package runs
import (
	"fmt"
	"os"
	"strings"

	. "github.com/saschagrunert/crio-demos/pkg/demo"
	"github.com/urfave/cli"
)
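// PullAuth builds and runs the "Image Pull Authentication" demo.
//
// The demo first resets CRI-O's global_auth_file to an empty value, shows
// that pulling quay.io/crio/private-image then fails, points
// global_auth_file at $HOME/.docker/config.json, restarts CRI-O and pulls
// the image again.
//
// It returns an error without running any command when HOME is unset or
// contains characters that would change the meaning of the generated sed
// command; otherwise it returns whatever d.Run returns.
//
// Security notes for operators:
//   - Every command is prefixed with sudo and rewrites /etc/crio/crio.conf
//     in place, so run this only on a disposable demo host.
//   - ~/.docker/config.json is the Docker client auth file; after the demo
//     the CRI-O daemon is configured to read it. No step below reverts
//     global_auth_file, the reset lives only in the Ensure list.
func PullAuth(ctx *cli.Context) error {
	// HOME is spliced verbatim into a single-quoted sed expression that uses
	// ';' as delimiter and is executed under sudo. Validate it up front so a
	// quote, delimiter, '&' (sed back-reference), backslash or newline in the
	// path cannot produce a different command or a wrong config value, and so
	// nothing on the host is touched when the value is unusable.
	home := os.Getenv("HOME")
	if home == "" {
		return fmt.Errorf("pull auth demo: HOME is not set")
	}
	if strings.ContainsAny(home, "'\";&\\\n") {
		return fmt.Errorf("pull auth demo: HOME %q contains characters that are unsafe in the sed command", home)
	}
	authFile := home + "/.docker/config.json"

	// Baseline state: image removed, global_auth_file cleared, CRI-O
	// restarted. NOTE(review): presumably Ensure runs these immediately,
	// before the demo starts; confirm in the demo package.
	Ensure(
		"sudo crictl rmi quay.io/crio/private-image",
		`sudo sed -i -E 's/(global_auth_file = )(.*)/\1""/' /etc/crio/crio.conf`,
		"sudo systemctl restart crio",
	)

	d := New(
		"Image Pull Authentication",
		"This demo shows how registry authentication works in CRI-O",
		"(Please be aware that this demo does not work if the credentials",
		"are not valid)",
	)

	// "|| true" keeps the demo going: the pull is expected to fail here.
	// NOTE(review): -D enables crictl debug output on screen; confirm it
	// carries nothing sensitive before recording the demo.
	d.Step(S(
		"With the default configuration, CRI-O is not able to pull private images",
	), S(
		"sudo crictl -D pull quay.io/crio/private-image || true",
	))

	// Point the root-owned CRI-O config at the invoking user's Docker auth
	// file, then print the resulting setting for the audience.
	d.Step(S(
		"But CRI-O is able to reuse the Docker authentication configuration as well",
	), S(
		`sudo sed -i -E 's;(global_auth_file = )(.*);\1"`+authFile+
			`";' /etc/crio/crio.conf &&`,
		"grep -B2 global_auth_file /etc/crio/crio.conf",
	))

	d.Step(S(
		"The `global_auth_file` configuration does not support live configuration yet.",
		"Which means that we have to restart CRI-O.",
		"This is totally safe, since CRI-O relies only on the state on disk.",
	), S(
		"sudo systemctl restart crio",
	))

	d.Step(S(
		"If the credentials inside this file are valid,",
		"then CRI-O can pull private images too",
	), S(
		"sudo crictl pull quay.io/crio/private-image",
	))

	// The grep keeps only the PullImageRequest/GET parts of the last
	// minute of CRI-O journal output.
	d.Step(S(
		"We can see that the `containers/image` library takes care of the",
		"authentication. Kubernetes is not involved in the authentication",
		"at all in this demo",
	), S(
		"sudo journalctl -u crio --since '1 minute ago' |",
		"grep -oP '(PullImageRequest|GET).*'",
	))

	return d.Run(ctx)
}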