Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CAA: add support to look up imagePullSecrets for pods #2232

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

CAA: add support to look up imagePullSecrets for pods #2232

wants to merge 1 commit into from

Conversation

squarti
Copy link
Contributor

@squarti squarti commented Jan 9, 2025

This PR initializes auth.json with the imagePullSecrets listed on the pod and service account.

Fixes: #2231

@squarti squarti requested a review from a team as a code owner January 9, 2025 16:41
@stevenhorsman stevenhorsman added the test_e2e_libvirt Run Libvirt e2e tests label Jan 9, 2025
mkulke
mkulke reviewed Jan 10, 2025
View reviewed changes
Copy link
Collaborator

@mkulke mkulke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thx, looks good! the override semantics are interesting here, I'd intuitively expect that a cluster-wide auth.json is overridden by a pod-specific auth.json, but we're doing the opposite here. some questions:

does it make sense to retire the existing caa-wide "auth.json" mechanism in favor of passing this from kubernetes? the caa-wide param is roughly comparable to a node-wide auth.json in the kubelet config, which is discouraged (and which we don't consider it here, either).

I would suggest to at least deprecate the parameter and mark it for later removal.

If we don't want to remove the caa-wide auth.json, would we be able to "merge" both sources?

if we don't want to remove the caa-wide auth.json, would it make sense for pod-specific auth.json to take precedence?

What are the implications for auth.json that come from KBS?

src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go Outdated
@@ -259,6 +259,17 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
_, err = os.Stat(SrcAuthfilePath)
if err != nil {
logger.Printf("credential file %s is not present, skipping image auth config", SrcAuthfilePath)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the log message needs to be adjusted, to indicate that we fall back on image-pull-secrets from the pod

@stevenhorsman
Copy link
Member

@bpradipt @snir911 - I think you added the CAA wide auth.json, so wanted to check if you had any concerned with this. I'm inclined to agree with Magnus, that it would be good to replace the CAA-wide approach with a pod specific one, but am unsure if this would cause challenges with the pause image pull on OpenShift?

@bpradipt
Copy link
Member

@bpradipt @snir911 - I think you added the CAA wide auth.json, so wanted to check if you had any concerned with this. I'm inclined to agree with Magnus, that it would be good to replace the CAA-wide approach with a pod specific one, but am unsure if this would cause challenges with the pause image pull on OpenShift?

Afaicr, the pause image is embedded now.
Overall I like this approach, but I was thinking that imagePullSecrets, if present, would replace the default cluster wide auth.json as Magnus had mentioned.
In the current of using serviceAccount and imagePullSecrets may be we can have a flexibility to specify which service account to retrieve from. That could be a CAA config with default being the default SA. This will avoid any need for cluster wide auth.json to be used.

@squarti
Copy link
Contributor Author

squarti commented Jan 10, 2025

thx, looks good! the override semantics are interesting here, I'd intuitively expect that a cluster-wide auth.json is overridden by a pod-specific auth.json, but we're doing the opposite here. some questions:

I left the cluster wide auth.json overwriting the pod specific secrets because this way current code that uses cluster wide auth.json would not be broken. I think merging the secrets would also be ok as long as the pod secrets do not conflict with the cluster wide secret.

Let me know which approach to take and I will adjust the changes.

@mkulke
Copy link
Collaborator

mkulke commented Jan 10, 2025

thx, looks good! the override semantics are interesting here, I'd intuitively expect that a cluster-wide auth.json is overridden by a pod-specific auth.json, but we're doing the opposite here. some questions:

I left the cluster wide auth.json overwriting the pod specific secrets because this way current code that uses cluster wide auth.json would not be broken. I think merging the secrets would also be ok as long as the pod secrets do not conflict with the cluster wide secret.

Let me know which approach to take and I will adjust the changes.

I would opt for removing the option to have a cluster-wide auth.json in this case. If I understood it correctly there is no use case for that anymore. Propagating it from the cluster is the right call, IMO. since the manifest will still be pulled on the node different maintaining different sets of registry credentials in k8s and caa config can be pretty confusing.

@squarti squarti force-pushed the pull-secret branch 8 times, most recently from 42e1cf8 to 3630bc7 Compare January 11, 2025 00:31
@snir911
Copy link
Contributor

snir911 commented Jan 12, 2025

I like the idea, from the pause image pulling POV i don't think it would be an issue in Openshift..
Another point is that there're node/runtime level pull credentials also IIRC, if keeping auth.json is the only option to (roughly) mimic this behavior i'd keep it.

@squarti squarti force-pushed the pull-secret branch 5 times, most recently from f3a0d8b to c9c2e02 Compare January 14, 2025 16:45
@bpradipt bpradipt requested a review from mkulke January 16, 2025 13:24
bpradipt
bpradipt approved these changes Jan 23, 2025
View reviewed changes
Copy link
Member

@bpradipt bpradipt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
Thanks @squarti

@stevenhorsman
Copy link
Member

@squarti - are you able to rebase this please to pick up the latest changes. Also I'd like to understand where we ended up with on the user experience here: I think the consensus was having support for node wide secret that is overridden with a deployment specific imagePullSecret?

@squarti
CAA: add support to look up imagePullSecrets for pods
10a1bf6 
This PR initializes auth.json with the imagePullSecrets listed on the
pod and service account.

Fixes: confidential-containers#2231


Signed-off-by: Silenio Quarti <[email protected]>
@squarti
Copy link
Contributor Author

squarti commented Jan 23, 2025
edited
Loading

@squarti - are you able to rebase this please to pick up the latest changes. Also I'd like to understand where we ended up with on the user experience here: I think the consensus was having support for node wide secret that is overridden with a deployment specific imagePullSecret?

I think the consensus was to remove the option to have a cluster-wide auth.json.

@stevenhorsman
Copy link
Member

I think the consensus was to remove the option to have a cluster-wide auth.json.

Ok, that's not what was discussed on the community call, which I appreciate you weren't present at. From a quick scan above I think it looks like mostly @mkulke was for removing the cluster-wide option, but was supporting it on the call?

I don't really mind either way, but I'd like some community agreement here,

@bpradipt
Copy link
Member

I think the consensus was to remove the option to have a cluster-wide auth.json.

Ok, that's not what was discussed on the community call, which I appreciate you weren't present at. From a quick scan above I think it looks like mostly @mkulke was for removing the cluster-wide option, but was supporting it on the call?

I don't really mind either way, but I'd like some community agreement here,

Fwiw, I'm ok to remove the cluster-wide auth option since imagepullSecret can be provided via the SA. Also with this change it decouples the pod image pull secret from node specific secret.
Also to be clear, I don't have any hard preference either way..

@mkulke
Copy link
Collaborator

mkulke commented Jan 27, 2025

afair, in the discussion the rationale for the keeping a cluster-wide option was: we currently don't know how to propagate credentials that are specified "out-of-band" on the node to the podvm, e.g. as a kubelet option or via other container runtime means.

an alternative that I can imagine would be to provide a simple docs explaining how an "auth.json" can be embedded in in the image.

I think in both cases we need logic to merge auth.json and a specified behaviour for overlaps / preference. maybe we can leverage existing libraries.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bpradipt bpradipt bpradipt approved these changes

@mkulke mkulke Awaiting requested review from mkulke

@stevenhorsman stevenhorsman Awaiting requested review from stevenhorsman

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
test_e2e_libvirt Run Libvirt e2e tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CAA: imagePullSecrets are not supported
5 participants
@squarti @stevenhorsman @bpradipt @mkulke @snir911