From 5224b94282625622e312feb16ed4baab50f9bd5a Mon Sep 17 00:00:00 2001 From: tiffany jernigan Date: Fri, 22 Mar 2019 07:49:17 +0000 Subject: [PATCH] Credential provider Provide takes image (general) --- pkg/credentialprovider/keyring.go | 8 ++--- pkg/credentialprovider/keyring_test.go | 4 +-- pkg/credentialprovider/provider.go | 32 ++++++++++++-------- pkg/credentialprovider/provider_test.go | 26 ++++++++-------- pkg/kubelet/dockershim/helpers.go | 2 +- pkg/kubelet/kuberuntime/kuberuntime_image.go | 2 +- 6 files changed, 41 insertions(+), 33 deletions(-) diff --git a/pkg/credentialprovider/keyring.go b/pkg/credentialprovider/keyring.go index 6f5fad5fc4..9f2d3b8760 100644 --- a/pkg/credentialprovider/keyring.go +++ b/pkg/credentialprovider/keyring.go @@ -261,11 +261,9 @@ func (dk *BasicDockerKeyring) Lookup(image string) ([]LazyAuthConfiguration, boo for _, k := range dk.index { // both k and image are schemeless URLs because even though schemes are allowed // in the credential configurations, we remove them in Add. - if matched, _ := urlsMatchStr(k, image); !matched { - continue + if matched, _ := urlsMatchStr(k, image); matched { + ret = append(ret, dk.creds[k]...) } - - ret = append(ret, dk.creds[k]...) } if len(ret) > 0 { @@ -288,7 +286,7 @@ func (dk *lazyDockerKeyring) Lookup(image string) ([]LazyAuthConfiguration, bool keyring := &BasicDockerKeyring{} for _, p := range dk.Providers { - keyring.Add(p.Provide()) + keyring.Add(p.Provide(image)) } return keyring.Lookup(image) diff --git a/pkg/credentialprovider/keyring_test.go b/pkg/credentialprovider/keyring_test.go index 2b36bde889..128670d19c 100644 --- a/pkg/credentialprovider/keyring_test.go +++ b/pkg/credentialprovider/keyring_test.go 
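Review bot: The rewritten condition in BasicDockerKeyring.Lookup still discards the error from `urlsMatchStr(k, image)`, so an index key or image that fails to parse looks exactly like a non-match and its credentials are skipped without a trace. That fails closed, which is the safe direction, but it makes a failed pull hard to diagnose. I would keep the error, `matched, err := urlsMatchStr(k, image)`, and log `k` and `err` at low verbosity before skipping the entry; per the comment above, the key is a schemeless URL and not a secret. Lookup's body starts and ends outside this hunk.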
@@ -464,12 +464,12 @@ func (d *testProvider) Enabled() bool { } // LazyProvide implements dockerConfigProvider. Should never be called. -func (d *testProvider) LazyProvide() *DockerConfigEntry { +func (d *testProvider) LazyProvide(image string) *DockerConfigEntry { return nil } // Provide implements dockerConfigProvider -func (d *testProvider) Provide() DockerConfig { +func (d *testProvider) Provide(image string) DockerConfig { d.Count += 1 return DockerConfig{} } diff --git a/pkg/credentialprovider/provider.go b/pkg/credentialprovider/provider.go index 16b4e601a1..245810722e 100644 --- a/pkg/credentialprovider/provider.go +++ b/pkg/credentialprovider/provider.go 
@@ -33,15 +33,23 @@ type DockerConfigProvider interface { Enabled() bool // Provide returns docker configuration. // Implementations can be blocking - e.g. metadata server unavailable. - Provide() DockerConfig - // LazyProvide() gets called after URL matches have been performed, so the - // location used as the key in DockerConfig would be redundant. - LazyProvide() *DockerConfigEntry + // The image is passed in as context in the event that the + // implementation depends on information in the image name to return + // credentials; implementations are safe to ignore the image. + Provide(image string) DockerConfig + // LazyProvide gets called after URL matches have been + // performed, so the location used as the key in DockerConfig would be + // redundant. + // The image is passed in as context in the event that the + // implementation depends on information in the image name to return + // credentials; implementations are safe to ignore the image. + LazyProvide(image string) *DockerConfigEntry } -func LazyProvide(creds LazyAuthConfiguration) AuthConfig { +//LazyProvide returns an Lazy AuthConfig +func LazyProvide(creds LazyAuthConfiguration, image string) AuthConfig { if creds.Provider != nil { - entry := *creds.Provider.LazyProvide() + entry := *creds.Provider.LazyProvide(image) return DockerConfigEntryToLazyAuthConfiguration(entry).AuthConfig } return creds.AuthConfig @@ -77,8 +85,8 @@ func (d *defaultDockerConfigProvider) Enabled() bool { return true } -// Provide implements dockerConfigProvider -func (d *defaultDockerConfigProvider) Provide() DockerConfig { +// LazyProvide implements dockerConfigProvider +func (d *defaultDockerConfigProvider) Provide(image string) DockerConfig { // Read the standard Docker credentials from .dockercfg if cfg, err := ReadDockerConfigFile(); err == nil { return cfg 
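Review bot: In the package-level LazyProvide, `entry := *creds.Provider.LazyProvide(image)` dereferences the returned pointer unchecked, and the three implementations visible in this patch (testProvider, defaultDockerConfigProvider, CachingDockerConfigProvider) all return nil from LazyProvide. They are marked "Should never be called", but if one is ever reached the caller in the image-pull path panics instead of failing the pull. Guard the result, e.g. `if entry := creds.Provider.LazyProvide(image); entry != nil { return DockerConfigEntryToLazyAuthConfiguration(*entry).AuthConfig }`, and fall through to `creds.AuthConfig`. The new doc comment also needs a space after `//` and clearer wording, for instance `// LazyProvide returns the AuthConfig for creds, asking creds.Provider for it when one is set.`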
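Review bot: The doc comment on defaultDockerConfigProvider.Provide now reads `// LazyProvide implements dockerConfigProvider`, which names the wrong method; it should stay `// Provide implements dockerConfigProvider`. Since `image` is not used in the visible part of this implementation, it is worth saying so in the comment: `// The image argument is ignored; credentials are read from the local Docker config file.` The function body continues past the end of this hunk.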
@@ -89,7 +97,7 @@ func (d *defaultDockerConfigProvider) Provide() DockerConfig { } // LazyProvide implements dockerConfigProvider. Should never be called. -func (d *defaultDockerConfigProvider) LazyProvide() *DockerConfigEntry { +func (d *defaultDockerConfigProvider) LazyProvide(image string) *DockerConfigEntry { return nil } @@ -99,12 +107,12 @@ func (d *CachingDockerConfigProvider) Enabled() bool { } // LazyProvide implements dockerConfigProvider. Should never be called. -func (d *CachingDockerConfigProvider) LazyProvide() *DockerConfigEntry { +func (d *CachingDockerConfigProvider) LazyProvide(image string) *DockerConfigEntry { return nil } // Provide implements dockerConfigProvider -func (d *CachingDockerConfigProvider) Provide() DockerConfig { +func (d *CachingDockerConfigProvider) Provide(image string) DockerConfig { d.mu.Lock() defer d.mu.Unlock() @@ -114,7 +122,7 @@ func (d *CachingDockerConfigProvider) Provide() DockerConfig { } klog.V(2).Infof("Refreshing cache for provider: %v", reflect.TypeOf(d.Provider).String()) - d.cacheDockerConfig = d.Provider.Provide() + d.cacheDockerConfig = d.Provider.Provide(image) d.expiration = time.Now().Add(d.Lifetime) return d.cacheDockerConfig } diff --git a/pkg/credentialprovider/provider_test.go b/pkg/credentialprovider/provider_test.go index 4d70689532..44a2f58197 100644 --- a/pkg/credentialprovider/provider_test.go +++ b/pkg/credentialprovider/provider_test.go 
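Review bot: In CachingDockerConfigProvider.Provide, `d.cacheDockerConfig = d.Provider.Provide(image)` stores the result in a single field, so the cache is not keyed by the image that produced it. The interface now allows an implementation to derive credentials from the image name, and a wrapped provider that does so would have its answer for the first image returned for every other image until `d.expiration` passes, giving later pulls missing or mismatched credentials. Either key the cached config and expiration by image, or state the restriction on the type: `// CachingDockerConfigProvider must only wrap providers whose result does not depend on image.` The freshness check lies between this hunk and the previous one and is not visible here. TestCachingProvider in provider_test.go only ever passes one image, so neither behaviour is pinned by a test.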
@@ -31,31 +31,33 @@ func TestCachingProvider(t *testing.T) { Lifetime: 1 * time.Second, } + image := "image" + if provider.Count != 0 { t.Errorf("Unexpected number of Provide calls: %v", provider.Count) } - cache.Provide() - cache.Provide() - cache.Provide() - cache.Provide() + cache.Provide(image) + cache.Provide(image) + cache.Provide(image) + cache.Provide(image) if provider.Count != 1 { t.Errorf("Unexpected number of Provide calls: %v", provider.Count) } time.Sleep(cache.Lifetime) - cache.Provide() - cache.Provide() - cache.Provide() - cache.Provide() + cache.Provide(image) + cache.Provide(image) + cache.Provide(image) + cache.Provide(image) if provider.Count != 2 { t.Errorf("Unexpected number of Provide calls: %v", provider.Count) } time.Sleep(cache.Lifetime) - cache.Provide() - cache.Provide() - cache.Provide() - cache.Provide() + cache.Provide(image) + cache.Provide(image) + cache.Provide(image) + cache.Provide(image) if provider.Count != 3 { t.Errorf("Unexpected number of Provide calls: %v", provider.Count) } diff --git a/pkg/kubelet/dockershim/helpers.go b/pkg/kubelet/dockershim/helpers.go index 21166b82d1..924715a486 100644 --- a/pkg/kubelet/dockershim/helpers.go +++ b/pkg/kubelet/dockershim/helpers.go @@ -344,7 +344,7 @@ func ensureSandboxImageExists(client libdocker.Interface, image string) error { var pullErrs []error for _, currentCreds := range creds { - authConfig := dockertypes.AuthConfig(credentialprovider.LazyProvide(currentCreds)) + authConfig := dockertypes.AuthConfig(credentialprovider.LazyProvide(currentCreds, repoToPull)) err := client.PullImage(image, authConfig, dockertypes.ImagePullOptions{}) // If there was no error, return success if err == nil { diff --git a/pkg/kubelet/kuberuntime/kuberuntime_image.go b/pkg/kubelet/kuberuntime/kuberuntime_image.go index 0823088bd8..66886a8604 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_image.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_image.go 
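Review bot: In ensureSandboxImageExists the provider is handed `repoToPull` while the pull itself uses `image` (`client.PullImage(image, authConfig, ...)`), and the interface comment in provider.go only says "the image". `repoToPull` is defined outside this hunk; if it is the repository without tag or digest, as the name suggests, the contract should say so, because an implementation that parses the string to choose credentials needs a fixed input form. Suggested wording on the interface, to be confirmed against the parsing code: `// image is the repository part of the image reference, without tag or digest.` The same call shape appears in kubeGenericRuntimeManager.PullImage in kuberuntime_image.go.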
@@ -57,7 +57,7 @@ func (m *kubeGenericRuntimeManager) PullImage(image kubecontainer.ImageSpec, pul var pullErrs []error for _, currentCreds := range creds { - authConfig := credentialprovider.LazyProvide(currentCreds) + authConfig := credentialprovider.LazyProvide(currentCreds, repoToPull) auth := &runtimeapi.AuthConfig{ Username: authConfig.Username, Password: authConfig.Password,