Add kops create secret dockerconfig feature

cmd/kops/create_secret.go

@@ -33,6 +33,9 @@ var (
 	# Create an new ssh public key called admin.
 	kops create secret sshpublickey admin -i ~/.ssh/id_rsa.pub \
 		--name k8s-cluster.example.com --state s3://example.com
+
+	kops create secret nodedockercfg -i ~/.docker/config.json \
+		--name k8s-cluster.example.com --state s3://example.com
 	`))
 
 	create_secret_short = i18n.T(`Create a secret.`)
@@ -48,6 +51,7 @@ func NewCmdCreateSecret(f *util.Factory, out io.Writer) *cobra.Command {
 
 	// create subcommands
 	cmd.AddCommand(NewCmdCreateSecretPublicKey(f, out))
+	cmd.AddCommand(NewCmdCreateSecretNodeDockerConfig(f, out))
 
 	return cmd
 }

cmd/kops/create_secret_nodedockerconfig.go

@@ -0,0 +1,116 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/spf13/cobra"
+	"k8s.io/kops/cmd/kops/util"
+	"k8s.io/kops/pkg/apis/kops/registry"
+	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
+	"k8s.io/kubernetes/pkg/util/i18n"
+)
+
+var (
+	create_secret_nodedockerconfig_long = templates.LongDesc(i18n.T(`
+	Create a new node docker config, and store it in the state store. Use update
+	to update it, this command will only create a new entry.`))
+
+	create_secret_nodedockerconfig_example = templates.Examples(i18n.T(`
+	# Create an new node docker config.
+	kops create secret nodedockerconfig -i /path/to/docker/config.json \
+		--name k8s-cluster.example.com --state s3://example.com
+	`))
+
+	create_secret_nodedockerconfig_short = i18n.T(`Create a node docker config.`)
+)
+
+type CreateSecretDockercfgOptions struct {
+	ClusterName   string
+	DockerCfgPath string
+}
+
+func NewCmdCreateSecretNodeDockerConfig(f *util.Factory, out io.Writer) *cobra.Command {
+	options := &CreateSecretDockercfgOptions{}
+
+	cmd := &cobra.Command{
+		Use:     "nodedockercfg",
+		Short:   create_secret_nodedockerconfig_short,
+		Long:    create_secret_nodedockerconfig_long,
+		Example: create_secret_nodedockerconfig_example,
+		Run: func(cmd *cobra.Command, args []string) {
+			if len(args) != 0 {
+				exitWithError(fmt.Errorf("syntax: -i <DockerCfgPath>"))
+			}
+
+			err := rootCommand.ProcessArgs(args[0:])
+			if err != nil {
+				exitWithError(err)
+			}
+
+			options.ClusterName = rootCommand.ClusterName()
+
+			err = RunCreateSecretDockerCfg(f, os.Stdout, options)
+			if err != nil {
+				exitWithError(err)
+			}
+		},
+	}
+
+	cmd.Flags().StringVarP(&options.DockerCfgPath, "", "i", "", "Path to node docker config")
+
+	return cmd
+}
+
+func RunCreateSecretDockerCfg(f *util.Factory, out io.Writer, options *CreateSecretDockercfgOptions) error {
+	if options.DockerCfgPath == "" {
+		return fmt.Errorf("docker config path is required (use -i)")
+	}
+	secret, err := fi.CreateSecret()
+	if err != nil {
+		return fmt.Errorf("error creating node docker config secret %v: %v", secret, err)
+	}
+
+	cluster, err := GetCluster(f, options.ClusterName)
+	if err != nil {
+		return err
+	}
+
+	secretStore, err := registry.SecretStore(cluster)
+	if err != nil {
+		return err
+	}
+
+	data, err := ioutil.ReadFile(options.DockerCfgPath)
+	if err != nil {
+		return fmt.Errorf("error reading node docker config %v: %v", options.DockerCfgPath, err)
+	}
+
+	secret.Data = data
+
+	_, _, err = secretStore.GetOrCreateSecret("nodedockercfg", secret)
+	if err != nil {
+		return fmt.Errorf("error adding node docker config: %v", err)
+	}
+
+	return nil
+}

docs/cli/kops_create_secret.md

@@ -16,6 +16,9 @@ Create a secret
   # Create an new ssh public key called admin.
   kops create secret sshpublickey admin -i ~/.ssh/id_rsa.pub \
   --name k8s-cluster.example.com --state s3://example.com
+
+  kops create secret nodedockercfg -i ~/.docker/config.json \
+  --name k8s-cluster.example.com --state s3://example.com
 ```
 
 ### Options inherited from parent commands
@@ -35,5 +38,6 @@ Create a secret
 
 ### SEE ALSO
 * [kops create](kops_create.md)	 - Create a resource by command line, filename or stdin.
+* [kops create secret nodedockercfg](kops_create_secret_nodedockercfg.md)	 - Create a node docker config.
 * [kops create secret sshpublickey](kops_create_secret_sshpublickey.md)	 - Create a ssh public key.
 

docs/cli/kops_create_secret_nodedockercfg.md

@@ -0,0 +1,48 @@
+
+<!--- This file is automatically generated by make gen-cli-docs; changes should be made in the go CLI command code (under cmd/kops) -->
+
+## kops create secret nodedockercfg
+
+Create a node docker config.
+
+### Synopsis
+
+
+Create a new node docker config, and store it in the state store. Use update to update it, this command will only create a new entry.
+
+```
+kops create secret nodedockercfg
+```
+
+### Examples
+
+```
+  # Create an new node docker config.
+  kops create secret nodedockerconfig -i /path/to/docker/config.json \
+  --name k8s-cluster.example.com --state s3://example.com
+```
+
+### Options
+
+```
+  -i, -- string   Path to node docker config
+```
+
+### Options inherited from parent commands
+
+```
+      --alsologtostderr                  log to standard error as well as files
+      --config string                    config file (default is $HOME/.kops.yaml)
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory
+      --logtostderr                      log to standard error instead of files (default false)
+      --name string                      Name of cluster
+      --state string                     Location of state storage
+      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                          log level for V logs
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+* [kops create secret](kops_create_secret.md)	 - Create a secret.
+

docs/security.md

@@ -20,6 +20,15 @@ To change the SSH public key on an existing cluster:
 * `kops update cluster --yes` to reconfigure the auto-scaling groups
 * `kops rolling-update cluster --name <clustername> --yes` to immediately roll all the machines so they have the new key (optional)
 
+## Node Docker Configuration
+
+If you are using a private registry such as quay.io, you may be familiar with the inconvenience of managing the `imagePullSecrets` for each namespace. It can also be a pain to use [Kops Hooks ](cluster_spec.md#hooks) with private images. To configure docker on all nodes with access to one or more private registries:
+
+* `kops create secret --name <clustername> nodedockercfg -i ~/.docker/config.json`
+* `kops rolling-update cluster --name <clustername> --yes` to immediately roll all the machines so they have the new key (optional)
+
+This stores the `config.json` in `/root/.docker/config.json` on all nodes so that both Kubernetes and system containers may use the registries.
+
 ## IAM roles
 
 All Pods running on your cluster have access to underlying instance IAM role.

nodeup/pkg/model/kubelet.go

@@ -146,6 +146,8 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet
 	}
 
 	sysconfig := "DAEMON_ARGS=\"" + flags + "\"\n"
+	// Makes kubelet read /root/.docker/config.json properly
+	sysconfig = sysconfig + "HOME=\"/root" + "\"\n"
 
 	t := &nodetasks.File{
 		Path:     "/etc/sysconfig/kubelet",

nodeup/pkg/model/secrets.go

@@ -58,6 +58,26 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 		c.AddTask(t)
 	}
 
+	if b.SecretStore != nil {
+		key := "nodedockercfg"
+		dockercfg, err := b.SecretStore.Secret(key)
+		if err != nil {
+			return err
+		}
+		if dockercfg == nil {
+			return fmt.Errorf("node docker config not found: %q", key)
+		}
+		contents := string(dockercfg.Data)
+
+		t := &nodetasks.File{
+			Path:     filepath.Join("root", ".docker", "config.json"),
+			Contents: fi.NewStringResource(contents),
+			Type:     nodetasks.FileType_File,
+			Mode:     s("0600"),
+		}
+		c.AddTask(t)
+	}
+
 	// if we are not a master we can stop here
 	if !b.IsMaster {
 		return nil
@@ -129,6 +149,9 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 
 		var lines []string
 		for id, token := range allTokens {
+			if id == "nodedockercfg" {
+				continue
+			}
 			lines = append(lines, token+","+id+","+id)
 		}
 		csv := strings.Join(lines, "\n")

nodeup/pkg/model/tests/kubelet/featuregates/tasks.yaml

@@ -1,4 +1,5 @@
 contents: |
   DAEMON_ARGS="--feature-gates=AllowExtTrafficLocalEndpoints=false,ExperimentalCriticalPodAnnotation=true --node-labels=kubernetes.io/role=node,node-role.kubernetes.io/node= --cni-bin-dir=/opt/cni/bin/ --cni-conf-dir=/etc/cni/net.d/ --network-plugin-dir=/opt/cni/bin/"
+  HOME="/root"
 path: /etc/sysconfig/kubelet
 type: file

upup/pkg/fi/cloudup/apply_cluster.go

@@ -300,6 +300,17 @@ func (c *ApplyClusterCmd) Run() error {
 		}
 	}
 
+	var nodeDockerConfig string
+	{
+		secret, _ := secretStore.Secret("nodedockercfg")
+		if secret != nil {
+			nodeDockerConfig, err = secret.AsString()
+			if err != nil {
+				return fmt.Errorf("error node docker config not a string? %q: %v", nodeDockerConfig, err)
+			}
+		}
+	}
+
 	modelContext := &model.KopsModelContext{
 		Cluster:        cluster,
 		InstanceGroups: c.InstanceGroups,