fix to use secret authentication information not containerd setting f…

…ile hard coding
jupyter-server · Jan 24, 2024 · 7c43f84 · 7c43f84
1 parent 6334b01
commit 7c43f84
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/etc/docker/kernel-image-puller/kernel_image_puller.py b/etc/docker/kernel-image-puller/kernel_image_puller.py
@@ -10,6 +10,7 @@
 
 from docker.client import DockerClient
 from docker.errors import NotFound
+from kubernetes import client, config
 
 # initialize root logger
 logging.basicConfig(format="[%(levelname)1.1s %(asctime)s %(name)s.%(threadName)s] %(message)s")
@@ -223,14 +224,22 @@ def image_exists(self, image_name: str) -> bool:
         """Checks for the existence of the named image using the configured container runtime."""
         result = True
         absolute_image_name = self.get_absolute_image_name(image_name)
+        kernel_namespace = os.environ.get("KERNEL_NAMESPACE", "default")
+        secret_name = "gcr-cyberagent-402"
         t0 = time.time()
         if self.container_runtime == KernelImagePuller.DOCKER_CLIENT:
             try:
                 DockerClient.from_env().images.get(absolute_image_name)
             except NotFound:
                 result = False
         elif self.container_runtime == KernelImagePuller.CONTAINERD_CLIENT:
-            argv = ["crictl", "-r", self.runtime_endpoint, "inspecti", "-q", absolute_image_name]
+            config.load_incluster_config()
+            v1 = client.CoreV1Api()
+            secret = v1.read_namespaced_secret(secret_name, kernel_namespace)
+            username = secret.data["username"].decode("utf-8")
+            password = secret.data["password"].decode("utf-8")
+            creds = f"{username}:{password}"
+            argv = ["crictl", "--creds", creds, "-r", self.runtime_endpoint, "inspecti", "-q", absolute_image_name]
             result = self.execute_cmd(argv)
         else:  # invalid container runtime
             logger.error(f"Invalid container runtime detected: '{self.container_runtime}'!")
@@ -245,14 +254,22 @@ def download_image(self, image_name: str) -> bool:
         """Downloads (pulls) the named image using the configured container runtime."""
         result = True
         absolute_image_name = self.get_absolute_image_name(image_name)
+        kernel_namespace = os.environ.get("KERNEL_NAMESPACE", "default")
+        secret_name = "gcr-cyberagent-402"
         t0 = time.time()
         if self.container_runtime == KernelImagePuller.DOCKER_CLIENT:
             try:
                 DockerClient.from_env().images.pull(absolute_image_name)
             except NotFound:
                 result = False
         elif self.container_runtime == KernelImagePuller.CONTAINERD_CLIENT:
-            argv = ["crictl", "-r", self.runtime_endpoint, "pull", absolute_image_name]
+            config.load_incluster_config()
+            v1 = client.CoreV1Api()
+            secret = v1.read_namespaced_secret(secret_name, kernel_namespace)
+            username = secret.data["username"].decode("utf-8")
+            password = secret.data["password"].decode("utf-8")
+            creds = f"{username}:{password}"
+            argv = ["crictl", "--creds", creds, "-r", self.runtime_endpoint, "pull", absolute_image_name]
             result = self.execute_cmd(argv)
         else:  # invalid container runtime
             logger.error(f"Invalid container runtime detected: '{self.container_runtime}'!")