Merge pull request #1955 from etungsten/registry-credentials

models, containerd, ecs-agent, host-ctr: support registry credentials

Author: etungsten

README.md

@@ -453,6 +453,30 @@ When pulling an image from a registry, the container runtime will try the endpoi
 
 For [host-container](#host-containers-settings) and [bootstrap-container](#bootstrap-containers-settings) images from Amazon ECR private repositories, registry mirrors are currently unsupported.
 
+The following setting is optional and allows you to configure image registry credentials.
+* `settings.container-registry.credentials`: An array of container images registry credential settings. Each element specifies the registry and the credential information for said registry.
+The credential fields map to [containerd's registry credential fields](https://github.com/containerd/containerd/blob/v1.6.0/docs/cri/registry.md#configure-registry-credentials), which in turn map to the fields in `.docker/config.json`.
+It is recommended to programmatically set these settings via `apiclient` through the Bottlerocket control container and/or custom host-containers.
+  * An example `apiclient` call to set registry credentials for `gcr.io` and `docker.io` looks like this:
+  ```bash
+  apiclient set --json '{
+    "container-registry": {
+      "credentials": [
+        {
+          "registry": "gcr.io",
+          "username": "example_username",
+          "password": "example_password"
+        },
+        {
+          "registry": "docker.io",
+          "auth": "example_base64_encoded_auth_string"
+        }
+      ]
+    }
+  }'
+  ```
+In addition to the container runtime daemons, these credential settings will also apply to [host-container](#host-containers-settings) and [bootstrap-container](#bootstrap-containers-settings) image pulls as well.
+
 #### Updates settings
 
 * `settings.updates.metadata-base-url`: The common portion of all URIs used to download update metadata.

Release.toml

@@ -103,4 +103,6 @@ version = "1.6.1"
 "(1.6.0, 1.6.1)" = []
 "(1.6.1, 1.6.2)" = [
     "migrate_v1.6.2_add-cfsignal.lz4",
+    "migrate_v1.6.2_container-registry-credentials.lz4",
+    "migrate_v1.6.2_container-registry-credentials-metadata.lz4",
 ]

packages/containerd/containerd-config-toml_k8s

@@ -37,3 +37,25 @@ conf_dir = "/etc/cni/net.d"
 endpoint = [{{join_array ", " endpoint }}]
 {{/each}}
 {{/if}}
+
+{{#if settings.container-registry.credentials}}
+{{#each settings.container-registry.credentials}}
+{{#if (eq registry "docker.io" )}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."registry-1.docker.io".auth]
+{{else}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."{{registry}}".auth]
+{{/if}}
+{{#if username}}
+username = "{{{username}}}"
+{{/if}}
+{{#if password}}
+password = "{{{password}}}"
+{{/if}}
+{{#if auth}}
+auth = "{{{auth}}}"
+{{/if}}
+{{#if identitytoken}}
+identitytoken = "{{{identitytoken}}}"
+{{/if}}
+{{/each}}
+{{/if}}

packages/containerd/containerd-config-toml_k8s_nvidia

@@ -37,3 +37,25 @@ conf_dir = "/etc/cni/net.d"
 endpoint = [{{join_array ", " endpoint }}]
 {{/each}}
 {{/if}}
+
+{{#if settings.container-registry.credentials}}
+{{#each settings.container-registry.credentials}}
+{{#if (eq registry "docker.io" )~}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."registry-1.docker.io".auth]
+{{else}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."{{registry}}".auth]
+{{/if}}
+{{#if username}}
+username = "{{{username}}}"
+{{/if}}
+{{#if password}}
+password = "{{{password}}}"
+{{/if}}
+{{#if auth}}
+auth = "{{{auth}}}"
+{{/if}}
+{{#if identitytoken}}
+identitytoken = "{{{identitytoken}}}"
+{{/if}}
+{{/each}}
+{{/if}}

packages/containerd/containerd.spec

@@ -20,6 +20,10 @@ Source2: containerd-config-toml_k8s
 Source3: containerd-config-toml_basic
 Source4: containerd-config-toml_k8s_nvidia
 Source5: containerd-tmpfiles.conf
+
+# Mount for writing containerd configuration
+Source100: etc-containerd.mount
+
 Source1000: clarify.toml
 
 # TODO: submit this upstream, including a unit test.
@@ -72,7 +76,7 @@ do
 done
 
 install -d %{buildroot}%{_cross_unitdir}
-install -p -m 0644 %{S:1} %{buildroot}%{_cross_unitdir}/containerd.service
+install -p -m 0644 %{S:1} %{S:100} %{buildroot}%{_cross_unitdir}
 
 install -d %{buildroot}%{_cross_templatedir}
 install -d %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/containerd
@@ -93,6 +97,7 @@ install -p -m 0644 %{S:5} %{buildroot}%{_cross_tmpfilesdir}/containerd.conf
 %{_cross_bindir}/containerd-shim-runc-v2
 %{_cross_bindir}/ctr
 %{_cross_unitdir}/containerd.service
+%{_cross_unitdir}/etc-containerd.mount
 %dir %{_cross_factorydir}%{_cross_sysconfdir}/containerd
 %{_cross_templatedir}/containerd-config-toml*
 %{_cross_tmpfilesdir}/containerd.conf

packages/containerd/etc-containerd.mount

@@ -0,0 +1,16 @@
+[Unit]
+Description=Containerd Configuration Directory (/etc/containerd)
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=selinux-policy-files.service
+Wants=selinux-policy-files.service
+
+[Mount]
+What=tmpfs
+Where=/etc/containerd
+Type=tmpfs
+Options=nosuid,nodev,noexec,noatime,context=system_u:object_r:secret_t:s0
+
+[Install]
+WantedBy=preconfigured.target

packages/ecs-agent/ecs-agent.spec

@@ -42,6 +42,9 @@ Source108: pause-repositories
 # Bottlerocket-specific - version data can be set with linker options
 Source109: version.go
 
+# Mount for writing ECS agent configuration
+Source200: etc-ecs.mount
+
 # Patches are numbered according to which source they apply to
 # Patches 0000 - 0999 apply to Source0
 # Patches 1000 - 1999 apply to Source1
@@ -241,7 +244,9 @@ install -D -p -m 0755 %{ecscni_gorepo}-%{ecscni_gitrev}/ecs-eni %{buildroot}%{_c
 install -D -p -m 0755 %{ecscni_gorepo}-%{ecscni_gitrev}/ecs-ipam %{buildroot}%{_cross_libexecdir}/amazon-ecs-agent/ecs-ipam
 install -D -p -m 0755 %{vpccni_gorepo}-%{vpccni_gitrev}/vpc-branch-eni %{buildroot}%{_cross_libexecdir}/amazon-ecs-agent/vpc-branch-eni
 
-install -D -p -m 0644 %{S:101} %{buildroot}%{_cross_unitdir}/ecs.service
+install -d %{buildroot}%{_cross_unitdir}
+install -D -p -m 0644 %{S:101} %{S:200} %{buildroot}%{_cross_unitdir}
+
 install -D -p -m 0644 %{S:102} %{buildroot}%{_cross_tmpfilesdir}/ecs.conf
 install -D -p -m 0644 %{S:103} %{buildroot}%{_cross_sysctldir}/90-ecs.conf
 install -D -p -m 0644 %{S:104} %{buildroot}%{_cross_templatedir}/ecs.config
@@ -288,6 +293,7 @@ mv %{vpccni_gorepo}-%{vpccni_gitrev}/vendor go-vendor/%{vpccni_gorepo}
 %{_cross_libexecdir}/amazon-ecs-agent/ecs-ipam
 %{_cross_libexecdir}/amazon-ecs-agent/vpc-branch-eni
 %{_cross_unitdir}/ecs.service
+%{_cross_unitdir}/etc-ecs.mount
 %{_cross_tmpfilesdir}/ecs.conf
 %{_cross_sysctldir}/90-ecs.conf
 %{_cross_templatedir}/ecs.config

packages/ecs-agent/ecs.config

@@ -1,2 +1,18 @@
 ECS_LOGFILE=/var/log/ecs/ecs-agent.log
 ECS_LOGLEVEL="{{settings.ecs.loglevel}}"
+{{#if settings.container-registry.credentials~}}
+ECS_ENGINE_AUTH_TYPE=dockercfg
+ECS_ENGINE_AUTH_DATA='{
+    {{~#each settings.container-registry.credentials~}}
+    {{~#unless @first~}},{{~/unless~}}
+    {{~#if (eq registry "docker.io" )~}}
+    "https://index.docker.io/v1/":
+    {{~else~}}
+    "{{registry}}":
+    {{~/if~}}
+    {"email": "."
+        {{~#if auth~}},"auth": "{{{auth}}}"{{/if}}
+        {{~#if username~}},"username": "{{{username}}}"{{/if}}
+        {{~#if password~}},"password": "{{{password}}}"}{{/if}}
+    {{~/each~}}}}'
+{{/if}}

packages/ecs-agent/etc-ecs.mount

@@ -0,0 +1,16 @@
+[Unit]
+Description=ECS agent Configuration Directory (/etc/ecs)
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=selinux-policy-files.service
+Wants=selinux-policy-files.service
+
+[Mount]
+What=tmpfs
+Where=/etc/ecs
+Type=tmpfs
+Options=nosuid,nodev,noexec,noatime,context=system_u:object_r:secret_t:s0
+
+[Install]
+WantedBy=preconfigured.target

packages/host-ctr/clarify.toml

@@ -0,0 +1,5 @@
+[clarify."sigs.k8s.io/yaml"]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xcdf3ae00 },
+]