Skip to content

Re-use public credential provider API #9502

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 9, 2025
Merged

Re-use public credential provider API #9502

merged 1 commit into from
Oct 9, 2025
+110 −16

Conversation

saschagrunert
Copy link
Member

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Re-using the public auth and config API from the credential provider to keep both projects in sync.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

None

@saschagrunert saschagrunert requested a review from mrunalp as a code owner October 7, 2025 07:27
@openshift-ci openshift-ci bot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Oct 7, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 7, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 7, 2025
@openshift-ci openshift-ci bot requested review from bitoku and klihub October 7, 2025 07:27
@saschagrunert saschagrunert force-pushed the credential-provider-pub branch 2 times, most recently from ad8dc24 to 486c307 Compare October 7, 2025 07:43
@codecov Codecov
Copy link

codecov bot commented Oct 7, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 39.13043% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.96%. Comparing base (96bb9ac) to head (93121f4).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #9502      +/-   ##
==========================================
- Coverage   67.02%   66.96%   -0.07%     
==========================================
  Files         202      202              
  Lines       28155    28168      +13     
==========================================
- Hits        18872    18863       -9     
- Misses       7706     7722      +16     
- Partials     1577     1583       +6
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@saschagrunert
Copy link
Member Author

/retest

bitoku
bitoku reviewed Oct 7, 2025
View reviewed changes
Copy link
Contributor

@bitoku bitoku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change itself lgtm. My comments may be out of scope of this PR.

server/image_pull.go
Comment on lines +270 to +291
ext := filepath.Ext(authFilePath)
newAuthFileName := fmt.Sprintf("%s-%s%s", strings.TrimSuffix(filepath.Base(authFilePath), ext), uuid.New(), ext)

tempAuthFilePath := filepath.Join(inUseAuthDirPath, newAuthFileName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/cri-o/cri-o/pull/9463/files#diff-a3d824da3c42420cd5cbb0a4a2c0e7b5bfddd819652788a0596d195dc6e31fa5

This description may be outdated? The final auth file name will be <NAMESPACE>-<IMAGE_NAME_SHA256>-<UUID>.json.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, updated the docs.

server/image_pull.go
Comment on lines 274 to 296
if err := os.Rename(authFilePath, tempAuthFilePath); err != nil {
return cleanup, fmt.Errorf("unable to move auth file path to temporary location: %w", err)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#9475 (comment)
We should mention potential race scenarios (same name with different tag images pulled at once) and the reason why it's acceptable for posterity.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the doc within the function to explain the possible race.

server/image_pull.go

inUseAuthDirPath := filepath.Join(s.config.NamespacedAuthDir, "in-use")
if err := os.MkdirAll(inUseAuthDirPath, 0o700); err != nil {
return cleanup, fmt.Errorf("unable to ensure in-use auth dir: %w", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we want to cleanup authFilePath when it fails in the middle. Does it make this more race-prone?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, I added another cleanup function if that method errors.

@saschagrunert saschagrunert force-pushed the credential-provider-pub branch 2 times, most recently from af2338a to 82f69f4 Compare October 8, 2025 08:06
@saschagrunert
Copy link
Member Author

/retest

@saschagrunert saschagrunert force-pushed the credential-provider-pub branch from 82f69f4 to 27dcdcc Compare October 8, 2025 10:59
@saschagrunert
Re-use public credential provider API
93121f4 
Re-using the public auth and config API from the credential provider to
keep both projects in sync.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@saschagrunert saschagrunert force-pushed the credential-provider-pub branch from 27dcdcc to 93121f4 Compare October 8, 2025 10:59
@bitoku
Copy link
Contributor

bitoku commented Oct 9, 2025

/lgtm
/hold
I hold it in case @QiWang19 wants to look, otherwise unhold anytime.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 9, 2025
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 9, 2025
QiWang19
QiWang19 reviewed Oct 9, 2025
View reviewed changes
Copy link
Member

@QiWang19 QiWang19 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 9, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 1db71e5 into cri-o:main Oct 9, 2025
72 of 76 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bitoku bitoku bitoku left review comments

@QiWang19 QiWang19 QiWang19 left review comments

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@klihub klihub Awaiting requested review from klihub

Assignees

@bitoku bitoku

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@saschagrunert @bitoku @QiWang19