Skip to content

Add authentication for private index images #1878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 3, 2020
Merged

Add authentication for private index images #1878

merged 1 commit into from
Dec 3, 2020

Conversation

anik120
Copy link
Contributor

@anik120 anik120 commented Nov 24, 2020
edited
Loading

Description of the change:

Closes #1536 #1505

This PR attaches the secrets in the spec.Secrets field of the
CatalogSource to the CatalogSource's service account in the
same namespace, to allow for pulling of index images that
are backed by authentication.

Motivation for the change:

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Docs updated or added to /docs
  • Commit messages sensible and descriptive

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 24, 2020
njhale
njhale requested changes Nov 25, 2020
View reviewed changes
Copy link
Member

@njhale njhale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @anik120 for picking this up.

Please see operator-framework/api#79 (comment) for my thoughts on the approach and an alternate solution.

@anik120 anik120 changed the title [WIP] Add authentication for private index images Add authentication for private index images Dec 1, 2020
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 1, 2020
kevinrizza
kevinrizza reviewed Dec 1, 2020
View reviewed changes
@exdx
Copy link
Member

exdx commented Dec 1, 2020

I think the implementation here looks good, if this is the way we choose to go.

The concern I raised in #1878 (comment) or as @ecordell put it

adding them [catalog secrets] to the [default] serviceaccount means that every pod using the default serviceaccount will need to rotate through the list of credentials in order to pull

is a valid concern. Is creating a per-catalog SA and using it too much of a change in behavior? It at least isolates the secrets a bit more.
/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 1, 2020
@anik120
Add authentication for private index images
f2ad0ee 
Fixes Issue operator-framework#1536 operator-framework#1505

This PR attaches the secrets in the spec.Secrets field of the
CatalogSource to the default service account in the CatalogSource's
namespace, to allow for pulling of index images that are backed
by authentication.
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Dec 2, 2020
@kevinrizza
Copy link
Member

/approve

@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anik120, kevinrizza

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 2, 2020
@anik120
Copy link
Contributor Author

anik120 commented Dec 2, 2020
edited
Loading

The concern I raised in #1878 (comment) or as @ecordell put it

adding them [catalog secrets] to the [default] serviceaccount means that every pod using the default serviceaccount will need to rotate through the list of credentials in order to pull

is a valid concern. Is creating a per-catalog SA and using it too much of a change in behavior? It at least isolates the secrets a bit more.

@exdx @ecordell updated the PR to use per catalog SA instead of the default SA. PTAL, thanks!

@exdx
Copy link
Member

exdx commented Dec 2, 2020
edited
Loading

/lgtm

per the docs

The service account has to exist at the time the pod is created, or it will be rejected.

So just to be clear, for the openshift default catalogs, those are still managed by the marketplace operator right? Those have their own authentication not based on SAs. So this change is for custom catalogs only.

I think this is good, once we get some good docs on the Secrets field and its use users will have an easier time with using private catalogs and their contents.

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 2, 2020
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

1 similar comment
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@anik120
Copy link
Contributor Author

anik120 commented Dec 3, 2020

/retest

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

1 similar comment
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit d701e9a into operator-framework:master Dec 3, 2020
@jianzhangbjz
Copy link
Contributor

/QE-approved

anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Jan 6, 2021
@anik120
Bug 1909992: Allow private bundle images within private indexes
82cebe1 
In operator-framework#1878, the secrets passed in `spec.secrets` field of a catalogsource
were attached to the catsrc's corresponding SA that was used by the registry
pod, thereby having access to the secrets. This allowed for pulling of
private index images. However, the job that unpacks the bundle images did
not have access to the secrets, and as a result private bundle image included
in the catsrc were not installable using the secrets.
This PR attaches the secrets from the catsrc to the job that unpacks the bundles,
thereby allowing the inclusion of private bundle images within index from private
indexes.
@anik120 anik120 mentioned this pull request Jan 6, 2021
Merged
5 tasks
@exdx exdx mentioned this pull request Apr 15, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kevinrizza kevinrizza kevinrizza left review comments

@exdx exdx exdx left review comments

@njhale njhale njhale requested changes

@dinhxuanvu dinhxuanvu Awaiting requested review from dinhxuanvu

Assignees

@exdx exdx

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

secret does not work with catalogsource
8 participants
@anik120 @exdx @kevinrizza @openshift-ci-robot @openshift-bot @jianzhangbjz @njhale @openshift-merge-robot