entrypoint image lookup: change auth order #620

Merged 2 commits, Mar 15, 2019

vdemeester
Member

Changes

The google.Keychain will fail hard if the gcloud command is
missing (which can be the case in minikube and other Kubernetes
clusters). This means it will fail before trying to contact the
registry anonymously — even if the images are publicly available.

This adds an ad-hoc anonymous keychain and sets it as the first
keychain to check. That way, it will first try to get images config
anonymously and then try other authentications.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>

This could be removed if google/go-containerregistry#405 gets merged, but I also think pipeline should try anonymously before the rest.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide
for more details.

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 14, 2019
@googlebot googlebot added the cla: yes Trying to make the CLA bot happy with ppl from different companies work on one commit label Mar 14, 2019
@tekton-robot tekton-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 14, 2019
mkc := authn.NewMultiKeychain(kc, google.Keychain)
// this will first try to anonymous
// the fall back to authenticate using the k8schain,
// then fall back to the google keychain
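Review bot: the comment under the NewMultiKeychain call lists three steps (anonymous, k8schain, google keychain), but the only call visible here is `authn.NewMultiKeychain(kc, google.Keychain)` with two arguments, so check that the call this comment documents passes the anonymous keychain first and that comment and code agree. The wording also needs fixing: "first try to anonymous" and "the fall back" should read "first try anonymously" and "then fall back".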
Member

Can you add a comment stating that this will (currently) fail if gcloud isn't available?

type anonymousKeychain struct{}

func (a *anonymousKeychain) Resolve(_ name.Registry) (authn.Authenticator, error) {
return &anonymous{}, nil
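Review bot: Resolve ignores its name.Registry argument and returns `&anonymous{}` with a nil error for every registry, so this keychain never declines a registry. If it is placed first in a multi-keychain that returns the first authenticator it does not recognise as anonymous, the k8schain and google keychains behind it are never consulted and lookups for private images go out without credentials. Please add a test that resolves a registry which has a pull secret and checks that the secret's authenticator is returned, or make the anonymous attempt at the image fetch and retry with the keychain when the registry refuses it.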
Member

Does this return your own anonymous implementation since NewMultiKeychain has special logic to detect authn.Anonymous? (ref)

If so, can you document that, so I don't try to make this return authn.Anonymous in a future change?

Member Author

It returns our own anonymous implementation because NewMultiKeychain has special logic to detect authn.Anonymous (and will skip it until the end). Good point, I'll add a comment about that too 👍
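The resolution order discussed in the PR description and in this thread, as an added example that is not code from the PR or from go-containerregistry. It is a self-contained model that assumes what the page states: a keychain error aborts the chain, and the multi-keychain skips only the `authn.Anonymous` sentinel. All type and variable names (`resolveMulti`, `adHoc`, `noGcloud`, ...) are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the authn interfaces (constructed for this example).
type (
	Authenticator interface{ Authorization() (string, error) }
	Keychain      interface{ Resolve(registry string) (Authenticator, error) }
	sentinelAnon  struct{}               // models authn.Anonymous
	adHocAnon     struct{}               // models the PR's own anonymous type
	bearer        struct{ token string } // models a pull-secret credential
	keychainFunc  func(string) (Authenticator, error)
)

func (sentinelAnon) Authorization() (string, error) { return "", nil }
func (adHocAnon) Authorization() (string, error)    { return "", nil }
func (b bearer) Authorization() (string, error)     { return "Bearer " + b.token, nil }
func (f keychainFunc) Resolve(r string) (Authenticator, error) { return f(r) }

var Anonymous Authenticator = sentinelAnon{}

// resolveMulti models the multi-keychain: an error aborts the chain, the
// Anonymous sentinel is skipped, and the first other authenticator wins.
func resolveMulti(registry string, kcs ...Keychain) (Authenticator, error) {
	for _, kc := range kcs {
		auth, err := kc.Resolve(registry)
		if err != nil {
			return nil, err
		}
		if auth != Anonymous {
			return auth, nil
		}
	}
	return Anonymous, nil
}

// Constructed keychains: k8schain without/with a secret, google keychain
// without gcloud, and the ad-hoc anonymous keychain.
var (
	noSecret   = keychainFunc(func(string) (Authenticator, error) { return Anonymous, nil })
	withSecret = keychainFunc(func(string) (Authenticator, error) { return bearer{"constructed-token"}, nil })
	noGcloud   = keychainFunc(func(string) (Authenticator, error) { return nil, errors.New("gcloud not found") })
	adHoc      = keychainFunc(func(string) (Authenticator, error) { return adHocAnon{}, nil })
)
func main() {
	_, err := resolveMulti("registry.example", noSecret, noGcloud)
	auth, _ := resolveMulti("registry.example", adHoc, withSecret, noGcloud)
	fmt.Printf("no secret, no gcloud: %v / ad-hoc first: %T\n", err, auth)
}
```

In this model the ad-hoc type avoids the gcloud error, but because it is not the sentinel it is also returned ahead of any configured pull secret.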

The google.Keychain will fail hard if the `gcloud` command is
missing (which can be the case in minikube and other Kubernetes
clusters). This means it will fail before trying to contact the
registry anonymously — even if the images are publicly available.

This adds an ad-hoc anonymous keychain and sets it as the first
keychain to check. That way, it will first try to get images config
anonymously and then try other authentications.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
@vdemeester
Member Author

/hold
It breaks stuff 😭

@tekton-robot tekton-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 14, 2019
@tekton-robot tekton-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 14, 2019
@tekton-robot tekton-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 14, 2019
@vdemeester vdemeester force-pushed the fix-entrypoint-gcr-public branch 2 times, most recently from 1a41bd9 to bc934d1 Compare March 14, 2019 17:11
@tekton-robot tekton-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 14, 2019
Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
@vdemeester
Member Author

/test pull-tekton-pipeline-integration-tests

@vdemeester
Member Author

/hold cancel

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 15, 2019
Member

@imjasonh imjasonh left a comment

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 15, 2019
@tekton-robot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ImJasonH, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [ImJasonH,vdemeester]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot merged commit f83432c into tektoncd:master Mar 15, 2019
@vdemeester vdemeester deleted the fix-entrypoint-gcr-public branch March 15, 2019 14:35
piyush-garg pushed a commit to piyush-garg/pipeline that referenced this pull request Mar 5, 2021
…image

remove gcs-fetcher image as removed in upstream