github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 05:27:21 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #50108 from mixslice/master

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 55254, 55525, 50108, 54674, 55263). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Support AWS ECR credentials in China

**What this PR does / why we need it**:
Resolve AWS ECR credentials bug in China region

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

I haven't open any issue yet

**Special notes for your reviewer**:

**Release note**:

```release-note
```
This commit is contained in:
Kubernetes Submit Queue 2017-11-17 13:34:12 -08:00 committed by GitHub
commit 80584237ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 70 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pkg/credentialprovider/aws/aws_credentials.go
View File

@ -30,7 +30,10 @@ import (
"k8s.io/kubernetes/pkg/credentialprovider" "k8s.io/kubernetes/pkg/credentialprovider"
) )
const registryURLTemplate = "*.dkr.ecr.%s.amazonaws.com" const awsChinaRegionPrefix = "cn-"
const awsStandardDNSSuffix = "amazonaws.com"
const awsChinaDNSSuffix = "amazonaws.com.cn"
const registryURLTemplate = "*.dkr.ecr.%s.%s"
// awsHandlerLogger is a handler that logs all AWS SDK requests // awsHandlerLogger is a handler that logs all AWS SDK requests
// Copied from pkg/cloudprovider/providers/aws/log_handler.go // Copied from pkg/cloudprovider/providers/aws/log_handler.go
@ -80,6 +83,16 @@ type ecrProvider struct {
var _ credentialprovider.DockerConfigProvider = &ecrProvider{} var _ credentialprovider.DockerConfigProvider = &ecrProvider{}
// registryURL has different suffix in AWS China region
func registryURL(region string) string {
dnsSuffix := awsStandardDNSSuffix
// deal with aws none standard regions
if strings.HasPrefix(region, awsChinaRegionPrefix) {
dnsSuffix = awsChinaDNSSuffix
}
return fmt.Sprintf(registryURLTemplate, region, dnsSuffix)
}
// RegisterCredentialsProvider registers a credential provider for the specified region. // RegisterCredentialsProvider registers a credential provider for the specified region.
// It creates a lazy provider for each AWS region, in order to support // It creates a lazy provider for each AWS region, in order to support
// cross-region ECR access. They have to be lazy because it's unlikely, but not // cross-region ECR access. They have to be lazy because it's unlikely, but not
@ -92,7 +105,7 @@ func RegisterCredentialsProvider(region string) {
credentialprovider.RegisterCredentialProvider("aws-ecr-"+region, credentialprovider.RegisterCredentialProvider("aws-ecr-"+region,
&lazyEcrProvider{ &lazyEcrProvider{
region: region, region: region,
regionURL: fmt.Sprintf(registryURLTemplate, region), regionURL: registryURL(region),
}) })
} }
@ -136,7 +149,7 @@ func (p *lazyEcrProvider) Provide() credentialprovider.DockerConfig {
func newEcrProvider(region string, getter tokenGetter) *ecrProvider { func newEcrProvider(region string, getter tokenGetter) *ecrProvider {
return &ecrProvider{ return &ecrProvider{
region: region, region: region,
regionURL: fmt.Sprintf(registryURLTemplate, region), regionURL: registryURL(region),
getter: getter, getter: getter,
} }
} }

54
pkg/credentialprovider/aws/aws_credentials_test.go
View File

@ -59,6 +59,7 @@ func (p *testTokenGetter) GetAuthorizationToken(input *ecr.GetAuthorizationToken
func TestEcrProvide(t *testing.T) { func TestEcrProvide(t *testing.T) {
registry := "123456789012.dkr.ecr.lala-land-1.amazonaws.com" registry := "123456789012.dkr.ecr.lala-land-1.amazonaws.com"
otherRegistries := []string{ otherRegistries := []string{
"123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn",
"private.registry.com", "private.registry.com",
"gcr.io", "gcr.io",
} }
@ -107,3 +108,56 @@ func TestEcrProvide(t *testing.T) {
} }
} }
} }
func TestChinaEcrProvide(t *testing.T) {
registry := "123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn"
otherRegistries := []string{
"123456789012.dkr.ecr.lala-land-1.amazonaws.com",
"private.registry.com",
"gcr.io",
}
image := "foo/bar"
provider := newEcrProvider("cn-foo-1",
&testTokenGetter{
user: user,
password: password,
endpoint: registry,
})
keyring := &credentialprovider.BasicDockerKeyring{}
keyring.Add(provider.Provide())
// Verify that we get the expected username/password combo for
// an ECR image name.
fullImage := path.Join(registry, image)
creds, ok := keyring.Lookup(fullImage)
if !ok {
t.Errorf("Didn't find expected URL: %s", fullImage)
return
}
if len(creds) > 1 {
t.Errorf("Got more hits than expected: %s", creds)
}
val := creds[0]
if user != val.Username {
t.Errorf("Unexpected username value, want: _token, got: %s", val.Username)
}
if password != val.Password {
t.Errorf("Unexpected password value, want: %s, got: %s", password, val.Password)
}
if email != val.Email {
t.Errorf("Unexpected email value, want: %s, got: %s", email, val.Email)
}
// Verify that we get an error for other images.
for _, otherRegistry := range otherRegistries {
fullImage = path.Join(otherRegistry, image)
creds, ok = keyring.Lookup(fullImage)
if ok {
t.Errorf("Unexpectedly found image: %s", fullImage)
return
}
}
}