Use deployed Pod's Pull Secrets to mirror its image #92

Closed
wants to merge 18 commits into from

@DolevAlgam DolevAlgam commented Jul 8, 2021

This PR will allow k8s-image-swapper to mirror and swap private images, as discussed in #19.
The user may supply a pod with as many ImagePullSecrets as he/she wishes, and the image-swapper will use those secrets as source credentials to pull the image (provided it was given sufficient permissions to access said secrets).

Please raise as many concerns and pointers as you wish.
Thank You.

Dolev Algam and others added 13 commits July 4, 2021 17:57
## [1.0.1](v1.0.0...v1.0.1) (2021-07-05)

### Bug Fixes

* **deps:** update module github.com/aws/aws-sdk-go to v1.38.47 ([estahn#70](https://github.com/DolevAlgam/k8s-image-swapper/issues/70)) ([4f30053](4f30053))
* **deps:** update module github.com/containers/image/v5 to v5.11.0 ([estahn#61](https://github.com/DolevAlgam/k8s-image-swapper/issues/61)) ([11d6d28](11d6d28))
* **deps:** update module github.com/dgraph-io/ristretto to v0.1.0 ([estahn#82](https://github.com/DolevAlgam/k8s-image-swapper/issues/82)) ([dff1cb1](dff1cb1))
* **deps:** update module github.com/rs/zerolog to v1.22.0 ([estahn#76](https://github.com/DolevAlgam/k8s-image-swapper/issues/76)) ([c098326](c098326))
* **deps:** update module github.com/rs/zerolog to v1.23.0 ([estahn#84](https://github.com/DolevAlgam/k8s-image-swapper/issues/84)) ([607d5bb](607d5bb))
* **deps:** update module k8s.io/apimachinery to v0.21.1 ([estahn#79](https://github.com/DolevAlgam/k8s-image-swapper/issues/79)) ([aeeeffb](aeeeffb))
@DolevAlgam DolevAlgam marked this pull request as ready for review July 8, 2021 16:04
@DolevAlgam DolevAlgam mentioned this pull request Jul 8, 2021
@DolevAlgam (Author)

Let's start the tests? @estahn

@estahn estahn left a comment

Thank you for this contribution. Apologies it took me so long to review this.

After reviewing the PR I am worried about the added complexity and the performance impact of this change to the k8s-image-swapper and the Kubernetes API.

In this PR the Kubernetes client is initialised for every request, which removes any possibility of caching.
Without caching there is an avoidable increase in load on the Kubernetes API.
The details are still vague, but here are some pointers: secrets.go and lister.go.

In regards to the added complexity, I was wondering if the entire auth logic could be outsourced to skopeo via --authfile, --src-authfile, --dest-authfile.

This would reduce the change to fetching all image pull secrets, merging into a single file and passing it to skopeo.
That would also remove the need for looping over the authTokens until one is successful.

Credential merging also seems to be default behaviour of Kubernetes:

You can use this in conjunction with a per-node .docker/config.json. The credentials will be merged.

Source: https://kubernetes.io/docs/concepts/containers/images/

The only disadvantage I see is the IO to the filesystem for creating these files.

Happy to discuss!


var registryAliases map[string]string = map[string]string{"docker.io": "https://index.docker.io/v1/"}

secretsClient, err := configSecretsClient(namespace)
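Review bot: registryAliases maps only the literal host docker.io, so an image referenced as index.docker.io/... or a secret whose auths entry is keyed under plain docker.io (rather than https://index.docker.io/v1/) will miss the lookup; run both the image reference host and each secret's auths keys through the same normalisation and add index.docker.io to the table. Since configSecretsClient(namespace) sits on the per-request path, a client is also built for every admission request; construct it once at startup and pass it in.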
@estahn (Owner)

This looks like the Kubernetes client is initialized on each request. I'm not sure how much of an issue this is in regards to performance/caching/... etc.
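The "fetch all image pull secrets, merge into a single file, pass it to skopeo" approach discussed in the review above, as an added example that is not code from k8s-image-swapper or from either commenter. It assumes the decoded `.dockerconfigjson` payloads of the pod's imagePullSecrets have already been fetched, that the first listed secret wins when two secrets cover the same registry (Kubernetes does not document an order, so this is a choice of the example), and that the output directory is the tmpfs mount; the registry hosts, credentials and image references are constructed for illustration.

```go
// Added example (not k8s-image-swapper code): merge the .dockerconfigjson
// payloads of a pod's imagePullSecrets into one auth file for skopeo's
// --src-authfile. Secret contents and registry hosts are constructed.
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// dockerAuth is one entry of the "auths" map in .dockerconfigjson / auth.json.
type dockerAuth struct {
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
	Auth     string `json:"auth,omitempty"` // base64("user:pass")
}

type dockerConfig struct {
	Auths map[string]dockerAuth `json:"auths"`
}

// registryAliases maps Docker Hub hosts as they appear in image references or
// secret keys to the key Docker Hub credentials are conventionally stored under.
var registryAliases = map[string]string{
	"docker.io":       "https://index.docker.io/v1/",
	"index.docker.io": "https://index.docker.io/v1/",
}

// normalizeRegistry strips scheme and path from an auths key and applies the
// alias table, so "docker.io", "index.docker.io" and the legacy URL collapse.
func normalizeRegistry(key string) string {
	k := strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
	if i := strings.Index(k, "/"); i >= 0 {
		k = k[:i]
	}
	if a, ok := registryAliases[k]; ok {
		return a
	}
	return k
}

// mergePullSecrets merges the auths maps of several decoded .dockerconfigjson
// payloads. The first secret listed wins on a registry conflict (assumption
// of this example). username/password entries are rewritten to the "auth"
// form, so the output only ever contains one credential shape.
func mergePullSecrets(secrets [][]byte) (*dockerConfig, error) {
	merged := &dockerConfig{Auths: map[string]dockerAuth{}}
	for i, raw := range secrets {
		var cfg dockerConfig
		if err := json.Unmarshal(raw, &cfg); err != nil {
			return nil, fmt.Errorf("secret %d: invalid .dockerconfigjson: %w", i, err)
		}
		for reg, a := range cfg.Auths {
			key := normalizeRegistry(reg)
			if _, exists := merged.Auths[key]; exists {
				continue // an earlier secret already covers this registry
			}
			if a.Auth == "" {
				if a.Username == "" || a.Password == "" {
					return nil, fmt.Errorf("secret %d: entry %q has no usable credential", i, reg)
				}
				a.Auth = base64.StdEncoding.EncodeToString([]byte(a.Username + ":" + a.Password))
			}
			merged.Auths[key] = dockerAuth{Auth: a.Auth}
		}
	}
	return merged, nil
}

// writeAuthFile writes the merged config into dir (meant to be the
// emptyDir{medium: Memory} mount, so credentials never touch disk) and
// returns the path plus the skopeo arguments that consume it.
// os.CreateTemp opens the file with mode 0600.
func writeAuthFile(dir string, cfg *dockerConfig, src, dst string) (string, []string, error) {
	data, err := json.Marshal(cfg)
	if err != nil {
		return "", nil, err
	}
	f, err := os.CreateTemp(dir, "auth-*.json")
	if err != nil {
		return "", nil, err
	}
	path := f.Name()
	if _, err := f.Write(data); err != nil {
		f.Close()
		os.Remove(path)
		return "", nil, err
	}
	if err := f.Close(); err != nil {
		os.Remove(path)
		return "", nil, err
	}
	return path, []string{"copy", "--src-authfile", path, "docker://" + src, "docker://" + dst}, nil
}

func main() {
	// Constructed payloads: decoded data[".dockerconfigjson"] of three secrets.
	// The third repeats Docker Hub under another alias and is skipped.
	secrets := [][]byte{
		[]byte(`{"auths":{"https://index.docker.io/v1/":{"username":"hubuser","password":"hubpass"}}}`),
		[]byte(`{"auths":{"123456789012.dkr.ecr.eu-west-1.amazonaws.com":{"auth":"QVdTOnRva2Vu"}}}`),
		[]byte(`{"auths":{"docker.io":{"auth":"b3RoZXI6c2VjcmV0"}}}`),
	}
	cfg, err := mergePullSecrets(secrets)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// os.TempDir() stands in for the tmpfs mount of a real deployment.
	path, args, err := writeAuthFile(os.TempDir(), cfg,
		"docker.io/library/nginx:1.21",
		"123456789012.dkr.ecr.eu-west-1.amazonaws.com/docker.io/library/nginx:1.21")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.Remove(path) // drop the credential file as soon as skopeo has run
	fmt.Println("skopeo", strings.Join(args, " "))
}
```

The Docker Hub entry is stored under `https://index.docker.io/v1/`, the key `kubectl create secret docker-registry` writes by default and one containers/image (and therefore skopeo) accepts for docker.io references. The file is created 0600 and removed after the copy, so the window in which a merged credential set exists is the lifetime of one skopeo invocation.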

estahn commented Sep 15, 2021

The only disadvantage I see is the IO to the filesystem for creating these files.

It's possible to create a tmpfs with a memory-backed filesystem:

However, if you set the emptyDir.medium field to "Memory", Kubernetes mounts a tmpfs (RAM-backed filesystem) for you instead.
https://kubernetes.io/docs/concepts/storage/volumes/
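The RAM-backed scratch volume referred to above, as an added example manifest that is not one shipped by k8s-image-swapper; the mount path /run/authfiles, the sizeLimit and the image name are assumptions.

```yaml
# Added example (not a k8s-image-swapper manifest): tmpfs scratch space for
# the merged auth file. Mount path, sizeLimit and image are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: k8s-image-swapper
spec:
  containers:
    - name: k8s-image-swapper
      image: k8s-image-swapper   # placeholder, not the project's published image reference
      securityContext:
        readOnlyRootFilesystem: true   # the tmpfs mount is the only writable path
      volumeMounts:
        - name: authfiles
          mountPath: /run/authfiles
  volumes:
    - name: authfiles
      emptyDir:
        medium: Memory   # RAM-backed tmpfs, per the volumes documentation quoted above
        sizeLimit: 1Mi   # auth files are tiny; cap memory use regardless
```

With readOnlyRootFilesystem set, a merged auth file cannot be written to the container's disk-backed layers by mistake, and the tmpfs contents vanish with the pod.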

estahn added a commit that referenced this pull request Sep 24, 2021
Add support for pulling images from sources requiring authentication.
The feature adheres to `imagePullSecrets` in `Pod`s and `ServiceAccount`s.

Loosely based on some of @DolevAlgam's work in #92

fixes #19
estahn added a commit that referenced this pull request Sep 28, 2021
Add support for pulling images from sources requiring authentication.
The feature adheres to imagePullSecrets in Pods and ServiceAccounts.

Loosely based on some of @DolevAlgam's work in #92

fixes #19
@estahn estahn closed this Sep 28, 2021
github-actions bot pushed a commit that referenced this pull request Sep 30, 2021
# [1.1.0-alpha.1](v1.0.0...v1.1.0-alpha.1) (2021-09-30)

### Bug Fixes

* provide log record for ImageSwapPolicyExists ([179da70](179da70))
* timeout for ECR client ([26bdc10](26bdc10))
* **deps:** update module github.com/alitto/pond to v1.5.1 ([504e2dd](504e2dd))
* **deps:** update module github.com/aws/aws-sdk-go to v1.38.47 ([#70](#70)) ([4f30053](4f30053))
* **deps:** update module github.com/aws/aws-sdk-go to v1.40.43 ([266ef01](266ef01))
* **deps:** update module github.com/containers/image/v5 to v5.11.0 ([#61](#61)) ([11d6d28](11d6d28))
* **deps:** update module github.com/containers/image/v5 to v5.16.0 ([5230b91](5230b91))
* **deps:** update module github.com/dgraph-io/ristretto to v0.1.0 ([#82](#82)) ([dff1cb1](dff1cb1))
* **deps:** update module github.com/go-co-op/gocron to v1.9.0 ([c0e9f11](c0e9f11))
* **deps:** update module github.com/rs/zerolog to v1.22.0 ([#76](#76)) ([c098326](c098326))
* **deps:** update module github.com/rs/zerolog to v1.23.0 ([#84](#84)) ([607d5bb](607d5bb))
* **deps:** update module github.com/rs/zerolog to v1.25.0 ([72822f4](72822f4))
* **deps:** update module github.com/slok/kubewebhook to v2 ([8bd73d4](8bd73d4))
* **deps:** update module github.com/spf13/cobra to v1.2.1 ([ea1e787](ea1e787))
* **deps:** update module github.com/spf13/viper to v1.8.1 ([8a055a2](8a055a2))
* **deps:** update module k8s.io/api to v0.22.1 ([ab6d898](ab6d898))
* **deps:** update module k8s.io/apimachinery to v0.21.1 ([#79](#79)) ([aeeeffb](aeeeffb))
* **deps:** update module k8s.io/apimachinery to v0.22.2 ([ef72c66](ef72c66))

### Features

* Support for imagePullSecrets ([#112](#112)) ([2d8cf77](2d8cf77)), closes [#92](#92) [#19](#19)
estahn pushed a commit that referenced this pull request Oct 2, 2021
# [1.1.0-alpha.1](v1.0.0...v1.1.0-alpha.1) (2021-09-30)
github-actions bot pushed a commit that referenced this pull request Oct 2, 2021
# [1.1.0](v1.0.0...v1.1.0) (2021-10-02)

### Bug Fixes

* provide log record for ImageSwapPolicyExists ([179da70](179da70))
* timeout for ECR client ([26bdc10](26bdc10))
* **deps:** update module github.com/alitto/pond to v1.5.1 ([504e2dd](504e2dd))
* **deps:** update module github.com/aws/aws-sdk-go to v1.38.47 ([#70](#70)) ([4f30053](4f30053))
* **deps:** update module github.com/aws/aws-sdk-go to v1.40.43 ([266ef01](266ef01))
* **deps:** update module github.com/containers/image/v5 to v5.11.0 ([#61](#61)) ([11d6d28](11d6d28))
* **deps:** update module github.com/containers/image/v5 to v5.16.0 ([5230b91](5230b91))
* **deps:** update module github.com/dgraph-io/ristretto to v0.1.0 ([#82](#82)) ([dff1cb1](dff1cb1))
* **deps:** update module github.com/go-co-op/gocron to v1.9.0 ([c0e9f11](c0e9f11))
* **deps:** update module github.com/rs/zerolog to v1.22.0 ([#76](#76)) ([c098326](c098326))
* **deps:** update module github.com/rs/zerolog to v1.23.0 ([#84](#84)) ([607d5bb](607d5bb))
* **deps:** update module github.com/rs/zerolog to v1.25.0 ([72822f4](72822f4))
* **deps:** update module github.com/slok/kubewebhook to v2 ([8bd73d4](8bd73d4))
* **deps:** update module github.com/spf13/cobra to v1.2.1 ([ea1e787](ea1e787))
* **deps:** update module github.com/spf13/viper to v1.8.1 ([8a055a2](8a055a2))
* **deps:** update module k8s.io/api to v0.22.1 ([ab6d898](ab6d898))
* **deps:** update module k8s.io/apimachinery to v0.21.1 ([#79](#79)) ([aeeeffb](aeeeffb))
* **deps:** update module k8s.io/apimachinery to v0.22.2 ([ef72c66](ef72c66))

### Features

* Support for imagePullSecrets ([#112](#112)) ([2d8cf77](2d8cf77)), closes [#92](#92) [#19](#19)
* Support for pod.spec.initContainers ([#118](#118)) ([725ff2c](725ff2c)), closes [#73](#73) [#96](#96)