grown so large i'd like to avoid delaying it any further if possible. as long as the local and external e2e tests pass, i think this is good to go

[davidvossel]

This cli arg doesn't match the one for the cluster create. I think they should be the same for consistency. For example, the root-volume-size arg is the same between nodepool and cluster create.

s/cache-strategy-type/root-volume-cache-strategy

[nunnatsa]

sure. I guess I rename one and forgot the other. fixing

[davidvossel]

There's a chance that the cache won't get cleaned up here if we get unlucky and the hypershift-operator either restarts or is updated while a nodepool is being deleted.

What can happen is that the kubevirt infra client cache map might not have an entry for this nodepool if the current invocation of the hypershift-operator was unable to reconcile it before the nodepool deleted... This is because the kubevirt infra client is only cached during the normal reconcile, not during deletion.

This could be solved by storing a reference to the kubevirt infra secret on the nodepool status, similar to how the cache name is stored.

[nunnatsa]

@davidvossel - fixed a bug in the new e2e nodepool test + the create nodepool CLI flag name.

[davidvossel]

/lgtm

[nunnatsa]

/test e2e-kubevirt-aws-ovn

[davidvossel]

/test e2e-kubevirt-aws-ovn

[nunnatsa]

/test e2e-kubevirt-aws-ovn

[nunnatsa]

@davidvossel , I think it is ready now.

[davidvossel]

/lgtm
/approve
/hold cancel

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davidvossel, nunnatsa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [davidvossel]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@nunnatsa: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/kubevirt-e2e-kubevirt-aws-ovn	10a4d04	link	false	/test kubevirt-e2e-kubevirt-aws-ovn
ci/prow/e2e-ibmcloud-iks	23aa969	link	false	/test e2e-ibmcloud-iks
ci/prow/e2e-ibmcloud-roks	23aa969	link	false	/test e2e-ibmcloud-roks

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.