cloud-config: streamline credentials provisioning #1850

@mkulke mkulke commented May 31, 2024

Instead of nesting it into a daemon.json property for the forwarder, the auth file is being moved to its own entry, which will simplify the logic and allow cloud-init based podvms to use authenticated registries without running process-user-data alongside cloud-init.

@mkulke mkulke force-pushed the mkulke/streamline-provisioning-of-authjson branch from c9316d6 to b323245 Compare May 31, 2024 12:20

mkulke commented May 31, 2024

According to the discussion on the linked guest-component issue, we might end up having to add an image_registry_auth_file param back to kata to make this work, since there are provisions to change the path in image-rs's ImageConfig and, unless we want to go around and sneak in an override path via env or something, we'd have to specify it at the owner of the ImageConfig, which is kata agent.


@stevenhorsman stevenhorsman left a comment


I'm happy with moving the destination path for auth.json and removing it out of daemon.json, but I have a question on how we might be able to use it in image-rs.

Review comment on src/cloud-api-adaptor/pkg/agent/update.go (outdated, resolved)

mkulke commented Jul 19, 2024

Some changes need to be applied once #1933 has been merged.

@mkulke mkulke force-pushed the mkulke/streamline-provisioning-of-authjson branch from b323245 to 22f4ddd Compare July 25, 2024 18:11
@mkulke mkulke marked this pull request as ready for review July 25, 2024 18:11
@mkulke mkulke requested a review from stevenhorsman July 25, 2024 18:26
@mkulke mkulke force-pushed the mkulke/streamline-provisioning-of-authjson branch 2 times, most recently from 7432ced to a6d5d13 Compare July 25, 2024 18:37
@mkulke mkulke added the core Issues related to the core adaptor code label Jul 25, 2024

@stevenhorsman stevenhorsman left a comment


Code LGTM. Thanks!


@bpradipt bpradipt left a comment


/lgtm

@huoqifeng

@mkulke I'm wondering how did this file get provisioned?

SrcAuthfilePath = "/root/containers/auth.json"

Is this something that can be introduced in initdata? Like in PR #1912


mkulke commented Jul 26, 2024

> @mkulke I'm wondering how did this file get provisioned?
>
> SrcAuthfilePath = "/root/containers/auth.json"
>
> Is this something that can be introduced in initdata? Like in PR #1912

This is part of the kustomize install routine; an auth.json gets mounted to the CAA daemonset container at this path.

instead of nesting it into a daemon.json property for the forwarder the
auth file is being moved to its own entry, which will simplify the logic
and allow cloud-init based podvms to use authenticated registries
without running process-user-data alongside cloud-init.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
@mkulke mkulke force-pushed the mkulke/streamline-provisioning-of-authjson branch from a6d5d13 to f08ea46 Compare July 26, 2024 07:18
@mkulke mkulke merged commit b8730a4 into confidential-containers:main Jul 26, 2024
19 of 20 checks passed
@mkulke mkulke deleted the mkulke/streamline-provisioning-of-authjson branch July 26, 2024 07:33