From 791a41c20c5d3c72dee4aca31df817710a7d39b0 Mon Sep 17 00:00:00 2001 
From: "W. Trevor King" Date: Mon, 3 Dec 2018 00:01:40 -0800 Subject: [PATCH] pkg/asset/ignition/bootstrap: Add /root/.docker/config.json We already provide /opt/tectonic/manifests/pull.json with a Kubernetes secret that contains the auth JSON, but the new file has the auth JSON without any wrapping. This resolves issues with auth-protected update payloads [1]: [core@ip-10-0-10-189 ~]$ journalctl -n5 -u bootkube.service -- Logs begin at Mon 2018-12-03 06:54:37 UTC, end at Mon 2018-12-03 07:24:52 UTC. -- Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: Trying to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b...Failed Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: unable to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: unable to pull image: Error determining manifest MIME type for docker://quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: Error reading manifest sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b in quay.io/openshift-release-dev/ocp-v4.0: unauthorized: access to the requested resource is not authorized Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service: main process exited, code=exited, status=125/n/a Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: Unit bootkube.service entered failed state. Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service failed. I think the ~/.docker directory name is unfortunate, since we're not actually using Docker at all. But ~/.docker/config.json is an auth location shared by Podman [2], CRI-O [3], and the kubelet [4]. And it's the most generic on-disk location that will survive reboots (/run will not [5]). I've also renamed the manifest template variable to PullSecretBase64 to distinguish it from the unencoded PullSecret I'm adding to the bootstrap template parameters. 
These are different template parameter sets, but I think recycling the same name would be unnecessarily confusing. [1]: https://github.com/openshift/installer/pull/773#issuecomment-443621991 [2]: https://github.com/containers/libpod/blob/v0.11.1.1/docs/podman-pull.1.md#options [3]: https://github.com/kubernetes-sigs/cri-o/blob/master/vendor/github.com/containers/image/pkg/docker/config/config.go#L32 [4]: https://kubernetes.io/docs/concepts/containers/images/#configuring-nodes-to-authenticate-to-a-private-registry [5]: http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html#runPurpose
---
 data/data/bootstrap/files/root/.docker/config.json.template | 1 +
 data/data/manifests/bootkube/pull.yaml.template | 2 +-
 pkg/asset/ignition/bootstrap/bootstrap.go | 2 ++
 pkg/asset/manifests/operators.go | 2 +-
 pkg/asset/manifests/template.go | 2 +-
 5 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 data/data/bootstrap/files/root/.docker/config.json.template
diff --git a/data/data/bootstrap/files/root/.docker/config.json.template b/data/data/bootstrap/files/root/.docker/config.json.template
new file mode 100644
index 00000000000..a33d92da44a
--- /dev/null
+++ b/data/data/bootstrap/files/root/.docker/config.json.template
@@ -0,0 +1 @@
+{{.PullSecret}}
diff --git a/data/data/manifests/bootkube/pull.yaml.template b/data/data/manifests/bootkube/pull.yaml.template
index 980ba3ee35a..08ffd7bb452 100644
--- a/data/data/manifests/bootkube/pull.yaml.template
+++ b/data/data/manifests/bootkube/pull.yaml.template
@@ -7,6 +7,6 @@
 "name": "coreos-pull-secret"
 },
 "data": {
- ".dockerconfigjson": "{{.PullSecret}}"
+ ".dockerconfigjson": "{{.PullSecretBase64}}"
 }
 }
diff --git a/pkg/asset/ignition/bootstrap/bootstrap.go b/pkg/asset/ignition/bootstrap/bootstrap.go
index e52113cf6f3..b70d64f7d64 100644
--- a/pkg/asset/ignition/bootstrap/bootstrap.go
+++ b/pkg/asset/ignition/bootstrap/bootstrap.go
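Review bot: The new config.json.template writes the raw registry credential into /root/.docker/config.json, and nothing in this patch says what file mode Ignition will give it; if the files under data/data/bootstrap/files are all emitted with one default mode, confirm this one ends up owner-only (0600) and record that where the Ignition file entries are built, since the whole file is the auth secret. Because `{{.PullSecret}}` is substituted verbatim, the value must already be a complete JSON document; presumably install-config validation guarantees that, but a one-line template comment (`{{/* raw auth JSON from the install config, written as-is, so it must be valid JSON */}}`) would make the contract visible to the next maintainer. The pull.yaml hunk on this line is only the PullSecretBase64 rename and needs nothing further.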
@@ -40,6 +40,7 @@ type bootstrapTemplateData struct {
 EtcdCertSignerImage string
 EtcdCluster string
 EtcdctlImage string
+ PullSecret string
 ReleaseImage string
 AdminKubeConfigBase64 string
 }
@@ -148,6 +149,7 @@ func (a *Bootstrap) getTemplateData(installConfig *types.InstallConfig, adminKub
 return &bootstrapTemplateData{
 EtcdCertSignerImage: "quay.io/coreos/kube-etcd-signer-server:678cc8e6841e2121ebfdb6e2db568fce290b67d6",
 EtcdctlImage: "quay.io/coreos/etcd:v3.2.14",
+ PullSecret: installConfig.PullSecret,
 ReleaseImage: releaseImage,
 EtcdCluster: strings.Join(etcdEndpoints, ","),
 AdminKubeConfigBase64: base64.StdEncoding.EncodeToString(adminKubeConfig),
diff --git a/pkg/asset/manifests/operators.go b/pkg/asset/manifests/operators.go
index fa89ae974a9..e422d10fe24 100644
--- a/pkg/asset/manifests/operators.go
+++ b/pkg/asset/manifests/operators.go
@@ -150,7 +150,7 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 KubeCaKey: base64.StdEncoding.EncodeToString(kubeCA.Key()),
 McsTLSCert: base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
 McsTLSKey: base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
- PullSecret: base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
+ PullSecretBase64: base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
 RootCaCert: string(rootCA.Cert()),
 ServiceServingCaCert: base64.StdEncoding.EncodeToString(serviceServingCA.Cert()),
 ServiceServingCaKey: base64.StdEncoding.EncodeToString(serviceServingCA.Key()),
diff --git a/pkg/asset/manifests/template.go b/pkg/asset/manifests/template.go
index 71dbdefecd8..455cb5bd3f8 100644
--- a/pkg/asset/manifests/template.go
+++ b/pkg/asset/manifests/template.go
@@ -25,7 +25,7 @@ type bootkubeTemplateData struct {
 KubeCaKey string
 McsTLSCert string
 McsTLSKey string
- PullSecret string
+ PullSecretBase64 string
 RootCaCert string
 ServiceServingCaCert string
 ServiceServingCaKey string
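Review bot: The new `PullSecret string` field on bootstrapTemplateData carries a credential in the clear but has no comment distinguishing it from the base64 `PullSecretBase64` that the manifests side now uses; add `// PullSecret is the raw (not base64) registry auth JSON rendered into /root/.docker/config.json.` above it so the two parameter sets are not confused, which is the very confusion the commit message sets out to avoid. The same one-line comment, in its base64 form, belongs on `PullSecretBase64` in bootkubeTemplateData in the template.go hunk on this line. I don't see any logging of template data in the diff, but with a secret in the struct any `%+v` dump of it for debugging would now print the credential, so that is worth a check in the surrounding code. The `type bootstrapTemplateData struct {` line is hunk-header context, so the definition starts outside the hunk, and getTemplateData in the second bootstrap.go hunk also extends beyond it.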