pkg/asset/ignition/bootstrap: Add /root/.docker/config.json #775
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci-robot
added
size/S
wking
force-pushed
the
pull-secret-for-bootkube.sh
branch
from
0099514
to
dfbf1ef
Compare
|
Before this lands, we'll want to make sure it fixes CI for #773. |
openshift-ci-robot
added
the
needs-rebase
wking
changed the title
wking
force-pushed
the
pull-secret-for-bootkube.sh
branch
from
dfbf1ef
to
d273367
Compare
openshift-ci-robot
added
size/XS
|
@smarterclayton, we can run CI on this and secret images by cherry-picking it onto #773 (which is what I'm doing now), but it would be good to be running CI for "can we launch from private images?" in master without hacks like that. Can we get pull-secret protections for at least one constituent image on the CI registry? Maybe the release payload? Or is that not easy with installer CI using |
|
@wking: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
e2e-aws failed to generate the I'll investigate in a fresh CI cluster: /retest |
We already provide /opt/tectonic/manifests/pull.json with a Kubernetes secret that contains the auth JSON, but the new file has the auth JSON without any wrapping. This resolves issues with auth-protected update payloads [1]: [core@ip-10-0-10-189 ~]$ journalctl -n5 -u bootkube.service -- Logs begin at Mon 2018-12-03 06:54:37 UTC, end at Mon 2018-12-03 07:24:52 UTC. -- Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: Trying to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b...Failed Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: unable to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: unable to pull image: Error determining manifest MIME type for docker://quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: Error reading manifest sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b in quay.io/openshift-release-dev/ocp-v4.0: unauthorized: access to the requested resource is not authorized Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service: main process exited, code=exited, status=125/n/a Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: Unit bootkube.service entered failed state. Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service failed. I think the ~/.docker directory name is unfortunate, since we're not actually using Docker at all. But ~/.docker/config.json is an auth location shared by Podman [2], CRI-O [3], and the kubelet [4]. And it's the most generic on-disk location that will survive reboots (/run will not [5]). I've also renamed the manifest template variable to PullSecretBase64 to distinguish it from the unencoded PullSecret I'm adding to the bootstrap template parameters. These are different template parameter sets, but I think recycling the same name would be unnecessarily confusing. [1]: openshift#773 (comment) [2]: https://github.com/containers/libpod/blob/v0.11.1.1/docs/podman-pull.1.md#options [3]: https://github.com/kubernetes-sigs/cri-o/blob/master/vendor/github.com/containers/image/pkg/docker/config/config.go#L32 [4]: https://kubernetes.io/docs/concepts/containers/images/#configuring-nodes-to-authenticate-to-a-private-registry [5]: http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html#runPurpose
wking
force-pushed
the
pull-secret-for-bootkube.sh
branch
from
d273367
to
791a41c
Compare
|
This is slated but depends on other gating factors. We are going to
automatically promote and test, but not quite yet.
I have been leaning towards that because we have to get there for beta and
it addresses other customers concerns.
On Dec 3, 2018, at 2:12 PM, W. Trevor King <notifications@github.com> wrote:
@smarterclayton <https://github.com/smarterclayton>, we can run CI on this
and secret images by cherry-picking it onto #773
<#773> (which is what I'm doing
now), but it would be good to be running CI for "can we launch from private
images?" in master without hacks like that. Can we get pull-secret
protections for at least one constituent image on the CI registry? Maybe
the release payload? Or is that not easy with installer CI using
RELEASE_IMAGE_LATEST since openshift/release#1793
<openshift/release#1793>? Maybe the tooling that
pushes RELEASE_IMAGE_LATEST can push it up as a private image?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#775 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_pyCMDAcBCX04kHN-iXVNOlHRPy4Oks5u1XedgaJpZM4Y-E_P>
.
|
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: crawford, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
wking
added a commit
to wking/openshift-installer
that referenced
this pull request
Dec 3, 2018
Through 6585f5d (Merge pull request openshift#775 from wking/pull-secret-for-bootkube.sh, 2018-12-03).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
And export
REGISTRY_AUTH_FILEpointing at that file. We already provide/opt/tectonic/manifests/pull.jsonwith a Kubernetes secret that contains the auth JSON, but the new file has the auth JSON without any wrapping. This resolves issues with auth-protected update payloads:The environment variable is documented here.
I've also renamed the manifest template variable to
PullSecretBase64to distinguish it from the unencodedPullSecretI'm adding to the bootstrap template parameters. These are different template parameter sets, but I think recycling the same name would be unnecessarily confusing.