mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-11 06:02:18 +00:00
Implements a credentialprovider library for use by DockerPuller.
This change refactors the way Kubelet's DockerPuller handles the docker config credentials to utilize a new credentialprovider library. The credentialprovider library is based on several of the files from the Kubelet's dockertools directory, but supports a new pluggable model for retrieving a .dockercfg-compatible JSON blob with credentials. With this change, the Kubelet will lazily ask for the docker config from a set of DockerConfigProvider extensions each time it needs a credential. This change provides common implementations of DockerConfigProvider for: - "Default": load .dockercfg from disk - "Caching": wraps another provider in a cache that expires after a pre-specified lifetime. GCP-only: - "google-dockercfg": reads a .dockercfg from a GCE instance's metadata - "google-dockercfg-url": reads a .dockercfg from a URL specified in a GCE instance's metadata. - "google-container-registry": reads an access token from GCE metadata into a password field.
This commit is contained in:
Matt Moore
62
pkg/credentialprovider/plugins.go
Normal file
62
pkg/credentialprovider/plugins.go
Normal file
@@ -0,0 +1,62 @@
|
||||
/*
|
||||
Copyright 2014 Google Inc. All rights reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package credentialprovider
|
||||
|
||||
import (
|
||||
"sync"
|
||||
|
||||
"github.com/golang/glog"
|
||||
)
|
||||
|
||||
// All registered credential providers.
|
||||
var providersMutex sync.Mutex
|
||||
var providers = make(map[string]DockerConfigProvider)
|
||||
|
||||
// RegisterCredentialProvider is called by provider implementations on
|
||||
// initialization to register themselves, like so:
|
||||
// func init() {
|
||||
// RegisterCredentialProvider("name", &myProvider{...})
|
||||
// }
|
||||
func RegisterCredentialProvider(name string, provider DockerConfigProvider) {
|
||||
providersMutex.Lock()
|
||||
defer providersMutex.Unlock()
|
||||
_, found := providers[name]
|
||||
if found {
|
||||
glog.Fatalf("Credential provider %q was registered twice", name)
|
||||
}
|
||||
glog.V(1).Infof("Registered credential provider %q", name)
|
||||
providers[name] = provider
|
||||
}
|
||||
|
||||
// NewDockerKeyring creates a DockerKeyring to use for resolving credentials,
|
||||
// which lazily draws from the set of registered credential providers.
|
||||
func NewDockerKeyring() DockerKeyring {
|
||||
keyring := &lazyDockerKeyring{
|
||||
Providers: make([]DockerConfigProvider, 0),
|
||||
}
|
||||
|
||||
// TODO(mattmoor): iterating over the map is non-deterministic. We should
|
||||
// introduce the notion of priorities for conflict resolution.
|
||||
for name, provider := range providers {
|
||||
if provider.Enabled() {
|
||||
glog.Infof("Registering credential provider: %v", name)
|
||||
keyring.Providers = append(keyring.Providers, provider)
|
||||
}
|
||||
}
|
||||
|
||||
return keyring
|
||||
}
|
||||
Reference in New Issue
Block a user