Add kops create secret dockerconfig feature
#3087
Conversation
This adds a well-known secret name `nodedockercfg` which will automatically be used if present to create /root/.docker/config.json on all nodes. This will allow private registries to be used for kops hooks as well as any k8s images without the need to define `imagePullSecrets` in every namespace. closes kubernetes#2505
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @blakebarnett. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
needs-ok-to-test
Also don't include the nodedockercfg in all_tokens.csv
move the tasks up so they apply to all nodes
blakebarnett
force-pushed
the
bdb/add_node_docker_config_secret
branch
from
c413236
to
cf1bae8
Compare
|
I'm not sure if there's a way to do cleanup in the case where this secret gets deleted from the secretStore. Also it doesn't appear there's currently a way to delete secrets either, I'll wait for the refactor in #3054 to figure out what to do about those 2 things. |
Add HOME=/root to kubelet sysconfig
blakebarnett
force-pushed
the
bdb/add_node_docker_config_secret
branch
from
cf1bae8
to
bd779e7
Compare
|
/assign @chrislovecnm |
| } | ||
| secret, err := fi.CreateSecret() | ||
| if err != nil { | ||
| return fmt.Errorf("error creating node docker config secret %v: %v", secret, err) |
There was a problem hiding this comment.
Nit: you probably don't want to print secret - it'll probably be nil.. Also it is only ever going to be random gibberish...
There was a problem hiding this comment.
And I don't think you want it anyway - just build the Secret directly, as you set Data below!
cmd/kops/create_secret.go
Outdated
| @@ -33,6 +33,9 @@ var ( | |||
| # Create an new ssh public key called admin. | |||
| kops create secret sshpublickey admin -i ~/.ssh/id_rsa.pub \ | |||
| --name k8s-cluster.example.com --state s3://example.com | |||
|
|
|||
| kops create secret nodedockercfg -i ~/.docker/config.json \ | |||
There was a problem hiding this comment.
So we use -i for SSH because that's the arg for ssh public keys. Except of course it's actually the arg for SSH private keys. I suspect -i was my mistake, and we should probably use -f...
There was a problem hiding this comment.
agreed, I'll switch it to -f
|
|
||
| create_secret_nodedockerconfig_example = templates.Examples(i18n.T(` | ||
| # Create an new node docker config. | ||
| kops create secret nodedockerconfig -i /path/to/docker/config.json \ |
There was a problem hiding this comment.
Wondering why this is _node_dockerconfig specifically. We probably do want to put it on the masters; if we didn't we would probably still call it dockerconfig but allow specific configuration (per instancegroup maybe?). kubectl calls it docker-registry. Thoughts?
There was a problem hiding this comment.
Yeah I guess I wanted to make it clear that it was at the node level and wasn't going to end up inside k8s. Happy to change it to dockerconfig though.
docs/security.md
Outdated
| @@ -20,6 +20,15 @@ To change the SSH public key on an existing cluster: | |||
| * `kops update cluster --yes` to reconfigure the auto-scaling groups | |||
| * `kops rolling-update cluster --name <clustername> --yes` to immediately roll all the machines so they have the new key (optional) | |||
|
|
|||
| ## Node Docker Configuration | |||
|
|
|||
| If you are using a private registry such as quay.io, you may be familiar with the inconvenience of managing the `imagePullSecrets` for each namespace. It can also be a pain to use [Kops Hooks ](cluster_spec.md#hooks) with private images. To configure docker on all nodes with access to one or more private registries: | |||
There was a problem hiding this comment.
Total nit: extra space after Kops Hooks
| @@ -146,6 +146,8 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet | |||
| } | |||
|
|
|||
| sysconfig := "DAEMON_ARGS=\"" + flags + "\"\n" | |||
| // Makes kubelet read /root/.docker/config.json properly | |||
| sysconfig = sysconfig + "HOME=\"/root" + "\"\n" | |||
There was a problem hiding this comment.
Came across this with the ~/.aws directory as well - it is a pain...
Wondering if we should give kubelet etc their own directories, but if we do we can just change it when we need it. Thanks for fixing :-)
nodeup/pkg/model/secrets.go
Outdated
| return err | ||
| } | ||
| if dockercfg == nil { | ||
| return fmt.Errorf("node docker config not found: %q", key) |
There was a problem hiding this comment.
Is this an error? Presumably not... I suspect we'll fail e2e with this (but we'll see I guess!)
There was a problem hiding this comment.
oops I meant to have this as a guard when nodedockercfg is stored but the lookup failed. I think you're right, I'll just remove it and rely on the string check.
upup/pkg/fi/cloudup/apply_cluster.go
Outdated
| if secret != nil { | ||
| nodeDockerConfig, err = secret.AsString() | ||
| if err != nil { | ||
| return fmt.Errorf("error node docker config not a string? %q: %v", nodeDockerConfig, err) |
There was a problem hiding this comment.
I think nodeDockerConfig is going be nil / "". So I don't think we print it, and I think that gets rid of nodeDockerConfig entirely.
Also, can we have a comment here - like // Verify that dockercfg is a string
There was a problem hiding this comment.
in a previous iteration I had it actually checking if the json is parsable, I think maybe I'll switch this back to that and maybe move it into the CLI code since that seems like a better place to provide the error.
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
Thanks - this is awesome! A few comments; I think some of them will need to be tweaked to pass e2e. Biggest questions (and they are questions) are about naming of the command / secret / flags - the hardest thing :-) |
- Rename to just DockerConfig / dockerconfig everywhere for consistency - Check if the config is valid JSON - Update docs
|
Thanks :) Let me know if this latest commit doesn't address all your comments! |
|
/test pull-kops-e2e-kubernetes-aws |
|
@justinsb not sure what that e2e error is about? Seems to have nothing to do with this PR... |
blakebarnett
changed the title
kops create secret nodedockercfg featurekops create secret dockerconfig feature
|
nevermind, I realized it was related to one of your original comments. Didn't notice the build log had the real reason for that error about |
|
/lgtm Nice work - thanks @blakebarnett |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: blakebarnett, justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
This adds a well-known secret name
dockerconfigwhich will automaticallybe used if present to create
/root/.docker/config.jsonon all nodes. This willallow private registries to be used for kops hooks as well as any k8s images
without the need to define
imagePullSecretsin every namespace.closes #2505