Allow unauthenticated pull for n3000-opae image

This update is part of the change to move away from the docker container
runtime for FPGA tools.
The n3000 opae image is pulled from the local registry during puppet
manifest while a non-controller-0 node is unlocked. During puppet
manifest, there is no way of getting the sysinv credentials via keyring.
Thus, the image n3000-opae is made to be downloadable without
credentials.

Story: 2008972
Task: 43422

Change-Id: I8f4267f6ffb71717391ac131a34926a389d1a437
Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
Teresa Ho 2021-09-22 10:16:15 -04:00
parent 34102e753f
commit 87c4393414
1 changed files with 2 additions and 0 deletions

@ -184,7 +184,9 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
publicRepos := []string{"public/"}
// pause is usually used as a test deployment by kubernetes and deployed without pull secrets
// acmesolver is deployed in a namespace that don't have access to pull secrets
// n3000-opae is used during puppet manifest at which point credentials cannot be obtained
publicImages := []string{"k8s.gcr.io/pause",
"docker.io/starlingx/n3000-opae",
"quay.io/jetstack/cert-manager-acmesolver"}
// this controls our own authorization rules like admin accounts and public repos/images
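Review bot: the new "docker.io/starlingx/n3000-opae" entry in publicImages is a bare repository name with no tag or digest, and the code that compares publicImages against requestedAccessList is outside this hunk, so the reach of the exemption cannot be judged from the change alone. Please confirm that the comparison is an exact match on the repository name rather than a prefix match, and that the unauthenticated path grants pull only and never push, since the commit message says nodes fetch this image from the local registry at unlock and an anonymous push would let anyone replace it. The added comment explains why credentials are unavailable; it should also state that the image contains no secrets, which is the condition that makes anonymous pull acceptable for the other two entries as well.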