Add the possibility of logging in to an image registry/add secrets to Kubernetes in OSM
Proposers
- Pedro Escaleira (IT)
Description
When someone (probably a telco client) deploys an app in Kubernetes, they might need to obtain the necessary container images from some registry (for instance, from Docker Hub). However, the client might not want to make the image publicly available, due to privacy restrictions. This means that the image can only be pulled from the registry if the credentials for the client's registry account are provided. (When the image is public and anyone tries to pull it from the registry, the container environment will not ask for credentials, since the image can be found without any authentication.)
Therefore, when someone wants to pull some image from a registry, they need to authenticate to this registry in the container environment (for instance, a Docker user might authenticate with the command docker login <registry_url>). In Kubernetes, since multiple container runtimes can be used, we usually create a secret containing the credentials, as specified in the Kubernetes documentation page.
And from this, we reach the point where the client might want to use one of his private images in OSM, i.e., he might want to deploy a KNF which uses, for example, a Docker image stored in Docker Hub, but privately associated with his account in Docker Hub. And now, the following question arises: how can the client tell OSM what his credentials are, in order for OSM to instruct the Kubernetes cluster to use those credentials to pull the image? I think that the possibility of a user adding a new set of credentials in OSM, with OSM then storing these credentials in a secret in the target Kubernetes cluster, would be appreciated. Therefore, when the client tries to instantiate the KNF, and the KDU is instantiated in the cluster, the cluster will be able to pull the private image.
Therefore, my proposal is to add this feature to OSM, by allowing the creation of a Kubernetes secret or by simply allowing the user to tell OSM to add a new set of credentials to Kubernetes.
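The Kubernetes side of this mechanism, as an added example that is not part of the original proposal or of OSM's code: it builds the registry-credential secret and references it from a pod spec through imagePullSecrets. The function names, the secret name, the namespace, the registry host and the credentials are all constructed for illustration.

```python
import base64
import json


def build_pull_secret(name, namespace, registry, username, password):
    """Build a kubernetes.io/dockerconfigjson Secret manifest (as a dict)."""
    if not all((name, namespace, registry, username, password)):
        raise ValueError("name, namespace, registry, username and password are required")
    if ":" in username:
        # The 'auth' field is base64("user:password"); a colon in the user name makes it ambiguous.
        raise ValueError("username must not contain ':'")
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        # base64 here is encoding, not encryption: treat the manifest as a credential.
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()},
    }


def attach_pull_secret(pod_spec, secret, pod_namespace):
    """Return a copy of pod_spec that pulls images with the given secret."""
    # A pod can only reference pull secrets that live in its own namespace.
    if secret["metadata"]["namespace"] != pod_namespace:
        raise ValueError("pull secret must be in the same namespace as the pod")
    ref = {"name": secret["metadata"]["name"]}
    spec = dict(pod_spec)
    refs = list(spec.get("imagePullSecrets", []))
    if ref not in refs:  # keep the operation idempotent
        refs.append(ref)
    spec["imagePullSecrets"] = refs
    return spec


def redact(secret):
    """Copy of the manifest that is safe to log: secret data is masked."""
    masked = dict(secret)
    masked["data"] = {key: "<redacted>" for key in secret["data"]}
    return masked


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    s = build_pull_secret("knf-registry", "kdu-ns", "registry.example.com", "knf-user", "constructed-pass")
    pod = {"containers": [{"name": "app", "image": "registry.example.com/knf/app:1.0"}]}
    print(json.dumps(redact(s), indent=2))
    print(json.dumps(attach_pull_secret(pod, s, "kdu-ns"), indent=2))
```

The namespace check reflects why the secret has to be created in the namespace where the KDU is instantiated, and the masked copy is what should reach logs or API responses.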
Demo or definition of done
An OSM user will be able to add a new K8s secret to OSM as part of the K8s cluster registration or update, and that secret would be added to the K8s cluster and namespace where a KDU is instantiated (if the KDU targets that secret).