test: verify distroless image compatibility with the ClickHouse Operator#248
Draft
motsc wants to merge 2 commits into
Draft
test: verify distroless image compatibility with the ClickHouse Operator#248motsc wants to merge 2 commits into
motsc wants to merge 2 commits into
Conversation
Add a 'switch to the distroless image' entry to the standalone ClickHouse and
Keeper update tables so the existing create/ready/read-write/version flow also
runs against the shell-free distroless production images
(clickhouse/clickhouse-{server,keeper}:*-distroless, ClickHouse/ClickHouse#105678).
Rolling a running cluster onto the distroless tag and reaching Ready exercises
the clickhouse docker-init entrypoint, the TCPSocket/HTTPGet probes, and the
clickhouse local version-probe Job against an image with no shell.
The shared version assertion strips the -distroless suffix (the reported version
is numeric); the suite preloads the distroless server/keeper images alongside the
existing version matrix via a new DistrolessSuffix constant.
Explain that the operator's defaults are shell-free and work with the distroless server/keeper images out of the box, and that user-supplied exec probes, lifecycle hooks, and init containers must invoke the binary directly since the image has no shell. Add distroless/busybox/coreutils to the Vale vocabulary.
GrigoryPervakov
left a comment
GrigoryPervakov
left a comment
Member
There was a problem hiding this comment.
Distroless images compatibility is verified in compatibility suite https://github.com/ClickHouse/clickhouse-operator/blob/main/.github/workflows/ci.yaml#L245
Instead of using -debug image ephemeral containers may be used
kubectl debug <pod> -it --image=busybox --profile=general --custom=<(echo '{"securityContext":{"runAsNonRoot":false,"runAsUser":0}}') -- /bin/sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
-distrolessimages are shell-free (ClickHouse/ClickHouse#105678). The question was whether the operator works on them. It already does, by design:tcpSocket/httpGetprobes, no containercommand(uses theclickhouse docker-initentrypoint), the version probe runsclickhouse local, and no default hooks or init containers. Nothing to fix, just pin it and document it.What
Adds a
switch to the distroless imageentry to the existing ClickHouse and Keeper update tables: rolls a running cluster onto the-distrolesstag and waits for Ready, which exercises the entrypoint, the probes, and theclickhouse localversion-probe Job with no shell in the image. Plus a docs guide, with the caveat that user-suppliedexecprobes, lifecycle hooks, and init containers must call the binary directly (no/bin/sh).Both entries pass locally on kind.
Related Issues
Related to ClickHouse/ClickHouse#105678