Merge pull request #838 from Random-Liu/add-auth-config

Add auth config
containerd · Jul 11, 2018 · ca32566 · ca32566
2 parents 5ad95b2 + 1d9a754
commit ca32566
Show file tree

Hide file tree

Showing 99 changed files with 1,152 additions and 5,302 deletions.
diff --git a/docs/installation.md b/docs/installation.md
@@ -1,4 +1,3 @@
-<!-- TODO(now) -->
 # Install Containerd with Release Tarball
 This document provides the steps to install `containerd` and its dependencies with the release tarball, and bring up a Kubernetes cluster using kubeadm.
 

diff --git a/docs/registry.md b/docs/registry.md
@@ -1,6 +1,7 @@
 # Configure Image Registry
 This document describes the method to configure the image registry for `containerd` for use with the `cri` plugin.
 
+## Configure Registry Endpoint
 With containerd, `docker.io` is the default image registry. You can also set up other image registries similar to docker.
 
 To configure image registries create/modify the `/etc/containerd/config.toml` as follows:
@@ -19,4 +20,26 @@ The default configuration can be generated by `containerd config default > /etc/
 The endpoint is a list that can contain multiple image registry URLs split by commas. When pulling an image
 from a registry, containerd will try these endpoint URLs one by one, and use the first working one.
 
-After modify the config file, you need restart the `containerd` service.
+After modify this config, you need restart the `containerd` service.
+
+## Configure Registry Credentials
+
+`cri` plugin also supports docker like registry credential config.
+
+To configure a credential for a specific registry endpoint, create/modify the
+`/etc/containerd/config.toml` as follows:
+```toml
+[plugins.cri.registry.auths]
+  [plugins.cri.registry.auths."https://gcr.io"]
+    username = ""
+    password = ""
+    auth = ""
+    identitytoken = ""
+```
+The meaning of each field is the same with the corresponding field in `.docker/config.json`.
+
+Please note that auth config passed by CRI takes precedence over this config.
+The registry credential in this config will only be used when auth config is
+not specified by Kubernetes via CRI.
+
+After modify this config, you need restart the `containerd` service.
diff --git a/hack/verify-lint.sh b/hack/verify-lint.sh
@@ -20,7 +20,7 @@ set -o pipefail
 for d in $(find . -type d -a \( -iwholename './pkg*' -o -iwholename './cmd*' \) -not -iwholename './pkg/api*'); do
 	echo for directory ${d} ...
 	gometalinter \
-		 --exclude='error return value not checked.*(Close|Log|Print).*\(errcheck\)$' \
+		 --exclude='error return value not checked.*(Close|Log|Print|Fprint).*\(errcheck\)$' \
 		 --exclude='.*_test\.go:.*error return value not checked.*\(errcheck\)$' \
 		 --exclude='duplicate of.*_test.go.*\(dupl\)$' \
 		 --exclude='.*/mock_.*\.go:.*\(golint\)$' \

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -61,16 +61,32 @@ type CniConfig struct {
 // Mirror contains the config related to the registry mirror
 type Mirror struct {
 	// Endpoints are endpoints for a namespace. CRI plugin will try the endpoints
-	// one by one until a working one is found.
+	// one by one until a working one is found. The endpoint must be a valid url
+	// with host specified.
 	Endpoints []string `toml:"endpoint" json:"endpoint"`
-	// TODO (Abhi) We might need to add auth per namespace. Looks like
-	// image auth information is passed by kube itself.
+}
+
+// AuthConfig contains the config related to authentication to a specific registry
+type AuthConfig struct {
+	// Username is the username to login the registry.
+	Username string `toml:"username" json:"username"`
+	// Password is the password to login the registry.
+	Password string `toml:"password" json:"password"`
+	// Auth is a base64 encoded string from the concatenation of the username,
+	// a colon, and the password.
+	Auth string `toml:"auth" json:"auth"`
+	// IdentityToken is used to authenticate the user and get
+	// an access token for the registry.
+	IdentityToken string `toml:"identitytoken" json:"identitytoken"`
 }
 
 // Registry is registry settings configured
 type Registry struct {
 	// Mirrors are namespace to mirror mapping for all namespaces.
 	Mirrors map[string]Mirror `toml:"mirrors" json:"mirrors"`
+	// Auths are registry endpoint to auth config mapping. The registry endpoint must
+	// be a valid url with host specified.
+	Auths map[string]AuthConfig `toml:"auths" json:"auths"`
 }
 
 // PluginConfig contains toml config related to CRI plugin,
@@ -81,7 +97,7 @@ type PluginConfig struct {
 	// CniConfig contains config related to cni
 	CniConfig `toml:"cni" json:"cni"`
 	// Registry contains config related to the registry
-	Registry `toml:"registry" json:"registry"`
+	Registry Registry `toml:"registry" json:"registry"`
 	// StreamServerAddress is the ip address streaming server is listening on.
 	StreamServerAddress string `toml:"stream_server_address" json:"streamServerAddress"`
 	// StreamServerPort is the port streaming server is listening on.

diff --git a/pkg/containerd/resolver/auth.go b/pkg/containerd/resolver/auth.go