Merge branch 'fix-empty-pull-secrets' into 'main'

cdesiniotis · cdesiniotis · commit a992438245c7 · 2023-08-04T17:33:11.000Z
Omit creating auth.Credentials if no pull secret is configured for a runtime class

See merge request nvidia/cloud-native/k8s-kata-manager!22
diff --git a/cmd/kata-manager/pull/pull.go b/cmd/kata-manager/pull/pull.go
@@ -129,7 +129,7 @@ func (m command) run(c *cli.Context, opts *options) error {
 	}
 	m.logger.Infof("Artifact: %v", art)
 
-	creds := auth.Credential{
+	creds := &auth.Credential{
 		Username: opts.username,
 		Password: opts.password,
 	}
diff --git a/internal/client-go/secrets.go b/internal/client-go/secrets.go
@@ -19,12 +19,12 @@ package kubernetes
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 
 	api "github.com/NVIDIA/k8s-kata-manager/api/v1alpha1/config"
 	utils "github.com/NVIDIA/k8s-kata-manager/internal/utils"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/klog/v2"
 	"oras.land/oras-go/v2/registry/remote/auth"
 )
 
@@ -44,22 +44,25 @@ type RegistryCredentials struct {
 	Auth     string `json:"auth"`
 }
 
-func (k *k8scli) GetCredentials(rc api.RuntimeClass, namespace string) (auth.Credential, error) {
-	auths := Auths{}
+func (k *k8scli) GetCredentials(rc api.RuntimeClass, namespace string) (*auth.Credential, error) {
+	if rc.Artifacts.PullSecret == "" {
+		return nil, nil
+	}
 
+	auths := Auths{}
 	secret, err := k.Get(context.Background(), rc.Artifacts.PullSecret, metav1.GetOptions{})
 	if err != nil {
-		return auth.Credential{}, err
+		return nil, fmt.Errorf("error getting secret: %v", err)
 	}
 	if err := json.Unmarshal(secret.Data[".dockerconfigjson"], &auths); err != nil {
-		klog.Errorf("error decoding secret: %s", err)
+		return nil, fmt.Errorf("error decoding secret: %v", err)
 	}
 	Registry, err := utils.ParseRegistry(rc.Artifacts.URL)
 	if err != nil {
-		klog.Errorf("error parsing registry: %s", err)
+		return nil, fmt.Errorf("error parsing registry: %v", err)
 	}
 
-	creds := auth.Credential{
+	creds := &auth.Credential{
 		Username: auths.Registries[Registry].Username,
 		Password: auths.Registries[Registry].Password,
 	}
diff --git a/internal/oras/pull.go b/internal/oras/pull.go
@@ -68,7 +68,7 @@ func NewArtifact(ref string, output string) (*Artifact, error) {
 }
 
 // Pull pulls the artifact from the remote repository into a local path
-func (a *Artifact) Pull(creds auth.Credential) (ocispec.Descriptor, error) {
+func (a *Artifact) Pull(creds *auth.Credential) (ocispec.Descriptor, error) {
 	// Create a file store
 	fs, err := file.New(a.Output)
 	if err != nil {
@@ -83,13 +83,15 @@ func (a *Artifact) Pull(creds auth.Credential) (ocispec.Descriptor, error) {
 		return ocispec.Descriptor{}, err
 	}
 
-	repo.Client = &auth.Client{
-		Client: retry.DefaultClient,
-		Cache:  auth.DefaultCache,
-		Credential: auth.StaticCredential(a.Registry, auth.Credential{
-			Username: creds.Username,
-			Password: creds.Password,
-		}),
+	if creds != nil {
+		repo.Client = &auth.Client{
+			Client: retry.DefaultClient,
+			Cache:  auth.DefaultCache,
+			Credential: auth.StaticCredential(a.Registry, auth.Credential{
+				Username: creds.Username,
+				Password: creds.Password,
+			}),
+		}
 	}
 
 	// Copy from the remote repository to the file store

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ func (m command) run(c cli.Context, opts options) error {`
`129`	`129`	`}`
`130`	`130`	`m.logger.Infof("Artifact: %v", art)`
`131`	`131`
`132`		`- creds := auth.Credential{`
	`132`	`+ creds := &auth.Credential{`
`133`	`133`	`Username: opts.username,`
`134`	`134`	`Password: opts.password,`
`135`	`135`	`}`