Use credentials from providers for docker sandbox image #51870
Conversation
k8s-ci-robot
added
size/M
k8s-github-robot
added
the
release-note
|
@feiskyer: GitHub didn't allow me to request PR reviews from the following users: alena1108. Note that only kubernetes members can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/assign @yujuhong |
pkg/credentialprovider/provider.go
Outdated
| d.expiration = time.Now().Add(-1 * time.Hour) | ||
| } | ||
|
|
||
| // ResetDefaultDockerProviderExpiration resets .dockercfg provider's expiration. |
There was a problem hiding this comment.
Same here. This function is not used outside testing...
There was a problem hiding this comment.
@yujuhong yep, but the timeout is set at init(), there is no easy way to set it outside the package. Any suggestions of a gentle way?
There was a problem hiding this comment.
I don't think dockershim should be testing the internals of the CachingDockerConfigProvider.
One option is to decouple the testing of credential provider by mocking it in dockershim. The other is to export defaultDockerConfigProvider and use that.
There was a problem hiding this comment.
ok, will remove this test case.
There was a problem hiding this comment.
we may add a docker config test in pkg/credentialprovider package later.
pkg/credentialprovider/provider.go
Outdated
|
|
||
| // Reset expiration so that the provider will get configure from real provider instead of cache. | ||
| // This is useful in testings. | ||
| func (d *CachingDockerConfigProvider) resetExpiration() { |
There was a problem hiding this comment.
Adding a function just for testing is strange.
pkg/kubelet/dockershim/helpers.go
Outdated
|
|
||
| err := client.PullImage(image, dockertypes.AuthConfig{}, dockertypes.ImagePullOptions{}) | ||
| if err != nil { | ||
| return fmt.Errorf("error of pulling image %q: %v", image, err) |
There was a problem hiding this comment.
s/error of pulling image/failed pulling image
yujuhong
added
kind/bug
feiskyer
force-pushed
the
sandbox-creds
branch
from
2f743e1
to
4d5d974
Compare
|
@yujuhong Addressed comments. PTAL |
|
PR looks good. @feiskyer do we have a node e2e test for this? I'd like to make sure the fix works before cherrypicking. |
I think no. |
|
Let me add a credential e2e tests before cherry-picking to old branches. |
|
/retest |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: feiskyer, yujuhong Associated issue: 51293 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
We should cherrypick the fix to 1.7 at least. |
|
No outputs of all failed tests, try the tests again. |
|
/test all |
The submit queue is blocked by #52307 |
|
/retest |
|
Automatic merge from submit-queue (batch tested with PRs 52264, 51870) |
wojtek-t
added
the
cherry-pick-approved
|
Commit found in the "release-1.7" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked. |
Automatic merge from submit-queue (batch tested with PRs 49762, 52256). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add node e2e tests for pulling images from credential providers **What this PR does / why we need it**: Add node e2e tests for pulling images from credential providers. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: Refer #51870 (comment) **Special notes for your reviewer**: /assign @yujuhong @Random-Liu 1. We still need to add ResetDefaultDockerProviderExpiration for facilitating tests 2. Do we need a separate image for pulling private image from credential provider? 3. Any suggestion of also adding this for sandbox images? the pause image is a global config of kubelet, but we only need to set a private one for just one test case. **Release note**: ```release-note NONE ```
What this PR does / why we need it:
Sandbox image lookup uses creds from docker config only; other credential providers are ignored. This is a regression introduced in dockershim.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #51293Special notes for your reviewer:
Should also cherry-pick this to release-1.6 and release-1.7.
Release note: