From 87c4393414b64343b7ad60147e434a2f2a03d384 Mon Sep 17 00:00:00 2001
From: Teresa Ho
Date: Wed, 22 Sep 2021 10:16:15 -0400
Subject: [PATCH] Allow unauthenticated pull for n3000-opae image

This update is part of the change to move away from docker container runtime for FPGA tools. The n3000 opae image is pulled from the local registry during puppet manifest while a non-controller-0 node is unlocked. During puppet manifest, there is no way of getting sysinv credential via keyring. Thus, the image n3000-opae is made to be downloadable without credential.

Story: 2008972
Task: 43422

Change-Id: I8f4267f6ffb71717391ac131a34926a389d1a437
Signed-off-by: Teresa Ho
---
registry-token-server/src/main.go | 2 ++
1 file changed, 2 insertions(+)

diff --git a/registry-token-server/src/main.go b/registry-token-server/src/main.go
index 31671a5..2ffea2d 100644
--- a/registry-token-server/src/main.go
+++ b/registry-token-server/src/main.go
@@ -184,7 +184,9 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
 publicRepos := []string{"public/"}
 // pause is usually used as a test deployment by kubernetes and deployed without pull secrets
 // acmesolver is deployed in a namespace that don't have access to pull secrets
+ // n3000-opae is used during puppet manifest at which point credentials cannot be obtained
 publicImages := []string{"k8s.gcr.io/pause",
+ "docker.io/starlingx/n3000-opae",
 "quay.io/jetstack/cert-manager-acmesolver"}
 // this controls our own authorization rules like admin accounts and public repos/images
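Review bot: The new `publicImages` entry makes `docker.io/starlingx/n3000-opae` pullable without credentials by any client that can reach the token server, but the added comment records only the reason, not the constraint this places on the image. I would extend it to something like `// n3000-opae is pulled during puppet manifest before sysinv credentials are available; it is served without authentication, so it must not contain secrets`. The code that consumes `publicImages` is outside this hunk (filterAccessList starts and ends outside it), so it is worth confirming that entries are matched as exact repository names rather than prefixes and that the public rule grants only the `pull` action. If matching is by prefix, a sibling repository whose name begins with `n3000-opae` would presumably become public as well.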