auth: allow specifying auth.json for guest-pull #1933
Kata introduced a flag to specify `image-registry-auth` which we can use in guest pull. Since our agent-configuration is mostly static and we want to avoid brittle templating, we provision the full kata-agent config from the CAA application like other config files.

If an auth secret is present in a CAA deployment, CAA will embed it in the agent config and provision it to the guest. The static agent-configuration has been removed and the configuration is pointing to `/run/peerpod/agent-config.toml` now, since it is a resource that changes at runtime.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
The code LGTM. I'm struggling to get it working locally, but I think it's just my environment that is going wrong as after I restarted from scratch I can't create any peer pods, so I'm happy to see this merged and then I'll test it out with the proper builds. Thanks for the work @mkulke!
Version = "0.0.0" | ||
SrcAuthfilePath = "/root/containers/auth.json" | ||
AgentConfigPath = "/run/peerpod/agent-config.toml" | ||
AuthFilePath = "/run/peerpod/auth.json" |
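Review bot: `AuthFilePath = "/run/peerpod/auth.json"` and `AgentConfigPath = "/run/peerpod/agent-config.toml"` name files that carry registry credentials (per the description, the auth secret is embedded in the agent config), but nothing in these lines says which mode they are written with. The code that writes both paths should create them with owner-only permissions (for example 0600), and a short comment next to the constants stating that they hold secrets would help future callers. Minor: `SrcAuthfilePath` and `AuthFilePath` differ in casing (`Authfile` vs `AuthFile`); pick one spelling.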
nit: Should these vars be prefixed with `Def`?
I opted to not call them DefaultSomething if they are hardcoded values that cannot be overridden.
I'm able to access the link that's failing in the CI. Looks like an infra issue
/lgtm
Since it passed the e2e checks, there shouldn't be a regression. I'll merge, let's hope it'll work in automated tests 🤞