From 45ae5bf1e580ed10db6aa02b68a030c6ce4db5a3 Mon Sep 17 00:00:00 2001 From: Zeqing Zhang Date: Fri, 4 Aug 2017 04:34:57 +0800 Subject: [PATCH 1/4] Support AWS ECR credentials in China --- pkg/credentialprovider/aws/aws_credentials.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/pkg/credentialprovider/aws/aws_credentials.go b/pkg/credentialprovider/aws/aws_credentials.go index 7e8955e9c0c..3a3284a255b 100644 --- a/pkg/credentialprovider/aws/aws_credentials.go +++ b/pkg/credentialprovider/aws/aws_credentials.go @@ -30,7 +30,9 @@ import ( "k8s.io/kubernetes/pkg/credentialprovider" ) +const chinaRegionPrefix = "cn-" const registryURLTemplate = "*.dkr.ecr.%s.amazonaws.com" +const chinaRegistryURLTemplate = "*.dkr.ecr.%s.amazonaws.com.cn" // awsHandlerLogger is a handler that logs all AWS SDK requests // Copied from pkg/cloudprovider/providers/aws/log_handler.go @@ -80,6 +82,14 @@ type ecrProvider struct { var _ credentialprovider.DockerConfigProvider = &ecrProvider{} +// registryURL has different suffix in AWS China region +func registryURL(region string) string { + if strings.HasPrefix(region, chinaRegionPrefix) { + return fmt.Sprintf(registryURLTemplate, region) + } + return fmt.Sprintf(chinaRegistryURLTemplate, region) +} + // RegisterCredentialsProvider registers a credential provider for the specified region. // It creates a lazy provider for each AWS region, in order to support // cross-region ECR access. They have to be lazy because it's unlikely, but not @@ -92,7 +102,7 @@ func RegisterCredentialsProvider(region string) { credentialprovider.RegisterCredentialProvider("aws-ecr-"+region, &lazyEcrProvider{ region: region, - regionURL: fmt.Sprintf(registryURLTemplate, region), + regionURL: registryURL(region), }) } 
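Review bot: The two branches of `registryURL` in the `@@ -80,6 +82,14 @@` hunk are inverted: a region with the `cn-` prefix is formatted with `registryURLTemplate` (`amazonaws.com`), and every other region with `chinaRegistryURLTemplate` (`amazonaws.com.cn`). The result is stored in `regionURL`, which presumably keys the ECR credentials to a registry host pattern, so at this commit every region would be tied to the wrong DNS suffix. The body should use `return fmt.Sprintf(chinaRegistryURLTemplate, region)` inside the `if` and `return fmt.Sprintf(registryURLTemplate, region)` after it. A test for a `cn-` region in this same commit would have caught the inversion and kept the series bisectable.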
@@ -136,7 +146,7 @@ func (p *lazyEcrProvider) Provide() credentialprovider.DockerConfig { func newEcrProvider(region string, getter tokenGetter) *ecrProvider { return &ecrProvider{ region: region, - regionURL: fmt.Sprintf(registryURLTemplate, region), + regionURL: registryURL(region), getter: getter, } } From 6a1b31323ec873fe8796fc02bf5cfadcc72e72f6 Mon Sep 17 00:00:00 2001 From: Zeqing Zhang Date: Tue, 8 Aug 2017 12:49:44 +0800 Subject: [PATCH 2/4] swap the return statements --- pkg/credentialprovider/aws/aws_credentials.go | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/pkg/credentialprovider/aws/aws_credentials.go b/pkg/credentialprovider/aws/aws_credentials.go index 3a3284a255b..1a7246c04dd 100644 --- a/pkg/credentialprovider/aws/aws_credentials.go +++ b/pkg/credentialprovider/aws/aws_credentials.go @@ -30,9 +30,10 @@ import ( "k8s.io/kubernetes/pkg/credentialprovider" ) -const chinaRegionPrefix = "cn-" -const registryURLTemplate = "*.dkr.ecr.%s.amazonaws.com" -const chinaRegistryURLTemplate = "*.dkr.ecr.%s.amazonaws.com.cn" +const awsChinaRegionPrefix = "cn-" +const awsStandardDNSSuffix = "amazon.com" +const awsChinaDNSSuffix = "amazonaws.com.cn" +const registryURLTemplate = "*.dkr.ecr.%s.%s" // awsHandlerLogger is a handler that logs all AWS SDK requests // Copied from pkg/cloudprovider/providers/aws/log_handler.go 
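Review bot: `awsStandardDNSSuffix` in the `@@ -30,9 +30,10 @@` hunk is set to `amazon.com`, so for non-China regions the new template would yield `*.dkr.ecr.<region>.amazon.com` instead of the `amazonaws.com` form that the removed `registryURLTemplate` produced. That moves the credential pattern onto a different domain, and it no longer covers ECR registry hosts. The line should read `const awsStandardDNSSuffix = "amazonaws.com"`. A one-line comment on each suffix constant naming the partition it belongs to would make a slip like this easier to spot.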
@@ -84,10 +85,12 @@ var _ credentialprovider.DockerConfigProvider = &ecrProvider{} // registryURL has different suffix in AWS China region func registryURL(region string) string { - if strings.HasPrefix(region, chinaRegionPrefix) { - return fmt.Sprintf(registryURLTemplate, region) + dnsSuffix := awsStandardDNSSuffix + // deal with aws none standard regions + if strings.HasPrefix(region, awsChinaRegionPrefix) { + dnsSuffix = awsChinaDNSSuffix } - return fmt.Sprintf(chinaRegistryURLTemplate, region) + return fmt.Sprintf(registryURLTemplate, region, dnsSuffix) } // RegisterCredentialsProvider registers a credential provider for the specified region. From be7c0bdce22f4757fad7157f4ba4a55c6ce6a951 Mon Sep 17 00:00:00 2001 From: Zeqing Zhang Date: Tue, 8 Aug 2017 12:50:13 +0800 Subject: [PATCH 3/4] add testcase for aws china region --- .../aws/aws_credentials_test.go | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/pkg/credentialprovider/aws/aws_credentials_test.go b/pkg/credentialprovider/aws/aws_credentials_test.go index 7299c85ce57..499af17b78b 100644 --- a/pkg/credentialprovider/aws/aws_credentials_test.go +++ b/pkg/credentialprovider/aws/aws_credentials_test.go @@ -59,6 +59,7 @@ func (p *testTokenGetter) GetAuthorizationToken(input *ecr.GetAuthorizationToken func TestEcrProvide(t *testing.T) { registry := "123456789012.dkr.ecr.lala-land-1.amazonaws.com" otherRegistries := []string{ + "123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn", "private.registry.com", "gcr.io", } 
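Review bot: `registryURL` in the `@@ -84,10 +85,12 @@` hunk formats `region` straight into the glob `*.dkr.ecr.%s.%s` without checking its shape, and the only partition logic is a bare `cn-` prefix test. The resulting pattern appears to decide which registry hosts are offered ECR tokens, so a region string containing `.`, `*` or `/` could change what the pattern covers. Where the region values come from is not visible here, so either confirm that callers pass only names from a fixed list, or reject anything outside a conservative character set (for example a constructed check such as `^[a-z0-9-]+$`) before registering the provider. The doc comment could state the contract, `// registryURL returns the ECR registry host pattern for region; regions in the AWS China partition ("cn-" prefix) use the amazonaws.com.cn suffix.`, and the inline comment should read `// handle AWS non-standard regions`.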
@@ -107,3 +108,56 @@ func TestEcrProvide(t *testing.T) {
 }
 }
 }
+
+func TestChinaEcrProvide(t *testing.T) {
+ registry := "123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn"
+ otherRegistries := []string{
+ "123456789012.dkr.ecr.lala-land-1.amazonaws.com",
+ "private.registry.com",
+ "gcr.io",
+ }
+ image := "foo/bar"
+
+ provider := newEcrProvider("cn-foo-1",
+ &testTokenGetter{
+ user: user,
+ password: password,
+ endpoint: registry,
+ })
+
+ keyring := &credentialprovider.BasicDockerKeyring{}
+ keyring.Add(provider.Provide())
+
+ // Verify that we get the expected username/password combo for
+ // an ECR image name.
+ fullImage := path.Join(registry, image)
+ creds, ok := keyring.Lookup(fullImage)
+ if !ok {
+ t.Errorf("Didn't find expected URL: %s", fullImage)
+ return
+ }
+ if len(creds) > 1 {
+ t.Errorf("Got more hits than expected: %s", creds)
+ }
+ val := creds[0]
+
+ if user != val.Username {
+ t.Errorf("Unexpected username value, want: _token, got: %s", val.Username)
+ }
+ if password != val.Password {
+ t.Errorf("Unexpected password value, want: %s, got: %s", password, val.Password)
+ }
+ if email != val.Email {
+ t.Errorf("Unexpected email value, want: %s, got: %s", email, val.Email)
+ }
+
+ // Verify that we get an error for other images.
+ for _, otherRegistry := range otherRegistries {
+ fullImage = path.Join(otherRegistry, image)
+ creds, ok = keyring.Lookup(fullImage)
+ if ok {
+ t.Errorf("Unexpectedly found image: %s", fullImage)
+ return
+ }
+ }
+}
From 65bed1d982c10b386ddcc3ea899501df448f8565 Mon Sep 17 00:00:00 2001
From: Zeqing Zhang
Date: Wed, 15 Nov 2017 16:31:53 +0800
Subject: [PATCH 4/4] fix awsStandardDNSSuffix
---
 pkg/credentialprovider/aws/aws_credentials.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/credentialprovider/aws/aws_credentials.go b/pkg/credentialprovider/aws/aws_credentials.go
index 1a7246c04dd..d889cbf1fa8 100644
--- a/pkg/credentialprovider/aws/aws_credentials.go
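Review bot: The negative cases in `TestChinaEcrProvide` leave out the host closest to the one that must match: the same region under the global suffix. Adding `"123456789012.dkr.ecr.cn-foo-1.amazonaws.com",` to `otherRegistries`, plus a constructed look-alike such as `"123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn.example.com",`, would pin that China-partition tokens are offered only to hosts ending in `amazonaws.com.cn`. Separately, `val := creds[0]` runs after a check that rejects only `len(creds) > 1`, so an empty result would panic instead of failing cleanly; `if len(creds) != 1 { t.Fatalf("want 1 credential, got %d", len(creds)) }` covers both cases. The username message hard-codes `want: _token` while the comparison uses `user`; format `user` into it as the password and email messages do.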
+++ b/pkg/credentialprovider/aws/aws_credentials.go @@ -31,7 +31,7 @@ import ( ) const awsChinaRegionPrefix = "cn-" -const awsStandardDNSSuffix = "amazon.com" +const awsStandardDNSSuffix = "amazonaws.com" const awsChinaDNSSuffix = "amazonaws.com.cn" const registryURLTemplate = "*.dkr.ecr.%s.%s"