[credential provider] Add a flag mirrorMapping #6846
Conversation
| return image, "" | ||
| } | ||
|
|
||
| // processMirrorMapping input format: "--mirror-mapping=aaa:bbb,ccc:ddd" |
There was a problem hiding this comment.
Current logic takes aaa:ccc
There was a problem hiding this comment.
so this PR only supports one mirror mapping?
There was a problem hiding this comment.
No, it supports multiple.
Bin's question is how to handle two mappings with the same source registry. The logic is that the latter one takes effect.
8c0a9e2 to
3d563f5
Compare
cmd/acr-credential-provider/main.go
Outdated
| @@ -60,6 +63,9 @@ func main() { | |||
| logs.InitLogs() | |||
| defer logs.FlushLogs() | |||
|
|
|||
| // Flags | |||
| command.Flags().StringVarP(&mirrorMappingStr, "mirror-mapping", "m", "", "mirror mapping to use") | |||
There was a problem hiding this comment.
this flag value is defined after it's used in L50, then how could external user use defined flag to override this?
There was a problem hiding this comment.
I think as long as it is before command.Execute() then it is ok.
Please check the CCM code. You can see cmd is defined first, then flags.
| return image, "" | ||
| } | ||
|
|
||
| // processMirrorMapping input format: "--mirror-mapping=aaa:bbb,ccc:ddd" |
There was a problem hiding this comment.
so this PR only supports one mirror mapping?
| Username: username, | ||
| Password: password, | ||
| } | ||
| if sourceloginServer != "" { | ||
| response.Auth[sourceloginServer] = v1.AuthConfig{ |
There was a problem hiding this comment.
you will add auth for both sourceloginServer and targetloginServer, is that necessary?
There was a problem hiding this comment.
Yes. I think it does no harm, right.
There was a problem hiding this comment.
then you will use password pull the mcr image, not sure whether that has side effect, in this case, only targetloginServer needs password?
There was a problem hiding this comment.
When mirror mapping is used, in this case, sourceLoginServer is like MCR and targetloginServer is like ACR. So, it is the sourceloginServer needs password.
There was a problem hiding this comment.
mcr + acr auth is a MUST, additional auth should bring no hard.
kubelet will send mcr image + acr auth to containerd to pull mcr image, and containerd will mirror the mcr image to acr through registry host, and finally pull mcr image from acr server.
3d563f5 to
72952fe
Compare
| Username: username, | ||
| Password: password, | ||
| } | ||
| if sourceloginServer != "" { | ||
| response.Auth[sourceloginServer] = v1.AuthConfig{ |
There was a problem hiding this comment.
mcr + acr auth is a MUST, additional auth should bring no hard.
kubelet will send mcr image + acr auth to containerd to pull mcr image, and containerd will mirror the mcr image to acr through registry host, and finally pull mcr image from acr server.
|
|
||
| // processMirrorMapping input format: "--mirror-mapping=aaa:bbb,ccc:ddd" | ||
| // output format: map[string]string{"aaa": "bbb", "ccc": "ddd"} | ||
| func processMirrorMapping(mirrorMappingStr string) map[string]string { |
There was a problem hiding this comment.
nit, Maybe parseMirrorMapping to be specific, and to not conflict with other processXXX func.
cmd/acr-credential-provider/main.go
Outdated
| @@ -60,6 +63,9 @@ func main() { | |||
| logs.InitLogs() | |||
| defer logs.FlushLogs() | |||
|
|
|||
| // Flags | |||
| command.Flags().StringVarP(&mirrorMappingStr, "mirror-mapping", "m", "", "mirror mapping to use") | |||
There was a problem hiding this comment.
Please let's elaborate the flags. I did not see the detailed description of this flag anywhere else.
| command.Flags().StringVarP(&mirrorMappingStr, "mirror-mapping", "m", "", "mirror mapping to use") | |
| command.Flags().StringVarP(&mirrorMappingStr, "mirror-mapping", "m", "", "mirror mapping to mirror a source registry host to a target registry host, and image pull credentail will be requested to the target registry host when the image is from source registry host") |
There was a problem hiding this comment.
The name may be registry-mirror, since mirror is also the term used in containerd host namespace feature https://github.com/containerd/containerd/blob/main/docs/hosts.md#registry-host-namespace
72952fe to
ec05532
Compare
With registry mirror, e.g. --registry-mirror=mcr.microsoft.com:xxx.azurecr.io credential provider will return credentials of xxx.azurecr.io for mcr.microsoft.com. In this way, an image with URL prefix mcr.microsoft.com, but actually in xxx.azurecr.io, can be successfully pulled. Signed-off-by: Zhecheng Li <zhechengli@microsoft.com>
ec05532 to
b12bb67
Compare
|
Verified locally. SP and MSI work. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andyzhangx, lzhecheng The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cherrypick release-1.31 |
|
/cherrypick release-1.30 |
|
@lzhecheng: new pull request created: #7335 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@lzhecheng: new pull request created: #7336 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
[credential provider] Add a flag mirrorMapping. This flag is to mirror registry A to B when fetching credential.
Which issue(s) this PR fixes:
Fixes #6845
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: