Skip to content

[blobserve] watch and reload dockerAuth config when using ECR #15426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
kylos101 opened this issue Dec 19, 2022 · 4 comments · Fixed by #15442
Closed

[blobserve] watch and reload dockerAuth config when using ECR #15426

kylos101 opened this issue Dec 19, 2022 · 4 comments · Fixed by #15442
Assignees
@jenting
Labels
component: blobserve component: refresh-credential

Comments

@kylos101
Copy link
Contributor

Is your feature request related to a problem? Please describe

When running in AWS using ECR, the cluster's image pull secret will be updated periodically by the refresh-credential component. Eventually, this means the dockerAuth config for blobserve will grow stale.

Describe the behaviour you'd like

blobserve should watch the pull secret for changes and update its configmap, similar to registry-facade and image-builder-mk3.

additionally, the new refresh-credential component should be deployed in application clusters as part of IDE installation types, not just workspace types.

Additional context

Here is an example for workspace, and image builder.

We depend on an image pull secret being defined at install time

gitpod/install/installer/pkg/components/image-builder-mk3/deployment.go

Line 30 in 0b4662b

secretName = ctx.Config.ContainerRegistry.External.Certificate.Name

Rotated on a schedule at runtime

gitpod/install/installer/pkg/components/refresh-credential/constants.go

Line 10 in 0b4662b

CronSchedule = "* */6 * * *"

And then components which need a working dockerAuth value update their config at runtime:

gitpod/components/image-builder-mk3/pkg/auth/auth.go

Line 42 in 0b4662b

res.loadFromFile(fn)

@kylos101
Copy link
Contributor Author

@laushinka @akosyakov @loujaybee for 👀 and @jenting because IDE team may questions.

@kylos101
Copy link
Contributor Author

We discussed today that the Scout Team will take of supporting external services, removing from IDE team inbox @akosyakov @laushinka @loujaybee .

@kylos101 kylos101 removed this from 🚀 IDE Team Dec 19, 2022
@jenting
Copy link
Contributor

jenting commented Dec 20, 2022

additionally, the new refresh-credential component should be deployed in application clusters as part of IDE installation types, not just workspace types.

If the image builder moved to the workspace cluster, should the refresh-credential still need to be deployed into the application cluster?

@jenting jenting mentioned this issue Dec 20, 2022
Merged
4 tasks
@jenting jenting self-assigned this Dec 21, 2022
@jenting jenting moved this to In Progress in 🌌 Workspace Team Dec 21, 2022
@kylos101 kylos101 removed the status in 🌌 Workspace Team Dec 21, 2022
@github-project-automation github-project-automation bot moved this to Awaiting Deployment in 🌌 Workspace Team Jan 5, 2023
@WVerlaek WVerlaek moved this from Awaiting Deployment to In Validation in 🌌 Workspace Team Jan 11, 2023
@jenting jenting moved this from In Validation to Done in 🌌 Workspace Team Jan 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jenting jenting

Labels
component: blobserve component: refresh-credential
Projects
No open projects
🌌 Workspace Team
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

blobserve: dynamically reload Docker auth config gitpod-io/gitpod
3 participants
@kylos101 @jenting and others