feat: add support for private registry #523
Conversation
Codecov Report
@@ Coverage Diff @@
## master #523 +/- ##
==========================================
- Coverage 54.56% 54.55% -0.01%
==========================================
Files 97 97
Lines 14622 14614 -8
==========================================
- Hits 7978 7973 -5
+ Misses 5971 5969 -2
+ Partials 673 672 -1 |
pkg/engine/params_k8s.go
Outdated
| @@ -46,6 +46,7 @@ func assignKubernetesParameters(properties *api.Properties, parametersMap params | |||
|
|
|||
| addValue(parametersMap, "kubeDNSServiceIP", kubernetesConfig.DNSServiceIP) | |||
| addValue(parametersMap, "kubernetesHyperkubeSpec", kubernetesHyperkubeSpec) | |||
| addValue(parametersMap, "privateRegistryServer", kubernetesConfig.PrivateRegistryServer) | |||
There was a problem hiding this comment.
Should we only add the param if it's not empty string?
parts/k8s/kubernetesinstalls.sh
Outdated
| @@ -273,6 +273,11 @@ installKubeletAndKubectl() { | |||
| pullContainerImage() { | |||
| CLI_TOOL=$1 | |||
| DOCKER_IMAGE_URL=$2 | |||
| if [ ! -z "${PRIVATE_REGISTRY_SERVER}" ]; then | |||
| if [[ "$CLI_TOOL" == "docker" ]]; then | |||
| $CLI_TOOL login -u $SERVICE_PRINCIPAL_CLIENT_ID -p $SERVICE_PRINCIPAL_CLIENT_SECRET $PRIVATE_REGISTRY_SERVER | |||
There was a problem hiding this comment.
Does this in practice not work w/ img?
There was a problem hiding this comment.
Seems like it should:
https://github.com/genuinetools/img
There was a problem hiding this comment.
In any event, if img login doesn't work in this context, we'll want to document something like the following:
"Private registry support is for default docker (moby) runtime only. It is not supported for non-docker cluster configuration scenarios, e.g., containerd, clear-containers, kata-containers."
There was a problem hiding this comment.
Added support for img as well.
docs/topics/kubernetes-developers.md
Outdated
| ``` | ||
| "kubernetesConfig": { | ||
| "customHyperkubeImage": "<your-private-registry>/hyperkube-amd64:<your-custom-version>", | ||
| "privateRegistryServer": "<your-private-registry>" |
There was a problem hiding this comment.
Does privateRegistryServer make any sense in a context when customHyperkubeImage is not provided? If not, we should probably add validation.
|
Final high-level comment: because |
|
@jackfrancis In theory this code can be expanded to work for other private container repositories as well, but the real reason is that only azure credentials can actually pull this image from ACR if you are using the Kubernetes Azure cloud provider. So I will update this variable to reflect that. Should we change it to |
|
How about just |
|
Can we keep |
d6fad33 to
a13db9c
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jackfrancis, ritazh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| } | ||
| } else { | ||
| valid = true | ||
| } |
There was a problem hiding this comment.
I found this logic hard to read. would something like the following be more more readable? I think that would remove the need for the valid check
k.PrivateAzureRegistryServer != "" and k.CustomHyperkubeImage == "" {
return errors.Errorf("customHyperkubeImage must be provided when privateAzureRegistryServer is provided")
}| @@ -278,6 +278,9 @@ installKubeletAndKubectl() { | |||
| pullContainerImage() { | |||
| CLI_TOOL=$1 | |||
| DOCKER_IMAGE_URL=$2 | |||
| if [ ! -z "${PRIVATE_AZURE_REGISTRY_SERVER}" ]; then | |||
| $CLI_TOOL login -u $SERVICE_PRINCIPAL_CLIENT_ID -p $SERVICE_PRINCIPAL_CLIENT_SECRET $PRIVATE_AZURE_REGISTRY_SERVER | |||
There was a problem hiding this comment.
should this use --password-stdin here? https://docs.docker.com/engine/reference/commandline/login/#provide-a-password-using-stdin
| @@ -145,7 +145,7 @@ | |||
| "mountetcdScript": "{{GetKubernetesB64Mountetcd}}", | |||
| "customSearchDomainsScript": "{{GetKubernetesB64CustomSearchDomainsScript}}", | |||
| "sshdConfig": "{{GetB64sshdConfig}}", | |||
| "provisionScriptParametersCommon": "[concat('ADMINUSER=',parameters('linuxAdminUsername'),' ETCD_DOWNLOAD_URL=',parameters('etcdDownloadURLBase'),' ETCD_VERSION=',parameters('etcdVersion'),' CONTAINERD_VERSION=',parameters('containerdVersion'),' MOBY_VERSION=',parameters('mobyVersion'),' DOCKER_ENGINE_REPO=',parameters('dockerEngineDownloadRepo'),' TENANT_ID=',variables('tenantID'),' KUBERNETES_VERSION={{.OrchestratorProfile.OrchestratorVersion}} HYPERKUBE_URL=',parameters('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',parameters('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',parameters('clientPrivateKey'),' TARGET_ENVIRONMENT=',parameters('targetEnvironment'),' NETWORK_PLUGIN=',parameters('networkPlugin'),' NETWORK_POLICY=',parameters('networkPolicy'),' VNET_CNI_PLUGINS_URL=',parameters('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',parameters('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',toLower(string(parameters('cloudproviderConfig').cloudProviderBackoff)),' CLOUDPROVIDER_BACKOFF_RETRIES=',parameters('cloudproviderConfig').cloudProviderBackoffRetries,' CLOUDPROVIDER_BACKOFF_EXPONENT=',parameters('cloudproviderConfig').cloudProviderBackoffExponent,' CLOUDPROVIDER_BACKOFF_DURATION=',parameters('cloudproviderConfig').cloudProviderBackoffDuration,' CLOUDPROVIDER_BACKOFF_JITTER=',parameters('cloudproviderConfig').cloudProviderBackoffJitter,' CLOUDPROVIDER_RATELIMIT=',toLower(string(parameters('cloudproviderConfig').cloudProviderRatelimit)),' CLOUDPROVIDER_RATELIMIT_QPS=',parameters('cloudproviderConfig').cloudProviderRatelimitQPS,' CLOUDPROVIDER_RATELIMIT_BUCKET=',parameters('cloudproviderConfig').cloudProviderRatelimitBucket,' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USER_ASSIGNED_IDENTITY_ID=',variables('userAssignedClientID'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' LOAD_BALANCER_SKU=',variables('loadBalancerSku'),' EXCLUDE_MASTER_FROM_STANDARD_LB=',variables('excludeMasterFromStandardLB'),' MAXIMUM_LOADBALANCER_RULE_COUNT=',variables('maximumLoadBalancerRuleCount'),' CONTAINER_RUNTIME=',parameters('containerRuntime'),' CONTAINERD_DOWNLOAD_URL_BASE=',parameters('containerdDownloadURLBase'),' POD_INFRA_CONTAINER_SPEC=',parameters('kubernetesPodInfraContainerSpec'),' KMS_PROVIDER_VAULT_NAME=',variables('clusterKeyVaultName'),' IS_HOSTED_MASTER={{IsHostedMaster}}')]", | |||
| "provisionScriptParametersCommon": "[concat('ADMINUSER=',parameters('linuxAdminUsername'),' ETCD_DOWNLOAD_URL=',parameters('etcdDownloadURLBase'),' ETCD_VERSION=',parameters('etcdVersion'),' CONTAINERD_VERSION=',parameters('containerdVersion'),' MOBY_VERSION=',parameters('mobyVersion'),' DOCKER_ENGINE_REPO=',parameters('dockerEngineDownloadRepo'),' TENANT_ID=',variables('tenantID'),' KUBERNETES_VERSION={{.OrchestratorProfile.OrchestratorVersion}} HYPERKUBE_URL=',parameters('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',parameters('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',parameters('clientPrivateKey'),' TARGET_ENVIRONMENT=',parameters('targetEnvironment'),' NETWORK_PLUGIN=',parameters('networkPlugin'),' NETWORK_POLICY=',parameters('networkPolicy'),' VNET_CNI_PLUGINS_URL=',parameters('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',parameters('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',toLower(string(parameters('cloudproviderConfig').cloudProviderBackoff)),' CLOUDPROVIDER_BACKOFF_RETRIES=',parameters('cloudproviderConfig').cloudProviderBackoffRetries,' CLOUDPROVIDER_BACKOFF_EXPONENT=',parameters('cloudproviderConfig').cloudProviderBackoffExponent,' CLOUDPROVIDER_BACKOFF_DURATION=',parameters('cloudproviderConfig').cloudProviderBackoffDuration,' CLOUDPROVIDER_BACKOFF_JITTER=',parameters('cloudproviderConfig').cloudProviderBackoffJitter,' CLOUDPROVIDER_RATELIMIT=',toLower(string(parameters('cloudproviderConfig').cloudProviderRatelimit)),' CLOUDPROVIDER_RATELIMIT_QPS=',parameters('cloudproviderConfig').cloudProviderRatelimitQPS,' CLOUDPROVIDER_RATELIMIT_BUCKET=',parameters('cloudproviderConfig').cloudProviderRatelimitBucket,' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USER_ASSIGNED_IDENTITY_ID=',variables('userAssignedClientID'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' LOAD_BALANCER_SKU=',variables('loadBalancerSku'),' EXCLUDE_MASTER_FROM_STANDARD_LB=',variables('excludeMasterFromStandardLB'),' MAXIMUM_LOADBALANCER_RULE_COUNT=',variables('maximumLoadBalancerRuleCount'),' CONTAINER_RUNTIME=',parameters('containerRuntime'),' CONTAINERD_DOWNLOAD_URL_BASE=',parameters('containerdDownloadURLBase'),' POD_INFRA_CONTAINER_SPEC=',parameters('kubernetesPodInfraContainerSpec'),' KMS_PROVIDER_VAULT_NAME=',variables('clusterKeyVaultName'),' IS_HOSTED_MASTER={{IsHostedMaster}} PRIVATE_AZURE_REGISTRY_SERVER=',parameters('privateAzureRegistryServer'))]", | |||
There was a problem hiding this comment.
This should have been separated by a comma. I'll fix this in another PR.
Reason for Change:
Add support to pull custom hyperkube image from private registry
Issue Fixed:
Fixes #271
This should also fix the broken cloud-provider-azure prow job as that uses ACR.
Requirements:
Notes:
cc @feiskyer