Fix: When creating a list of files and images with ./generate_list.sh, included ingress-nginx/kube-webhook-certgen image in the list.

[DearJey]

What type of PR is this?
/kind bug

What this PR does / why we need it:

When list of files, images and local repogitry was created with ./generate_list.sh, ./manage-offline-files.sh and createing Kubernetes Cluster In offline construction with ingress_nginx_webhook_enabled: true, ingress-nginx-admission-* Pod of the Job created when is ImagePullBackOff and does not become READY.

• kubectl describe po -n ingress-nginx ingress-nginx-admission-*

Events:
  Type     Reason     Age                  From               Message
  ----     ------     ----                 ----               -------
  Normal   Scheduled  2m16s                default-scheduler  Successfully assigned ingress-nginx/ingress-nginx-admission-patch-5hcxf to worker2
  Normal   Pulling    53s (x4 over 2m16s)  kubelet            Pulling image "192.168.122.155:5000/ingress-nginx/kube-webhook-certgen:v1.4.1"
  Warning  Failed     53s (x4 over 2m16s)  kubelet            Failed to pull image "192.168.122.155:5000/ingress-nginx/kube-webhook-certgen:v1.4.1": rpc error: code = NotFound desc = failed to pull and unpack image "192.168.122.155:5000/ingress-nginx/kube-webhook-certgen:v1.4.1": failed to resolve reference "192.168.122.155:5000/ingress-nginx/kube-webhook-certgen:v1.4.1": 192.168.122.155:5000/ingress-nginx/kube-webhook-certgen:v1.4.1: not found
  Warning  Failed     53s (x4 over 2m16s)  kubelet            Error: ErrImagePull
  Warning  Failed     38s (x6 over 2m16s)  kubelet            Error: ImagePullBackOff
  Normal   BackOff    23s (x7 over 2m16s)  kubelet            Back-off pulling image "192.168.122.155:5000/ingress-nginx/kube-webhook-certgen:v1.4.1"

./generate_list.sh creates an image list based on the downloads: section of /roles/kubespray-defaults/defaults/main/download.yml.

#!/bin/bash
set -eo pipefail

CURRENT_DIR=$(cd $(dirname $0); pwd)
TEMP_DIR="${CURRENT_DIR}/temp"
REPO_ROOT_DIR="${CURRENT_DIR%/contrib/offline}"

: ${DOWNLOAD_YML:="roles/kubespray-defaults/defaults/main/download.yml"}

mkdir -p ${TEMP_DIR}

# generate all download files url template
grep 'download_url:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
    | sed 's/^.*_url: //g;s/\"//g' > ${TEMP_DIR}/files.list.template

# generate all images list template
sed -n '/^downloads:/,/download_defaults:/p' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
    | sed -n "s/repo: //p;s/tag: //p" | tr -d ' ' \
    | sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/\"//g' > ${TEMP_DIR}/images.list.template

So, add the following to download.yml, registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1 was added to the image list, and the above phenomenon was resolved.

• vi /root/k8s-upgrade/kubespray-2.25.0/roles/kubespray-defaults/defaults/main/download.yml

downloads:
  ingress_nginx_kube_webhook_certgen:
    repo: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}"
    tag: "{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
    sha256: "{{ ingress_nginx_kube_webhook_certgen_digest_checksum | default(None) }}"
    groups:
      - kube_node
    when: ingress_nginx_webhook_enabled

Which issue(s) this PR fixes:

Fixes #11591

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Fix: When creating a list of files and images with ./generate_list.sh, `ingress-nginx/kube-webhook-certgen:v1.4.1` is also included in the list.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: DearJey
Once this PR has been reviewed and has the lgtm label, please assign yankay for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @DearJey. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[VannTen]

/ok-to-test

[VannTen]

I think this should be enabled: "{{ ingress_nginx_webhook_enabled }}" like the other in this file.

[DearJey]

Thank you for comments!
I fixed it as descibed below.

enabled: "{{ ingress_nginx_webhook_enabled }}"

Dose this address your cocmments?
commit: d47e051

[VannTen]

This would download the webhook image on all nodes, this will slow down kubespray on large clusters.
This should be scoped to smaller subset of nodes 🤔

[DearJey]

I've updated it as described below.

    groups:
      - kube_control_plane
      - infra

Could you confirm if this task is correct?
commit: af5dd45

[VannTen]

I'd drop the d(None). We should have valid checksums for our images.

[DearJey]

I deleted default(None) from this task.

sha256: "{{ ingress_nginx_kube_webhook_certgen_digest_checksum }}"

[k8s-ci-robot]

Adding label do-not-merge/contains-merge-commits because PR contains merge commits, which are not allowed in this repository.
Use git rebase to reapply your commits on top of the target branch. Detailed instructions for doing so can be found here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.