runservice: update docker registry auth

This commit is contained in:
Simone Gotti 2019-04-22 14:38:25 +02:00
parent d91bb36ccb
commit dfeba334f6
13 changed files with 400 additions and 218 deletions

1
go.mod
View File

@ -19,6 +19,7 @@ require (
github.com/go-ini/ini v1.42.0 // indirect github.com/go-ini/ini v1.42.0 // indirect
github.com/go-sql-driver/mysql v1.4.1 // indirect github.com/go-sql-driver/mysql v1.4.1 // indirect
github.com/google/go-cmp v0.3.0 github.com/google/go-cmp v0.3.0
github.com/google/go-containerregistry v0.0.0-20190412005658-1d38b9cfdb9d
github.com/google/go-jsonnet v0.12.1 github.com/google/go-jsonnet v0.12.1
github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e // indirect github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e // indirect
github.com/gorilla/handlers v1.4.0 github.com/gorilla/handlers v1.4.0

4
go.sum
View File

@ -62,10 +62,10 @@ github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a h1:ZJu5NB1Bk5ms4vw0Xu
github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a h1:ZJu5NB1Bk5ms4vw0Xu4i+jD32SE9jQXyfnOvwhHqlT0= github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a h1:ZJu5NB1Bk5ms4vw0Xu4i+jD32SE9jQXyfnOvwhHqlT0=
github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-containerregistry v0.0.0-20190412005658-1d38b9cfdb9d h1:K8AF5hFHsOYRk0CG22FwQk3oCu7CbL2bNfiHoaGuW4Y=
github.com/google/go-containerregistry v0.0.0-20190412005658-1d38b9cfdb9d/go.mod h1:yZAFP63pRshzrEYLXLGPmUt0Ay+2zdjmMN1loCnRLUk=
github.com/google/go-jsonnet v0.12.1 h1:v0iUm/b4SBz7lR/diMoz9tLAz8lqtnNRKIwMrmU2HEU= github.com/google/go-jsonnet v0.12.1 h1:v0iUm/b4SBz7lR/diMoz9tLAz8lqtnNRKIwMrmU2HEU=
github.com/google/go-jsonnet v0.12.1/go.mod h1:gVu3UVSfOt5fRFq+dh9duBqXa5905QY8S1QvMNcEIVs= github.com/google/go-jsonnet v0.12.1/go.mod h1:gVu3UVSfOt5fRFq+dh9duBqXa5905QY8S1QvMNcEIVs=
github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk= github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=

View File

@ -59,30 +59,34 @@ const (
RuntimeTypePod RuntimeType = "pod" RuntimeTypePod RuntimeType = "pod"
) )
type RegistryAuthType string type DockerRegistryAuthType string
const ( const (
RegistryAuthTypeDefault RegistryAuthType = "default" DockerRegistryAuthTypeBasic DockerRegistryAuthType = "basic"
DockerRegistryAuthTypeEncodedAuth DockerRegistryAuthType = "encodedauth"
) )
type RegistryAuth struct { type DockerRegistryAuth struct {
Type RegistryAuthType `json:"type"` Type DockerRegistryAuthType `json:"type"`
// default auth // basic auth
Username Value `json:"username"` Username Value `json:"username"`
Password Value `json:"password"` Password Value `json:"password"`
// encoded auth string
Auth string `json:"auth"`
// future auths like aws ecr auth
} }
type Runtime struct { type Runtime struct {
Type RuntimeType `json:"type,omitempty"` Type RuntimeType `json:"type,omitempty"`
Auth *RegistryAuth `json:"auth"`
Arch common.Arch `json:"arch,omitempty"` Arch common.Arch `json:"arch,omitempty"`
Containers []*Container `json:"containers,omitempty"` Containers []*Container `json:"containers,omitempty"`
} }
type Container struct { type Container struct {
Image string `json:"image,omitempty"` Image string `json:"image,omitempty"`
Auth *RegistryAuth `json:"auth"`
Environment map[string]Value `json:"environment,omitempty"` Environment map[string]Value `json:"environment,omitempty"`
User string `json:"user"` User string `json:"user"`
Privileged bool `json:"privileged"` Privileged bool `json:"privileged"`
@ -92,6 +96,7 @@ type Container struct {
type Run struct { type Run struct {
Name string `json:"name"` Name string `json:"name"`
Tasks []*Task `json:"tasks"` Tasks []*Task `json:"tasks"`
DockerRegistriesAuth map[string]*DockerRegistryAuth `json:"docker_registries_auth"`
} }
type Task struct { type Task struct {
@ -106,6 +111,7 @@ type Task struct {
IgnoreFailure bool `json:"ignore_failure"` IgnoreFailure bool `json:"ignore_failure"`
Approval bool `json:"approval"` Approval bool `json:"approval"`
When *types.When `json:"when"` When *types.When `json:"when"`
DockerRegistriesAuth map[string]*DockerRegistryAuth `json:"docker_registries_auth"`
} }
type DependCondition string type DependCondition string
@ -198,6 +204,7 @@ func (t *Task) UnmarshalJSON(b []byte) error {
IgnoreFailure bool `json:"ignore_failure"` IgnoreFailure bool `json:"ignore_failure"`
Approval bool `json:"approval"` Approval bool `json:"approval"`
When *when `json:"when"` When *when `json:"when"`
DockerRegistriesAuth map[string]*DockerRegistryAuth `json:"docker_registries_auth"`
} }
var tr *runtask var tr *runtask
@ -214,6 +221,7 @@ func (t *Task) UnmarshalJSON(b []byte) error {
t.User = tr.User t.User = tr.User
t.IgnoreFailure = tr.IgnoreFailure t.IgnoreFailure = tr.IgnoreFailure
t.Approval = tr.Approval t.Approval = tr.Approval
t.DockerRegistriesAuth = tr.DockerRegistriesAuth
steps := make([]interface{}, len(tr.Steps)) steps := make([]interface{}, len(tr.Steps))
for i, stepEntry := range tr.Steps { for i, stepEntry := range tr.Steps {
@ -766,27 +774,25 @@ func checkConfig(config *Config) error {
// Set defaults // Set defaults
for _, run := range config.Runs { for _, run := range config.Runs {
// set auth type to basic if not specified
for _, registryAuth := range run.DockerRegistriesAuth {
if registryAuth.Type == "" {
registryAuth.Type = DockerRegistryAuthTypeBasic
}
}
for _, task := range run.Tasks { for _, task := range run.Tasks {
// set auth type to basic if not specified
for _, registryAuth := range task.DockerRegistriesAuth {
if registryAuth.Type == "" {
registryAuth.Type = DockerRegistryAuthTypeBasic
}
}
// set task default working dir // set task default working dir
if task.WorkingDir == "" { if task.WorkingDir == "" {
task.WorkingDir = defaultWorkingDir task.WorkingDir = defaultWorkingDir
} }
// set auth type to default if not specified
runtime := task.Runtime
if runtime.Auth != nil {
if runtime.Auth.Type == "" {
runtime.Auth.Type = RegistryAuthTypeDefault
}
}
for _, container := range runtime.Containers {
if container.Auth != nil {
if container.Auth.Type == "" {
container.Auth.Type = RegistryAuthTypeDefault
}
}
}
// set steps defaults // set steps defaults
for i, s := range task.Steps { for i, s := range task.Steps {
switch step := s.(type) { switch step := s.(type) {

View File

@ -170,14 +170,20 @@ func TestParseOutput(t *testing.T) {
in: ` in: `
runs: runs:
- name: run01 - name: run01
tasks: docker_registries_auth:
- name: task01 index.docker.io:
runtime:
type: pod
auth:
username: username username: username
password: password:
from_variable: password from_variable: password
tasks:
- name: task01
docker_registries_auth:
index.docker.io:
username: username
password:
from_variable: password
runtime:
type: pod
containers: containers:
- image: image01 - image: image01
auth: auth:
@ -263,25 +269,29 @@ func TestParseOutput(t *testing.T) {
Runs: []*Run{ Runs: []*Run{
&Run{ &Run{
Name: "run01", Name: "run01",
Tasks: []*Task{ DockerRegistriesAuth: map[string]*DockerRegistryAuth{
&Task{ "index.docker.io": {
Name: "task01", Type: DockerRegistryAuthTypeBasic,
Runtime: &Runtime{
Type: "pod",
Auth: &RegistryAuth{
Type: RegistryAuthTypeDefault,
Username: Value{Type: ValueTypeString, Value: "username"}, Username: Value{Type: ValueTypeString, Value: "username"},
Password: Value{Type: ValueTypeFromVariable, Value: "password"}, Password: Value{Type: ValueTypeFromVariable, Value: "password"},
}, },
},
Tasks: []*Task{
&Task{
Name: "task01",
DockerRegistriesAuth: map[string]*DockerRegistryAuth{
"index.docker.io": {
Type: DockerRegistryAuthTypeBasic,
Username: Value{Type: ValueTypeString, Value: "username"},
Password: Value{Type: ValueTypeFromVariable, Value: "password"},
},
},
Runtime: &Runtime{
Type: "pod",
Arch: "", Arch: "",
Containers: []*Container{ Containers: []*Container{
&Container{ &Container{
Image: "image01", Image: "image01",
Auth: &RegistryAuth{
Type: RegistryAuthTypeDefault,
Username: Value{Type: ValueTypeFromVariable, Value: "username2"},
Password: Value{Type: ValueTypeString, Value: "password2"},
},
Environment: map[string]Value{ Environment: map[string]Value{
"ENV01": Value{Type: ValueTypeString, Value: "ENV01"}, "ENV01": Value{Type: ValueTypeString, Value: "ENV01"},
"ENVFROMVARIABLE01": Value{Type: ValueTypeFromVariable, Value: "variable01"}, "ENVFROMVARIABLE01": Value{Type: ValueTypeFromVariable, Value: "variable01"},

View File

@ -37,23 +37,6 @@ func genRuntime(c *config.Config, ce *config.Runtime, variables map[string]strin
Entrypoint: cc.Entrypoint, Entrypoint: cc.Entrypoint,
} }
// Set container auth
if cc.Auth != nil {
container.Auth = &rstypes.RegistryAuth{
Type: rstypes.RegistryAuthType(cc.Auth.Type),
Username: genValue(cc.Auth.Username, variables),
Password: genValue(cc.Auth.Password, variables),
}
}
// if container auth is nil use runtime auth
if container.Auth == nil && ce.Auth != nil {
container.Auth = &rstypes.RegistryAuth{
Type: rstypes.RegistryAuthType(ce.Auth.Type),
Username: genValue(ce.Auth.Username, variables),
Password: genValue(ce.Auth.Password, variables),
}
}
containers = append(containers, container) containers = append(containers, container)
} }
@ -210,6 +193,28 @@ func GenRunConfigTasks(uuid util.UUIDGenerator, c *config.Config, runName string
IgnoreFailure: ct.IgnoreFailure, IgnoreFailure: ct.IgnoreFailure,
Skip: !include, Skip: !include,
NeedsApproval: ct.Approval, NeedsApproval: ct.Approval,
DockerRegistriesAuth: make(map[string]rstypes.DockerRegistryAuth),
}
if cr.DockerRegistriesAuth != nil {
for regname, auth := range cr.DockerRegistriesAuth {
t.DockerRegistriesAuth[regname] = rstypes.DockerRegistryAuth{
Type: rstypes.DockerRegistryAuthType(auth.Type),
Username: genValue(auth.Username, variables),
Password: genValue(auth.Password, variables),
}
}
}
// override with per task docker registry auth
if ct.DockerRegistriesAuth != nil {
for regname, auth := range ct.DockerRegistriesAuth {
t.DockerRegistriesAuth[regname] = rstypes.DockerRegistryAuth{
Type: rstypes.DockerRegistryAuthType(auth.Type),
Username: genValue(auth.Username, variables),
Password: genValue(auth.Password, variables),
}
}
} }
rcts[t.ID] = t rcts[t.ID] = t

View File

@ -635,25 +635,29 @@ func TestGenRunConfig(t *testing.T) {
Runs: []*config.Run{ Runs: []*config.Run{
&config.Run{ &config.Run{
Name: "run01", Name: "run01",
Tasks: []*config.Task{ DockerRegistriesAuth: map[string]*config.DockerRegistryAuth{
&config.Task{ "index.docker.io": {
Name: "task01", Type: config.DockerRegistryAuthTypeBasic,
Runtime: &config.Runtime{
Type: "pod",
Auth: &config.RegistryAuth{
Type: config.RegistryAuthTypeDefault,
Username: config.Value{Type: config.ValueTypeString, Value: "username"}, Username: config.Value{Type: config.ValueTypeString, Value: "username"},
Password: config.Value{Type: config.ValueTypeFromVariable, Value: "password"}, Password: config.Value{Type: config.ValueTypeFromVariable, Value: "password"},
}, },
},
Tasks: []*config.Task{
&config.Task{
Name: "task01",
DockerRegistriesAuth: map[string]*config.DockerRegistryAuth{
"index.docker.io": {
Type: config.DockerRegistryAuthTypeBasic,
Username: config.Value{Type: config.ValueTypeFromVariable, Value: "registry_username"},
Password: config.Value{Type: config.ValueTypeString, Value: "password2"},
},
},
Runtime: &config.Runtime{
Type: "pod",
Arch: "", Arch: "",
Containers: []*config.Container{ Containers: []*config.Container{
&config.Container{ &config.Container{
Image: "image01", Image: "image01",
Auth: &config.RegistryAuth{
Type: config.RegistryAuthTypeDefault,
Username: config.Value{Type: config.ValueTypeFromVariable, Value: "registry_username"},
Password: config.Value{Type: config.ValueTypeString, Value: "password2"},
},
Environment: map[string]config.Value{ Environment: map[string]config.Value{
"ENV01": config.Value{Type: config.ValueTypeString, Value: "ENV01"}, "ENV01": config.Value{Type: config.ValueTypeString, Value: "ENV01"},
"ENVFROMVARIABLE01": config.Value{Type: config.ValueTypeFromVariable, Value: "variable01"}, "ENVFROMVARIABLE01": config.Value{Type: config.ValueTypeFromVariable, Value: "variable01"},
@ -721,15 +725,17 @@ func TestGenRunConfig(t *testing.T) {
uuid.New("task01").String(): &rstypes.RunConfigTask{ uuid.New("task01").String(): &rstypes.RunConfigTask{
ID: uuid.New("task01").String(), ID: uuid.New("task01").String(),
Name: "task01", Depends: map[string]*rstypes.RunConfigTaskDepend{}, Name: "task01", Depends: map[string]*rstypes.RunConfigTaskDepend{},
DockerRegistriesAuth: map[string]rstypes.DockerRegistryAuth{
"index.docker.io": {
Type: rstypes.DockerRegistryAuthTypeBasic,
Username: "yourregistryusername",
Password: "password2",
},
},
Runtime: &rstypes.Runtime{Type: rstypes.RuntimeType("pod"), Runtime: &rstypes.Runtime{Type: rstypes.RuntimeType("pod"),
Containers: []*rstypes.Container{ Containers: []*rstypes.Container{
{ {
Image: "image01", Image: "image01",
Auth: &rstypes.RegistryAuth{
Type: rstypes.RegistryAuthTypeDefault,
Username: "yourregistryusername",
Password: "password2",
},
Environment: map[string]string{ Environment: map[string]string{
"ENV01": "ENV01", "ENV01": "ENV01",
"ENVFROMVARIABLE01": "VARVALUE01", "ENVFROMVARIABLE01": "VARVALUE01",
@ -751,21 +757,23 @@ func TestGenRunConfig(t *testing.T) {
}, },
}, },
{ {
name: "test runtime auth used for container nil auth", name: "test run auth used for task undefined auth",
in: &config.Config{ in: &config.Config{
Runs: []*config.Run{ Runs: []*config.Run{
&config.Run{ &config.Run{
Name: "run01", Name: "run01",
DockerRegistriesAuth: map[string]*config.DockerRegistryAuth{
"index.docker.io": {
Type: config.DockerRegistryAuthTypeBasic,
Username: config.Value{Type: config.ValueTypeString, Value: "username"},
Password: config.Value{Type: config.ValueTypeFromVariable, Value: "password"},
},
},
Tasks: []*config.Task{ Tasks: []*config.Task{
&config.Task{ &config.Task{
Name: "task01", Name: "task01",
Runtime: &config.Runtime{ Runtime: &config.Runtime{
Type: "pod", Type: "pod",
Auth: &config.RegistryAuth{
Type: config.RegistryAuthTypeDefault,
Username: config.Value{Type: config.ValueTypeString, Value: "username"},
Password: config.Value{Type: config.ValueTypeFromVariable, Value: "password"},
},
Arch: "", Arch: "",
Containers: []*config.Container{ Containers: []*config.Container{
&config.Container{ &config.Container{
@ -795,15 +803,17 @@ func TestGenRunConfig(t *testing.T) {
uuid.New("task01").String(): &rstypes.RunConfigTask{ uuid.New("task01").String(): &rstypes.RunConfigTask{
ID: uuid.New("task01").String(), ID: uuid.New("task01").String(),
Name: "task01", Depends: map[string]*rstypes.RunConfigTaskDepend{}, Name: "task01", Depends: map[string]*rstypes.RunConfigTaskDepend{},
DockerRegistriesAuth: map[string]rstypes.DockerRegistryAuth{
"index.docker.io": {
Type: rstypes.DockerRegistryAuthTypeBasic,
Username: "username",
Password: "yourregistrypassword",
},
},
Runtime: &rstypes.Runtime{Type: rstypes.RuntimeType("pod"), Runtime: &rstypes.Runtime{Type: rstypes.RuntimeType("pod"),
Containers: []*rstypes.Container{ Containers: []*rstypes.Container{
{ {
Image: "image01", Image: "image01",
Auth: &rstypes.RegistryAuth{
Type: rstypes.RegistryAuthTypeDefault,
Username: "username",
Password: "yourregistrypassword",
},
Environment: map[string]string{}, Environment: map[string]string{},
}, },
}, },
@ -816,30 +826,44 @@ func TestGenRunConfig(t *testing.T) {
}, },
}, },
{ {
name: "test runtime auth not used for container with auth", name: "test run auth override by task auth",
in: &config.Config{ in: &config.Config{
Runs: []*config.Run{ Runs: []*config.Run{
&config.Run{ &config.Run{
Name: "run01", Name: "run01",
Tasks: []*config.Task{ DockerRegistriesAuth: map[string]*config.DockerRegistryAuth{
&config.Task{ "index.docker.io": {
Name: "task01", Type: config.DockerRegistryAuthTypeBasic,
Runtime: &config.Runtime{
Type: "pod",
Auth: &config.RegistryAuth{
Type: config.RegistryAuthTypeDefault,
Username: config.Value{Type: config.ValueTypeString, Value: "username"}, Username: config.Value{Type: config.ValueTypeString, Value: "username"},
Password: config.Value{Type: config.ValueTypeFromVariable, Value: "password"}, Password: config.Value{Type: config.ValueTypeFromVariable, Value: "password"},
}, },
"https://myregistry.example.com": {
Type: config.DockerRegistryAuthTypeBasic,
Username: config.Value{Type: config.ValueTypeString, Value: "username"},
Password: config.Value{Type: config.ValueTypeFromVariable, Value: "password"},
},
},
Tasks: []*config.Task{
&config.Task{
Name: "task01",
DockerRegistriesAuth: map[string]*config.DockerRegistryAuth{
"index.docker.io": {
Type: config.DockerRegistryAuthTypeBasic,
Username: config.Value{Type: config.ValueTypeFromVariable, Value: "registry_username"},
Password: config.Value{Type: config.ValueTypeString, Value: "password2"},
},
"https://anotherregistry.example.com": {
Type: config.DockerRegistryAuthTypeBasic,
Username: config.Value{Type: config.ValueTypeFromVariable, Value: "registry_username"},
Password: config.Value{Type: config.ValueTypeString, Value: "password2"},
},
},
Runtime: &config.Runtime{
Type: "pod",
Arch: "", Arch: "",
Containers: []*config.Container{ Containers: []*config.Container{
&config.Container{ &config.Container{
Image: "image01", Image: "image01",
Auth: &config.RegistryAuth{
Type: config.RegistryAuthTypeDefault,
Username: config.Value{Type: config.ValueTypeFromVariable, Value: "registry_username"},
Password: config.Value{Type: config.ValueTypeString, Value: "password2"},
},
}, },
}, },
}, },
@ -860,20 +884,33 @@ func TestGenRunConfig(t *testing.T) {
variables: map[string]string{ variables: map[string]string{
"variable01": "VARVALUE01", "variable01": "VARVALUE01",
"registry_username": "yourregistryusername", "registry_username": "yourregistryusername",
"password": "myregistrypassword",
}, },
out: map[string]*rstypes.RunConfigTask{ out: map[string]*rstypes.RunConfigTask{
uuid.New("task01").String(): &rstypes.RunConfigTask{ uuid.New("task01").String(): &rstypes.RunConfigTask{
ID: uuid.New("task01").String(), ID: uuid.New("task01").String(),
Name: "task01", Depends: map[string]*rstypes.RunConfigTaskDepend{}, Name: "task01", Depends: map[string]*rstypes.RunConfigTaskDepend{},
DockerRegistriesAuth: map[string]rstypes.DockerRegistryAuth{
"index.docker.io": {
Type: rstypes.DockerRegistryAuthTypeBasic,
Username: "yourregistryusername",
Password: "password2",
},
"https://myregistry.example.com": {
Type: rstypes.DockerRegistryAuthTypeBasic,
Username: "username",
Password: "myregistrypassword",
},
"https://anotherregistry.example.com": {
Type: rstypes.DockerRegistryAuthTypeBasic,
Username: "yourregistryusername",
Password: "password2",
},
},
Runtime: &rstypes.Runtime{Type: rstypes.RuntimeType("pod"), Runtime: &rstypes.Runtime{Type: rstypes.RuntimeType("pod"),
Containers: []*rstypes.Container{ Containers: []*rstypes.Container{
{ {
Image: "image01", Image: "image01",
Auth: &rstypes.RegistryAuth{
Type: rstypes.RegistryAuthTypeDefault,
Username: "yourregistryusername",
Password: "password2",
},
Environment: map[string]string{}, Environment: map[string]string{},
}, },
}, },

View File

@ -16,6 +16,8 @@ package driver
import ( import (
"context" "context"
"encoding/base64"
"encoding/json"
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
@ -25,6 +27,7 @@ import (
"time" "time"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sorintlab/agola/internal/services/runservice/executor/registry"
"github.com/docker/docker/api/types" "github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container" "github.com/docker/docker/api/types/container"
@ -116,9 +119,25 @@ func (d *DockerDriver) NewPod(ctx context.Context, podConfig *PodConfig, out io.
containerConfig := podConfig.Containers[0] containerConfig := podConfig.Containers[0]
regName, err := registry.GetRegistry(containerConfig.Image)
if err != nil {
return nil, err
}
var registryAuth registry.DockerConfigAuth
if podConfig.DockerConfig != nil {
if regauth, ok := podConfig.DockerConfig.Auths[regName]; ok {
registryAuth = regauth
}
}
buf, err := json.Marshal(registryAuth)
if err != nil {
return nil, err
}
registryAuthEnc := base64.URLEncoding.EncodeToString(buf)
// by default always try to pull the image so we are sure only authorized users can fetch them // by default always try to pull the image so we are sure only authorized users can fetch them
// see https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages // see https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages
reader, err := d.client.ImagePull(ctx, containerConfig.Image, types.ImagePullOptions{RegistryAuth: containerConfig.RegistryAuth}) reader, err := d.client.ImagePull(ctx, containerConfig.Image, types.ImagePullOptions{RegistryAuth: registryAuthEnc})
if err != nil { if err != nil {
return nil, err return nil, err
} }

View File

@ -17,6 +17,8 @@ package driver
import ( import (
"context" "context"
"io" "io"
"github.com/sorintlab/agola/internal/services/runservice/executor/registry"
) )
const ( const (
@ -68,6 +70,7 @@ type PodConfig struct {
Labels map[string]string Labels map[string]string
// The container dir where the init volume will be mounted // The container dir where the init volume will be mounted
InitVolumeDir string InitVolumeDir string
DockerConfig *registry.DockerConfig
} }
type ContainerConfig struct { type ContainerConfig struct {
@ -77,7 +80,6 @@ type ContainerConfig struct {
Image string Image string
User string User string
Privileged bool Privileged bool
RegistryAuth string
} }
type ExecConfig struct { type ExecConfig struct {

View File

@ -37,6 +37,7 @@ import (
slog "github.com/sorintlab/agola/internal/log" slog "github.com/sorintlab/agola/internal/log"
"github.com/sorintlab/agola/internal/services/config" "github.com/sorintlab/agola/internal/services/config"
"github.com/sorintlab/agola/internal/services/runservice/executor/driver" "github.com/sorintlab/agola/internal/services/runservice/executor/driver"
"github.com/sorintlab/agola/internal/services/runservice/executor/registry"
rsapi "github.com/sorintlab/agola/internal/services/runservice/scheduler/api" rsapi "github.com/sorintlab/agola/internal/services/runservice/scheduler/api"
"github.com/sorintlab/agola/internal/services/runservice/types" "github.com/sorintlab/agola/internal/services/runservice/types"
"github.com/sorintlab/agola/internal/util" "github.com/sorintlab/agola/internal/util"
@ -795,7 +796,7 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
log.Debugf("starting pod") log.Debugf("starting pod")
registryAuth, err := registryAuthToken(et.Containers[0].Auth) dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image})
if err != nil { if err != nil {
return err return err
} }
@ -803,6 +804,7 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
podConfig := &driver.PodConfig{ podConfig := &driver.PodConfig{
Labels: createTaskLabels(et.ID), Labels: createTaskLabels(et.ID),
InitVolumeDir: toolboxContainerDir, InitVolumeDir: toolboxContainerDir,
DockerConfig: dockerConfig,
Containers: []*driver.ContainerConfig{ Containers: []*driver.ContainerConfig{
{ {
Image: et.Containers[0].Image, Image: et.Containers[0].Image,
@ -810,7 +812,6 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
Env: et.Containers[0].Environment, Env: et.Containers[0].Environment,
User: et.Containers[0].User, User: et.Containers[0].User,
Privileged: et.Containers[0].Privileged, Privileged: et.Containers[0].Privileged,
RegistryAuth: registryAuth,
}, },
}, },
} }

View File

@ -1,47 +0,0 @@
// Copyright 2019 Sorint.lab
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied
// See the License for the specific language governing permissions and
// limitations under the License.
package executor
import (
"encoding/base64"
"encoding/json"
"github.com/sorintlab/agola/internal/services/runservice/types"
dtypes "github.com/docker/docker/api/types"
"github.com/pkg/errors"
)
func registryAuthToken(auth *types.RegistryAuth) (string, error) {
if auth == nil {
return "", nil
}
switch auth.Type {
case types.RegistryAuthTypeDefault:
authConfig := dtypes.AuthConfig{
Username: auth.Username,
Password: auth.Password,
}
authConfigj, err := json.Marshal(authConfig)
if err != nil {
panic(err)
}
return base64.URLEncoding.EncodeToString(authConfigj), nil
default:
return "", errors.Errorf("unsupported registry auth type %q", auth.Type)
}
}

View File

@ -0,0 +1,139 @@
// Copyright 2019 Sorint.lab
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied
// See the License for the specific language governing permissions and
// limitations under the License.
package registry
import (
"encoding/base64"
"fmt"
"strings"
"github.com/pkg/errors"
"github.com/sorintlab/agola/internal/services/runservice/types"
"github.com/google/go-containerregistry/pkg/name"
)
//func registryAuthToken(auth *types.DockerRegistryAuth) (string, error) {
// if auth == nil {
// return "", nil
// }
//
// switch auth.Type {
// case types.DockerRegistryAuthTypeBasic:
// authConfig := dtypes.AuthConfig{
// Username: auth.Username,
// Password: auth.Password,
// }
// authConfigj, err := json.Marshal(authConfig)
// if err != nil {
// panic(err)
// }
// return base64.URLEncoding.EncodeToString(authConfigj), nil
//
// default:
// return "", errors.Errorf("unsupported registry auth type %q", auth.Type)
// }
//}
// Docker config represents the docker config.json format. We only consider the "auths" part
type DockerConfig struct {
Auths map[string]DockerConfigAuth `json:"auths,omitempty"`
}
// Docker config represents the docker config.json auth part. We only consider the "auth" token part
type DockerConfigAuth struct {
Username string `json:"username,omitempty"`
Password string `json:"password,omitempty"`
Auth string `json:"auth,omitempty"`
}
// There are a variety of ways a domain may get qualified within the Docker credential file.
// We enumerate them here as format strings.
var (
domainForms = []string{
// Allow naked domains
"%s",
// Allow scheme-prefixed.
"https://%s",
"http://%s",
// Allow scheme-prefixes with version in url path.
"https://%s/v1/",
"http://%s/v1/",
"https://%s/v2/",
"http://%s/v2/",
}
)
func GetRegistry(image string) (string, error) {
ref, err := name.ParseReference(image, name.WeakValidation)
if err != nil {
return "", err
}
regName := ref.Context().RegistryStr()
return regName, nil
}
// ResolveAuth resolves the auth username and password for the provided registry name
func ResolveAuth(auths map[string]types.DockerRegistryAuth, regname string) (string, string, error) {
if auths != nil {
for _, form := range domainForms {
if auth, ok := auths[fmt.Sprintf(form, regname)]; ok {
switch auth.Type {
case types.DockerRegistryAuthTypeEncodedAuth:
decoded, err := base64.StdEncoding.DecodeString(auth.Auth)
if err != nil {
return "", "", errors.Wrapf(err, "failed to decode docker auth")
}
parts := strings.Split(string(decoded), ":")
if len(parts) != 2 {
return "", "", errors.Wrapf(err, "wrong docker auth")
}
return parts[0], parts[1], nil
case types.DockerRegistryAuthTypeBasic:
return auth.Username, auth.Password, nil
default:
return "", "", fmt.Errorf("unsupported auth type %q", auth.Type)
}
}
}
}
return "", "", nil
}
func GenDockerConfig(auths map[string]types.DockerRegistryAuth, images []string) (*DockerConfig, error) {
dockerConfig := &DockerConfig{Auths: make(map[string]DockerConfigAuth)}
for _, image := range images {
ref, err := name.ParseReference(image, name.WeakValidation)
if err != nil {
return nil, err
}
regName := ref.Context().RegistryStr()
if _, ok := dockerConfig.Auths[regName]; ok {
continue
}
username, password, err := ResolveAuth(auths, regName)
if err != nil {
return nil, errors.Wrapf(err, "failed to resolve auth")
}
delimited := fmt.Sprintf("%s:%s", username, password)
auth := base64.StdEncoding.EncodeToString([]byte(delimited))
dockerConfig.Auths[regName] = DockerConfigAuth{Username: username, Password: password, Auth: auth}
}
return dockerConfig, nil
}

View File

@ -335,6 +335,7 @@ func (s *Scheduler) genExecutorTask(ctx context.Context, r *types.Run, rt *types
Steps: make([]*types.ExecutorTaskStepStatus, len(rct.Steps)), Steps: make([]*types.ExecutorTaskStepStatus, len(rct.Steps)),
ExecutorID: executor.ID, ExecutorID: executor.ID,
}, },
DockerRegistriesAuth: rct.DockerRegistriesAuth,
} }
for i := range et.Status.Steps { for i := range et.Status.Steps {

View File

@ -330,6 +330,7 @@ type RunConfigTask struct {
IgnoreFailure bool `json:"ignore_failure,omitempty"` IgnoreFailure bool `json:"ignore_failure,omitempty"`
NeedsApproval bool `json:"needs_approval,omitempty"` NeedsApproval bool `json:"needs_approval,omitempty"`
Skip bool `json:"skip,omitempty"` Skip bool `json:"skip,omitempty"`
DockerRegistriesAuth map[string]DockerRegistryAuth `json:"docker_registries_auth"`
} }
type RunConfigTaskDependCondition string type RunConfigTaskDependCondition string
@ -351,18 +352,24 @@ const (
RuntimeTypePod RuntimeType = "pod" RuntimeTypePod RuntimeType = "pod"
) )
type RegistryAuthType string type DockerRegistryAuthType string
const ( const (
RegistryAuthTypeDefault RegistryAuthType = "default" DockerRegistryAuthTypeBasic DockerRegistryAuthType = "basic"
DockerRegistryAuthTypeEncodedAuth DockerRegistryAuthType = "encodedauth"
) )
type RegistryAuth struct { type DockerRegistryAuth struct {
Type RegistryAuthType `json:"type,omitempty"` Type DockerRegistryAuthType `json:"type"`
// default auth // basic auth
Username string `json:"username,omitempty"` Username string `json:"username"`
Password string `json:"password,omitempty"` Password string `json:"password"`
// encoded auth string
Auth string `json:"auth"`
// future auths like aws ecr auth
} }
type Runtime struct { type Runtime struct {
@ -502,6 +509,8 @@ type ExecutorTask struct {
User string `json:"user,omitempty"` User string `json:"user,omitempty"`
Privileged bool `json:"privileged"` Privileged bool `json:"privileged"`
DockerRegistriesAuth map[string]DockerRegistryAuth `json:"docker_registries_auth"`
Steps []interface{} `json:"steps,omitempty"` Steps []interface{} `json:"steps,omitempty"`
Status ExecutorTaskStatus `json:"status,omitempty"` Status ExecutorTaskStatus `json:"status,omitempty"`
@ -540,7 +549,6 @@ type ExecutorTaskStepStatus struct {
type Container struct { type Container struct {
Image string `json:"image,omitempty"` Image string `json:"image,omitempty"`
Auth *RegistryAuth `json:"auth,omitempty"`
Environment map[string]string `json:"environment,omitempty"` Environment map[string]string `json:"environment,omitempty"`
User string `json:"user,omitempty"` User string `json:"user,omitempty"`
Privileged bool `json:"privileged"` Privileged bool `json:"privileged"`