Fix digest-only image tagging and gateway resource requests, again #26

Merged
solsson merged 3 commits into main from fix-aliasfor-and-controller-patch
May 12, 2026
Contributor

@solsson solsson commented May 12, 2026

Followup on #23 and #25

Yolean k8s-qa added 3 commits May 12, 2026 10:18
…ontroller resources

kubectl apply --server-side validates the manifest against the
apps/v1 Deployment schema client-side; a partial manifest
declaring only resources.requests fails with "spec.selector:
Required value" / "containers[0].image: Required value" before
the request reaches the API server. SSA's partial-ownership
semantics only kick in after the validator passes, which it
doesn't for a partial Deployment.

Switch the controller-resources tweak to `kubectl patch
--type=strategic --patch <body>`. The patch body identifies
the target via CLI args (kind/name/namespace), so it does NOT
need apiVersion/kind/metadata; the merge RESULT is what the
API server validates, and that has the full Deployment from
the install.yaml apply step. Strategic-merge's container-list
merge key (name) preserves the existing image / env / ports;
only resources.requests on the named container changes.

Test pinned via TestControllerResourcesPatch_RequestsOnly:
patch body asserts neither apiVersion nor kind nor metadata,
and rejects accidental limits / image declarations.

Refs PR #25, /tmp/appliance.log.
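
The patch-body constraint described in the commit message above, as an added Go example that is not code from this PR or from y-cluster: it builds a strategic-merge body that sets only `resources.requests` on a named container and rejects any body that declares more. The type and function names and the container name `example-container` are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Only the fields the patch may carry are modelled; anything else is "unknown".
type requests struct {
	CPU    string `json:"cpu,omitempty"`
	Memory string `json:"memory,omitempty"`
}
type resources struct{ Requests requests `json:"requests"` }
type container struct {
	Name      string    `json:"name"` // strategic-merge key of the containers list
	Resources resources `json:"resources"`
}
type podSpec struct{ Containers []container `json:"containers"` }
type template struct{ Spec podSpec `json:"spec"` }
type deploySpec struct{ Template template `json:"template"` }
type patch struct{ Spec deploySpec `json:"spec"` }

// requestsPatch builds the body for `kubectl patch --type=strategic --patch <body>`.
// The target (kind/name/namespace) comes from CLI args, so none of it is in the body.
func requestsPatch(name, cpu, mem string) ([]byte, error) {
	c := container{Name: name, Resources: resources{Requests: requests{CPU: cpu, Memory: mem}}}
	return json.Marshal(patch{deploySpec{template{podSpec{[]container{c}}}}})
}

// checkRequestsOnly fails on any key outside the model above, which covers
// apiVersion, kind, metadata, image and resources.limits.
func checkRequestsOnly(body []byte) error {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	return dec.Decode(new(patch))
}

func main() {
	body, _ := requestsPatch("example-container", "100m", "128Mi") // constructed values
	fmt.Println(string(body), checkRequestsOnly(body))
	// Constructed body that wrongly carries a full-manifest field:
	fmt.Println(checkRequestsOnly([]byte(`{"kind":"Deployment","spec":{}}`)))
}
```
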
…gest

aliasFor was added in PR #23 to skip the bare sha256:<hex>
config-digest row and to synthesize a :latest@digest alias for
digest-only refs. It missed the fourth shape, tag+digest
("<repo>:<tag>@<digest>"), which is what y-site-images-load
emits today: every line in the input was logging

  WARN ctr image tag (alias) failed
    alias=<repo>:<tag>:latest@<digest>
    stderr="ctr: error parsing reference: ... is not a valid
            repository/tag invalid reference format"

The import itself succeeded (the row landed as
<repo>:<tag>@<digest>) but no <repo>@<digest> alias existed,
which broke checkit's appliance-init.sh post-load workaround
for minio-deduplication ("ctr: image ...: not found" on the
follow-up `ctr image tag --force <repo>@<digest>
<repo>:latest@<digest>`).

Fix: for tag+digest input, the alias drops the tag and keeps
the digest (<repo>@<digest>). The full input ref stays in
the store for kubelet; the digest-only alias gives legacy
consumers (and kubelet's checkpoint-image check on containerd
v2) something parseable.

hasTag() pulled out as a small helper, scoped to a ref already
trimmed of "@<digest>": it checks for ":" after the last "/"
to avoid host:port false positives.

TestAliasFor grows the four-shape table: adds tag+digest,
:latest+digest, and a hostport tag+digest case.

Refs PR #23, /tmp/appliance.log.
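
The four reference shapes from the commit message above, as an added Go example that is not the PR's own code: the function bodies are a reconstruction from the description, the registry names and digest are constructed, and the tag-only case returning no alias is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// hasTag reports whether name, already trimmed of "@<digest>", carries a tag.
// Only a ":" after the last "/" counts, so "host:5000/repo" is not a tag.
func hasTag(name string) bool {
	return strings.Contains(name[strings.LastIndex(name, "/")+1:], ":")
}

// aliasFor returns the extra reference to tag after import, or ok=false
// when the row needs none. The digest is never dropped from an alias.
func aliasFor(ref string) (alias string, ok bool) {
	if strings.HasPrefix(ref, "sha256:") {
		return "", false // bare config-digest row: skipped
	}
	name, digest, found := strings.Cut(ref, "@")
	if !found {
		return "", false // tag-only: assumed to need no alias
	}
	if hasTag(name) {
		// tag+digest: drop the tag, keep the digest
		return name[:strings.LastIndex(name, ":")] + "@" + digest, true
	}
	// digest-only: synthesize :latest, keep the digest
	return name + ":latest@" + digest, true
}

func main() {
	d := "sha256:" + strings.Repeat("ab", 32) // constructed digest
	for _, ref := range []string{
		d,
		"example.test/app:v1",
		"example.test/app@" + d,
		"example.test/app:v1@" + d,
		"example.test/app:latest@" + d,
		"registry.test:5000/app:v1@" + d,
		"registry.test:5000/app@" + d,
	} {
		alias, ok := aliasFor(ref)
		fmt.Printf("%s\n  -> %q %v\n", ref, alias, ok)
	}
}
```
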
…ranches

TestEnvoyGateway_InstallAgainstKwok was calling Install with the
four resource-request fields left zero, which short-circuited
both the kubectl-patch branch (controller) and the EnvoyProxy CR
branch (proxy). That's how PR #25's "kubectl rejects the partial
Deployment manifest" regression slipped past PR CI: the named
test for the package didn't grow when the package's surface did.

Now the test calls Install with non-zero ControllerCPURequest /
ControllerMemRequest / ProxyCPURequest / ProxyMemRequest and
asserts five new things:

  - controller container resources.requests.cpu / .memory
    landed (proves the kubectl-patch step ran AND merged
    against the right container)
  - EnvoyProxy CR exists with the proxy resource values
  - GatewayClass.spec.parametersRef.{kind, name} points at
    the EnvoyProxy

kwok runs a real apiserver, so a future regression where the
patch step generates an invalid Deployment or the EnvoyProxy CR
isn't applied will surface here without needing a full
docker/qemu e2e.

Refs the kubectl-patch fix b8ec43d.
@solsson solsson changed the title from "WIP fix fixes" to "Fix digest-only image tagging and gateway resource requests, again" May 12, 2026
@solsson solsson merged commit 3b0ca73 into main May 12, 2026
11 checks passed
solsson pushed a commit to Yolean/ystack that referenced this pull request May 12, 2026
Bumps host bin (bin/y-bin.runner.yaml) and the in-cluster
y-kustomize Deployment image across four consecutive y-cluster
releases:

- v0.4.2: `images load` accepts remote refs (Yolean/y-cluster#22)
- v0.4.3: fix `images load` for digest-only refs (Yolean/y-cluster#23)
- v0.4.4: `images list --context=<ctx>` subcommand
  (Yolean/y-cluster#24) and tunable Gateway API resource requests
  (Yolean/y-cluster#25)
- v0.4.5: re-fix digest-only image tagging and gateway resource
  requests (Yolean/y-cluster#26)

Image digest verified via `crane digest ghcr.io/yolean/y-cluster:v0.4.5`.
sha256 sums copied from v0.4.5's checksums.txt.