To authenticate with a private container image registry, you must provide a registry authentication file to your pod VM so that the image can be pulled directly.
The registry authentication file can be provided either statically or at runtime.
- For pulling images from authenticated registries you need the attestation-agent in the pod VM. The role of the attestation-agent is to provide the registry credentials to the `kata-agent`. The pod VM image that you are using should be built with `AA_KBC="offline_fs_kbc"`. This ensures that `agent-config.toml` in the pod VM has `aa_kbc_params = "offline_fs_kbc::null"` set.
- The registry credentials also need to be available in a file inside the pod VM image. The config `aa_kbc_params = "offline_fs_kbc::null"` tells the attestation-agent to retrieve secrets from the local filesystem. The registry credentials are embedded in a resources file on a fixed path on the local filesystem: `/etc/aa-offline_fs_kbc-resources.json`.
- Change into the directory whose contents are copied into the pod VM image: `cd ~/cloud-api-adaptor/podvm/files/etc`
- Base64-encode your `auth.json` on a single line: `cat auth.json | base64 -w 0`
- Export the base64-encoded file: `export AUTHFILE=<base64-encoded-auth.json>`
- Create the `aa-offline_fs_kbc-resources.json` file and add the base64-encoded auth file to it, like so:

```sh
cat <<EOF | tee aa-offline_fs_kbc-resources.json
{
  "Credential": "${AUTHFILE}"
}
EOF
```

- Important: make sure to build the image with `AA_KBC="offline_fs_kbc" make image`.
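The static procedure above, as an added example that is not part of the cloud-api-adaptor project: a POSIX shell script that builds the resources file from an `auth.json` and verifies that the embedded `Credential` decodes back to the original file, so a typo in the base64 step is caught before the image is built. The sample `auth.json`, registry name and file paths are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the cloud-api-adaptor project: builds the
# offline_fs_kbc resources file from an auth.json and round-trips it.
# The sample credentials and paths below are constructed for the demo.
set -eu

# Constructed auth.json with a placeholder registry and a dummy user:pass token.
SAMPLE_AUTH_JSON='{"auths":{"registry.example.com":{"auth":"dXNlcjpwYXNz"}}}'

# base64_oneline <file>: base64 on a single line, like `base64 -w 0` but
# without relying on the GNU-only -w flag.
base64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# make_resources_file <auth.json> <output>: writes the resources file that
# the attestation-agent reads at /etc/aa-offline_fs_kbc-resources.json.
# Note: base64 is an encoding, not encryption; the image still holds the
# registry credentials in the clear, so treat the built image as a secret.
make_resources_file() {
  authfile="$(base64_oneline "$1")"
  cat > "$2" <<EOF
{
  "Credential": "${authfile}"
}
EOF
}

# extract_credential <resources file>: prints the Credential value.
extract_credential() {
  sed -n 's/.*"Credential": *"\([^"]*\)".*/\1/p' "$1"
}

# check_resources_file <resources file> <auth.json>: returns 0 when the
# Credential decodes to exactly the original auth.json, 1 otherwise.
check_resources_file() {
  encoded="$(extract_credential "$1")"
  [ -n "$encoded" ] || return 1
  decoded="$(printf '%s' "$encoded" | base64 -d)" || return 1
  [ "$decoded" = "$(cat "$2")" ] || return 1
}

# Run `sh this_script.sh --demo` to build and check a resources file in a temp dir.
if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp -d)"
  printf '%s' "$SAMPLE_AUTH_JSON" > "$tmp/auth.json"
  make_resources_file "$tmp/auth.json" "$tmp/aa-offline_fs_kbc-resources.json"
  check_resources_file "$tmp/aa-offline_fs_kbc-resources.json" "$tmp/auth.json" && echo "ok: $tmp"
fi
```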
- The cloud-api-adaptor (CAA) provides the secret to the local filesystem of the pod VM by attaching it to the VM. This secret is converted and copied using `cloud-init` to `/etc/aa-offline_fs_kbc-resources.json` on the pod VM.
- CAA gets the secret from the `auth-json-secret` secret that is mounted inside the CAA pod using `install/overlays/$(CLOUD_PROVIDER)/kustomization.yaml`.
- Important: make sure to build the image with `AA_KBC="offline_fs_kbc" make image`.
- Make sure you set the `auth.json` file for the `auth-json-secret` when you configure `install/overlays/$(CLOUD_PROVIDER)/kustomization.yaml` prior to `make deploy`.