Merge pull request #327 from keel-hq/feature/301_better_registry_matc…
…hing

Feature/301 better registry matching
rusenask authored Dec 12, 2018
2 parents 66143de + 3ff6de6 commit d0fc99c
Showing 4 changed files with 130 additions and 29 deletions.
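--- a/secrets/match.go
+++ b/secrets/match.go
@@ -0,0 +1,52 @@
+package secrets
+
+import (
+"net/url"
+"strings"
+)
+
+func registryMatches(imageRegistry, secretRegistry string) bool {
+
+if imageRegistry == secretRegistry {
+return true
+}
+
+imageRegistry = stripScheme(imageRegistry)
+secretRegistry = stripScheme(secretRegistry)
+
+if imageRegistry == secretRegistry {
+return true
+}
+
+// checking domains only
+if domainOnly(imageRegistry) == domainOnly(secretRegistry) {
+return true
+}
+
+// stripping any paths
+irh, err := url.Parse("https://" + imageRegistry)
+if err != nil {
+return false
+}
+srh, err := url.Parse("https://" + secretRegistry)
+if err != nil {
+return false
+}
+
+if irh.Hostname() == srh.Hostname() {
+return true
+}
+
+return false
+}
+
+func stripScheme(url string) string {
+
+if strings.HasPrefix(url, "http://") {
+return strings.TrimPrefix(url, "http://")
+}
+if strings.HasPrefix(url, "https://") {
+return strings.TrimPrefix(url, "https://")
+}
+return url
+}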
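Review bot: The `domainOnly` comparison under `// checking domains only` discards the port, and the final `Hostname()` comparison does the same, so a secret stored for one port of a host is accepted for every other port on that host. Because the result decides which registry credentials are attached to an image pull, that widening should be an explicit decision rather than a side effect of the fallbacks. If it is intended, state it in a doc comment, which `registryMatches` currently lacks: `// registryMatches reports whether both references name the same registry host; scheme, port and path are ignored.` If it is not intended, compare the ports whenever both sides specify one.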
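--- a/secrets/match_test.go
+++ b/secrets/match_test.go
@@ -0,0 +1,68 @@
+package secrets
+
+import "testing"
+
+func Test_registryMatches(t *testing.T) {
+type args struct {
+imageRegistry string
+secretRegistry string
+}
+tests := []struct {
+name string
+args args
+want bool
+}{
+{
+name: "matches",
+args: args{imageRegistry: "docker.io", secretRegistry: "docker.io"},
+want: true,
+},
+{
+name: "doesnt match",
+args: args{imageRegistry: "docker.io", secretRegistry: "index.docker.io"},
+want: false,
+},
+{
+name: "matches, secret with port",
+args: args{imageRegistry: "docker.io", secretRegistry: "docker.io:443"},
+want: true,
+},
+{
+name: "matches, image with port",
+args: args{imageRegistry: "docker.io:443", secretRegistry: "docker.io"},
+want: true,
+},
+{
+name: "matches, image with scheme",
+args: args{imageRegistry: "https://docker.io", secretRegistry: "docker.io"},
+want: true,
+},
+{
+name: "matches, secret with scheme",
+args: args{imageRegistry: "docker.io", secretRegistry: "https://docker.io"},
+want: true,
+},
+{
+name: "matches, both with scheme",
+args: args{imageRegistry: "https://docker.io", secretRegistry: "https://docker.io"},
+want: true,
+},
+{
+name: "matches, both with scheme and port",
+args: args{imageRegistry: "https://docker.io:443", secretRegistry: "https://docker.io:443"},
+want: true,
+},
+{
+name: "matches, both with scheme and port and a URL path in the secret",
+args: args{imageRegistry: "https://docker.io:443", secretRegistry: "https://docker.io:443/v1"},
+want: true,
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+if got := registryMatches(tt.args.imageRegistry, tt.args.secretRegistry); got != tt.want {
+t.Errorf("registryMatches() = %v, want %v", got, tt.want)
+}
+})
+}
+}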
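Review bot: Eight of the nine table rows expect `true`, so the table pins what the matcher accepts but barely what it must reject, and rejection is the side that matters when the result selects credentials. I would add negative rows at the boundaries, for example a host that only begins with the secret's host (constructed sample): `{name: "doesnt match, longer host", args: args{imageRegistry: "docker.io.example.com", secretRegistry: "docker.io"}, want: false},`. A row with two different explicit ports would also record whether matching across ports is meant to succeed.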
33 changes: 6 additions & 27 deletions secrets/secrets.go
@@ -238,7 +238,7 @@ func (g *DefaultGetter) getCredentialsFromSecret(image *types.TrackedImage) (*ty
"registry": image.Image.Registry(),
"image": image.Image.Repository(),
"secrets": image.Secrets,
}).Warn("secrets.defaultGetter.lookupSecrets: docker credentials were not found among secrets")
}).Warnf("secrets.defaultGetter.lookupSecrets: docker credentials were not found among secrets, is secret in the namespace '%s'?", image.Namespace)
}

return credentials, nil
@@ -248,31 +248,11 @@ func credentialsFromConfig(image *types.TrackedImage, cfg DockerCfg) (*types.Cre
credentials := &types.Credentials{}
found := false

imageRegistry, err := domainOnly(image.Image.Registry())
if err != nil {
log.WithFields(log.Fields{
"image": image.Image.Repository(),
"namespace": image.Namespace,
"error": err,
}).Error("secrets.credentialsFromConfig: failed to parse registry hostname")
return credentials, false
}
imageRegistry := image.Image.Registry()

// looking for our registry
for registry, auth := range cfg {
h, err := hostname(registry)

if err != nil {
log.WithFields(log.Fields{
"image": image.Image.Repository(),
"namespace": image.Namespace,
"registry": registry,
"error": err,
}).Error("secrets.defaultGetter: failed to parse hostname")
continue
}

if h == imageRegistry {
if registryMatches(imageRegistry, registry) {
if auth.Username != "" && auth.Password != "" {
credentials.Username = auth.Username
credentials.Password = auth.Password
@@ -295,7 +275,6 @@ func credentialsFromConfig(image *types.TrackedImage, cfg DockerCfg) (*types.Cre
"image": image.Image.Repository(),
"namespace": image.Namespace,
"registry": registry,
"error": err,
}).Warn("secrets.defaultGetter: secret doesn't have username, password and base64 encoded auth, skipping")
continue
}
@@ -344,12 +323,12 @@ func hostname(registry string) (string, error) {
return registry, nil
}

func domainOnly(registry string) (string, error) {
func domainOnly(registry string) string {
if strings.Contains(registry, ":") {
return strings.Split(registry, ":")[0], nil
return strings.Split(registry, ":")[0]
}

return registry, nil
return registry
}

func decodeSecret(data []byte) (DockerCfg, error) {
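Review bot: `domainOnly` now feeds both sides of the credential match in `registryMatches`, and `strings.Split(registry, ":")[0]` cuts at the first colon regardless of what the input is. For a bracketed IPv6 registry address only the text before the first group separator survives, so two different addresses that share it compare equal and one registry's secret is offered to the other (constructed example: `[2001:db8::1]:5000` and `[2001:db8::2]:5000` both reduce to `[2001`). The `url.Parse(...).Hostname()` comparison that follows in `registryMatches` already handles brackets and ports, so the simplest fix is to drop the `domainOnly` step there and rely on the hostname comparison alone.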
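--- a/trigger/poll/watcher.go
+++ b/trigger/poll/watcher.go
@@ -236,8 +236,10 @@ func (w *RepositoryWatcher) addJob(ti *types.TrackedImage, schedule string) erro
 })
 if err != nil {
 log.WithFields(log.Fields{
-"error": err,
-"image": ti.Image.String(),
+"error": err,
+"image": ti.Image.String(),
+"username": creds.Username,
+"password": strings.Repeat("*", len(creds.Password)),
 }).Error("trigger.poll.RepositoryWatcher.addJob: failed to get image digest")
 return err
 }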
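Review bot: The new `"password"` field writes `strings.Repeat("*", len(creds.Password))`, which hides the characters but records the exact length of the registry password in the error log, next to the username it belongs to. Logs usually reach more people and systems than the secret itself, and a known length narrows guessing. A presence flag gives the same debugging value without that: `"password_set": creds.Password != "",`. The hunk does not show where `creds` is assigned, so whether it can be nil on this error path should be checked as well.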
