Pick up per-repository auth changes from go-containerregistry (#1939)
parent
99a09a7153
commit
09e70e44d9
2
go.mod
2
go.mod
|
|
@ -24,7 +24,7 @@ require (
|
|||
github.com/godbus/dbus/v5 v5.0.6 // indirect
|
||||
github.com/golang/mock v1.6.0
|
||||
github.com/google/go-cmp v0.5.7
|
||||
github.com/google/go-containerregistry v0.8.1-0.20220128225446-c63684ed5f15
|
||||
github.com/google/go-containerregistry v0.8.1-0.20220214202839-625fe7b4276a
|
||||
github.com/google/go-github v17.0.0+incompatible
|
||||
github.com/google/slowjam v1.0.0
|
||||
github.com/karrick/godirwalk v1.16.1
|
||||
|
|
|
|||
2
go.sum
2
go.sum
|
|
@ -807,6 +807,8 @@ github.com/google/go-containerregistry v0.1.2/go.mod h1:GPivBPgdAyd2SU+vf6EpsgOt
|
|||
github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
|
||||
github.com/google/go-containerregistry v0.8.1-0.20220128225446-c63684ed5f15 h1:yzCJSh/ZFHLiZ92yidtkRRENjtJML4teFEch7vzuL+U=
|
||||
github.com/google/go-containerregistry v0.8.1-0.20220128225446-c63684ed5f15/go.mod h1:cwx3SjrH84Rh9VFJSIhPh43ovyOp3DCWgY3h8nWmdGQ=
|
||||
github.com/google/go-containerregistry v0.8.1-0.20220214202839-625fe7b4276a h1:dc718J30nnewleBWCCDQXgpWeZWp17cgTmw6mpbF0xM=
|
||||
github.com/google/go-containerregistry v0.8.1-0.20220214202839-625fe7b4276a/go.mod h1:cwx3SjrH84Rh9VFJSIhPh43ovyOp3DCWgY3h8nWmdGQ=
|
||||
github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
|
||||
github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
|
||||
github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM=
|
||||
|
|
|
|||
|
|
@ -114,20 +114,27 @@ func (dk *defaultKeychain) Resolve(target Resource) (Authenticator, error) {
|
|||
// See:
|
||||
// https://github.com/google/ko/issues/90
|
||||
// https://github.com/moby/moby/blob/fc01c2b481097a6057bec3cd1ab2d7b4488c50c4/registry/config.go#L397-L404
|
||||
key := target.RegistryStr()
|
||||
if key == name.DefaultRegistry {
|
||||
key = DefaultAuthKey
|
||||
}
|
||||
var cfg, empty types.AuthConfig
|
||||
for _, key := range []string{
|
||||
target.String(),
|
||||
target.RegistryStr(),
|
||||
} {
|
||||
if key == name.DefaultRegistry {
|
||||
key = DefaultAuthKey
|
||||
}
|
||||
|
||||
cfg, err := cf.GetAuthConfig(key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
cfg, err = cf.GetAuthConfig(key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if cfg != empty {
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
empty := types.AuthConfig{}
|
||||
if cfg == empty {
|
||||
return Anonymous, nil
|
||||
}
|
||||
|
||||
return FromConfig(AuthConfig{
|
||||
Username: cfg.Username,
|
||||
Password: cfg.Password,
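Review bot: The fallback from `target.String()` to `target.RegistryStr()` hinges on `cfg != empty`, which compares every field of `types.AuthConfig`, not just the credential fields. If `GetAuthConfig` ever returns a value with no credentials but some other field populated (not visible in this hunk), the loop would `break` on the repository key and the registry-level entry would never be consulted. Comparing only the credential-bearing fields, or clearing the non-credential ones before the test, would make the fallback robust. Separately, `return nil, err` inside the loop means an error on the more specific key aborts resolution instead of falling through to the registry key; a comment such as `// A lookup error on any key is fatal; do not fall through.` would record that this is intended. Resolve starts and ends outside the hunk.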
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ import (
|
|||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"time"
|
||||
|
||||
|
|
@ -155,7 +154,7 @@ func (gs gcloudSource) Token() (*oauth2.Token, error) {
|
|||
cmd.Stdout = &out
|
||||
|
||||
// Don't attempt to interpret stderr, just pass it through.
|
||||
cmd.Stderr = os.Stderr
|
||||
cmd.Stderr = logs.Warn.Writer()
|
||||
|
||||
if err := cmd.Run(); err != nil {
|
||||
return nil, fmt.Errorf("error executing `gcloud config config-helper`: %w", err)
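Review bot: With `cmd.Stderr = logs.Warn.Writer()` the output of `gcloud config config-helper` is only visible when the caller has pointed the Warn logger at a real sink; if that logger discards by default (not shown here), a failed token fetch surfaces only as the wrapped exit error and the cause is lost to operators. The comment above the assignment still says "just pass it through", which no longer describes the line; it should read something like `// Don't attempt to interpret stderr, send it to the warning log.`. Token() starts and ends outside the hunk.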
|
||||
|
|
|
|||
|
|
@ -15,11 +15,11 @@
|
|||
package google
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/google/go-containerregistry/pkg/authn"
|
||||
"github.com/google/go-containerregistry/pkg/logs"
|
||||
)
|
||||
|
||||
// Keychain exports an instance of the google Keychain.
|
||||
|
|
@ -28,7 +28,6 @@ var Keychain authn.Keychain = &googleKeychain{}
|
|||
type googleKeychain struct {
|
||||
once sync.Once
|
||||
auth authn.Authenticator
|
||||
err error
|
||||
}
|
||||
|
||||
// Resolve implements authn.Keychain a la docker-credential-gcr.
|
||||
|
|
@ -55,27 +54,37 @@ type googleKeychain struct {
|
|||
func (gk *googleKeychain) Resolve(target authn.Resource) (authn.Authenticator, error) {
|
||||
// Only authenticate GCR and AR so it works with authn.NewMultiKeychain to fallback.
|
||||
host := target.RegistryStr()
|
||||
if host != "gcr.io" && !strings.HasSuffix(host, ".gcr.io") && !strings.HasSuffix(host, ".pkg.dev") && !strings.HasSuffix(host, ".google.com") {
|
||||
if host != "gcr.io" &&
|
||||
!strings.HasSuffix(host, ".gcr.io") &&
|
||||
!strings.HasSuffix(host, ".pkg.dev") &&
|
||||
!strings.HasSuffix(host, ".google.com") {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
|
||||
gk.once.Do(func() {
|
||||
gk.auth, gk.err = resolve()
|
||||
gk.auth = resolve()
|
||||
})
|
||||
|
||||
return gk.auth, gk.err
|
||||
return gk.auth, nil
|
||||
}
|
||||
|
||||
func resolve() (authn.Authenticator, error) {
|
||||
func resolve() authn.Authenticator {
|
||||
auth, envErr := NewEnvAuthenticator()
|
||||
if envErr == nil {
|
||||
return auth, nil
|
||||
if envErr == nil && auth != authn.Anonymous {
|
||||
return auth
|
||||
}
|
||||
|
||||
auth, gErr := NewGcloudAuthenticator()
|
||||
if gErr == nil {
|
||||
return auth, nil
|
||||
if gErr == nil && auth != authn.Anonymous {
|
||||
return auth
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("failed to create token source from env: %v or gcloud: %v", envErr, gErr) //nolint: errorlint
|
||||
logs.Debug.Println("Failed to get any Google credentials, falling back to Anonymous")
|
||||
if envErr != nil {
|
||||
logs.Debug.Printf("Google env error: %v", envErr)
|
||||
}
|
||||
if gErr != nil {
|
||||
logs.Debug.Printf("gcloud error: %v", gErr)
|
||||
}
|
||||
return authn.Anonymous
|
||||
}
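Review bot: resolve() now turns every credential failure into `authn.Anonymous`, and because the result is stored under `gk.once.Do`, a transient failure on the first call leaves the keychain anonymous for the rest of the process. The downgrade is reported only at Debug level, so a later authorization failure from the registry has no visible cause; `logs.Warn.Println("Failed to get any Google credentials, falling back to Anonymous")` would make it visible at the default verbosity. If caching a failed lookup for the process lifetime is not intended, only a successful authenticator should be memoised. resolve() also has no doc comment; it should state the order tried (environment, then gcloud) and that it never returns an error.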
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ package tarball
|
|||
import (
|
||||
"bytes"
|
||||
"compress/gzip"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
|
|
@ -39,6 +40,7 @@ type layer struct {
|
|||
compression int
|
||||
annotations map[string]string
|
||||
estgzopts []estargz.Option
|
||||
mediaType types.MediaType
|
||||
}
|
||||
|
||||
// Descriptor implements partial.withDescriptor.
|
||||
|
|
@ -51,7 +53,7 @@ func (l *layer) Descriptor() (*v1.Descriptor, error) {
|
|||
Size: l.size,
|
||||
Digest: digest,
|
||||
Annotations: l.annotations,
|
||||
MediaType: types.DockerLayer,
|
||||
MediaType: l.mediaType,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
|
@ -82,7 +84,7 @@ func (l *layer) Size() (int64, error) {
|
|||
|
||||
// MediaType implements v1.Layer
|
||||
func (l *layer) MediaType() (types.MediaType, error) {
|
||||
return types.DockerLayer, nil
|
||||
return l.mediaType, nil
|
||||
}
|
||||
|
||||
// LayerOption applies options to layer
|
||||
|
|
@ -96,6 +98,13 @@ func WithCompressionLevel(level int) LayerOption {
|
|||
}
|
||||
}
|
||||
|
||||
// WithMediaType is a functional option for overriding the layer's media type.
|
||||
func WithMediaType(mt types.MediaType) LayerOption {
|
||||
return func(l *layer) {
|
||||
l.mediaType = mt
|
||||
}
|
||||
}
|
||||
|
||||
// WithCompressedCaching is a functional option that overrides the
|
||||
// logic for accessing the compressed bytes to memoize the result
|
||||
// and avoid expensive repeated gzips.
|
||||
|
|
@ -204,6 +213,7 @@ func LayerFromOpener(opener Opener, opts ...LayerOption) (v1.Layer, error) {
|
|||
layer := &layer{
|
||||
compression: gzip.BestSpeed,
|
||||
annotations: make(map[string]string, 1),
|
||||
mediaType: types.DockerLayer,
|
||||
}
|
||||
|
||||
if estgz := os.Getenv("GGCR_EXPERIMENT_ESTARGZ"); estgz == "1" {
|
||||
|
|
@ -249,15 +259,19 @@ func LayerFromOpener(opener Opener, opts ...LayerOption) (v1.Layer, error) {
|
|||
}
|
||||
|
||||
// LayerFromReader returns a v1.Layer given a io.Reader.
|
||||
//
|
||||
// The reader's contents are read and buffered to a temp file in the process.
|
||||
//
|
||||
// Deprecated: Use LayerFromOpener or stream.NewLayer instead, if possible.
|
||||
func LayerFromReader(reader io.Reader, opts ...LayerOption) (v1.Layer, error) {
|
||||
// Buffering due to Opener requiring multiple calls.
|
||||
a, err := ioutil.ReadAll(reader)
|
||||
tmp, err := ioutil.TempFile("", "")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, fmt.Errorf("creating temp file to buffer reader: %w", err)
|
||||
}
|
||||
return LayerFromOpener(func() (io.ReadCloser, error) {
|
||||
return ioutil.NopCloser(bytes.NewReader(a)), nil
|
||||
}, opts...)
|
||||
if _, err := io.Copy(tmp, reader); err != nil {
|
||||
return nil, fmt.Errorf("writing temp file to buffer reader: %w", err)
|
||||
}
|
||||
return LayerFromFile(tmp.Name(), opts...)
|
||||
}
|
||||
|
||||
func computeDigest(opener Opener) (v1.Hash, int64, error) {
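Review bot: LayerFromReader never closes the handle returned by `ioutil.TempFile("", "")` and never removes the file: the success path returns straight into LayerFromFile, and the io.Copy error path returns with a partially written file still on disk. Each call therefore leaks a descriptor and leaves layer contents in the default temp directory, which matters when layers carry secrets or when that directory sits inside a filesystem that is later snapshotted. The sketch below closes the handle on every path and deletes the file when buffering fails. The file has to outlive a successful call because the layer reopens it by name, so the doc comment should also tell callers that the temp file is not deleted.

```go
	// … unchanged: ioutil.TempFile call and its error check …
	_, copyErr := io.Copy(tmp, reader)
	closeErr := tmp.Close() // release the descriptor; the layer reopens the file by name
	if copyErr != nil || closeErr != nil {
		os.Remove(tmp.Name()) // do not leave a partial layer behind
		if copyErr != nil {
			return nil, fmt.Errorf("writing temp file to buffer reader: %w", copyErr)
		}
		return nil, fmt.Errorf("closing temp file to buffer reader: %w", closeErr)
	}
	return LayerFromFile(tmp.Name(), opts...)
```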
|
||||
|
|
|
|||
|
|
@ -538,7 +538,7 @@ github.com/google/go-cmp/cmp/internal/diff
|
|||
github.com/google/go-cmp/cmp/internal/flags
|
||||
github.com/google/go-cmp/cmp/internal/function
|
||||
github.com/google/go-cmp/cmp/internal/value
|
||||
# github.com/google/go-containerregistry v0.8.1-0.20220128225446-c63684ed5f15
|
||||
# github.com/google/go-containerregistry v0.8.1-0.20220214202839-625fe7b4276a
|
||||
## explicit; go 1.14
|
||||
github.com/google/go-containerregistry/internal/and
|
||||
github.com/google/go-containerregistry/internal/estargz
|
||||
|
|
|
|||