Improve concurrency and cache for credential provider
Removed the lock from "Provide" as it can be called in parallel
from the image puller. To avoid execing for the same image concurrently,
wrapped exec in singleflight.
Purging the cache of expired data at a 15-minute interval, only when
a request for a credential is made.
KEP:2133
Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>

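An added Go illustration (not kubelet's credential provider code) of the pattern this message describes: the mutex guards only the cache maps and is never held across the plugin exec, concurrent Provide calls for one image are joined onto a single fetch, and expired entries are purged lazily, at most once per interval and only when a request arrives. The singleflight is re-implemented with the standard library so the example runs stand-alone; Provider, cacheEntry, the fetch callback standing in for the exec, the image name and the TTL are assumptions made for the illustration (the 15-minute purge interval is the one the message states).

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

type cacheEntry struct { // assumed shape of a cached credential
	creds   string
	expires time.Time
}

// call is one in-flight plugin invocation. Concurrent callers for the same
// image wait on it instead of exec'ing again: a stdlib-only stand-in for
// golang.org/x/sync/singleflight.
type call struct {
	wg  sync.WaitGroup
	val string
	err error
}

// Provider caches credentials per image. mu guards only the maps and the
// purge timestamp; it is never held while the slow fetch runs.
type Provider struct {
	mu            sync.Mutex
	cache         map[string]cacheEntry
	inflight      map[string]*call
	lastPurge     time.Time
	ttl           time.Duration
	purgeInterval time.Duration
	fetch         func(image string) (string, error) // stands in for exec'ing the plugin
	now           func() time.Time                   // injectable clock
}

func NewProvider(fetch func(string) (string, error), ttl, purgeInterval time.Duration, now func() time.Time) *Provider {
	return &Provider{cache: map[string]cacheEntry{}, inflight: map[string]*call{},
		lastPurge: now(), ttl: ttl, purgeInterval: purgeInterval, fetch: fetch, now: now}
}

// purgeExpiredLocked drops expired entries at most once per purgeInterval,
// and only because a request arrived (no background goroutine). Caller holds p.mu.
func (p *Provider) purgeExpiredLocked() {
	now := p.now()
	if now.Sub(p.lastPurge) < p.purgeInterval {
		return
	}
	for image, e := range p.cache {
		if !now.Before(e.expires) {
			delete(p.cache, image)
		}
	}
	p.lastPurge = now
}

// Provide returns the credential for image: from the cache if fresh, from a
// fetch another caller already started, or by running fetch exactly once.
func (p *Provider) Provide(image string) (string, error) {
	p.mu.Lock()
	p.purgeExpiredLocked()
	if e, ok := p.cache[image]; ok && p.now().Before(e.expires) {
		p.mu.Unlock()
		return e.creds, nil
	}
	if c, ok := p.inflight[image]; ok {
		p.mu.Unlock()
		c.wg.Wait() // join the in-flight exec instead of starting a second one
		return c.val, c.err
	}
	c := &call{}
	c.wg.Add(1)
	p.inflight[image] = c
	p.mu.Unlock()

	c.val, c.err = p.fetch(image) // slow; runs without the lock

	p.mu.Lock()
	if c.err == nil {
		p.cache[image] = cacheEntry{creds: c.val, expires: p.now().Add(p.ttl)}
	}
	delete(p.inflight, image)
	p.mu.Unlock()
	c.wg.Done()
	return c.val, c.err
}

// ConcurrentFetches runs n parallel Provide calls for one image and returns
// how many times the slow fetch actually ran (expected: 1).
func ConcurrentFetches(n int) int32 {
	var fetches int32
	fetch := func(image string) (string, error) {
		atomic.AddInt32(&fetches, 1)
		time.Sleep(30 * time.Millisecond) // simulate the plugin exec
		return "token-for-" + image, nil
	}
	p := NewProvider(fetch, time.Hour, 15*time.Minute, time.Now)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); p.Provide("registry.example/app:1.0") }() // constructed image name
	}
	wg.Wait()
	return atomic.LoadInt32(&fetches)
}

// PurgeDemo drives a fake clock (ttl 30m, purge interval 15m) and returns the
// cache size after each request plus whether "a" survived the lazy purge.
func PurgeDemo() (sizes []int, aStillCached bool) {
	clock := time.Unix(0, 0)
	p := NewProvider(func(string) (string, error) { return "t", nil },
		30*time.Minute, 15*time.Minute, func() time.Time { return clock })
	size := func() int { p.mu.Lock(); defer p.mu.Unlock(); return len(p.cache) }
	p.Provide("a")
	sizes = append(sizes, size()) // 1
	clock = clock.Add(10 * time.Minute)
	p.Provide("b") // interval not elapsed: no purge, "a" still fresh
	sizes = append(sizes, size()) // 2
	clock = clock.Add(25 * time.Minute) // t=35m: "a" expired at 30m, "b" lives until 40m
	p.Provide("c") // this request triggers the purge of "a"
	sizes = append(sizes, size()) // 2: "b" and "c"
	p.mu.Lock()
	_, aStillCached = p.cache["a"]
	p.mu.Unlock()
	return sizes, aStillCached
}

func main() {
	fmt.Println("fetches for 10 parallel Provide calls:", ConcurrentFetches(10))
	sizes, a := PurgeDemo()
	fmt.Println("cache sizes after each request:", sizes, "\"a\" still cached:", a)
}
```

The waiters in the inflight branch read c.val only after c.wg.Wait returns, which happens after the owner's writes and Done, so no extra synchronisation is needed; a fetch error is shared with the waiters rather than cached.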
Adds a default timeout to the Azure ACR HTTP client to avoid hanging
when unable to reach server.
Signed-off-by: hasheddan <georgedanielmangum@gmail.com>

* Before this change, even on non-AWS platforms, the Enabled() check attempts
to make calls to the metadata endpoint when the session and credentials
are initialized (in order to determine if the provider should be
initialized at all).
* This can cause latency because the SDK times out and retries -- up to
20 seconds of latency has been observed on non-AWS platforms when the
metadata IP was blocked with an iptables rule.
* Instead, check once if we are running on an EC2 platform, first trying
to find the EC2 UUID in system files, and second attempting to get
credentials.
* Add a benchmark test that includes initialization and the credential
check.

There are a lot of scenarios where an invalid .dockercfg file
will still contain secrets. This commit removes logging of the
contents to avoid any potential leaking and manages the actual error
by printing to the user the actual location of the invalid file.
Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>

base64 allows usage of new line characters and some tools use them.
As a result, the length of the encoded string cannot be used to
determine whether it's padded or not.
This patch fixes the regression after #82148.
docker-credential-desk no longer pads the auth field.
It is then possible to have an unpadded auth field.
The field might be encoded either with RawStdEncoding or StdEncoding;
we now determine if it is correctly padded in order to handle
both cases.

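An added Go example (not kubelet's own code) of the check this message describes: Go's base64 decoders skip "\r" and "\n", so a newline-bearing field has a length that says nothing about padding; deciding on the trimmed suffix instead handles StdEncoding and RawStdEncoding input alike. decodeDockerAuth, lengthSaysPadded and the constructed inputs are assumptions made for the illustration.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// decodeDockerAuth decodes the "auth" field of a .dockercfg / config.json
// entry. A trailing '=' (after trimming whitespace) means the value is padded
// and must go through StdEncoding; anything else is decoded as unpadded with
// RawStdEncoding. A value whose length is already a multiple of 4 and carries
// no '=' decodes identically with both, so it is covered too.
func decodeDockerAuth(field string) (username, password string, err error) {
	trimmed := strings.TrimSpace(field)
	var decoded []byte
	if strings.HasSuffix(trimmed, "=") {
		decoded, err = base64.StdEncoding.DecodeString(trimmed)
	} else {
		decoded, err = base64.RawStdEncoding.DecodeString(trimmed)
	}
	if err != nil {
		// Report only the error, never the field: it holds a secret.
		return "", "", fmt.Errorf("unable to decode auth field: %w", err)
	}
	parts := strings.SplitN(string(decoded), ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("auth field must decode to user:password")
	}
	return parts[0], parts[1], nil
}

// lengthSaysPadded is the heuristic the message says cannot be relied on:
// a single trailing newline makes it misclassify a padded value.
func lengthSaysPadded(field string) bool {
	return len(field)%4 == 0
}

func main() {
	// Constructed inputs: "user:pw" is dXNlcjpwdw== padded, dXNlcjpwdw raw;
	// "user:pass" is dXNlcjpwYXNz in both encodings.
	for _, f := range []string{"dXNlcjpwdw==", "dXNlcjpwdw", "dXNlcjpwdw==\n", "dXNl\ncjpwdw", "dXNlcjpwYXNz"} {
		u, p, err := decodeDockerAuth(f)
		fmt.Printf("%-16q length-heuristic-padded=%-5v -> user=%q pass=%q err=%v\n",
			f, lengthSaysPadded(f), u, p, err)
	}
}
```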
Currently, the credential provider will look in the path set in
the $HOME env variable, but that environment does not exist on
Windows, whereas $HOMEPATH does. Because of this, if credentials are
set in ~/.docker on Windows, they will not be used by kubelet
when pulling images.
The function os.UserHomeDir can solve this problem [1].
[1] https://golang.org/pkg/os/#UserHomeDir