Skip to content

fix(async-upload): add TLS and auth config for base image pull on disconnected clusters#2665

Open
jonburdo wants to merge 1 commit intokubeflow:mainfrom
jonburdo:fix/async-upload-base-image-pull-disconnected
Open

fix(async-upload): add TLS and auth config for base image pull on disconnected clusters#2665
jonburdo wants to merge 1 commit intokubeflow:mainfrom
jonburdo:fix/async-upload-base-image-pull-disconnected

Conversation

@jonburdo
Copy link
Copy Markdown
Member

@jonburdo jonburdo commented May 1, 2026

The async upload job only passed push_args to skopeo for the destination registry, but the base image pull (e.g. busybox for ModelCar) had no TLS or auth configuration. This caused failures on disconnected clusters where the base image is mirrored to a registry with self-signed certs or requiring authentication.

Add two new independent config flags for the base image pull:

  • MODEL_SYNC_DESTINATION_OCI_BASE_IMAGE_TLS_VERIFY (default: true)
  • MODEL_SYNC_DESTINATION_OCI_BASE_IMAGE_CREDENTIALS_PATH (default: none)

Ref: RHOAIENG-60454

Description

How Has This Been Tested?

Merge criteria:

  • All the commits have been signed-off (To pass the DCO check)
  • The commits have meaningful messages
  • Automated tests are provided as part of the PR for major new functionalities; testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work.
  • Code changes follow the kubeflow contribution guidelines.
  • For first time contributors: Please reach out to the Reviewers to ensure all tests are being run, ensuring the label ok-to-test has been added to the PR.

If you have UI changes

  • The developer has added tests or explained why testing cannot be added.
  • Included any necessary screenshots or gifs if it was a UI change.
  • Verify that UI/UX changes conform the UX guidelines for Kubeflow.

@jonburdo @claude
fix(async-upload): add TLS and auth config for base image pull on dis…
cf2e01b 
…connected clusters

The async upload job only passed push_args to skopeo for the destination
registry, but the base image pull (e.g. busybox for ModelCar) had no TLS
or auth configuration. This caused failures on disconnected clusters
where the base image is mirrored to a registry with self-signed certs
or requiring authentication.

Add two new independent config flags for the base image pull:
- MODEL_SYNC_DESTINATION_OCI_BASE_IMAGE_TLS_VERIFY (default: true)
- MODEL_SYNC_DESTINATION_OCI_BASE_IMAGE_CREDENTIALS_PATH (default: none)

Ref: RHOAIENG-60454

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jon Burdo <jon@jonburdo.com>
@google-oss-prow google-oss-prow Bot requested review from chambridge and fege May 1, 2026 13:53
@google-oss-prow
Copy link
Copy Markdown
Contributor

google-oss-prow Bot commented May 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from jonburdo. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jonburdo jonburdo marked this pull request as ready for review May 1, 2026 13:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chambridge chambridge Awaiting requested review from chambridge

@fege fege Awaiting requested review from fege

Assignees

No one assigned

Labels

Area/Jobs/Async-upload size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jonburdo