
Add support for private image access #94

Merged

Conversation


@dimitar-kostadinov dimitar-kostadinov commented Nov 9, 2023

How to categorize this PR?

/kind enhancement, api-change

What this PR does / why we need it:
This PR introduces support for private image access. RegistryCache is extended with an optional field SecretReferenceName that contains a reference to upstream registry credentials.
The credentials are provided by the user in the Gardener project as an immutable Kubernetes secret (e.g. ro-docker-secret). The secret is defined in the Shoot spec as a resource reference under resources, and secretReferenceName points to this reference:

```yaml
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
...
spec:
  extensions:
  - type: registry-cache
    providerConfig:
      apiVersion: registry.extensions.gardener.cloud/v1alpha1
      kind: RegistryConfig
      caches:
      - upstream: docker.io
        size: 800Mi
        garbageCollection:
          enabled: true
        secretReferenceName: docker-secret
...
  resources:
  - name: docker-secret
    resourceRef:
      apiVersion: v1
      kind: Secret
      name: ro-docker-secret
...
```

During Shoot creation the secret is copied into the shoot namespace in the Seed with a ref- prefix in the name.
When the registry cache is deployed, a secret with the same credentials is added (e.g. registry-docker-io-7211f728) to the managed resource, and the registry cache accesses the credentials through env vars populated from this secret.

Which issue(s) this PR fixes:
Part of #3

Special notes for your reviewer:

Release note:

The registry-cache now supports providing credentials for private upstreams. For more details, see [How to provide credentials for upstream registry?](https://github.com/gardener/gardener-extension-registry-cache/blob/v0.3.0/docs/usage/upstream-credentials.md).
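The resolution chain the description sketches (caches[].secretReferenceName, then the spec.resources[] entry, then the secret copied into the seed namespace, then environment variables for the cache container) is easy to get subtly wrong, so the following Go program walks it end to end with the checks a reviewer would want: the reference must exist, must point at a v1 Secret, the copied secret must be present and immutable, and both credential keys must be non-empty. This is an added example written for this page, not code from the PR or from the registry-cache extension. Its types are reduced stand-ins for the Gardener and core API objects, and it assumes things the PR text does not state: that the copied secret is named ref-<resources[].name>, that the data keys are username and password, and that the container reads them as REGISTRY_PROXY_USERNAME / REGISTRY_PROXY_PASSWORD (the Distribution registry's REGISTRY_<SECTION>_<KEY> override convention). The sample values are constructed.

```go
package main

import "fmt"

// ResourceRef mirrors shoot.spec.resources[].resourceRef from the PR description.
type ResourceRef struct {
	APIVersion string
	Kind       string
	Name       string
}

// NamedResource mirrors one entry of shoot.spec.resources[].
type NamedResource struct {
	Name        string
	ResourceRef ResourceRef
}

// RegistryCache models one caches[] entry. SecretReferenceName is the optional
// field added by this PR; nil means the upstream is pulled anonymously.
type RegistryCache struct {
	Upstream            string
	SecretReferenceName *string
}

// Secret is a reduced stand-in for corev1.Secret (assumption: only the fields
// checked here are modelled).
type Secret struct {
	Immutable bool
	Data      map[string][]byte
}

// ReferencedResourcesPrefix is the "ref-" prefix the description says Gardener
// adds when copying the referenced secret into the shoot namespace on the seed.
const ReferencedResourcesPrefix = "ref-"

// ResolveUpstreamCredentials follows caches[].secretReferenceName to the matching
// spec.resources[] entry, then to the copied seed secret, and returns the
// username/password pair. Assumptions not stated on the page: the copied secret
// is named ref-<resources[].name>, it must be immutable, and it carries the data
// keys "username" and "password".
func ResolveUpstreamCredentials(cache RegistryCache, resources []NamedResource, seedSecrets map[string]Secret) (string, string, error) {
	if cache.SecretReferenceName == nil {
		return "", "", nil // no credentials configured: anonymous pull-through
	}
	refName := *cache.SecretReferenceName

	var res *NamedResource
	for i := range resources {
		if resources[i].Name == refName {
			res = &resources[i]
			break
		}
	}
	if res == nil {
		return "", "", fmt.Errorf("cache %q: secretReferenceName %q not found in spec.resources", cache.Upstream, refName)
	}
	// Only a core/v1 Secret may be referenced; reject any other kind early.
	if res.ResourceRef.Kind != "Secret" || res.ResourceRef.APIVersion != "v1" {
		return "", "", fmt.Errorf("cache %q: resource %q must reference a v1 Secret, got %s/%s",
			cache.Upstream, refName, res.ResourceRef.APIVersion, res.ResourceRef.Kind)
	}

	seedName := ReferencedResourcesPrefix + res.Name
	secret, ok := seedSecrets[seedName]
	if !ok {
		return "", "", fmt.Errorf("cache %q: copied secret %q not present in the seed namespace", cache.Upstream, seedName)
	}
	if !secret.Immutable {
		return "", "", fmt.Errorf("cache %q: secret %q must be immutable", cache.Upstream, seedName)
	}
	user, okU := secret.Data["username"]
	pass, okP := secret.Data["password"]
	if !okU || !okP || len(user) == 0 || len(pass) == 0 {
		return "", "", fmt.Errorf("cache %q: secret %q must contain non-empty username and password", cache.Upstream, seedName)
	}
	return string(user), string(pass), nil
}

// ProxyEnv renders the credentials as the environment the cache container would
// consume. The names follow the Distribution registry's REGISTRY_<SECTION>_<KEY>
// override convention for proxy.username/proxy.password; the PR text only says
// "env vars", so the exact names are an assumption.
func ProxyEnv(user, pass string) map[string]string {
	return map[string]string{
		"REGISTRY_PROXY_USERNAME": user,
		"REGISTRY_PROXY_PASSWORD": pass,
	}
}

func main() {
	// Constructed sample mirroring the Shoot snippet in the PR description.
	ref := "docker-secret"
	cache := RegistryCache{Upstream: "docker.io", SecretReferenceName: &ref}
	resources := []NamedResource{{
		Name:        "docker-secret",
		ResourceRef: ResourceRef{APIVersion: "v1", Kind: "Secret", Name: "ro-docker-secret"},
	}}
	seedSecrets := map[string]Secret{
		"ref-docker-secret": {Immutable: true, Data: map[string][]byte{
			"username": []byte("alice"),         // constructed value
			"password": []byte("example-token"), // constructed value
		}},
	}
	user, pass, err := ResolveUpstreamCredentials(cache, resources, seedSecrets)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for k, v := range ProxyEnv(user, pass) {
		fmt.Printf("%s=%s\n", k, v)
	}
}
```

Every failure path returns a distinct error naming the cache and the offending object, which is what you want surfaced in the extension's status conditions rather than a generic "secret not found"; the immutability check is there because a mutable secret would let the credentials drift from what the Shoot author reviewed without any change to the Shoot spec.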

@gardener-prow gardener-prow bot added the kind/api-change API change with impact on API users label Nov 9, 2023

gardener-prow bot commented Nov 9, 2023

@dimitar-kostadinov: The label(s) kind/enhancement cannot be applied, because the repository doesn't have them.

In response to this:

Introduce `caches[].secretReferenceName` optional field that contains resource reference to upstream registry credentials.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@gardener-prow gardener-prow bot added the cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. label Nov 9, 2023
@gardener-prow gardener-prow bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Nov 9, 2023
@dimitar-kostadinov
Contributor Author

/retest


@ialidzhikov ialidzhikov left a comment


Nice work! Minor suggestions inline.

@ialidzhikov

/test pull-gardener-extension-registry-cache-e2e-kind

@gardener-prow gardener-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Nov 14, 2023

gitguardian bot commented Nov 14, 2023

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
| GitGuardian id | Secret | Commit | Filename |
|---|---|---|---|
| - | Generic High Entropy Secret | f681c18 | pkg/component/registrycaches/registry_caches_test.go |
| - | Generic High Entropy Secret | 564cd95 | pkg/component/registrycaches/registry_caches_test.go |
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.


@dimitar-kostadinov dimitar-kostadinov force-pushed the enh/upstream-credentials branch 2 times, most recently from 3fdf3bc to d1db713 November 14, 2023 18:15
@gardener-prow gardener-prow bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Nov 15, 2023
@ialidzhikov ialidzhikov force-pushed the enh/upstream-credentials branch from 4e19e97 to 8905b6d November 15, 2023 15:34
@ialidzhikov ialidzhikov force-pushed the enh/upstream-credentials branch from 8905b6d to ac5f3a1 November 15, 2023 15:42

@ialidzhikov ialidzhikov left a comment


/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Nov 15, 2023

gardener-prow bot commented Nov 15, 2023

LGTM label has been added.

Git tree hash: d7ba09ef7d3a02f51ea002343911b6f3228d7c4d


gardener-prow bot commented Nov 15, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ialidzhikov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 15, 2023
@gardener-prow gardener-prow bot merged commit 850540f into gardener:main Nov 15, 2023
@dimitar-kostadinov dimitar-kostadinov deleted the enh/upstream-credentials branch February 26, 2025 14:35
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. kind/api-change API change with impact on API users lgtm Indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.