added enable variable for private registry feature default=false

func/internal/podevaluator.go

@@ -71,7 +71,7 @@ type podEvaluator struct {
 
 var _ Evaluator = &podEvaluator{}
 
-func NewPodEvaluator(namespace, wrapperServerImage string, interval, ttl time.Duration, podTTLConfig string, functionPodTemplateName string, registryAuthSecretPath string, registryAuthSecretName string) (Evaluator, error) {
+func NewPodEvaluator(namespace, wrapperServerImage string, interval, ttl time.Duration, podTTLConfig string, functionPodTemplateName string, enablePrivateRegistries bool, registryAuthSecretPath string, registryAuthSecretName string) (Evaluator, error) {
 	restCfg, err := config.GetConfig()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get rest config: %w", err)
@@ -100,14 +100,15 @@ func NewPodEvaluator(namespace, wrapperServerImage string, interval, ttl time.Du
 	pe := &podEvaluator{
 		requestCh: reqCh,
 		podCacheManager: &podCacheManager{
-			gcScanInternal:         interval,
-			podTTL:                 ttl,
-			registryAuthSecretPath: registryAuthSecretPath,
-			registryAuthSecretName: registryAuthSecretName,
-			requestCh:              reqCh,
-			podReadyCh:             readyCh,
-			cache:                  map[string]*podAndGRPCClient{},
-			waitlists:              map[string][]chan<- *clientConnAndError{},
+			gcScanInternal:          interval,
+			podTTL:                  ttl,
+			enablePrivateRegistries: enablePrivateRegistries,
+			registryAuthSecretPath:  registryAuthSecretPath,
+			registryAuthSecretName:  registryAuthSecretName,
+			requestCh:               reqCh,
+			podReadyCh:              readyCh,
+			cache:                   map[string]*podAndGRPCClient{},
+			waitlists:               map[string][]chan<- *clientConnAndError{},
 
 			podManager: &podManager{
 				kubeClient:              cl,
@@ -172,8 +173,9 @@ type podCacheManager struct {
 	gcScanInternal time.Duration
 	podTTL         time.Duration
 
-	registryAuthSecretPath string
-	registryAuthSecretName string
+	enablePrivateRegistries bool
+	registryAuthSecretPath  string
+	registryAuthSecretName  string
 
 	// requestCh is a receive-only channel to receive
 	requestCh <-chan *clientConnRequest
@@ -243,7 +245,7 @@ func (pcm *podCacheManager) warmupCache(podTTLConfig string) error {
 
 		// We invoke the function with useGenerateName=false so that the pod name is fixed,
 		// since we want to ensure only one pod is created for each function.
-		pcm.podManager.getFuncEvalPodClient(ctx, fnImage, ttl, false, pcm.registryAuthSecretPath, pcm.registryAuthSecretName)
+		pcm.podManager.getFuncEvalPodClient(ctx, fnImage, ttl, false, pcm.enablePrivateRegistries, pcm.registryAuthSecretPath, pcm.registryAuthSecretName)
 		klog.Infof("preloaded pod cache for function %v", fnImage)
 	})
 
@@ -311,7 +313,7 @@ func (pcm *podCacheManager) podCacheManager() {
 			pcm.waitlists[req.image] = append(list, req.grpcClientCh)
 			// We invoke the function with useGenerateName=true to avoid potential name collision, since if pod foo is
 			// being deleted and we can't use the same name.
-			go pcm.podManager.getFuncEvalPodClient(context.Background(), req.image, pcm.podTTL, true, pcm.registryAuthSecretPath, pcm.registryAuthSecretName)
+			go pcm.podManager.getFuncEvalPodClient(context.Background(), req.image, pcm.podTTL, true, pcm.enablePrivateRegistries, pcm.registryAuthSecretPath, pcm.registryAuthSecretName)
 		case resp := <-pcm.podReadyCh:
 			if resp.err != nil {
 				klog.Warningf("received error from the pod manager: %v", resp.err)
@@ -443,9 +445,9 @@ type digestAndEntrypoint struct {
 // time-to-live period for the pod. If useGenerateName is false, it will try to
 // create a pod with a fixed name. Otherwise, it will create a pod and let the
 // apiserver to generate the name from a template.
-func (pm *podManager) getFuncEvalPodClient(ctx context.Context, image string, ttl time.Duration, useGenerateName bool, registryAuthSecretPath string, registryAuthSecretName string) {
+func (pm *podManager) getFuncEvalPodClient(ctx context.Context, image string, ttl time.Duration, useGenerateName bool, enablePrivateRegistries bool, registryAuthSecretPath string, registryAuthSecretName string) {
 	c, err := func() (*podAndGRPCClient, error) {
-		podKey, err := pm.retrieveOrCreatePod(ctx, image, ttl, useGenerateName, registryAuthSecretPath, registryAuthSecretName)
+		podKey, err := pm.retrieveOrCreatePod(ctx, image, ttl, useGenerateName, enablePrivateRegistries, registryAuthSecretPath, registryAuthSecretName)
 		if err != nil {
 			return nil, err
 		}
@@ -537,7 +539,7 @@ type DockerConfig struct {
 }
 
 // imageDigestAndEntrypoint gets the entrypoint of a container image by looking at its metadata.
-func (pm *podManager) imageDigestAndEntrypoint(ctx context.Context, image string, registryAuthSecretPath string, registryAuthSecretName string) (*digestAndEntrypoint, error) {
+func (pm *podManager) imageDigestAndEntrypoint(ctx context.Context, image string, enablePrivateRegistries bool, registryAuthSecretPath string, registryAuthSecretName string) (*digestAndEntrypoint, error) {
 	start := time.Now()
 	defer func() {
 		klog.Infof("getting image metadata for %v took %v", image, time.Since(start))
@@ -550,7 +552,7 @@ func (pm *podManager) imageDigestAndEntrypoint(ctx context.Context, image string
 	}
 
 	var auth authn.Authenticator
-	if !strings.HasPrefix(image, defaultRegistry) {
+	if enablePrivateRegistries && !strings.HasPrefix(image, defaultRegistry) {
 		if err := pm.ensureCustomAuthSecret(ctx, registryAuthSecretPath, registryAuthSecretName); err != nil {
 			return nil, err
 		}
@@ -624,14 +626,14 @@ func (pm *podManager) getImageMetadata(ctx context.Context, ref name.Reference,
 }
 
 // retrieveOrCreatePod retrieves or creates a pod for an image.
-func (pm *podManager) retrieveOrCreatePod(ctx context.Context, image string, ttl time.Duration, useGenerateName bool, registryAuthSecretPath string, registryAuthSecretName string) (client.ObjectKey, error) {
+func (pm *podManager) retrieveOrCreatePod(ctx context.Context, image string, ttl time.Duration, useGenerateName bool, enablePrivateRegistries bool, registryAuthSecretPath string, registryAuthSecretName string) (client.ObjectKey, error) {
 	var de *digestAndEntrypoint
 	var replacePod bool
 	var currentPod *corev1.Pod
 	var err error
 	val, found := pm.imageMetadataCache.Load(image)
 	if !found {
-		de, err = pm.imageDigestAndEntrypoint(ctx, image, registryAuthSecretPath, registryAuthSecretName)
+		de, err = pm.imageDigestAndEntrypoint(ctx, image, enablePrivateRegistries, registryAuthSecretPath, registryAuthSecretName)
 		if err != nil {
 			return client.ObjectKey{}, fmt.Errorf("unable to get the entrypoint for %v: %w", image, err)
 		}
@@ -654,7 +656,7 @@ func (pm *podManager) retrieveOrCreatePod(ctx context.Context, image string, ttl
 		klog.Errorf("failed to generate a base pod template: %v", err)
 		return client.ObjectKey{}, fmt.Errorf("failed to generate a base pod template: %w", err)
 	}
-	pm.appendImagePullSecret(image, registryAuthSecretPath, registryAuthSecretName, podTemplate)
+	pm.appendImagePullSecret(image, enablePrivateRegistries, registryAuthSecretName, podTemplate)
 	err = pm.kubeClient.List(ctx, podList, client.InNamespace(pm.namespace), client.MatchingLabels(map[string]string{krmFunctionLabel: podId}))
 	if err != nil {
 		klog.Warningf("error when listing pods for %q: %v", image, err)
@@ -803,8 +805,8 @@ func (pm *podManager) getBasePodTemplate(ctx context.Context) (*corev1.Pod, stri
 }
 
 // if a custom image is requested, use the secret provided to authenticate
-func (pm *podManager) appendImagePullSecret(image string, registryAuthSecretPath string, registryAuthSecretName string, podTemplate *corev1.Pod) {
-	if !strings.HasPrefix(image, defaultRegistry) {
+func (pm *podManager) appendImagePullSecret(image string, enablePrivateRegistries bool, registryAuthSecretName string, podTemplate *corev1.Pod) {
+	if enablePrivateRegistries && !strings.HasPrefix(image, defaultRegistry) {
 		podTemplate.Spec.ImagePullSecrets = []corev1.LocalObjectReference{
 			{Name: registryAuthSecretName},
 		}

func/internal/podevaluator_podmanager_test.go

@@ -644,7 +644,7 @@ func TestPodManager(t *testing.T) {
 			fakeServer.evalFunc = tt.evalFunc
 
 			//Execute the function under test
-			go pm.getFuncEvalPodClient(ctx, tt.functionImage, time.Hour, tt.useGenerateName, "", "auth-secret")
+			go pm.getFuncEvalPodClient(ctx, tt.functionImage, time.Hour, tt.useGenerateName, false, "", "auth-secret")
 
 			if tt.podPatch != nil {
 				go func() {

func/server/server.go

@@ -41,6 +41,7 @@ var (
 	port                    = flag.Int("port", 9445, "The server port")
 	functions               = flag.String("functions", "./functions", "Path to cached functions.")
 	config                  = flag.String("config", "./config.yaml", "Path to the config file.")
+	enablePrivateRegistries = flag.Bool("enable-private-registry", false, "if true enables the use of private registries and their authentication")
 	registryAuthSecretPath  = flag.String("registry-auth-secret-path", "/var/tmp/config-secret/.dockerconfigjson", "The path of the secret used in custom registry authentication")
 	registryAuthSecretName  = flag.String("registry-auth-secret-name", "auth-secret", "The name of the secret used in custom registry authentication")
 	podCacheConfig          = flag.String("pod-cache-config", "/pod-cache-config/pod-cache-config.yaml", "Path to the pod cache config file. The file is map of function name to TTL.")
@@ -91,7 +92,7 @@ func run() error {
 			if wrapperServerImage == "" {
 				return fmt.Errorf("environment variable %v must be set to use pod function evaluator runtime", wrapperServerImageEnv)
 			}
-			podEval, err := internal.NewPodEvaluator(*podNamespace, wrapperServerImage, *scanInterval, *podTTL, *podCacheConfig, *functionPodTemplateName, *registryAuthSecretPath, *registryAuthSecretName)
+			podEval, err := internal.NewPodEvaluator(*podNamespace, wrapperServerImage, *scanInterval, *podTTL, *podCacheConfig, *functionPodTemplateName, *enablePrivateRegistries, *registryAuthSecretPath, *registryAuthSecretName)
 			if err != nil {
 				return fmt.Errorf("failed to initialize pod evaluator: %w", err)
 			}