enhancement: add auth config to pull image in private registry (#61)

aylei · Oct 11, 2019 · 1e505fe · 1e505fe
1 parent 5021027
commit 1e505fe
Show file tree

Hide file tree

Showing 8 changed files with 239 additions and 58 deletions.
diff --git a/README.md b/README.md
@@ -11,14 +11,20 @@
 
 `kubectl-debug` is an out-of-tree solution for [troubleshooting running pods](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/troubleshoot-running-pods.md), which allows you to run a new container in running pods for debugging purpose ([examples](/docs/examples.md)). The new container will join the `pid`, `network`, `user` and `ipc` namespaces of the target container, so you can use arbitrary trouble-shooting tools without pre-installing them in your production container image.
 
-- [screenshots](#screenshots)
-- [quick start](#quick-start)
-- [build from source](#build-from-source)
-- [port-forward and agentless](#port-forward-mode-And-agentless-mode)
-- [configuration](#configuration)
-- [roadmap](#roadmap)
-- [authorization](#authorization)
-- [contribute](#contribute)
+- [Kubectl-debug](#kubectl-debug)
+- [Overview](#overview)
+- [Screenshots](#screenshots)
+- [Quick Start](#quick-start)
+  - [Install the kubectl debug plugin](#install-the-kubectl-debug-plugin)
+  - [(Optional) Install the debug agent DaemonSet](#optional-install-the-debug-agent-daemonset)
+  - [Debug instructions](#debug-instructions)
+- [Build from source](#build-from-source)
+- [port-forward mode And agentless mode](#port-forward-mode-and-agentless-mode)
+- [Configuration](#configuration)
+- [Authorization](#authorization)
+- [Roadmap](#roadmap)
+- [Contribute](#contribute)
+- [Acknowledgement](#acknowledgement)
 
 # Screenshots
 
@@ -79,6 +85,21 @@ kubectl debug POD_NAME --port-forward --daemonset-ns=kube-system --daemonset-nam
 
 # old versions of kubectl cannot discover plugins, you may execute the binary directly
 kubectl-debug POD_NAME
+
+# use primary docker registry, set registry kubernets secret to pull image
+# the default registry-secret-name is kubectl-debug-registry-secret, the default namespace is default
+# please set the secret data source as {Username: <username>, Password: <password>}
+kubectl-debug POD_NAME --image calmkart/netshoot:latest --registry-secret-name <k8s_secret_name> --registry-secret-namespace <namespace>
+```
+
+Example:
+```bash
+# how to create a private docker registry secret
+# take the user name 'calmkart' password 'calmkart' as an example
+# refer to the official kubernetes documentation for more ways to create
+# https://kubernetes.io/docs/concepts/configuration/secret/
+echo -n '{Username: calmkart, Password: calmkart}' > ./registrySecret.txt
+kubectl create secret generic kubectl-debug-registry-secret --from-file=./registrySecret.txt
 ```
 
 * You can configure the default arguments to simplify usage, refer to [Configuration](#configuration)
@@ -146,6 +167,11 @@ image: nicolaka/netshoot:latest
 command:
 - '/bin/bash'
 - '-l'
+# private docker registry auth kuberntes secret
+# default RegistrySecretName is kubectl-debug-registry-secret
+# default namspace is default
+RegistrySecretName: my-debug-secret
+RegistrySecretNamespace: debug
 ```
 
 If the debug-agent is not accessible from host port, it is recommended to set `portForward: true` to using port-forawrd mode.

diff --git a/docs/zh-cn.md b/docs/zh-cn.md
@@ -79,6 +79,21 @@ kubectl debug POD_NAME --port-forward --daemonset-ns=kube-system --daemonset-nam
 
 # 老版本的 kubectl 无法自动发现插件, 需要直接调用 binary
 kubectl-debug POD_NAME
+
+# 使用私有仓库镜像,并设置私有仓库使用的kubernetes secret
+# secret data原文请设置为 {Username: <username>, Password: <password>}
+# 默认secret_name为kubectl-debug-registry-secret,默认namspace为default
+kubectl-debug POD_NAME --image calmkart/netshoot:latest --registry-secret-name <k8s_secret_name> --registry-secret-namespace <namespace>
+```
+
+举例:
+```bash
+# 怎样创建一个私有仓库镜像secret
+# 以用户名'calmkart' 密码'calmkart'为例
+# 更多创建方式请参考kubernetes官方文档
+# https://kubernetes.io/docs/concepts/configuration/secret/
+echo -n '{Username: calmkart, Password: calmkart}' > ./registrySecret.txt
+kubectl create secret generic kubectl-debug-registry-secret --from-file=./registrySecret.txt
 ```
 
 # 构建项目
@@ -141,7 +156,13 @@ image: nicolaka/netshoot:latest
 # default ['bash']
 command:
 - '/bin/bash'
-- '-l
+- '-l'
+# private docker registry auth kuberntes secret, default is kubectl-debug-registry-secret
+# 使用私有仓库镜像,并设置私有仓库使用的kubernetes secret
+# secret data原文请设置为 {Username: <username>, Password: <password>}
+# 默认RegistrySecretName为kubectl-debug-registry-secret,默认RegistrySecretNamespace为default
+RegistrySecretName: my-debug-secret
+RegistrySecretNamespace: debug
 ```
 
 > `kubectl-debug` 会将容器的 entrypoint 直接覆盖掉, 这是为了避免在 debug 时不小心启动非 shell 进程.

diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/aylei/kubectl-debug
 go 1.12
 
 require (
-	cloud.google.com/go v0.34.0
+	cloud.google.com/go v0.38.0
 	contrib.go.opencensus.io/exporter/ocagent v0.6.0
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78
 	github.com/Azure/go-autorest v11.2.8+incompatible
@@ -13,7 +13,7 @@ require (
 	github.com/PuerkitoBio/purell v1.1.1
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578
 	github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973
-	github.com/census-instrumentation/opencensus-proto v0.1.0
+	github.com/census-instrumentation/opencensus-proto v0.2.1
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/docker/distribution v2.7.0+incompatible
 	github.com/docker/docker v0.0.0-20171023200535-7848b8beb9d3
@@ -27,14 +27,13 @@ require (
 	github.com/go-openapi/spec v0.19.0
 	github.com/go-openapi/swag v0.19.0
 	github.com/gogo/protobuf v1.2.0
-	github.com/golang/protobuf v1.2.0
+	github.com/golang/protobuf v1.3.2
 	github.com/google/btree v1.0.0
 	github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf
 	github.com/google/uuid v1.1.1
 	github.com/googleapis/gnostic v0.2.0
 	github.com/gophercloud/gophercloud v0.0.0-20181221023737-94924357ebf6
 	github.com/gregjones/httpcache v0.0.0-20181110185634-c63ab54fda8f
-	github.com/hashicorp/golang-lru v0.5.1 // indirect
 	github.com/imdario/mergo v0.3.6
 	github.com/inconshreveable/mousetrap v1.0.0
 	github.com/json-iterator/go v1.1.5
@@ -60,17 +59,17 @@ require (
 	github.com/spf13/cobra v0.0.3
 	github.com/spf13/pflag v1.0.3
 	go.opencensus.io v0.22.0
-	golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9
-	golang.org/x/net v0.0.0-20181217023233-e147a9138326
-	golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890
-	golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4
-	golang.org/x/sys v0.0.0-20181213200352-4d1cda033e06
-	golang.org/x/text v0.3.0
+	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
+	golang.org/x/net v0.0.0-20190628185345-da137c7871d7
+	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
+	golang.org/x/sync v0.0.0-20190423024810-112230192c58
+	golang.org/x/sys v0.0.0-20190712062909-fae7ac547cb7
+	golang.org/x/text v0.3.2
 	golang.org/x/time v0.0.0-20181108054448-85acf8d2951c
-	google.golang.org/api v0.0.0-20181221000618-65a46cafb132
-	google.golang.org/appengine v1.3.0
-	google.golang.org/genproto v0.0.0-20181221175505-bd9b4fb69e2f
-	google.golang.org/grpc v1.17.0
+	google.golang.org/api v0.7.0
+	google.golang.org/appengine v1.5.0
+	google.golang.org/genproto v0.0.0-20190716160619-c506a9f90610
+	google.golang.org/grpc v1.22.0
 	gopkg.in/inf.v0 v0.9.1
 	gopkg.in/yaml.v2 v2.2.2
 	k8s.io/api v0.0.0-20181130031204-d04500c8c3dd