Open Stack

I had the following discussion with openstack-helm guys on their IRC channel during their ‘office hours’.

Our plan is to write up a SPEC for this in openstack-helm.


[10:48:56]  <GregWaines> hey there ... general question on the topic of interworking with a Docker Registry with authentication turned on

[10:49:07]  <GregWaines> Has anyone looked at how to extend the helm-toolkit function to support docker registry credentials ?

[10:49:22]  <GregWaines> e.g. we were thinking of adding an optional imagePullSecret entry in the serviceAccount template ?

[10:49:31]  <GregWaines> Although don't understand how we could put this in an 'optional' manner ?

[10:49:37]  <GregWaines> Any thoughts ?

 [11:30:29]  <srwilkers> hey GregWaines -- it could be handled as optional by wrapping that section of the template in a conditional.  we do that for other optional fields, like tolerations on daemonsets

[11:30:33]  <srwilkers> let me grab a link

[11:31:10]  <srwilkers> https://github.com/openstack/openstack-helm-infra/blob/master/fluent-logging/templates/daemonset-fluent-bit.yaml#L96-L98

[11:33:22]  <GregWaines> the other option we just experimented with ....

[11:33:49]  <GregWaines> if you ALWAYS put in the ImagePullSecret in the serviceAccount template ... with a well-known secret name

[11:34:18]  <GregWaines> then it appears that this STILL works with a Registry with noauth ....if the secret does not exist or even if the secret exists

[11:34:40]  <GregWaines> ... and then would also work with a Registry with auth turned on ... as long as the secret exists with the proper credentials

[11:35:08]  <GregWaines> would that be acceptable upstream ?

[11:35:37]  <GregWaines> i.e. would require no change to upstream operational model if using noauth Registry

[11:36:04]  <GregWaines> but if using a tokenAuth Registry ... would require that user first create that secret and then apply the helm charts

[11:51:18]  <GregWaines> srwilkers: we looked at doing something similar to your example .... but in the serviceAccount template, I think the only env variables that can be checked are from the specific helm chart ... and there really isn't a variable common across all helm charts that we could use

 [11:55:59]  <srwilkers> GregWaines: well, this would require adding something common across all charts to take advantage of.  ideally, this would start small (ie, create a helm-toolkit function, then added it to a chart as a RFC upstream), then once proved out it could be rolled out across the rest of the charts

[11:56:10]  <srwilkers> preferably, something under the current images: key in the charts probably

[11:59:06]  <GregWaines> srwilkers: k, thanks for your input ... we'll probably work on suggesting something upstream in a SPEC in the near future

[11:59:26]  <srwilkers> i think that might be the best way forward GregWaines :)

[11:59:43]  <srwilkers> let me know when you're ready to throw a spec up and want some eyes on it

[12:47:25]  <GregWaines> srwilkers: will do.

Greg.

From: Jean-Philippe Evrard <jean-philippe at evrard.me>
Date: Tuesday, January 29, 2019 at 3:22 AM
To: Greg Waines <Greg.Waines at windriver.com>, "openstack-discuss at lists.openstack.org" <openstack-discuss at lists.openstack.org>
Cc: "Wang, Jing (Angie)" <Angie.Wang at windriver.com>
Subject: Re: [openstack-helm] Support for Docker Registry with authentication turned on ?

On Tue, 2019-01-22 at 12:35 +0000, Waines, Greg wrote:
Hey ... We’re relatively new to openstack-helm.
We are trying to use the openstack-helm charts with a Docker Registry
that has token authentication turned on.
With the current charts, there does not seem to be a way to do this.
I.e. there is not an ‘imagePullSecrets’ in the defined
pods/containers or in the defined serviceAccounts .
Our thinking would be to add a default imagePullSecret to all of the
serviceAccounts defined in the openstack-helm serviceaccount
template.
OR is there another way to use openstack-helm charts with a Docker
Registry with authentication turned on ?
Any info is appreciated,
Greg / Angie / Jerry.

Hello,

Did you get an answer there?

Could you post it to the ML, please?

Regards,
Jean-Philippe Evrard (evrardjp)


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190129/68e001f2/attachment-0001.html>