Replace containerd Sysinv credentials with mtce credentials
The sysinv credentials in the containerd config allowed Kubernetes to deploy images without pull secrets. We replace them with the "mtce" user's credentials. The "mtce" user is treated as a public user and is not allowed to deploy non-public images. Partial-bug: 1894930 Depends-On: https://review.opendev.org/756557 Change-Id: Icf293a8c3e44a587d5392db57f612ea26b422f12 Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
parent
5fd5a67dcf
commit
77a68d3cad
|
@ -104,12 +104,29 @@
|
|||
- set_fact:
|
||||
local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
|
||||
|
||||
- name: Get guest local registry credentials
|
||||
vars:
|
||||
script_content: |
|
||||
import keyring
|
||||
password = keyring.get_password("mtce", "services")
|
||||
if not password:
|
||||
raise Exception("Local registry password not found.")
|
||||
print dict(username='mtce', password=str(password))
|
||||
shell: "{{ script_content }}"
|
||||
args:
|
||||
executable: /usr/bin/python
|
||||
register: guest_local_registry_credentials_output
|
||||
|
||||
- set_fact:
|
||||
guest_local_registry_credentials: "{{ guest_local_registry_credentials_output.stdout }}"
|
||||
|
||||
- name: Update config.toml with registry auth
|
||||
command: "sed -i -e 's|<%= @registry_auth %>|$REG_AUTH|g' /etc/containerd/config.toml"
|
||||
args:
|
||||
warn: false
|
||||
environment:
|
||||
REG_AUTH: "{{ (local_registry_credentials['username'] + ':' + local_registry_credentials['password']) | b64encode }}"
|
||||
REG_AUTH: "{{ (guest_local_registry_credentials['username'] + ':'
|
||||
+ guest_local_registry_credentials['password']) | b64encode }}"
|
||||
|
||||
- name: Determine the stream_server_address for containerd
|
||||
set_fact:
|
||||
|
|
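Review bot: The new "Get guest local registry credentials" task prints the mtce password to stdout and registers it, and the `set_fact` after it copies that value into `guest_local_registry_credentials`, but neither task sets `no_log: true` in this hunk, so the password can appear in Ansible output and in any log or callback that records task results. I would add `no_log: true` to both new tasks, unless a play- or block-level setting outside the hunk already covers them. The "Update config.toml with registry auth" task may deserve the same, since its `REG_AUTH` value is only the base64 of `username:password`. Separately, `print dict(...)` is a Python 2 print statement, so the task depends on `/usr/bin/python` being Python 2; `print(dict(username='mtce', password=str(password)))` gives the same output on both interpreters.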