gcp-auth registries is too restrictive #12003

Closed
briandealwis opened this issue Jul 19, 2021 · 2 comments · Fixed by #12106
Labels
addon/gcp-auth Issues with the GCP Auth addon kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

@briandealwis
Contributor

The gcp-auth addon configures kubernetes.io/dockercfg secrets but only for gcr.io and us-docker.pkg.dev.

```go
data := map[string][]byte{
	".dockercfg": []byte(fmt.Sprintf(`{"https://gcr.io":{"username":"oauth2accesstoken","password":"%s","email":"none"}, "https://us-docker.pkg.dev":{"username":"oauth2accesstoken","password":"%s","email":"none"}}`, token.AccessToken, token.AccessToken)),
}
```

We should either make this configurable or add support for a broader set of endpoints.

One approach would be to query GCR/AR for the list of registries visible to the account.

cc: @sharifelgamal

@sharifelgamal
Collaborator

Yeah, good call. When I originally implemented gcp-auth I made the explicit choice to not worry about registry mirrors; now is a good time to fix that.

sharifelgamal self-assigned this Jul 19, 2021
sharifelgamal added the addon/gcp-auth, kind/feature and priority/important-soon labels Jul 19, 2021
sharifelgamal added this to the 1.23.0 milestone Jul 19, 2021

@briandealwis
Contributor Author

I followed up with the GCR/AR team and they suggested either hard-coding a list or taking a dependency on https://github.com/GoogleCloudPlatform/docker-credential-gcr/blob/faed5e8b8ca2a14e6cfff27ec915dbbdcce696ea/config/const.go#L49-L77
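
An added example, not part of the issue thread or of minikube's code, of the hard-coded-list approach suggested above: it builds the `.dockercfg` payload for a list of registry hosts with `encoding/json` instead of a format string, and refuses hosts outside GCR / Artifact Registry so the access token is never configured for an unrelated registry. The names `buildDockercfg`, `allowedHost` and `sampleRegistries`, the host list (a constructed sample, not the list in docker-credential-gcr) and the suffix rules are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// dockerAuth is one registry entry of a kubernetes.io/dockercfg secret.
type dockerAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Email    string `json:"email"`
}

// sampleRegistries is a constructed sample, not the docker-credential-gcr list.
var sampleRegistries = []string{"gcr.io", "eu.gcr.io", "us-docker.pkg.dev", "europe-docker.pkg.dev"}

// allowedHost reports whether host looks like a bare GCR or Artifact Registry
// hostname. The suffix rules are an assumption made for this example.
func allowedHost(host string) bool {
	if host == "" || strings.ContainsAny(host, "/:@ ") {
		return false // reject schemes, paths, ports and userinfo
	}
	return host == "gcr.io" || strings.HasSuffix(host, ".gcr.io") ||
		strings.HasSuffix(host, "-docker.pkg.dev")
}

// buildDockercfg returns the ".dockercfg" payload covering every host in hosts.
// json.Marshal escapes the token, so it cannot break the document structure.
func buildDockercfg(token string, hosts []string) ([]byte, error) {
	cfg := make(map[string]dockerAuth, len(hosts))
	for _, h := range hosts {
		if !allowedHost(h) {
			return nil, fmt.Errorf("refusing to hand token to registry %q", h)
		}
		cfg["https://"+h] = dockerAuth{Username: "oauth2accesstoken", Password: token, Email: "none"}
	}
	return json.Marshal(cfg)
}

func main() {
	out, err := buildDockercfg("constructed-token", sampleRegistries)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```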
