add support for container image registry with user password auth

tools/gke-disk-image-builder/cli/main.go

@@ -56,7 +56,8 @@ func main() {
 	diskType := flag.String("disk-type", "pd-ssd", "disk type to generate the disk image")
 	diskSizeGb := flag.Int64("disk-size-gb", 60, "disk size to unpack container images")
 	gcpOAuth := flag.String("gcp-oauth", "", "path to GCP service account credential file")
-	imagePullAuth := flag.String("image-pull-auth", "None", "auth mechanism to pull the container image, valid values: [None, ServiceAccountToken].\nNone means that the images are publically available and no authentication is required to pull them.\nServiceAccountToken means the service account oauth token will be used to pull the images.\nFor more information refer to https://cloud.google.com/compute/docs/access/authenticate-workloads#applications")
+	imagePullAuth := flag.String("image-pull-auth", "None", "auth mechanism to pull the container image, valid values: [None, ServiceAccountToken,UserPassword].\nNone means that the images are publically available and no authentication is required to pull them.\nServiceAccountToken means the service account oauth token will be used to pull the images.\nUserPassword means the user password from parameter <mage-pull-user> will be used to pull the images.\nFor more information refer to https://cloud.google.com/compute/docs/access/authenticate-workloads#applications")
+	imagePullUser := flag.String("image-pull-user", "None", "set user:password if your image registry is non public access ")
 	timeout := flag.String("timeout", "20m", "Default timout for each step, defaults to 20m")
 	network := flag.String("network", "default", "VPC network to be used by GCE resources used for disk image creation.")
 	subnet := flag.String("subnet", "default", "subnet to be used by GCE resources used for disk image creation.")
@@ -95,8 +96,10 @@ func main() {
 		auth = builder.None
 	case "ServiceAccountToken":
 		auth = builder.ServiceAccountToken
+	case "UserPassword":
+		auth = "UserPassword"
 	default:
-		log.Panicf("Please specify a valid value for the flag --image-pull-auth, valid values are [None, ServiceAccountToken]")
+		log.Panicf("Please specify a valid value for the flag --image-pull-auth, valid values are [None, ServiceAccountToken, UserPassword]")
 	}
 
 	req := builder.Request{
@@ -116,6 +119,7 @@ func main() {
 		ContainerImages:       containerImages,
 		Timeout:               td,
 		ImagePullAuth:         auth,
+		ImagePullUser:         *imagePullUser,
 		ImageLabels:           imageLabels,
 		StoreSnapshotCheckSum: *storeSnapshotCheckSum,
 	}

tools/gke-disk-image-builder/imager.go

@@ -43,6 +43,8 @@ const (
 	// ServiceAccountToken means that the script must use the oauth access token of the service account.
 	// For more information refer to https://cloud.google.com/compute/docs/access/authenticate-workloads#applications
 	ServiceAccountToken ImagePullAuthMechanism = "ServiceAccountToken"
+
+	String ImagePullAuthMechanism = "UserPassword"
 )
 
 // Request contains the required input for the disk image generation.
@@ -62,6 +64,7 @@ type Request struct {
 	ContainerImages       []string
 	Timeout               time.Duration
 	ImagePullAuth         ImagePullAuthMechanism
+	ImagePullUser         string
 	ImageLabels           []string
 	ServiceAccount        string
 	StoreSnapshotCheckSum bool
@@ -82,6 +85,9 @@ func buildDiskStartupScript(req Request) (*os.File, error) {
 	}
 	images := strings.Join(req.ContainerImages, " ")
 	flags := fmt.Sprintf("\n\nunpack %t %s %s", req.StoreSnapshotCheckSum, req.ImagePullAuth, images)
+  if req.ImagePullAuth == "UserPassword" {
+      flags = fmt.Sprintf("\n\nunpack %t %s %s %s", req.StoreSnapshotCheckSum, req.ImagePullAuth,req.ImagePullUser, images)
+  }
 	if _, err = concreteStartupScript.Write([]byte(flags)); err != nil {
 		return nil, fmt.Errorf("umable to create concrete startup script: %v", err)
 	}

tools/gke-disk-image-builder/script/startup.sh

@@ -69,6 +69,9 @@ sudo apt-get --yes install jq
 echo Fetching OAuth token...
 ACCESS_TOKEN=$(curl -sSf -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token | jq -r '.access_token')
 
+#init user password
+USER_PASSWORD=""
+
 function remove_snapshot_views() {
   echo Removing the previously created snapshot views...
   views=($(sudo ctr -n k8s.io snapshot list | grep "View" | sed 's/ \{1,\}/,/g'))
@@ -87,8 +90,10 @@ function pull_images() {
       sudo ctr -n k8s.io image pull --hosts-dir "/etc/containerd/certs.d" $param
     elif [ "$OAUTH_MECHANISM" == "serviceaccounttoken" ]; then
       sudo ctr -n k8s.io image pull --hosts-dir "/etc/containerd/certs.d" --user "oauth2accesstoken:$ACCESS_TOKEN" $param
+    elif [ "$OAUTH_MECHANISM" == "userpassword" ]; then
+      sudo ctr -n k8s.io image pull --hosts-dir "/etc/containerd/certs.d" --user $USER_PASSWORD $param
     else
-      echo "Unknown OAuth mechanism, expected 'None' or 'ServiceAccountToken' but got '$OAUTH_MECHANISM'".
+      echo "Unknown OAuth mechanism, expected 'None' or 'ServiceAccountToken' or 'UserPassword' but got '$OAUTH_MECHANISM'".
       exit 1
     fi
     if [ $? -ne 0 ]; then
@@ -191,6 +196,11 @@ function unpack() {
   OAUTH_MECHANISM=$(echo "$1" | tr '[:upper:]' '[:lower:]')
   shift
 
+  # Store image auth user and password in variable
+  if [ "$OAUTH_MECHANISM" == "userpassword" ]; then
+    USER_PASSWORD=$(echo "$1")
+    shift
+  fi
   # Pull all the given images.
   pull_images $@