[PDSDNREQ-5899] Configure registry credentials (#184)

* Doc update * Update Installation.md * Podman login and pull * Artifacts... * check_paas fix * Improvements * Improvements * auth.json permissions Co-authored-by: shmo1218 <[email protected]>
Netcracker · Jul 7, 2022 · dbdfc6e · dbdfc6e
1 parent b07254a
commit dbdfc6e
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 3 deletions.
diff --git a/documentation/Installation.md b/documentation/Installation.md
@@ -2037,6 +2037,24 @@ services:
         - https://artifactory.example.com:5443
 ```
 
+When the registry requires an authentication, `containerdConfig` should be similar to the following:
+
+```yaml
+services:
+  cri:
+    containerRuntime: containerd
+    containerdConfig:
+      plugins."io.containerd.grpc.v1.cri".registry.configs."private-registry:5000".tls:
+        insecure_skip_verify: true
+      plugins."io.containerd.grpc.v1.cri".registry.configs."private-registry:5000".auth:
+        auth: "bmMtdXNlcjperfr="
+      plugins."io.containerd.grpc.v1.cri".registry.mirrors."private-registry:5000":
+        endpoint:
+        - https://private-registry:5000
+```
+
+Where, `auth: "bmMtdXNlcjperfr="` field is `username:password` string in base64 encoding.
+
 Note how `containerdConfig` section reflects the toml format structure.
 For more details on containerd configuration, refer to the official containerd configuration file documentation at [https://github.com/containerd/containerd/blob/main/docs/cri/config.md](https://github.com/containerd/containerd/blob/main/docs/cri/config.md).
 By default, the following parameters are used for `containerdConfig`:

diff --git a/kubemarine/cri/containerd.py b/kubemarine/cri/containerd.py
@@ -16,6 +16,7 @@
 
 import toml
 import yaml
+import json
 
 from distutils.util import strtobool
 from kubemarine import system, packages
@@ -77,6 +78,17 @@ def configure(group):
                     break
             if is_insecure:
                 insecure_registries.append(mirror)
+    # save 'auth.json' if there are credentials for registry
+    auth_registries = {"auths": {}}
+    if config_toml.get('plugins', {}).get('io.containerd.grpc.v1.cri', {}).get('registry', {}).get('configs'):
+        registry_configs = config_toml['plugins']['io.containerd.grpc.v1.cri']['registry']['configs']
+        for auth_registry in registry_configs:
+            auth_registries['auths'][auth_registry] = {}
+            if registry_configs[auth_registry].get('auth', {}).get('auth', ''):
+                auth_registries['auths'][auth_registry]['auth'] = registry_configs[auth_registry]['auth']['auth']
+        auth_json = json.dumps(auth_registries)
+        group.put(StringIO(auth_json), "/etc/containers/auth.json", backup=True, sudo=True)
+        group.sudo("chmod 600 /etc/containers/auth.json")
     if insecure_registries:
         log.debug("Uploading podman configuration...")
         podman_registries = f"[registries.insecure]\nregistries = {insecure_registries}\n"

diff --git a/kubemarine/procedures/check_paas.py b/kubemarine/procedures/check_paas.py
@@ -1034,6 +1034,7 @@ def kubernetes_admission_status(cluster):
         api_result = first_control_plane.sudo("cat /etc/kubernetes/manifests/kube-apiserver.yaml")
         api_conf = yaml.safe_load(list(api_result.values())[0].stdout)
         ext_args = [cmd for cmd in api_conf["spec"]["containers"][0]["command"]]                
+        admission_path = "" 
         for item in ext_args:
             if item.startswith("--"):
                 key = re.split('=',item)[0]

diff --git a/kubemarine/resources/scripts/etcdctl.sh b/kubemarine/resources/scripts/etcdctl.sh
@@ -69,10 +69,30 @@ if [ -n "${ETCD_POD_CONFIG}" ]; then
   fi
 
   if [ "$CONT_RUNTIME" == "podman" ]; then
-    podman pull ${ETCD_IMAGE} &> /dev/null
-    podman run --network=host --rm ${ETCD_MOUNTS} -e ETCDCTL_API=3 ${ETCD_IMAGE} etcdctl --cert=${ETCD_CERT} --key=${ETCD_KEY} --cacert=${ETCD_CA} "${USER_ARGS[@]}"
+    # Check if the registry needs authentication:
+    # Match the registry from etcd image with the list of registries that assume an athentication
+    REGISTRIES=$(cat /etc/containerd/config.toml | grep '\.auth\]' | sed 's/.\+configs\."\(.\+\)"\.auth\]/\1/')
+    ETCD_REGISTRY=$(echo ${ETCD_IMAGE} | cut -d "/" -f1)
+    IS_AUTH=$(echo "${REGISTRIES}" | grep ${ETCD_REGISTRY} | wc -l)
+    if [ $IS_AUTH -eq 1 ]; then
+      # Login into registries and pull image if the authentication file exists
+      export REGISTRY_AUTH_FILE=${REGISTRY_AUTH_FILE:-/etc/containers/auth.json}
+      if [ -e ${REGISTRY_AUTH_FILE} ]; then
+	podman login ${ETCD_REGISTRY} > /dev/null 2&>1
+	podman pull ${ETCD_IMAGE} > /dev/null 2&>1
+        podman run --network=host --rm ${ETCD_MOUNTS} -e ETCDCTL_API=3 ${ETCD_IMAGE} \
+		etcdctl --cert=${ETCD_CERT} --key=${ETCD_KEY} --cacert=${ETCD_CA} "${USER_ARGS[@]}"
+      else
+	exit 1
+      fi
+    else
+      podman pull ${ETCD_IMAGE} &> /dev/null
+      podman run --network=host --rm ${ETCD_MOUNTS} -e ETCDCTL_API=3 ${ETCD_IMAGE} \
+	    etcdctl --cert=${ETCD_CERT} --key=${ETCD_KEY} --cacert=${ETCD_CA} "${USER_ARGS[@]}"
+    fi
   else
-    docker run --rm ${ETCD_MOUNTS} -e ETCDCTL_API=3 ${ETCD_IMAGE} etcdctl --cert=${ETCD_CERT} --key=${ETCD_KEY} --cacert=${ETCD_CA} "${USER_ARGS[@]}"
+    docker run --rm ${ETCD_MOUNTS} -e ETCDCTL_API=3 ${ETCD_IMAGE} \
+	    etcdctl --cert=${ETCD_CERT} --key=${ETCD_KEY} --cacert=${ETCD_CA} "${USER_ARGS[@]}"
   fi
   exit $?
 fi