Merge pull request #146 from srl-labs/feat/docker-config-from-secret

feat: docker config for launcher user

apis/v1alpha1/configspec.go

@@ -115,4 +115,11 @@ type ConfigImagePull struct {
 	// /etc/docker and docker will be expecting the config at /etc/docker/daemon.json.
 	// +optional
 	DockerDaemonConfig string `json:"dockerDaemonConfig,omitempty"`
+	// DockerConfig allows for setting the docker user (for root) config for all launchers in this
+	// topology. The secret *must be present in the namespace of this topology*. The secret *must*
+	// contain a key "config.json" -- as this secret will be mounted to /root/.docker/config.json
+	// and as such wil be utilized when doing docker-y things -- this means you can put auth things
+	// in here in the event your cluster doesn't support the preferred image pull through option.
+	// +optional
+	DockerConfig string `json:"dockerConfig,omitempty"`
 }

apis/v1alpha1/topologyspec.go

@@ -223,4 +223,11 @@ type ImagePull struct {
 	// be expecting the config at /etc/docker/daemon.json.
 	// +optional
 	DockerDaemonConfig string `json:"dockerDaemonConfig,omitempty"`
+	// DockerConfig allows for setting the docker user (for root) config for all launchers in this
+	// topology. The secret *must be present in the namespace of this topology*. The secret *must*
+	// contain a key "config.json" -- as this secret will be mounted to /root/.docker/config.json
+	// and as such wil be utilized when doing docker-y things -- this means you can put auth things
+	// in here in the event your cluster doesn't support the preferred image pull through option.
+	// +optional
+	DockerConfig string `json:"dockerConfig,omitempty"`
 }

assets/crd/clabernetes.containerlab.dev_configs.yaml

@@ -262,6 +262,14 @@ spec:
                       now, in the future maybe crio support will be added.
                     pattern: (.*containerd\.sock)
                     type: string
+                  dockerConfig:
+                    description: |-
+                      DockerConfig allows for setting the docker user (for root) config for all launchers in this
+                      topology. The secret *must be present in the namespace of this topology*. The secret *must*
+                      contain a key "config.json" -- as this secret will be mounted to /root/.docker/config.json
+                      and as such wil be utilized when doing docker-y things -- this means you can put auth things
+                      in here in the event your cluster doesn't support the preferred image pull through option.
+                    type: string
                   dockerDaemonConfig:
                     description: |-
                       DockerDaemonConfig allows for setting a default docker daemon config for launcher pods

assets/crd/clabernetes.containerlab.dev_topologies.yaml

@@ -398,6 +398,14 @@ spec:
                   ImagePull holds configurations relevant to how clabernetes launcher pods handle pulling
                   images.
                 properties:
+                  dockerConfig:
+                    description: |-
+                      DockerConfig allows for setting the docker user (for root) config for all launchers in this
+                      topology. The secret *must be present in the namespace of this topology*. The secret *must*
+                      contain a key "config.json" -- as this secret will be mounted to /root/.docker/config.json
+                      and as such wil be utilized when doing docker-y things -- this means you can put auth things
+                      in here in the event your cluster doesn't support the preferred image pull through option.
+                    type: string
                   dockerDaemonConfig:
                     description: |-
                       DockerDaemonConfig allows for setting the docker daemon config for all launchers in this

charts/clabernetes/crds/clabernetes.containerlab.dev_configs.yaml

@@ -262,6 +262,14 @@ spec:
                       now, in the future maybe crio support will be added.
                     pattern: (.*containerd\.sock)
                     type: string
+                  dockerConfig:
+                    description: |-
+                      DockerConfig allows for setting the docker user (for root) config for all launchers in this
+                      topology. The secret *must be present in the namespace of this topology*. The secret *must*
+                      contain a key "config.json" -- as this secret will be mounted to /root/.docker/config.json
+                      and as such wil be utilized when doing docker-y things -- this means you can put auth things
+                      in here in the event your cluster doesn't support the preferred image pull through option.
+                    type: string
                   dockerDaemonConfig:
                     description: |-
                       DockerDaemonConfig allows for setting a default docker daemon config for launcher pods

charts/clabernetes/crds/clabernetes.containerlab.dev_topologies.yaml

@@ -398,6 +398,14 @@ spec:
                   ImagePull holds configurations relevant to how clabernetes launcher pods handle pulling
                   images.
                 properties:
+                  dockerConfig:
+                    description: |-
+                      DockerConfig allows for setting the docker user (for root) config for all launchers in this
+                      topology. The secret *must be present in the namespace of this topology*. The secret *must*
+                      contain a key "config.json" -- as this secret will be mounted to /root/.docker/config.json
+                      and as such wil be utilized when doing docker-y things -- this means you can put auth things
+                      in here in the event your cluster doesn't support the preferred image pull through option.
+                    type: string
                   dockerDaemonConfig:
                     description: |-
                       DockerDaemonConfig allows for setting the docker daemon config for all launchers in this

config/fake.go

@@ -74,6 +74,10 @@ func (f fakeManager) GetDockerDaemonConfig() string {
 	return ""
 }
 
+func (f fakeManager) GetDockerConfig() string {
+	return ""
+}
+
 func (f fakeManager) GetLauncherImagePullPolicy() string {
 	return clabernetesconstants.KubernetesImagePullIfNotPresent
 }

config/get.go

@@ -121,6 +121,13 @@ func (m *manager) GetDockerDaemonConfig() string {
 	return m.config.ImagePull.DockerDaemonConfig
 }
 
+func (m *manager) GetDockerConfig() string {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	return m.config.ImagePull.DockerConfig
+}
+
 func (m *manager) GetLauncherImage() string {
 	m.lock.RLock()
 	defer m.lock.RUnlock()

config/manager.go

@@ -133,8 +133,12 @@ type Manager interface {
 	GetImagePullCriSockOverride() string
 	// GetImagePullCriKindOverride returns the cri kind override.
 	GetImagePullCriKindOverride() string
-	// GetDockerDaemonConfig returns the secret name to mount in /etc/docker.
+	// GetDockerDaemonConfig returns the secret name to mount in /etc/docker -- the secret *must*
+	// have a key "daemon.json" so the final mounted file is /etc/docker/daemon.json.
 	GetDockerDaemonConfig() string
+	// GetDockerConfig returns the secret name to mount in /root/.docker/ -- the secret *must* have
+	// a key "config.json" so the final mounted file is /root/.docker/config.json.
+	GetDockerConfig() string
 	// GetLauncherImage returns the global default launcher image.
 	GetLauncherImage() string
 	// GetLauncherImagePullPolicy returns the global default launcher image pull policy.

controllers/topology/deployment.go

@@ -258,6 +258,37 @@ func (r *DeploymentReconciler) renderDeploymentVolumes( //nolint:funlen
 		)
 	}
 
+	dockerConfigSecret := owningTopology.Spec.ImagePull.DockerConfig
+	if dockerConfigSecret == "" {
+		dockerConfigSecret = r.configManagerGetter().GetDockerConfig()
+	}
+
+	if dockerConfigSecret != "" {
+		volumes = append(
+			volumes,
+			k8scorev1.Volume{
+				Name: "docker-config",
+				VolumeSource: k8scorev1.VolumeSource{
+					Secret: &k8scorev1.SecretVolumeSource{
+						SecretName: dockerConfigSecret,
+						DefaultMode: clabernetesutil.ToPointer(
+							int32(clabernetesconstants.PermissionsEveryoneReadWriteOwnerExecute),
+						),
+					},
+				},
+			},
+		)
+
+		volumeMountsFromCommonSpec = append(
+			volumeMountsFromCommonSpec,
+			k8scorev1.VolumeMount{
+				Name:      "docker-config",
+				ReadOnly:  true,
+				MountPath: "/root/.docker",
+			},
+		)
+	}
+
 	volumesFromConfigMaps := make([]clabernetesapisv1alpha1.FileFromConfigMap, 0)
 
 	volumesFromConfigMaps = append(

controllers/topology/deployment_test.go

@@ -499,6 +499,52 @@ func TestRenderDeployment(t *testing.T) {
 			},
 			nodeName: "srl1",
 		},
+		{
+			name: "docker-config",
+			owningTopology: &clabernetesapisv1alpha1.Topology{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "render-deployment-test",
+					Namespace: "clabernetes",
+				},
+				Spec: clabernetesapisv1alpha1.TopologySpec{
+					Connectivity: clabernetesconstants.ConnectivityVXLAN,
+					ImagePull: clabernetesapisv1alpha1.ImagePull{
+						DockerConfig: "sneakydockerconfig",
+					},
+					Definition: clabernetesapisv1alpha1.Definition{
+						Containerlab: `---
+		   name: test
+		   topology:
+		     nodes:
+		       srl1:
+		         kind: srl
+		         image: ghcr.io/nokia/srlinux
+		`,
+					},
+				},
+			},
+			clabernetesConfigs: map[string]*clabernetesutilcontainerlab.Config{
+				"srl1": {
+					Name:   "srl1",
+					Prefix: clabernetesutil.ToPointer(""),
+					Topology: &clabernetesutilcontainerlab.Topology{
+						Defaults: &clabernetesutilcontainerlab.NodeDefinition{
+							Ports: []string{},
+						},
+						Kinds: nil,
+						Nodes: map[string]*clabernetesutilcontainerlab.NodeDefinition{
+							"srl1": {
+								Kind:  "srl",
+								Image: "ghcr.io/nokia/srlinux",
+							},
+						},
+						Links: nil,
+					},
+					Debug: false,
+				},
+			},
+			nodeName: "srl1",
+		},
 		{
 			name: "scheduling",
 			owningTopology: &clabernetesapisv1alpha1.Topology{