Add optional Docker Hub credentials for kubelet to avoid pull rate limits#146
Open
Hardikrepo wants to merge 2 commits into
Open
Add optional Docker Hub credentials for kubelet to avoid pull rate limits#146Hardikrepo wants to merge 2 commits into
Hardikrepo wants to merge 2 commits into
Conversation
…ker CE, modern apt keyring, Calico enP* support Resolves NVIDIA#140: replaces deprecated apt_key module with get_url+gpg --dearmor, pins docker-ce to 29.4.3 with arch detection instead of state: latest, switches GPU/Network Operator helm installs from install --generate-name to upgrade --install for retry-safety, and adds enP* to Calico IP_AUTODETECTION_METHOD for GB200/Grace NIC names.
…mits Resolves NVIDIA#118: there was no way to authenticate image pulls during install, so deployments on IPs that had already exhausted Docker Hub's anonymous pull quota would fail to pull Calico/CNI images with no workaround. Adds optional dockerhub_registry_username/dockerhub_registry_password vars (default empty, same convention as the existing ngc_registry_* vars). When dockerhub_registry_password is set, writes a standard /var/lib/kubelet/config.json docker-auth file on every node before kubeadm init/join, so kubelet authenticates all image pulls (including Calico) regardless of container runtime (containerd or cri-o). Leaving the password blank preserves the existing anonymous pull behavior.
17d481f to
56fad0c
Compare
Collaborator
|
Thank you for the contribution. Please fork the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves #118.
Summary
There was no supported way to authenticate Docker Hub pulls during install. On corporate/shared egress IPs that have already exhausted Docker Hub's anonymous pull quota, this causes
kubeadm initto fail pulling Calico/CNI images, with no workaround other than manually patching things post-install.Adds two optional vars, following the same convention as the existing
ngc_registry_password:dockerhub_registry_username(default"")dockerhub_registry_password(default"")When
dockerhub_registry_passwordis non-empty, every node writes a standard/var/lib/kubelet/config.json(the well-documented kubelet node-level registry credential file) beforekubeadm init/joinruns. This authenticates all image pulls performed by kubelet — including Calico — regardless of whether the node uses containerd or cri-o, without needing per-namespaceimagePullSecrets. Leaving the password blank preserves today's anonymous-pull behavior exactly.Why this approach
The issue thread raises two alternatives: per-namespace
imagePullSecrets(already used for the GPU Operator/NGC registry, but each workload must reference it — doesn't help Calico) and a registry mirror (orthogonal, can be added separately). The kubelet-level docker config file authenticates uniformly across all namespaces and runtimes with a single set of credentials, which directly fixes the reported Calico pull failure.Test plan
/var/lib/kubelet/config.jsonis kubelet's documented legacy credential lookup path, independent of container runtimedockerhub_registry_passwordis set, so default installs are unaffected