github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-16 22:53:22 +00:00
Code Issues Projects Releases Wiki Activity

Implements a credentialprovider library for use by DockerPuller.

Browse Source 
This change refactors the way Kubelet's DockerPuller handles the docker config credentials to utilize a new credentialprovider library.

The credentialprovider library is based on several of the files from the Kubelet's dockertools directory, but supports a new pluggable model for retrieving a .dockercfg-compatible JSON blob with credentials.

With this change, the Kubelet will lazily ask for the docker config from a set of DockerConfigProvider extensions each time it needs a credential.

This change provides common implementations of DockerConfigProvider for:
 - "Default": load .dockercfg from disk
 - "Caching": wraps another provider in a cache that expires after a pre-specified lifetime.

GCP-only:
 - "google-dockercfg": reads a .dockercfg from a GCE instance's metadata
 - "google-dockercfg-url": reads a .dockercfg from a URL specified in a GCE instance's metadata.
 - "google-container-registry": reads an access token from GCE metadata into a password field.
This commit is contained in:
Matt Moore
2014-11-15 05:50:59 -08:00
parent 931cd3a2df
commit 0c5d9ed0d2
17 changed files with 1341 additions and 167 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
pkg/kubelet/dockertools/config.go
View File

@@ -1,130 +0,0 @@
/*
Copyright 2014 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package dockertools
import (
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"net/url"
"path/filepath"
"strings"
"github.com/fsouza/go-dockerclient"
"github.com/golang/glog"
)
const (
dockerConfigFileLocation = ".dockercfg"
)
func readDockerConfigFile() (cfg dockerConfig, err error) {
absDockerConfigFileLocation, err := filepath.Abs(dockerConfigFileLocation)
if err != nil {
glog.Errorf("while trying to canonicalize %s: %v", dockerConfigFileLocation, err)
}
absDockerConfigFileLocation, err = filepath.Abs(dockerConfigFileLocation)
glog.V(2).Infof("looking for .dockercfg at %s", absDockerConfigFileLocation)
contents, err := ioutil.ReadFile(absDockerConfigFileLocation)
if err != nil {
glog.Errorf("while trying to read %s: %v", absDockerConfigFileLocation, err)
return nil, err
}
if err = json.Unmarshal(contents, &cfg); err != nil {
glog.Errorf("while trying to parse %s: %v", absDockerConfigFileLocation, err)
return nil, err
}
return
}
// dockerConfig represents the config file used by the docker CLI.
// This config that represents the credentials that should be used
// when pulling images from specific image repositories.
type dockerConfig map[string]dockerConfigEntry
func (dc dockerConfig) addToKeyring(dk *dockerKeyring) {
for loc, ident := range dc {
creds := docker.AuthConfiguration{
Username: ident.Username,
Password: ident.Password,
Email: ident.Email,
}
parsed, err := url.Parse(loc)
if err != nil {
glog.Errorf("Entry %q in dockercfg invalid (%v), ignoring", loc, err)
continue
}
dk.add(parsed.Host+parsed.Path, creds)
}
}
type dockerConfigEntry struct {
Username string
Password string
Email string
}
// dockerConfigEntryWithAuth is used solely for deserializing the Auth field
// into a dockerConfigEntry during JSON deserialization.
type dockerConfigEntryWithAuth struct {
Username string
Password string
Email string
Auth string
}
func (ident *dockerConfigEntry) UnmarshalJSON(data []byte) error {
var tmp dockerConfigEntryWithAuth
err := json.Unmarshal(data, &tmp)
if err != nil {
return err
}
ident.Username = tmp.Username
ident.Password = tmp.Password
ident.Email = tmp.Email
if len(tmp.Auth) == 0 {
return nil
}
ident.Username, ident.Password, err = decodeDockerConfigFieldAuth(tmp.Auth)
return err
}
// decodeDockerConfigFieldAuth deserializes the "auth" field from dockercfg into a
// username and a password. The format of the auth field is base64(<username>:<password>).
func decodeDockerConfigFieldAuth(field string) (username, password string, err error) {
decoded, err := base64.StdEncoding.DecodeString(field)
if err != nil {
return
}
parts := strings.SplitN(string(decoded), ":", 2)
if len(parts) != 2 {
err = fmt.Errorf("unable to parse auth field")
return
}
username = parts[0]
password = parts[1]
return
}

208
pkg/kubelet/dockertools/config_test.go
View File

@@ -1,208 +0,0 @@
/*
Copyright 2014 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package dockertools
import (
"encoding/json"
"reflect"
"testing"
"github.com/fsouza/go-dockerclient"
)
func TestDockerConfigJSONDecode(t *testing.T) {
input := []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "foo@example.com"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "bar@example.com"}}`)
expect := dockerConfig(map[string]dockerConfigEntry{
"http://foo.example.com": {
Username: "foo",
Password: "bar",
Email: "foo@example.com",
},
"http://bar.example.com": {
Username: "bar",
Password: "baz",
Email: "bar@example.com",
},
})
var output dockerConfig
err := json.Unmarshal(input, &output)
if err != nil {
t.Errorf("Received unexpected error: %v", err)
}
if !reflect.DeepEqual(expect, output) {
t.Errorf("Received unexpected output. Expected %#v, got %#v", expect, output)
}
}
func TestDockerConfigEntryJSONDecode(t *testing.T) {
tests := []struct {
input []byte
expect dockerConfigEntry
fail bool
}{
// simple case, just decode the fields
{
input: []byte(`{"username": "foo", "password": "bar", "email": "foo@example.com"}`),
expect: dockerConfigEntry{
Username: "foo",
Password: "bar",
Email: "foo@example.com",
},
fail: false,
},
// auth field decodes to username & password
{
input: []byte(`{"auth": "Zm9vOmJhcg==", "email": "foo@example.com"}`),
expect: dockerConfigEntry{
Username: "foo",
Password: "bar",
Email: "foo@example.com",
},
fail: false,
},
// auth field overrides username & password
{
input: []byte(`{"username": "foo", "password": "bar", "auth": "cGluZzpwb25n", "email": "foo@example.com"}`),
expect: dockerConfigEntry{
Username: "ping",
Password: "pong",
Email: "foo@example.com",
},
fail: false,
},
// poorly-formatted auth causes failure
{
input: []byte(`{"auth": "pants", "email": "foo@example.com"}`),
expect: dockerConfigEntry{
Username: "",
Password: "",
Email: "foo@example.com",
},
fail: true,
},
// invalid JSON causes failure
{
input: []byte(`{"email": false}`),
expect: dockerConfigEntry{
Username: "",
Password: "",
Email: "",
},
fail: true,
},
}
for i, tt := range tests {
var output dockerConfigEntry
err := json.Unmarshal(tt.input, &output)
if (err != nil) != tt.fail {
t.Errorf("case %d: expected fail=%t, got err=%v", i, tt.fail, err)
}
if !reflect.DeepEqual(tt.expect, output) {
t.Errorf("case %d: expected output %#v, got %#v", i, tt.expect, output)
}
}
}
func TestDecodeDockerConfigFieldAuth(t *testing.T) {
tests := []struct {
input string
username string
password string
fail bool
}{
// auth field decodes to username & password
{
input: "Zm9vOmJhcg==",
username: "foo",
password: "bar",
},
// good base64 data, but no colon separating username & password
{
input: "cGFudHM=",
fail: true,
},
// bad base64 data
{
input: "pants",
fail: true,
},
}
for i, tt := range tests {
username, password, err := decodeDockerConfigFieldAuth(tt.input)
if (err != nil) != tt.fail {
t.Errorf("case %d: expected fail=%t, got err=%v", i, tt.fail, err)
}
if tt.username != username {
t.Errorf("case %d: expected username %q, got %q", i, tt.username, username)
}
if tt.password != password {
t.Errorf("case %d: expected password %q, got %q", i, tt.password, password)
}
}
}
func TestDockerKeyringFromConfig(t *testing.T) {
cfg := dockerConfig(map[string]dockerConfigEntry{
"http://foo.example.com": {
Username: "foo",
Password: "bar",
Email: "foo@example.com",
},
"https://bar.example.com": {
Username: "bar",
Password: "baz",
Email: "bar@example.com",
},
})
dk := newDockerKeyring()
cfg.addToKeyring(dk)
expect := newDockerKeyring()
expect.add("foo.example.com",
docker.AuthConfiguration{
Username: "foo",
Password: "bar",
Email: "foo@example.com",
},
)
expect.add("bar.example.com",
docker.AuthConfiguration{
Username: "bar",
Password: "baz",
Email: "bar@example.com",
},
)
if !reflect.DeepEqual(expect, dk) {
t.Errorf("Received unexpected output. Expected %#v, got %#v", expect, dk)
}
}

80
pkg/kubelet/dockertools/docker.go
View File

@@ -25,15 +25,14 @@ import (
"io"
"io/ioutil"
"math/rand"
"os"
"os/exec"
"sort"
"strconv"
"strings"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
"github.com/GoogleCloudPlatform/kubernetes/pkg/credentialprovider"
"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
"github.com/fsouza/go-dockerclient"
docker "github.com/fsouza/go-dockerclient"
"github.com/golang/glog"
)
@@ -65,7 +64,7 @@ type DockerPuller interface {
// dockerPuller is the default implementation of DockerPuller.
type dockerPuller struct {
client DockerInterface
keyring *dockerKeyring
keyring credentialprovider.DockerKeyring
}
type throttledDockerPuller struct {
@@ -77,19 +76,9 @@ type throttledDockerPuller struct {
func NewDockerPuller(client DockerInterface, qps float32, burst int) DockerPuller {
dp := dockerPuller{
client: client,
keyring: newDockerKeyring(),
keyring: credentialprovider.NewDockerKeyring(),
}
cfg, err := readDockerConfigFile()
if err == nil {
cfg.addToKeyring(dp.keyring)
} else if !os.IsNotExist(err) {
glog.V(1).Infof("Unable to parse Docker config file: %v", err)
}
if dp.keyring.count() == 0 {
glog.V(1).Infof("Continuing with empty Docker keyring")
}
if qps == 0.0 {
return dp
}
@@ -218,7 +207,7 @@ func (p dockerPuller) Pull(image string) error {
Tag: tag,
}
creds, ok := p.keyring.lookup(image)
creds, ok := p.keyring.Lookup(image)
if !ok {
glog.V(1).Infof("Pulling image %s without credentials", image)
}
@@ -608,62 +597,3 @@ func parseImageName(image string) (string, string) {
type ContainerCommandRunner interface {
RunInContainer(containerID string, cmd []string) ([]byte, error)
}
// dockerKeyring tracks a set of docker registry credentials, maintaining a
// reverse index across the registry endpoints. A registry endpoint is made
// up of a host (e.g. registry.example.com), but it may also contain a path
// (e.g. registry.example.com/foo) This index is important for two reasons:
// - registry endpoints may overlap, and when this happens we must find the
// most specific match for a given image
// - iterating a map does not yield predictable results
type dockerKeyring struct {
index []string
creds map[string]docker.AuthConfiguration
}
func newDockerKeyring() *dockerKeyring {
return &dockerKeyring{
index: make([]string, 0),
creds: make(map[string]docker.AuthConfiguration),
}
}
func (dk *dockerKeyring) add(registry string, creds docker.AuthConfiguration) {
dk.creds[registry] = creds
dk.index = append(dk.index, registry)
dk.reindex()
}
// reindex updates the index used to identify which credentials to use for
// a given image. The index is reverse-sorted so more specific paths are
// matched first. For example, if for the given image "quay.io/coreos/etcd",
// credentials for "quay.io/coreos" should match before "quay.io".
func (dk *dockerKeyring) reindex() {
sort.Sort(sort.Reverse(sort.StringSlice(dk.index)))
}
const defaultRegistryHost = "index.docker.io/v1/"
func (dk *dockerKeyring) lookup(image string) (docker.AuthConfiguration, bool) {
// range over the index as iterating over a map does not provide
// a predictable ordering
for _, k := range dk.index {
if !strings.HasPrefix(image, k) {
continue
}
return dk.creds[k], true
}
// use credentials for the default registry if provided
if auth, ok := dk.creds[defaultRegistryHost]; ok {
return auth, true
}
return docker.AuthConfiguration{}, false
}
func (dk dockerKeyring) count() int {
return len(dk.creds)
}

21
pkg/kubelet/dockertools/docker_test.go
View File

@@ -23,7 +23,8 @@ import (
"testing"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
"github.com/fsouza/go-dockerclient"
"github.com/GoogleCloudPlatform/kubernetes/pkg/credentialprovider"
docker "github.com/fsouza/go-dockerclient"
)
func verifyCalls(t *testing.T, fakeDocker *FakeDockerClient, calls []string) {
@@ -213,9 +214,19 @@ func TestDockerKeyringLookup(t *testing.T) {
Email: "grace@example.com",
}
dk := newDockerKeyring()
dk.add("bar.example.com/pong", grace)
dk.add("bar.example.com", ada)
dk := &credentialprovider.BasicDockerKeyring{}
dk.Add(credentialprovider.DockerConfig{
"bar.example.com/pong": credentialprovider.DockerConfigEntry{
Username: grace.Username,
Password: grace.Password,
Email: grace.Email,
},
"bar.example.com": credentialprovider.DockerConfigEntry{
Username: ada.Username,
Password: ada.Password,
Email: ada.Email,
},
})
tests := []struct {
image string
@@ -243,7 +254,7 @@ func TestDockerKeyringLookup(t *testing.T) {
}
for i, tt := range tests {
match, ok := dk.lookup(tt.image)
match, ok := dk.Lookup(tt.image)
if tt.ok != ok {
t.Errorf("case %d: expected ok=%t, got %t", i, tt.ok, ok)
}