Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Containerd repo mirror auth #12562

Closed
wants to merge 2 commits into from
Closed

Containerd repo mirror auth #12562

wants to merge 2 commits into from

Conversation

haad
Copy link
Contributor

@haad haad commented Oct 20, 2021

Add support for registry mirror authentication with containerD. This was managed byt overiding cotnainerd config as whole.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 20, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @haad. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 20, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign johngmyers after the PR has been reviewed.
You can assign the PR to them by writing /assign @johngmyers in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hakman
Copy link
Member

hakman commented Oct 20, 2021

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 20, 2021
@haad haad force-pushed the containerd_repo_mirror_auth branch 2 times, most recently from af8a524 to 853ebbb Compare October 24, 2021 08:24
@haad
Add support for container authenticated registries implemented are Us…
0d0bf41 
…ername/Password and Auth Token formats.

Signed-off-by: Adam Hamsik <adam.hamsik@lablabs.io>
@haad
Add autogenerated code.
b3b227c
@haad haad force-pushed the containerd_repo_mirror_auth branch from 1e35730 to b3b227c Compare October 25, 2021 16:14
@haad
Copy link
Contributor Author

haad commented Nov 5, 2021

Ping

@hakman
Copy link
Member

hakman commented Nov 8, 2021

Hi @haad. Sorry for the delay in answering. We had some discussions about this topic at our weekly meeting and some concerns were raised about adding passwords directly into kOps config. There was no consensus on how to approach this last week, but it's still on our list of priorities.

One question came up about the use of Docker secrets managed by kOps which are directly used by k8s even with containerd. Did you try to see if those work somehow for the mirrors too?.

@haad
Copy link
Contributor Author

haad commented Nov 8, 2021

I understand, but We are not forcing our users to include those passwords there. Plus you have an option to use a token, too. Right no every Kops users has to override this config as a whole which isn't a good thing. It complicates workflow for them as they have to check if we have not changed default configuration(containerd/config.toml) before each upgrade.

We should be able to add some cloud based password insertion scheme (Use aws system parameters as passwords), but I would add/implment that functionality as a separate PR.

@blakebarnett
Copy link

blakebarnett commented Nov 15, 2021
edited
Loading

Shouldn't this be implemented similarly to the host-level docker auth (as a secret)? We could maybe abstract it to be a generic "registry auth" secret, and have it apply to both...

for reference: #3087

@olemarkus
Copy link
Member

That would be my preferred way of implementing this

@k8s-ci-robot
Copy link
Contributor

@haad: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kops-e2e-cni-cilium-ipv6 b3b227c link true /test pull-kops-e2e-cni-cilium-ipv6
pull-kops-e2e-cni-calico-ipv6 b3b227c link true /test pull-kops-e2e-cni-calico-ipv6

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 26, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 28, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Copy link
Contributor

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@hakman hakman mentioned this pull request May 25, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hakman hakman hakman left review comments

@olemarkus olemarkus Awaiting requested review from olemarkus

Assignees
No one assigned
Labels
area/api area/nodeup cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@haad @k8s-ci-robot @hakman @blakebarnett @olemarkus @k8s-triage-robot