Use deployed Pod's Pull Secrets to mirror its image #92
## [1.0.1](v1.0.0...v1.0.1) (2021-07-05)

### Bug Fixes

* **deps:** update module github.com/aws/aws-sdk-go to v1.38.47 ([estahn#70](https://github.com/DolevAlgam/k8s-image-swapper/issues/70)) ([4f30053](4f30053))
* **deps:** update module github.com/containers/image/v5 to v5.11.0 ([estahn#61](https://github.com/DolevAlgam/k8s-image-swapper/issues/61)) ([11d6d28](11d6d28))
* **deps:** update module github.com/dgraph-io/ristretto to v0.1.0 ([estahn#82](https://github.com/DolevAlgam/k8s-image-swapper/issues/82)) ([dff1cb1](dff1cb1))
* **deps:** update module github.com/rs/zerolog to v1.22.0 ([estahn#76](https://github.com/DolevAlgam/k8s-image-swapper/issues/76)) ([c098326](c098326))
* **deps:** update module github.com/rs/zerolog to v1.23.0 ([estahn#84](https://github.com/DolevAlgam/k8s-image-swapper/issues/84)) ([607d5bb](607d5bb))
* **deps:** update module k8s.io/apimachinery to v0.21.1 ([estahn#79](https://github.com/DolevAlgam/k8s-image-swapper/issues/79)) ([aeeeffb](aeeeffb))
Let's start the tests? @estahn
Thank you for this contribution. Apologies it took me so long to review this.
After reviewing the PR I am worried about the added complexity and the performance impact of this change to the k8s-image-swapper and the Kubernetes API.
In this PR the Kubernetes client is initialised for every request and therefore removes any possibilities for caching.
Without caching there is an avoidable increase in load to the Kubernetes API.
The details are still vague, but here are some pointers secrets.go and lister.go.
In regards to the added complexity, I was wondering if the entire auth logic could be outsourced to skopeo via `--authfile`, `--src-authfile`, `--dest-authfile`.
This would reduce the change to fetching all image pull secrets, merging into a single file and passing it to skopeo.
That would also remove the need for looping over the `authTokens` until one is successful.
Credential merging also seems to be default behaviour of Kubernetes:
> You can use this in conjunction with a per-node .docker/config.json. The credentials will be merged.

Source: https://kubernetes.io/docs/concepts/containers/images/
The only disadvantage I see is the IO to the filesystem for creating these files.
Happy to discuss!
`var registryAliases map[string]string = map[string]string{"docker.io": "https://index.docker.io/v1/"}`

`secretsClient, err := configSecretsClient(namespace)`
This looks like the Kubernetes client is initialized on each request. I'm not sure how much of an issue this is in regards to performance/caching/... etc.
It's possible to create a tmpfs with a memory-backed filesystem:
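As an added example, not code from this PR or from k8s-image-swapper, here is a Go sketch of the approach proposed in the review above: fold every `imagePullSecret` into one auth file, write it with restrictive permissions into a directory the operator can back with memory (the tmpfs point raised just above), and hand it to skopeo via `--src-authfile` instead of looping over tokens until one works. It goes slightly beyond the review by also accepting the legacy `kubernetes.io/dockercfg` secret type and by normalising the Docker Hub alias that `registryAliases` maps. The type and function names (`PullSecret`, `MergePullSecrets`, `WriteAuthFile`, `SkopeoCopyArgs`) and the sample secrets are assumptions; the sample credentials are constructed and not real.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// authEntry is one registry credential in a docker-style auth file.
type authEntry struct {
	Auth     string `json:"auth,omitempty"`
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
}

// AuthFile is the {"auths": {...}} document skopeo reads via --authfile.
type AuthFile struct {
	Auths map[string]authEntry `json:"auths"`
}

// PullSecret (hypothetical) mirrors the part of a Kubernetes Secret needed here:
// its type and decoded data (client-go already base64-decodes Secret.Data).
type PullSecret struct {
	Name string
	Type string            // "kubernetes.io/dockerconfigjson" or "kubernetes.io/dockercfg"
	Data map[string][]byte // keyed ".dockerconfigjson" or ".dockercfg"
}

// NormalizeRegistry strips scheme and path and maps Docker Hub aliases to one key,
// so "https://index.docker.io/v1/" and "docker.io" merge into a single entry.
// Assumption: the consumer (skopeo) matches auth-file keys by hostname.
func NormalizeRegistry(reg string) string {
	r := strings.TrimSpace(reg)
	r = strings.TrimPrefix(r, "https://")
	r = strings.TrimPrefix(r, "http://")
	if i := strings.IndexByte(r, '/'); i >= 0 {
		r = r[:i]
	}
	if r == "docker.io" || r == "registry-1.docker.io" {
		return "index.docker.io"
	}
	return r
}

// decodeSecret returns the registry -> credential map held by one pull secret.
func decodeSecret(s PullSecret) (map[string]authEntry, error) {
	switch s.Type {
	case "kubernetes.io/dockerconfigjson":
		var af AuthFile
		if err := json.Unmarshal(s.Data[".dockerconfigjson"], &af); err != nil {
			return nil, fmt.Errorf("secret %s: %w", s.Name, err)
		}
		return af.Auths, nil
	case "kubernetes.io/dockercfg": // legacy layout: the registry map is the top level
		var auths map[string]authEntry
		if err := json.Unmarshal(s.Data[".dockercfg"], &auths); err != nil {
			return nil, fmt.Errorf("secret %s: %w", s.Name, err)
		}
		return auths, nil
	}
	return nil, fmt.Errorf("secret %s: unsupported type %q", s.Name, s.Type)
}

// MergePullSecrets folds every imagePullSecret into one auth file. The first
// secret listed wins on a registry conflict (a design choice, matching pod order),
// and each entry is reduced to the "auth" field so plaintext username/password
// pairs are encoded before anything touches the filesystem.
func MergePullSecrets(secrets []PullSecret) (AuthFile, error) {
	out := AuthFile{Auths: map[string]authEntry{}}
	for _, s := range secrets {
		auths, err := decodeSecret(s)
		if err != nil {
			return AuthFile{}, err
		}
		for reg, e := range auths {
			key := NormalizeRegistry(reg)
			if _, exists := out.Auths[key]; exists {
				continue
			}
			if e.Auth == "" && e.Username != "" {
				e.Auth = base64.StdEncoding.EncodeToString([]byte(e.Username + ":" + e.Password))
			}
			if e.Auth == "" {
				continue // nothing usable for this registry
			}
			out.Auths[key] = authEntry{Auth: e.Auth}
		}
	}
	return out, nil
}

// WriteAuthFile stores the merged file with 0600 permissions in a fresh private
// directory under dir; point dir at a memory-backed mount (e.g. an emptyDir with
// medium: Memory) to avoid disk IO. The caller must remove it after skopeo exits.
func WriteAuthFile(dir string, af AuthFile) (string, error) {
	tmp, err := os.MkdirTemp(dir, "pullsecrets-")
	if err != nil {
		return "", err
	}
	data, err := json.Marshal(af)
	if err != nil {
		return "", err
	}
	path := filepath.Join(tmp, "auth.json")
	return path, os.WriteFile(path, data, 0o600)
}

// SkopeoCopyArgs builds the argv for a mirror that uses the merged file only on
// the source side; the destination registry keeps its own credentials.
func SkopeoCopyArgs(authFile, src, dst string) []string {
	return []string{"skopeo", "copy", "--src-authfile", authFile, "docker://" + src, "docker://" + dst}
}

// Registries lists merged keys in stable order, safe to log (keys, never credentials).
func Registries(af AuthFile) []string {
	keys := make([]string, 0, len(af.Auths))
	for k := range af.Auths {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// SampleSecrets returns constructed test data; the credentials are not real.
func SampleSecrets() []PullSecret {
	return []PullSecret{
		{Name: "hub", Type: "kubernetes.io/dockerconfigjson", Data: map[string][]byte{
			".dockerconfigjson": []byte(`{"auths":{"https://index.docker.io/v1/":{"auth":"YWxpY2U6aHVudGVyMg=="}}}`)}},
		{Name: "legacy", Type: "kubernetes.io/dockercfg", Data: map[string][]byte{
			".dockercfg": []byte(`{"docker.io":{"auth":"Ym9iOmR1cGxpY2F0ZQ=="},"ghcr.io":{"username":"carol","password":"s3cret"}}`)}},
	}
}

func main() {
	af, err := MergePullSecrets(SampleSecrets())
	if err != nil {
		panic(err)
	}
	path, err := WriteAuthFile(os.TempDir(), af)
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(filepath.Dir(path)) // credentials must not outlive the copy
	fmt.Println(Registries(af))
	fmt.Println(SkopeoCopyArgs(path, "docker.io/library/nginx:1.21", "mirror.example.com/library/nginx:1.21"))
}
```

In the webhook itself the `[]PullSecret` slice would come from a cached lister rather than a client built per request, as the review asks; the merge step is independent of how the secrets are fetched. Removing the directory in a `defer` right after skopeo returns keeps the credential window as short as the copy itself.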
Add support for pulling images from sources requiring authentication. The feature adheres to `imagePullSecrets` in `Pod`s and `ServiceAccount`s. Loosely based on some of @DolevAlgam's work in #92 fixes #19
# [1.1.0-alpha.1](v1.0.0...v1.1.0-alpha.1) (2021-09-30)

### Bug Fixes

* provide log record for ImageSwapPolicyExists ([179da70](179da70))
* timeout for ECR client ([26bdc10](26bdc10))
* **deps:** update module github.com/alitto/pond to v1.5.1 ([504e2dd](504e2dd))
* **deps:** update module github.com/aws/aws-sdk-go to v1.38.47 ([#70](#70)) ([4f30053](4f30053))
* **deps:** update module github.com/aws/aws-sdk-go to v1.40.43 ([266ef01](266ef01))
* **deps:** update module github.com/containers/image/v5 to v5.11.0 ([#61](#61)) ([11d6d28](11d6d28))
* **deps:** update module github.com/containers/image/v5 to v5.16.0 ([5230b91](5230b91))
* **deps:** update module github.com/dgraph-io/ristretto to v0.1.0 ([#82](#82)) ([dff1cb1](dff1cb1))
* **deps:** update module github.com/go-co-op/gocron to v1.9.0 ([c0e9f11](c0e9f11))
* **deps:** update module github.com/rs/zerolog to v1.22.0 ([#76](#76)) ([c098326](c098326))
* **deps:** update module github.com/rs/zerolog to v1.23.0 ([#84](#84)) ([607d5bb](607d5bb))
* **deps:** update module github.com/rs/zerolog to v1.25.0 ([72822f4](72822f4))
* **deps:** update module github.com/slok/kubewebhook to v2 ([8bd73d4](8bd73d4))
* **deps:** update module github.com/spf13/cobra to v1.2.1 ([ea1e787](ea1e787))
* **deps:** update module github.com/spf13/viper to v1.8.1 ([8a055a2](8a055a2))
* **deps:** update module k8s.io/api to v0.22.1 ([ab6d898](ab6d898))
* **deps:** update module k8s.io/apimachinery to v0.21.1 ([#79](#79)) ([aeeeffb](aeeeffb))
* **deps:** update module k8s.io/apimachinery to v0.22.2 ([ef72c66](ef72c66))

### Features

* Support for imagePullSecrets ([#112](#112)) ([2d8cf77](2d8cf77)), closes [#92](#92) [#19](#19)
# [1.1.0](v1.0.0...v1.1.0) (2021-10-02)

### Bug Fixes

* provide log record for ImageSwapPolicyExists ([179da70](179da70))
* timeout for ECR client ([26bdc10](26bdc10))
* **deps:** update module github.com/alitto/pond to v1.5.1 ([504e2dd](504e2dd))
* **deps:** update module github.com/aws/aws-sdk-go to v1.38.47 ([#70](#70)) ([4f30053](4f30053))
* **deps:** update module github.com/aws/aws-sdk-go to v1.40.43 ([266ef01](266ef01))
* **deps:** update module github.com/containers/image/v5 to v5.11.0 ([#61](#61)) ([11d6d28](11d6d28))
* **deps:** update module github.com/containers/image/v5 to v5.16.0 ([5230b91](5230b91))
* **deps:** update module github.com/dgraph-io/ristretto to v0.1.0 ([#82](#82)) ([dff1cb1](dff1cb1))
* **deps:** update module github.com/go-co-op/gocron to v1.9.0 ([c0e9f11](c0e9f11))
* **deps:** update module github.com/rs/zerolog to v1.22.0 ([#76](#76)) ([c098326](c098326))
* **deps:** update module github.com/rs/zerolog to v1.23.0 ([#84](#84)) ([607d5bb](607d5bb))
* **deps:** update module github.com/rs/zerolog to v1.25.0 ([72822f4](72822f4))
* **deps:** update module github.com/slok/kubewebhook to v2 ([8bd73d4](8bd73d4))
* **deps:** update module github.com/spf13/cobra to v1.2.1 ([ea1e787](ea1e787))
* **deps:** update module github.com/spf13/viper to v1.8.1 ([8a055a2](8a055a2))
* **deps:** update module k8s.io/api to v0.22.1 ([ab6d898](ab6d898))
* **deps:** update module k8s.io/apimachinery to v0.21.1 ([#79](#79)) ([aeeeffb](aeeeffb))
* **deps:** update module k8s.io/apimachinery to v0.22.2 ([ef72c66](ef72c66))

### Features

* Support for imagePullSecrets ([#112](#112)) ([2d8cf77](2d8cf77)), closes [#92](#92) [#19](#19)
* Support for pod.spec.initContainers ([#118](#118)) ([725ff2c](725ff2c)), closes [#73](#73) [#96](#96)
This PR will allow k8s-image-swapper to mirror and swap private images, as discussed at #19 .
The user may supply a pod with as many `imagePullSecrets` as they wish, and the image-swapper will use those secrets as source credentials to pull the image (provided it was given sufficient permissions to access said secrets).
Please raise as many concerns and pointers as you wish.
Thank You.