-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add kops create secret dockerconfig
feature
#3087
Add kops create secret dockerconfig
feature
#3087
Conversation
This adds a well-known secret name `nodedockercfg` which will automatically be used if present to create /root/.docker/config.json on all nodes. This will allow private registries to be used for kops hooks as well as any k8s images without the need to define `imagePullSecrets` in every namespace. closes kubernetes#2505
Hi @blakebarnett. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Also don't include the nodedockercfg in all_tokens.csv
move the tasks up so they apply to all nodes
c413236
to
cf1bae8
Compare
I'm not sure if there's a way to do cleanup in the case where this secret gets deleted from the secretStore. Also it doesn't appear there's currently a way to delete secrets either, I'll wait for the refactor in #3054 to figure out what to do about those 2 things. |
Add HOME=/root to kubelet sysconfig
cf1bae8
to
bd779e7
Compare
/assign @chrislovecnm |
} | ||
secret, err := fi.CreateSecret() | ||
if err != nil { | ||
return fmt.Errorf("error creating node docker config secret %v: %v", secret, err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: you probably don't want to print secret - it'll probably be nil.. Also it is only ever going to be random gibberish...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And I don't think you want it anyway - just build the Secret directly, as you set Data below!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good point
cmd/kops/create_secret.go
Outdated
@@ -33,6 +33,9 @@ var ( | |||
# Create an new ssh public key called admin. | |||
kops create secret sshpublickey admin -i ~/.ssh/id_rsa.pub \ | |||
--name k8s-cluster.example.com --state s3://example.com | |||
|
|||
kops create secret nodedockercfg -i ~/.docker/config.json \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So we use -i
for SSH because that's the arg for ssh public keys. Except of course it's actually the arg for SSH private keys. I suspect -i
was my mistake, and we should probably use -f
...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed, I'll switch it to -f
|
||
create_secret_nodedockerconfig_example = templates.Examples(i18n.T(` | ||
# Create an new node docker config. | ||
kops create secret nodedockerconfig -i /path/to/docker/config.json \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wondering why this is _node_dockerconfig specifically. We probably do want to put it on the masters; if we didn't we would probably still call it dockerconfig but allow specific configuration (per instancegroup maybe?). kubectl calls it docker-registry
. Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I guess I wanted to make it clear that it was at the node level and wasn't going to end up inside k8s. Happy to change it to dockerconfig though.
docs/security.md
Outdated
@@ -20,6 +20,15 @@ To change the SSH public key on an existing cluster: | |||
* `kops update cluster --yes` to reconfigure the auto-scaling groups | |||
* `kops rolling-update cluster --name <clustername> --yes` to immediately roll all the machines so they have the new key (optional) | |||
|
|||
## Node Docker Configuration | |||
|
|||
If you are using a private registry such as quay.io, you may be familiar with the inconvenience of managing the `imagePullSecrets` for each namespace. It can also be a pain to use [Kops Hooks ](cluster_spec.md#hooks) with private images. To configure docker on all nodes with access to one or more private registries: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Total nit: extra space after Kops Hooks
@@ -146,6 +146,8 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet | |||
} | |||
|
|||
sysconfig := "DAEMON_ARGS=\"" + flags + "\"\n" | |||
// Makes kubelet read /root/.docker/config.json properly | |||
sysconfig = sysconfig + "HOME=\"/root" + "\"\n" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Came across this with the ~/.aws directory as well - it is a pain...
Wondering if we should give kubelet etc their own directories, but if we do we can just change it when we need it. Thanks for fixing :-)
nodeup/pkg/model/secrets.go
Outdated
return err | ||
} | ||
if dockercfg == nil { | ||
return fmt.Errorf("node docker config not found: %q", key) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this an error? Presumably not... I suspect we'll fail e2e with this (but we'll see I guess!)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops I meant to have this as a guard when nodedockercfg is stored but the lookup failed. I think you're right, I'll just remove it and rely on the string check.
upup/pkg/fi/cloudup/apply_cluster.go
Outdated
if secret != nil { | ||
nodeDockerConfig, err = secret.AsString() | ||
if err != nil { | ||
return fmt.Errorf("error node docker config not a string? %q: %v", nodeDockerConfig, err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think nodeDockerConfig is going be nil / "". So I don't think we print it, and I think that gets rid of nodeDockerConfig
entirely.
Also, can we have a comment here - like // Verify that dockercfg is a string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in a previous iteration I had it actually checking if the json is parsable, I think maybe I'll switch this back to that and maybe move it into the CLI code since that seems like a better place to provide the error.
/ok-to-test |
Thanks - this is awesome! A few comments; I think some of them will need to be tweaked to pass e2e. Biggest questions (and they are questions) are about naming of the command / secret / flags - the hardest thing :-) |
- Rename to just DockerConfig / dockerconfig everywhere for consistency - Check if the config is valid JSON - Update docs
Thanks :) Let me know if this latest commit doesn't address all your comments! |
/test pull-kops-e2e-kubernetes-aws |
@justinsb not sure what that e2e error is about? Seems to have nothing to do with this PR... |
kops create secret nodedockercfg
featurekops create secret dockerconfig
feature
nevermind, I realized it was related to one of your original comments. Didn't notice the build log had the real reason for that error about |
/lgtm Nice work - thanks @blakebarnett |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: blakebarnett, justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue |
This adds a well-known secret name
dockerconfig
which will automaticallybe used if present to create
/root/.docker/config.json
on all nodes. This willallow private registries to be used for kops hooks as well as any k8s images
without the need to define
imagePullSecrets
in every namespace.closes #2505