New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix pull image error from multiple ACRs using azure managed identity #96355
Conversation
/kind bug |
/test pull-kubernetes-bazel-test |
/retest |
/hold cancel |
/retest |
/retest |
2 similar comments
/retest |
/retest |
/test pull-kubernetes-e2e-aks-engine-azure |
abee8b3
to
848516c
Compare
fix comments fix comment fix comments fix comments fix comments fix comments fix bazel
275d7ad
to
48ba883
Compare
/retest |
1 similar comment
/retest |
/test pull-kubernetes-e2e-azure-disk-windows |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/hold (in case @liggitt may want to review again)
/retest |
/retest |
// add ACR anonymous repo support: use empty username and password for anonymous access | ||
defaultConfigEntry := credentialprovider.DockerConfigEntry{ | ||
Username: "", | ||
Password: "", | ||
Email: dummyRegistryEmail, | ||
} | ||
cfg["*.azurecr.*"] = defaultConfigEntry |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in the case where we're returning a cache entry, this is modifying the shared cache object that was previously returned and can cause a data race.
Suggest making an addAnonymousCredentials(cfg)
method and calling it from getFromACR
when we're constructing a new cached credential set, and from the else block in Provide() when we're not using UseManagedIdentityExtension. That ensures we never modify a config after we've returned it from Provide()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @liggitt there is no shared cache object anymore, cfg
is a newly constructed object every time in Provide()
func, see line 253, I have removed the cacheDockerConfig
field in this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, I see, thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
// add ACR anonymous repo support: use empty username and password for anonymous access | ||
defaultConfigEntry := credentialprovider.DockerConfigEntry{ | ||
Username: "", | ||
Password: "", | ||
Email: dummyRegistryEmail, | ||
} | ||
cfg["*.azurecr.*"] = defaultConfigEntry |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, I see, thanks.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andyzhangx, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold cancel |
/hold cancel |
…6355-upstream-release-1.19 Automated cherry pick of #96355: fix pull image error from multiple ACRs using azure managed
…6355-upstream-release-1.17 Automated cherry pick of #96355: fix pull image error from multiple ACRs using azure managed
…6355-upstream-release-1.18 Automated cherry pick of #96355: fix pull image error from multiple ACRs using azure managed
@porrascarlos802018 this fix "pull image auth error from multiple(>1) ACRs using azure managed identity" has been merged in 1.17.14, 1.18.12, 1.19.4, for existing clusters with MSI, wait for a few more tries or using single ACR could workaround |
What type of PR is this?
/kind bug
What this PR does / why we need it:
fix pull image error from multiple ACRs using azure managed identity
This PR continues with PR(#92330), fixed the pull image error with azure managed identity.
This PR is using per-registry cache (also with cache expiration), pls note that per-registry cache is only for managed identity, and for service principal(account name & password), it's not necessary since password is supposed to be the same in whole kubelet life time.
Which issue(s) this PR fixes:
Fixes #92326
Special notes for your reviewer:
With this fix, there is no authentication error when pulling images from two ACRs using managed identity:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/priority important-soon
/sig cloud-provider
/area provider/azure
/triage accepted
/assign @feiskyer