Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use basic auth when token endpoint is not found #262

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Use basic auth when token endpoint is not found #262

wants to merge 1 commit into from

Conversation

paulwilljones
Copy link
Contributor

@paulwilljones paulwilljones commented Aug 29, 2024
edited
Loading

Fixes #261

@paulwilljones
Copy link
Contributor Author

For the added header:

$ k logs -n version-checker version-checker-7db59c4996-s5bvt
time="2024-08-29T09:17:36Z" level=info msg="serving metrics on [::]:8080/metrics" module=metrics
time="2024-08-29T09:17:36Z" level=warning msg="Token endpoint not found, using basic auth: http://docker-registry.registry.svc.cluster.local:5000/v2/token 404 page not found\n"
time="2024-08-29T09:17:36Z" level=info msg="flag --test-all-containers=false only containers with the annotation \"enable.version-checker.io/${my-container}=true\" will be parsed"
time="2024-08-29T09:17:36Z" level=info msg="starting control loop" module=controller
time="2024-08-29T09:17:36Z" level=info msg="starting workers" module=controller
time="2024-08-29T09:17:36Z" level=info msg="starting cache garbage collector" cache=garbage_collector module=search
time="2024-08-29T09:17:36Z" level=info msg="starting cache garbage collector" cache=garbage_collector module=version_getter
time="2024-08-29T09:17:36Z" level=error msg="docker-registry.registry.svc.cluster.local:5000/v2/version-checker/manifests/0.0.2: failed to get manifest response for tag, skipping (404): {\"errors\":[{\"code\":\"MANIFEST_UNK
NOWN\",\"message\":\"OCI manifest found, but accept header does not support OCI manifests\"}]}\n" client="http://docker-registry.registry.svc.cluster.local:5000"
$ curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -i http://XXXXX:XXXXX@localhost:30000/v2/my-app/manifests/0.0.1
HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Thu, 29 Aug 2024 10:13:31 GMT
Content-Length: 122

{"errors":[{"code":"MANIFEST_UNKNOWN","message":"OCI manifest found, but accept header does not support OCI manifests"}]}
$ curl -H "Accept: application/vnd.oci.image.manifest.v1+json" -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -i http://XXXXX:XXXXX@localhost:30000/v2/my-app/manifests/0.0.1
HTTP/1.1 200 OK
Content-Length: 1963
Content-Type: application/vnd.oci.image.manifest.v1+json
Docker-Content-Digest: sha256:c254d4bff1b77f2f5917430012f4f5c06af0126130ad80406459ec40743863f4
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:c254d4bff1b77f2f5917430012f4f5c06af0126130ad80406459ec40743863f4"
X-Content-Type-Options: nosniff
Date: Thu, 29 Aug 2024 10:12:59 GMT

{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":7497,"digest":"sha256:4e2a815822ff2c274d1e7ee8f75f65c18a654fee801e92016f5209e111e687fe"},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","size":29156528,"digest":"sha256:aa6fbc30c84e14e64571d3d7b547ea801dfca8a7bd74bd930b5ea5de3eb2f442"},{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","size":38508978,"digest":"sha256:c28fc33dc48c8c1d3d0ea444d5e08ab2c6463c0cd3457a62fc9b659b0dc7087e"},{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","size":628,"digest":"sha256:08fb08230766a3ac4a46f150b2bd696545690e6709b85ed0fec98fae8e13971f"},{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","size":956,"digest":"sha256:d2983a84b0c413175417075abc6d8937a5a163e0a1476194e0049d7e0b1f8ee5"},{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","size":394,"digest":"sha256:9f4e0339472051f950bb5ea2f8160351f0db13fa1bdaf470dcfda0651b5f4a53"},{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","size":1211,"digest":"sha256:522e88f665e733eb8993ee345f7f7ef4fe370467e6b358ca3a9a7848a87fb198"},{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","size":1399,"digest":"sha256:d964500c63bd5daea3c93fdc7fdf6848ed68617214040a3937a2602def43273a"}],"annotations":{"com.docker.official-images.bashbrew.arch":"arm64v8","org.opencontainers.image.base.digest":"sha256:19641d0a8330497653423d04744b1c92300f64dadbdd830172d98af7353592bb","org.opencontainers.image.base.name":"debian:bookworm-slim","org.opencontainers.image.created":"2024-08-14T21:31:12Z","org.opencontainers.image.revision":"e78cf70ce7b73a0c9ea734c9cf8aaaa283c1cc5a","org.opencontainers.image.source":"https://github.com/nginxinc/docker-nginx.git#e78cf70ce7b73a0c9ea734c9cf8aaaa283c1cc5a:mainline/debian","org.opencontainers.image.url":"https://hub.docker.com/_/nginx","org.opencontainers.image.version":"1.27.1"}}

davidcollom
davidcollom requested changes Aug 31, 2024
View reviewed changes
Copy link
Collaborator

@davidcollom davidcollom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, left a few comments/considerations. Be nice to get some unit tests but the logic seems fairly straightforward

pkg/client/selfhosted/selfhosted.go
if len(header) > 0 {
req.Header.Set("Accept", header)
req.Header.Set("Accept", ociV1Header)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't this override the line above?

pkg/client/selfhosted/selfhosted.go
@@ -245,9 +248,13 @@ func (c *Client) doRequest(ctx context.Context, url, header string, obj interfac
req = req.WithContext(ctx)
if len(c.Bearer) > 0 {
req.Header.Add("Authorization", "Bearer "+c.Bearer)
} else {
req.SetBasicAuth(c.Username, c.Password)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we should check the existence of anything in username/password here? Incase someone is using a fully public endpoint/registry

davidcollom
davidcollom reviewed Sep 2, 2024
View reviewed changes
pkg/client/selfhosted/selfhosted.go
@@ -31,6 +31,7 @@ const (

// HTTP headers to request API version
dockerAPIv1Header = "application/vnd.docker.distribution.manifest.v1+json"
ociV1Header = "application/vnd.oci.image.manifest.v1+json"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to be careful here also, as the responses could be different on OCI manifests too.. maybe we should include this in a separate pr incase if rollback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidcollom davidcollom davidcollom requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] Self Hosted Token authentication
2 participants
@paulwilljones @davidcollom