[openstack-helm] Support for Docker Registry with authentication turned on ?
Waines, Greg
Greg.Waines at windriver.com
Tue Jan 29 13:49:36 UTC 2019
I had the following discussion with openstack-helm guys on their IRC channel during their ‘office hours’.
Our plan is to write up a SPEC for this in openstack-helm.
[10:48:56] <GregWaines> hey there ... general question on the topic of interworking with a Docker Registry with authentication turned on
[10:49:07] <GregWaines> Has anyone looked at how to extend the helm-toolkit function to support docker registry credentials ?
[10:49:22] <GregWaines> e.g. we were thinking of adding an optional imagePullSecret entry in the serviceAccount template ?
[10:49:31] <GregWaines> Although don't understand how we could put this in an 'optional' manner ?
[10:49:37] <GregWaines> Any thoughts ?
[11:30:29] <srwilkers> hey GregWaines -- it could be handled as optional by wrapping that section of the template in a conditional. we do that for other optional fields, like tolerations on daemonsets
[11:30:33] <srwilkers> let me grab a link
[11:31:10] <srwilkers> https://github.com/openstack/openstack-helm-infra/blob/master/fluent-logging/templates/daemonset-fluent-bit.yaml#L96-L98
[11:33:22] <GregWaines> the other option we just experimented with ....
[11:33:49] <GregWaines> if you ALWAYS put in the ImagePullSecret in the serviceAccount template ... with a well-known secret name
[11:34:18] <GregWaines> then it appears that this STILL works with a Registry with noauth ....if the secret does not exist or even if the secret exists
[11:34:40] <GregWaines> ... and then would also work with a Registry with auth turned on ... as long as the secret exists with the proper credentials
[11:35:08] <GregWaines> would that be acceptable upstream ?
[11:35:37] <GregWaines> i.e. would require no change to upstream operational model if using noauth Registry
[11:36:04] <GregWaines> but if using a tokenAuth Registry ... would require that user first create that secret and then apply the helm charts
[11:51:18] <GregWaines> srwilkers: we looked at doing something similar to your example .... but in the serviceAccount template, I think the only env variables that can be checked are from the specific helm chart ... and there really isn't a variable common across all helm charts that we could use
[11:55:59] <srwilkers> GregWaines: well, this would require adding something common across all charts to take advantage of. ideally, this would start small (ie, create a helm-toolkit function, then add it to a chart as an RFC upstream), then once proved out it could be rolled out across the rest of the charts
[11:56:10] <srwilkers> preferably, something under the current images: key in the charts probably
[11:59:06] <GregWaines> srwilkers: k, thanks for your input ... we'll probably work on suggesting something upstream in a SPEC in the near future
[11:59:26] <srwilkers> i think that might be the best way forward GregWaines :)
[11:59:43] <srwilkers> let me know when you're ready to throw a spec up and want some eyes on it
[12:47:25] <GregWaines> srwilkers: will do.
Greg.
From: Jean-Philippe Evrard <jean-philippe at evrard.me>
Date: Tuesday, January 29, 2019 at 3:22 AM
To: Greg Waines <Greg.Waines at windriver.com>, "openstack-discuss at lists.openstack.org" <openstack-discuss at lists.openstack.org>
Cc: "Wang, Jing (Angie)" <Angie.Wang at windriver.com>
Subject: Re: [openstack-helm] Support for Docker Registry with authentication turned on ?
On Tue, 2019-01-22 at 12:35 +0000, Waines, Greg wrote:
> Hey ... We’re relatively new to openstack-helm.
> We are trying to use the openstack-helm charts with a Docker Registry
> that has token authentication turned on.
> With the current charts, there does not seem to be a way to do this.
> I.e. there is not an ‘imagePullSecrets’ in the defined
> pods/containers or in the defined serviceAccounts.
> Our thinking would be to add a default imagePullSecret to all of the
> serviceAccounts defined in the openstack-helm serviceaccount
> template.
> OR is there another way to use openstack-helm charts with a Docker
> Registry with authentication turned on ?
> Any info is appreciated,
> Greg / Angie / Jerry.
Hello,
Did you get an answer there?
Could you post it to the ML, please?
Regards,
Jean-Philippe Evrard (evrardjp)
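
Added example, not part of the thread and not openstack-helm code: a sketch of the "optional" approach discussed in the IRC log above, with the imagePullSecrets entry of a ServiceAccount wrapped in a conditional. The `images.pull_secret` values key, the file name and the `example-sa` name are assumptions made for illustration.

```yaml
# templates/serviceaccount.yaml  (hypothetical chart file)
#
# Assumed values.yaml layout (the pull_secret key is hypothetical; the chart
# must already define an images: map for the lookup below to resolve):
#   images:
#     pull_secret: ""   # empty: registry without auth, block below is omitted
#
# When pull_secret is set, a Secret of type kubernetes.io/dockerconfigjson
# with that name must exist in the same namespace as the ServiceAccount.
# Pods created with this ServiceAccount then inherit the imagePullSecrets
# entry, so individual pod templates need no change.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-sa                      # hypothetical name
  namespace: {{ .Release.Namespace }}
{{- if .Values.images.pull_secret }}
imagePullSecrets:
  - name: {{ .Values.images.pull_secret | quote }}
{{- end }}
```

Keeping the registry credentials in a Secret that is created separately, and referencing it only by name, keeps them out of values files and rendered manifests.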