Merge pull request #56217 from Cynerva/gkk/docker-logins

Automatic merge from submit-queue (batch tested with PRs 56217, 56268, 56263, 56328, 56200). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add docker-logins config to kubernetes-worker charm **What this PR does / why we need it**: This adds a `docker-logins` config option to the kubernetes-worker charm, which allows cluster operators to authenticate against docker registries so kubelet can pull containers from them. **Release note**: ```release-note Added docker-logins config to kubernetes-worker charm ```
2025-07-23 11:50:44 +00:00 · 2017-12-14 23:37:39 -08:00 · 2017-12-14 23:37:39 -08:00 · 05acd736c1
commit 05acd736c1
parent 8647490eae ca9076cf0f
2 changed files with 36 additions and 0 deletions
--- a/cluster/juju/layers/kubernetes-worker/config.yaml
+++ b/cluster/juju/layers/kubernetes-worker/config.yaml
@ -49,3 +49,12 @@ options:
        runtime-config=batch/v2alpha1=true profiling=true
      will result in kube-apiserver being run with the following options:
        --runtime-config=batch/v2alpha1=true --profiling=true
+  docker-logins:
+    type: string
+    default: "[]"
+    description: |
+      Docker login credentials. Setting this config allows Kubelet to pull images from
+      registries where auth is required.
+
+      The value for this config must be a JSON array of credential objects, like this:
+        [{"server": "my.registry", "username": "myUser", "password": "myPass"}]
--- a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
+++ b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
@ -14,6 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+import json
 import os
 import random
 import shutil
@ -435,6 +436,32 @@ def extra_args_changed():
    set_state('kubernetes-worker.restart-needed')


+@when('config.changed.docker-logins')
+def docker_logins_changed():
+    config = hookenv.config()
+    previous_logins = config.previous('docker-logins')
+    logins = config['docker-logins']
+    logins = json.loads(logins)
+
+    if previous_logins:
+        previous_logins = json.loads(previous_logins)
+        next_servers = {login['server'] for login in logins}
+        previous_servers = {login['server'] for login in previous_logins}
+        servers_to_logout = previous_servers - next_servers
+        for server in servers_to_logout:
+            cmd = ['docker', 'logout', server]
+            subprocess.check_call(cmd)
+
+    for login in logins:
+        server = login['server']
+        username = login['username']
+        password = login['password']
+        cmd = ['docker', 'login', server, '-u', username, '-p', password]
+        subprocess.check_call(cmd)
+
+    set_state('kubernetes-worker.restart-needed')
+
+
 def arch():
    '''Return the package architecture as a string. Raise an exception if the
    architecture is not supported by kubernetes.'''