Use local auth file if present for pulling images

operator-framework · Oct 4, 2024 · 33f8089 · 33f8089
1 parent 92edf48
commit 33f8089
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 41 deletions.
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -227,12 +227,21 @@ func main() {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: filepath.Join(cachePath, "unpack"),
- SourceContext: &types.SystemContext{
- DockerCertPath: caCertDir,
- OCICertPath: caCertDir,
- AuthFilePath: authFilePathIfPresent(setupLog),
- },
- }
+ SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) {
+ srcContext := &types.SystemContext{
+ DockerCertPath: caCertDir,
+ OCICertPath: caCertDir,
+ }
+ if _, err := os.Stat(authFilePath); err == nil {
+ logger.Info("using available authentication information for pulling image")
+ srcContext.AuthFilePath = authFilePath
+ } else if os.IsNotExist(err) {
+ logger.Info("no authentication information found for pulling image, proceeding without auth")
+ } else {
+ return nil, fmt.Errorf("could not stat auth file, error: %w", err)
+ }
+ return srcContext, nil
+ }}
 
  clusterExtensionFinalizers := crfinalizer.NewFinalizers()
  if err := clusterExtensionFinalizers.Register(controllers.ClusterExtensionCleanupUnpackCacheFinalizer, finalizers.FinalizerFunc(func(ctx context.Context, obj client.Object) (crfinalizer.Result, error) {
@@ -348,17 +357,3 @@ func main() {
  os.Exit(1)
  }
 }
-
-func authFilePathIfPresent(logger logr.Logger) string {
- _, err := os.Stat(authFilePath)
- if os.IsNotExist(err) {
- logger.Info("auth file not found, skipping configuration of global auth file", "path", authFilePath)
- return ""
- }
- if err != nil {
- logger.Error(err, "unable to access auth file path", "path", authFilePath)
- os.Exit(1)
- }
- logger.Info("auth file found, configuring globally for image registry interactions", "path", authFilePath)
- return authFilePath
-}
diff --git a/internal/rukpak/source/containers_image.go b/internal/rukpak/source/containers_image.go
@@ -26,8 +26,8 @@ import (
 )
 
 type ContainersImageRegistry struct {
- BaseCachePath string
- SourceContext *types.SystemContext
+ BaseCachePath  string
+ SourceContextFunc func(logger logr.Logger) (*types.SystemContext, error)
 }
 
 func (i *ContainersImageRegistry) Unpack(ctx context.Context, bundle *BundleSource) (*Result, error) {
@@ -41,12 +41,16 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, bundle *BundleSour
  return nil, reconcile.TerminalError(fmt.Errorf("error parsing bundle, bundle %s has a nil image source", bundle.Name))
  }
 
+ srcCtx, err := i.SourceContextFunc(l)
+ if err != nil {
+ return nil, err
+ }
  //////////////////////////////////////////////////////
  //
  // Resolve a canonical reference for the image.
  //
  //////////////////////////////////////////////////////
- imgRef, canonicalRef, _, err := resolveReferences(ctx, bundle.Image.Ref, i.SourceContext)
+ imgRef, canonicalRef, _, err := resolveReferences(ctx, bundle.Image.Ref, srcCtx)
  if err != nil {
  return nil, err
  }
@@ -102,7 +106,7 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, bundle *BundleSour
  // a policy context for the image pull.
  //
  //////////////////////////////////////////////////////
- policyContext, err := loadPolicyContext(i.SourceContext, l)
+ policyContext, err := loadPolicyContext(srcCtx, l)
  if err != nil {
  return nil, fmt.Errorf("error loading policy context: %w", err)
  }
@@ -118,7 +122,7 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, bundle *BundleSour
  //
  //////////////////////////////////////////////////////
  if _, err := copy.Image(ctx, policyContext, layoutRef, dockerRef, &copy.Options{
- SourceCtx: i.SourceContext,
+ SourceCtx: srcCtx,
  }); err != nil {
  return nil, fmt.Errorf("error copying image: %w", err)
  }
@@ -129,7 +133,7 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, bundle *BundleSour
  // Mount the image we just pulled
  //
  //////////////////////////////////////////////////////
- if err := i.unpackImage(ctx, unpackPath, layoutRef); err != nil {
+ if err := i.unpackImage(ctx, unpackPath, layoutRef, srcCtx); err != nil {
  if cleanupErr := deleteRecursive(unpackPath); cleanupErr != nil {
  err = errors.Join(err, cleanupErr)
  }
@@ -225,8 +229,8 @@ func loadPolicyContext(sourceContext *types.SystemContext, l logr.Logger) (*sign
  return signature.NewPolicyContext(policy)
 }
 
-func (i *ContainersImageRegistry) unpackImage(ctx context.Context, unpackPath string, imageReference types.ImageReference) error {
- img, err := imageReference.NewImage(ctx, i.SourceContext)
+func (i *ContainersImageRegistry) unpackImage(ctx context.Context, unpackPath string, imageReference types.ImageReference, sourceContext *types.SystemContext) error {
+ img, err := imageReference.NewImage(ctx, sourceContext)
  if err != nil {
  return fmt.Errorf("error reading image: %w", err)
  }
@@ -236,7 +240,7 @@ func (i *ContainersImageRegistry) unpackImage(ctx context.Context, unpackPath st
  }
  }()
 
- layoutSrc, err := imageReference.NewImageSource(ctx, i.SourceContext)
+ layoutSrc, err := imageReference.NewImageSource(ctx, sourceContext)
  if err != nil {
  return fmt.Errorf("error creating image source: %w", err)
  }

diff --git a/internal/rukpak/source/containers_image_test.go b/internal/rukpak/source/containers_image_test.go
@@ -14,6 +14,7 @@ import (
  "github.com/containers/image/v5/docker/reference"
  "github.com/containers/image/v5/pkg/sysregistriesv2"
  "github.com/containers/image/v5/types"
+ "github.com/go-logr/logr"
  "github.com/google/go-containerregistry/pkg/crane"
  "github.com/google/go-containerregistry/pkg/registry"
  "github.com/opencontainers/go-digest"
@@ -35,7 +36,9 @@ func TestUnpackValidInsecure(t *testing.T) {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: t.TempDir(),
- SourceContext: buildPullContext(t, imageTagRef),
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return buildPullContext(t, imageTagRef)
+ },
  }
  bundleSource := &source.BundleSource{
  Name: "test-bundle",
@@ -70,7 +73,9 @@ func TestUnpackValidUsesCache(t *testing.T) {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: t.TempDir(),
- SourceContext: buildPullContext(t, imageDigestRef),
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return buildPullContext(t, imageDigestRef)
+ },
  }
 
  bundleSource := &source.BundleSource{
@@ -103,7 +108,9 @@ func TestUnpackCacheCheckError(t *testing.T) {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: t.TempDir(),
- SourceContext: buildPullContext(t, imageTagRef),
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return buildPullContext(t, imageTagRef)
+ },
  }
  bundleSource := &source.BundleSource{
  Name: "test-bundle",
@@ -132,7 +139,9 @@ func TestUnpackNameOnlyImageReference(t *testing.T) {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: t.TempDir(),
- SourceContext: buildPullContext(t, imageTagRef),
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return buildPullContext(t, imageTagRef)
+ },
  }
  bundleSource := &source.BundleSource{
  Name: "test-bundle",
@@ -154,7 +163,9 @@ func TestUnpackUnservedTaggedImageReference(t *testing.T) {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: t.TempDir(),
- SourceContext: buildPullContext(t, imageTagRef),
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return buildPullContext(t, imageTagRef)
+ },
  }
  bundleSource := &source.BundleSource{
  Name: "test-bundle",
@@ -176,7 +187,9 @@ func TestUnpackUnservedCanonicalImageReference(t *testing.T) {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: t.TempDir(),
- SourceContext: buildPullContext(t, imageTagRef),
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return buildPullContext(t, imageTagRef)
+ },
  }
 
  origRef := imageDigestRef.String()
@@ -232,7 +245,11 @@ func TestUnpackInvalidNilImage(t *testing.T) {
 }
 
 func TestUnpackInvalidImageRef(t *testing.T) {
- unpacker := &source.ContainersImageRegistry{}
+ unpacker := &source.ContainersImageRegistry{
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return &types.SystemContext{}, nil
+ },
+ }
  // Create BundleSource with malformed image reference
  bundleSource := &source.BundleSource{
  Name: "test-bundle",
@@ -256,7 +273,9 @@ func TestUnpackUnexpectedFile(t *testing.T) {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: t.TempDir(),
- SourceContext: buildPullContext(t, imageTagRef),
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return buildPullContext(t, imageTagRef)
+ },
  }
  bundleSource := &source.BundleSource{
  Name: "test-bundle",
@@ -281,7 +300,9 @@ func TestUnpackCopySucceedsMountFails(t *testing.T) {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: t.TempDir(),
- SourceContext: buildPullContext(t, imageTagRef),
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return buildPullContext(t, imageTagRef)
+ },
  }
  bundleSource := &source.BundleSource{
  Name: "test-bundle",
@@ -306,7 +327,9 @@ func TestCleanup(t *testing.T) {
 
  unpacker := &source.ContainersImageRegistry{
  BaseCachePath: t.TempDir(),
- SourceContext: buildPullContext(t, imageTagRef),
+ SourceContextFunc: func(_ logr.Logger) (*types.SystemContext, error) {
+ return buildPullContext(t, imageTagRef)
+ },
  }
  bundleSource := &source.BundleSource{
  Name: "test-bundle",
@@ -360,7 +383,7 @@ func newReference(host, repo, tag string) (reference.NamedTagged, error) {
  return reference.WithTag(ref, tag)
 }
 
-func buildPullContext(t *testing.T, ref reference.Named) *types.SystemContext {
+func buildPullContext(t *testing.T, ref reference.Named) (*types.SystemContext, error) {
  // Build a containers/image context that allows pulling from the test registry insecurely
  registriesConf := sysregistriesv2.V2RegistriesConf{Registries: []sysregistriesv2.Registry{
  {
@@ -382,5 +405,5 @@ func buildPullContext(t *testing.T, ref reference.Named) *types.SystemContext {
 
  return &types.SystemContext{
  SystemRegistriesConfPath: registriesConfPath,
- }
+ }, nil
 }