daemon: use env variables to download payload from private registry

When a payload image is stored in a private repository the daemon needs to authenticate with the registry to be able to download it. There are two environment variables defined in the daemons pod specification. These variables are populated by a Kubernetes secret that the user can create. It needs to be created before the daemons start to run. The variables and the secret are optional and will only be used when a configmap for a custom payload image is used. See the documentation for instructions for how to use the configmap and the secret for custom payload containers. Signed-off-by: Jens Freimann <jfreimann@redhat.com>
openshift · Jan 27, 2021 · c4c47d9 · c4c47d9
1 parent 88df0b3
commit c4c47d9
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 11 deletions.
diff --git a/docs/DEVELOPMENT.md b/docs/DEVELOPMENT.md
@@ -18,6 +18,35 @@ change
 
     daemon.payload: quay.io/<username>/mykatapayload:mytag
 
+## Payload container images in private repositories
+
+When a payload image is stored in a private repository the daemon
+needs to authenticate with the registry to be able to download it.
+
+There are two environment variables defined in the daemons pod specification.
+These variables are populated by a Kubernetes secret that the user can create.
+It has to be created before the daemon pods are created.
+
+Steps to use a payload image in a private repository:
+
+1. deploy the operator as usual
+2. create the payload configmap and set daemon.payload to the path in
+   the private repository, for example
+   quay.io/jensfr/kata-operator-payload:special
+3. create the kubernetes secret with the credentials to above private
+   repository. An example:
+
+   apiVersion: v1
+     kind: Secret
+   metadata:
+     name: payload-secret   <- has to have this exact name
+   data:
+     username: ajVXe2ZyCg=y <- base64 encoded
+     password: emFmekIaOKMN <- base64 encoded
+
+4. create the Kataconfig custom ressource. From here on the
+   installation works as usual.
+
 ## How to create a custom payload container image
 
 Based on an existing and known to work set of RPMs it is possible to replace

diff --git a/images/daemon/pkg/daemon/kata_openshift.go b/images/daemon/pkg/daemon/kata_openshift.go
@@ -12,6 +12,7 @@ import (
 	"github.com/containers/image/v5/copy"
 	"github.com/containers/image/v5/signature"
 	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
 	"github.com/coreos/go-semver/semver"
 	"github.com/opencontainers/image-tools/image"
 	confv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
@@ -47,10 +48,10 @@ func (k *KataOpenShift) Install(kataConfigResourceName string) error {
 	if k.KataInstallChecker == nil {
 		k.KataInstallChecker = func() (bool, bool, error) {
 			var (
-				isKataInstalled bool
+				isKataInstalled       bool
 				isCrioDropInInstalled bool
-				err error
-				kataConfig kataTypes.KataConfig
+				err                   error
+				kataConfig            kataTypes.KataConfig
 			)
 
 			err = k.KataClient.Get(context.Background(), client.ObjectKey{
@@ -196,10 +197,10 @@ func (k *KataOpenShift) Uninstall(kataConfigResourceName string) error {
 		k.KataUninstallChecker = func() (bool, bool, error) {
 
 			var (
-				isKataUnInstalled bool
+				isKataUnInstalled       bool
 				isCrioDropInUnInstalled bool
-				err error
-				kataConfig kataTypes.KataConfig
+				err                     error
+				kataConfig              kataTypes.KataConfig
 			)
 
 			err = k.KataClient.Get(context.Background(), client.ObjectKey{
@@ -381,12 +382,23 @@ func installRPMs(k *KataOpenShift) error {
 	}
 
 	payloadImage := os.Getenv("KATA_PAYLOAD_IMAGE")
-	if payloadImage == "" {
-		payloadImage = "docker://quay.io/isolatedcontainers/kata-operator-payload:" + k.PayloadTag
-	} else {
-		log.Println("WARNING: kataconfig installation is tainted")
+	sourceCtx := &types.SystemContext{}
+	if payloadImage != "" {
+		username := strings.Replace(os.Getenv("PAYLOAD_REGISTRY_USERNAME"), "\n", "", -1)
+		password := strings.Replace(os.Getenv("PAYLOAD_REGISTRY_PASSWORD"), "\n", "", -1)
+		if username != "" && password != "" {
+			sourceCtx = &types.SystemContext{
+				DockerAuthConfig: &types.DockerAuthConfig{
+					Username: username,
+					Password: password,
+				},
+			}
+		}
+		log.Println("WARNING: private payload image in use")
 		log.Println("Using env variable KATA_PAYLOAD_IMAGE " + payloadImage)
 		payloadImage = "docker://" + payloadImage
+	} else {
+		payloadImage = "docker://quay.io/isolatedcontainers/kata-operator-payload:" + k.PayloadTag
 	}
 
 	srcRef, err := alltransports.ParseImageName(payloadImage)
@@ -400,7 +412,18 @@ func installRPMs(k *KataOpenShift) error {
 		return err
 	}
 
-	_, err = copy.Image(context.Background(), policyContext, destRef, srcRef, &copy.Options{})
+	_, err = copy.Image(context.Background(), policyContext, destRef, srcRef,
+		&copy.Options{SourceCtx: sourceCtx})
+
+	if err != nil {
+		fmt.Println("Error occured when downloading payload image:")
+		fmt.Println(err)
+		if os.Getenv("PAYLOAD_REGISTRY_USERNAME") != "" {
+			fmt.Println("payload secret env vars are set and used. Please check the credentials used?")
+		}
+		return err
+	}
+
 	err = image.CreateRuntimeBundleLayout("/opt/kata-install/kata-image/",
 		"/usr/local/kata", "latest", "linux", []string{"name=latest"})
 	if err != nil {