use auth for acrs only

SparebankenVest · Nov 10, 2023 · 5a546e0 · 5a546e0
1 parent 49cc1bf
commit 5a546e0
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 11 deletions.
diff --git a/pkg/azure/credentialprovider/acr.go b/pkg/azure/credentialprovider/acr.go
@@ -69,6 +69,11 @@ func (c CloudConfigCredentialProvider) GetAcrCredentials(image string) (k8sCrede
 		Password: "",
 	}
 
+	if !c.IsAcrRegistry(image) {
+		klog.V(4).Info("image not from acr, returning empty credentials")
+		return cred, nil
+	}
+
 	if c.config.UseManagedIdentityExtension {
 		klog.V(4).Info("using managed identity for acr credentials")
 		loginServer := parseACRLoginServerFromImage(image, c.environment)

diff --git a/pkg/docker/registry/registry.go b/pkg/docker/registry/registry.go
@@ -138,17 +138,31 @@ func getContainerRegistryRemoteOptions(ctx context.Context, client kubernetes.In
 			return nil, fmt.Errorf("cannot fetch acr credentials: %w", err)
 		}
 
-		sec := []corev1.Secret{ //{
-			*dockerCfgSecretType.Create(container.Namespace, "secret", registry, authn.AuthConfig{
-				Username: dockerConfigEntry.Username, Password: dockerConfigEntry.Password,
-			}),
-		}
-		*authChain, err = k8schain.NewFromPullSecrets(
-			ctx,
-			sec,
-		)
-		if err != nil {
-			return nil, err
+		if dockerConfigEntry.Username != "" {
+
+			sec := []corev1.Secret{ //{
+				*dockerCfgSecretType.Create(container.Namespace, "secret", registry, authn.AuthConfig{
+					Username: dockerConfigEntry.Username, Password: dockerConfigEntry.Password,
+				}),
+			}
+			*authChain, err = k8schain.NewFromPullSecrets(
+				ctx,
+				sec,
+			)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			*authChain, err = k8schain.New(
+				ctx,
+				client,
+				k8schain.Options{
+					Namespace:          container.Namespace,
+					ServiceAccountName: container.ServiceAccountName},
+			)
+			if err != nil {
+				return nil, err
+			}
 		}
 
 	default: