feat: use awslabs keychain for AWS and gcr keychain for GCP (#9416)
* feat: use awslabs keychain for AWS and gcr keychain for GCP Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * chore: remove unused var Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * chore: remove more unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: gofumpt Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
184166117b
commit
4108415153
6 changed files with 22 additions and 76 deletions
|
@ -1,8 +1,12 @@
|
||||||
package oci
|
package oci
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"io"
|
||||||
|
|
||||||
|
ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
|
||||||
"github.com/google/go-containerregistry/pkg/authn"
|
"github.com/google/go-containerregistry/pkg/authn"
|
||||||
"github.com/google/go-containerregistry/pkg/authn/github"
|
"github.com/google/go-containerregistry/pkg/authn/github"
|
||||||
|
"github.com/google/go-containerregistry/pkg/v1/google"
|
||||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
|
||||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/pull"
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/pull"
|
||||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/push"
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/push"
|
||||||
|
@ -14,8 +18,8 @@ func Command() *cobra.Command {
|
||||||
keychain := authn.NewMultiKeychain(
|
keychain := authn.NewMultiKeychain(
|
||||||
authn.DefaultKeychain,
|
authn.DefaultKeychain,
|
||||||
github.Keychain,
|
github.Keychain,
|
||||||
registryclient.AWSKeychain,
|
authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))),
|
||||||
registryclient.GCPKeychain,
|
google.Keychain,
|
||||||
registryclient.AzureKeychain,
|
registryclient.AzureKeychain,
|
||||||
)
|
)
|
||||||
cmd := &cobra.Command{
|
cmd := &cobra.Command{
|
||||||
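Review bot: The new keychain entry `authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard)))` throws away the ECR helper's own diagnostics, and `NewKeychainFromHelper` maps any helper error to `authn.Anonymous` as far as I recall, so a failed ECR login in the CLI silently degrades to an anonymous pull and the user only sees an opaque 401 later. For an interactive tool it is worth keeping that output, e.g. `ecr.WithLogger(os.Stderr)` or an `io.Writer` over the CLI's logger, so `kyverno oci pull` against a private ECR reports the credential problem. The same five-entry chain is now hand-built here and in the two test files below while `pkg/registryclient.WithCredentialProviders` assembles it too; a shared constructor there would keep the copies from drifting. `Command()` continues past the end of this hunk.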
|
|
|
@ -6,8 +6,10 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
|
||||||
"github.com/google/go-containerregistry/pkg/authn"
|
"github.com/google/go-containerregistry/pkg/authn"
|
||||||
"github.com/google/go-containerregistry/pkg/authn/github"
|
"github.com/google/go-containerregistry/pkg/authn/github"
|
||||||
|
"github.com/google/go-containerregistry/pkg/v1/google"
|
||||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
)
|
)
|
||||||
|
@ -15,8 +17,8 @@ import (
|
||||||
var keychain = authn.NewMultiKeychain(
|
var keychain = authn.NewMultiKeychain(
|
||||||
authn.DefaultKeychain,
|
authn.DefaultKeychain,
|
||||||
github.Keychain,
|
github.Keychain,
|
||||||
registryclient.AWSKeychain,
|
authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))),
|
||||||
registryclient.GCPKeychain,
|
google.Keychain,
|
||||||
registryclient.AzureKeychain,
|
registryclient.AzureKeychain,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -6,8 +6,10 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
|
||||||
"github.com/google/go-containerregistry/pkg/authn"
|
"github.com/google/go-containerregistry/pkg/authn"
|
||||||
"github.com/google/go-containerregistry/pkg/authn/github"
|
"github.com/google/go-containerregistry/pkg/authn/github"
|
||||||
|
"github.com/google/go-containerregistry/pkg/v1/google"
|
||||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
)
|
)
|
||||||
|
@ -15,8 +17,8 @@ import (
|
||||||
var keychain = authn.NewMultiKeychain(
|
var keychain = authn.NewMultiKeychain(
|
||||||
authn.DefaultKeychain,
|
authn.DefaultKeychain,
|
||||||
github.Keychain,
|
github.Keychain,
|
||||||
registryclient.AWSKeychain,
|
authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))),
|
||||||
registryclient.GCPKeychain,
|
google.Keychain,
|
||||||
registryclient.AzureKeychain,
|
registryclient.AzureKeychain,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
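--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 github.com/Masterminds/sprig/v3 v3.2.3
 github.com/aquilax/truncate v1.0.0
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
+github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240116161626-88cfadc80e8f
 github.com/blang/semver/v4 v4.0.0
 github.com/cenkalti/backoff v2.2.1+incompatible
 github.com/cyphar/filepath-securejoin v0.2.4
@@ -155,7 +156,6 @@ require (
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
 github.com/aws/smithy-go v1.19.0 // indirect
-github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240116161626-88cfadc80e8f // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver v3.5.1+incompatible // indirect
 github.com/buildkite/agent/v3 v3.62.0 // indirect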
|
@ -4,31 +4,17 @@ import (
|
||||||
"context"
|
"context"
|
||||||
"net/url"
|
"net/url"
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/fluxcd/pkg/oci/auth/aws"
|
|
||||||
"github.com/fluxcd/pkg/oci/auth/azure"
|
"github.com/fluxcd/pkg/oci/auth/azure"
|
||||||
"github.com/fluxcd/pkg/oci/auth/gcp"
|
|
||||||
"github.com/google/go-containerregistry/pkg/authn"
|
"github.com/google/go-containerregistry/pkg/authn"
|
||||||
"github.com/google/go-containerregistry/pkg/name"
|
"github.com/google/go-containerregistry/pkg/name"
|
||||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var acrRE = regexp.MustCompile(`.*\.azurecr\.io|.*\.azurecr\.cn|.*\.azurecr\.de|.*\.azurecr\.us`)
|
||||||
acrRE = regexp.MustCompile(`.*\.azurecr\.io|.*\.azurecr\.cn|.*\.azurecr\.de|.*\.azurecr\.us`)
|
|
||||||
ecrPattern = regexp.MustCompile(`(^[a-zA-Z0-9][a-zA-Z0-9-_]*)\.dkr\.ecr(-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.amazonaws\.com(\.cn)?$`)
|
|
||||||
)
|
|
||||||
|
|
||||||
const (
|
const (
|
||||||
mcrHostname = "mcr.microsoft.com"
|
mcrHostname = "mcr.microsoft.com"
|
||||||
tokenUsername = "<token>"
|
|
||||||
|
|
||||||
ServiceECR = "ecr"
|
|
||||||
ServiceECRPublic = "ecr-public"
|
|
||||||
proxyEndpointScheme = "https://"
|
|
||||||
programName = "docker-credential-ecr-login"
|
|
||||||
ecrPublicName = "public.ecr.aws"
|
|
||||||
ecrPublicEndpoint = proxyEndpointScheme + ecrPublicName
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type autoRefreshSecrets struct {
|
type autoRefreshSecrets struct {
|
||||||
|
@ -92,54 +78,3 @@ func isACRRegistry(input string) bool {
|
||||||
matches := acrRE.FindStringSubmatch(serverURL.Hostname())
|
matches := acrRE.FindStringSubmatch(serverURL.Hostname())
|
||||||
return len(matches) != 0
|
return len(matches) != 0
|
||||||
}
|
}
|
||||||
|
|
||||||
type awskeychain struct{}
|
|
||||||
|
|
||||||
var AWSKeychain authn.Keychain = awskeychain{}
|
|
||||||
|
|
||||||
func (awskeychain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
|
|
||||||
if !isAWSRegistry(resource.RegistryStr()) {
|
|
||||||
return authn.Anonymous, nil
|
|
||||||
}
|
|
||||||
awsClient := aws.NewClient()
|
|
||||||
auth, err := awsClient.Login(context.TODO(), true, resource.String())
|
|
||||||
if err != nil {
|
|
||||||
return authn.Anonymous, nil
|
|
||||||
}
|
|
||||||
return auth, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func isAWSRegistry(input string) bool {
|
|
||||||
input = strings.TrimPrefix(input, proxyEndpointScheme)
|
|
||||||
serverURL, err := url.Parse(proxyEndpointScheme + input)
|
|
||||||
if err != nil {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
if serverURL.Hostname() == ecrPublicName {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
matches := ecrPattern.FindStringSubmatch(serverURL.Hostname())
|
|
||||||
return len(matches) >= 3
|
|
||||||
}
|
|
||||||
|
|
||||||
type gcpkeychain struct{}
|
|
||||||
|
|
||||||
var GCPKeychain authn.Keychain = gcpkeychain{}
|
|
||||||
|
|
||||||
func (gcpkeychain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
|
|
||||||
if !gcp.ValidHost(resource.RegistryStr()) {
|
|
||||||
return authn.Anonymous, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
ref, err := name.ParseReference(resource.String())
|
|
||||||
if err != nil {
|
|
||||||
return authn.Anonymous, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
gcpClient := gcp.NewClient()
|
|
||||||
auth, err := gcpClient.Login(context.TODO(), true, resource.String(), ref)
|
|
||||||
if err != nil {
|
|
||||||
return authn.Anonymous, nil
|
|
||||||
}
|
|
||||||
return auth, nil
|
|
||||||
}
|
|
||||||
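Review bot: The surviving `var acrRE = regexp.MustCompile(...)` pattern is unanchored, and the visible tail of `isACRRegistry` only checks `len(matches) != 0` on `FindStringSubmatch`, so any hostname that merely contains `.azurecr.io` (or `.cn`/`.de`/`.us`) — for example `myreg.azurecr.io.example.com` — is classified as an ACR registry. What the Azure keychain does with that classification is outside this hunk, but if it performs a token exchange against the registry endpoint, a lookalike hostname in an image reference would receive that token, so the match should be anchored to the end of the host, e.g. the pattern `\.azurecr\.(io|cn|de|us)$` (the `Hostname()` passed in already has the port stripped, so a trailing anchor is safe). `isACRRegistry` starts before this hunk; only its last three lines are visible here.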
|
|
|
@ -4,14 +4,17 @@ import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"runtime"
|
"runtime"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
|
||||||
"github.com/google/go-containerregistry/pkg/authn"
|
"github.com/google/go-containerregistry/pkg/authn"
|
||||||
"github.com/google/go-containerregistry/pkg/authn/github"
|
"github.com/google/go-containerregistry/pkg/authn/github"
|
||||||
"github.com/google/go-containerregistry/pkg/name"
|
"github.com/google/go-containerregistry/pkg/name"
|
||||||
|
"github.com/google/go-containerregistry/pkg/v1/google"
|
||||||
gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
|
gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
|
||||||
"github.com/kyverno/kyverno/pkg/tracing"
|
"github.com/kyverno/kyverno/pkg/tracing"
|
||||||
"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
|
"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
|
||||||
|
@ -124,10 +127,10 @@ func WithCredentialProviders(credentialProviders ...string) Option {
|
||||||
chains = append(chains, authn.DefaultKeychain)
|
chains = append(chains, authn.DefaultKeychain)
|
||||||
}
|
}
|
||||||
if helpers.Has("google") {
|
if helpers.Has("google") {
|
||||||
chains = append(chains, GCPKeychain)
|
chains = append(chains, google.Keychain)
|
||||||
}
|
}
|
||||||
if helpers.Has("amazon") {
|
if helpers.Has("amazon") {
|
||||||
chains = append(chains, AWSKeychain)
|
chains = append(chains, authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))))
|
||||||
}
|
}
|
||||||
if helpers.Has("azure") {
|
if helpers.Has("azure") {
|
||||||
chains = append(chains, AzureKeychain)
|
chains = append(chains, AzureKeychain)
|
||||||
|
|
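Review bot: The ECR entry appended at `chains = append(chains, authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))))` moves docker-credential-ecr-login's behaviour into a long-running controller, and as far as I recall the helper's default client factory persists fetched ECR authorization tokens to a cache file under `$HOME/.ecr` (or `AWS_ECR_CACHE_DIR`) unless `AWS_ECR_DISABLE_CACHE` is set; please confirm, and decide deliberately whether registry tokens should be written to disk in the admission controller pod and how this behaves on a read-only root filesystem. The `io.Discard` logger also hides the helper's error output, and `NewKeychainFromHelper` maps any helper error to anonymous, so a misconfigured IAM role now surfaces only as a later 401 from the registry; an `io.Writer` adapter over the controller's logger would keep that diagnostic. The swap to `google.Keychain` deserves the same look: it resolves from Application Default Credentials and, I believe, falls back to executing a `gcloud` binary found on `PATH`, which is worth a note about the container image's contents. `WithCredentialProviders` starts before and continues past this hunk.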