Merge pull request #488 from ijc/APP-28-registry-auth-for-private-images

Share registry auth with invocation image

Author: silvin-lubecki

Gopkg.lock

@@ -40,11 +40,11 @@ required = ["github.com/wadey/gocovmerge"]
   name = "github.com/docker/cli"
   branch = "master"
 
-# Waiting for https://github.com/deislabs/duffle/pull/664 to be merged
+# Waiting for https://github.com/deislabs/duffle/pull/682 to be merged
 [[override]]
   name = "github.com/deislabs/duffle"
-  source = "github.com/silvin-lubecki/duffle"
-  branch = "docker-app"
+  source = "github.com/ijc/duffle"
+  branch = "set-merge"
 
 [[constraint]]
   name = "github.com/sirupsen/logrus"

Gopkg.toml

@@ -1,8 +1,11 @@
 package main
 
 import (
+	"encoding/json"
+	"io/ioutil"
 	"os"
 
+	"github.com/docker/app/internal"
 	"github.com/docker/cli/cli/command"
 	cliconfig "github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/context/docker"
@@ -11,10 +14,6 @@ import (
 	cliflags "github.com/docker/cli/cli/flags"
 )
 
-const (
-	fileDockerContext = "/cnab/app/context.dockercontext"
-)
-
 var storeConfig = contextstore.NewConfig(
 	func() interface{} { return &command.DockerContext{} },
 	contextstore.EndpointTypeGetter(docker.DockerEndpoint, func() interface{} { return &docker.EndpointMeta{} }),
@@ -23,7 +22,7 @@ var storeConfig = contextstore.NewConfig(
 
 func setupDockerContext() (command.Cli, error) {
 	s := contextstore.New(cliconfig.ContextStoreDir(), storeConfig)
-	f, err := os.Open(fileDockerContext)
+	f, err := os.Open(internal.CredentialDockerContextPath)
 	if err != nil {
 		return nil, err
 	}
@@ -35,9 +34,23 @@ func setupDockerContext() (command.Cli, error) {
 	if err != nil {
 		return nil, err
 	}
-	return cli, cli.Initialize(&cliflags.ClientOptions{
+	if err := cli.Initialize(&cliflags.ClientOptions{
 		Common: &cliflags.CommonOptions{
 			Context: "cnab",
 		},
-	})
+	}); err != nil {
+		return nil, err
+	}
+	authConfigsJSON, err := ioutil.ReadFile(internal.CredentialRegistryPath)
+	if err != nil {
+		return nil, err
+	}
+
+	configFile := cli.ConfigFile()
+
+	if err := json.Unmarshal(authConfigsJSON, &configFile.AuthConfigs); err != nil {
+		return nil, err
+	}
+
+	return cli, nil
 }

cmd/cnab-run/env.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"os"
+	"strconv"
 
 	"github.com/deislabs/duffle/pkg/bundle"
 	"github.com/docker/app/internal"
@@ -52,11 +53,15 @@ func installAction(instanceName string) error {
 	if err := os.Chdir(app.Path); err != nil {
 		return err
 	}
+	sendRegistryAuth, err := strconv.ParseBool(os.Getenv("DOCKER_SHARE_REGISTRY_CREDS"))
+	if err != nil {
+		return err
+	}
 	// todo: pass registry auth to invocation image
 	return stack.RunDeploy(cli, getFlagset(orchestrator), rendered, orchestrator, options.Deploy{
 		Namespace:        instanceName,
 		ResolveImage:     swarm.ResolveImageAlways,
-		SendRegistryAuth: false,
+		SendRegistryAuth: sendRegistryAuth,
 	})
 }
 

cmd/cnab-run/install.go

@@ -12,12 +12,12 @@ type cnabAction func(string) error
 
 var (
 	cnabActions = map[string]cnabAction{
-		"install":                      installAction,
-		"upgrade":                      installAction,
-		"uninstall":                    uninstallAction,
-		internal.Namespace + "status":  statusAction,
-		internal.Namespace + "inspect": inspectAction,
-		internal.Namespace + "render":  renderAction,
+		"install":                  installAction,
+		"upgrade":                  installAction, // upgrade is implemented as reinstall.
+		"uninstall":                uninstallAction,
+		internal.ActionStatusName:  statusAction,
+		internal.ActionInspectName: inspectAction,
+		internal.ActionRenderName:  renderAction,
 	}
 )
 

cmd/cnab-run/main.go

@@ -106,6 +106,16 @@
 				"com.docker.app.render"
 			]
 		},
+		"com.docker.app.share-registry-creds": {
+			"type": "bool",
+			"defaultValue": false,
+			"metadata": {
+				"description": "Share registry credentials with the invocation image"
+			},
+			"destination": {
+				"env": "DOCKER_SHARE_REGISTRY_CREDS"
+			}
+		},
 		"static_subdir": {
 			"type": "string",
 			"defaultValue": "data/static",
@@ -122,6 +132,9 @@
 		}
 	},
 	"credentials": {
+		"com.docker.app.registry-creds": {
+			"path": "/cnab/app/registry-creds.json"
+		},
 		"docker.context": {
 			"path": "/cnab/app/context.dockercontext"
 		}

e2e/testdata/simple-bundle.json.golden

@@ -22,7 +22,7 @@
 		}
 	},
 	"parameters": {
-		"docker.kubernetes-namespace": {
+		"com.docker.app.kubernetes-namespace": {
 			"type": "string",
 			"defaultValue": "",
 			"required": false,
@@ -34,7 +34,7 @@
 				"env": "DOCKER_KUBERNETES_NAMESPACE"
 			}
 		},
-		"docker.orchestrator": {
+		"com.docker.app.orchestrator": {
 			"type": "string",
 			"defaultValue": "",
 			"allowedValues": [
@@ -88,4 +88,4 @@
 			"env": ""
 		}
 	}
-}
+}

examples/cnab-simple/bundle.json

@@ -2,6 +2,8 @@ package commands
 
 import (
 	"bytes"
+	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -23,8 +25,10 @@ import (
 	"github.com/docker/cli/cli/context/docker"
 	"github.com/docker/cli/cli/context/store"
 	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/registry"
 	"github.com/pkg/errors"
 )
 
@@ -35,41 +39,91 @@ type bindMount struct {
 
 const defaultSocketPath string = "/var/run/docker.sock"
 
-func prepareCredentialSet(contextName string, contextStore store.Store, b *bundle.Bundle, namedCredentialsets []string) (map[string]string, error) {
+type credentialSetOpt func(b *bundle.Bundle, creds credentials.Set) error
+
+func addNamedCredentialSets(namedCredentialsets []string) credentialSetOpt {
+	return func(_ *bundle.Bundle, creds credentials.Set) error {
+		for _, file := range namedCredentialsets {
+			if _, err := os.Stat(file); err != nil {
+				file = filepath.Join(duffleHome().Credentials(), file+".yaml")
+			}
+			c, err := credentials.Load(file)
+			if err != nil {
+				return err
+			}
+			values, err := c.Resolve()
+			if err != nil {
+				return err
+			}
+			if err := creds.Merge(values); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+func addDockerCredentials(contextName string, contextStore store.Store) credentialSetOpt {
 	// docker desktop contexts require some rewriting for being used within a container
 	contextStore = dockerDesktopAwareStore{Store: contextStore}
-	creds := map[string]string{}
-	for _, file := range namedCredentialsets {
-		if _, err := os.Stat(file); err != nil {
-			file = filepath.Join(duffleHome().Credentials(), file+".yaml")
-		}
-		c, err := credentials.Load(file)
-		if err != nil {
-			return nil, err
+	return func(_ *bundle.Bundle, creds credentials.Set) error {
+		if contextName != "" {
+			data, err := ioutil.ReadAll(store.Export(contextName, contextStore))
+			if err != nil {
+				return err
+			}
+			creds[internal.CredentialDockerContextName] = string(data)
 		}
-		values, err := c.Resolve()
-		if err != nil {
-			return nil, err
+		return nil
+	}
+}
+
+func addRegistryCredentials(shouldPopulate bool, dockerCli command.Cli) credentialSetOpt {
+	return func(b *bundle.Bundle, creds credentials.Set) error {
+		if _, ok := b.Credentials[internal.CredentialRegistryName]; !ok {
+			return nil
 		}
-		for k, v := range values {
-			if _, ok := creds[k]; ok {
-				return nil, fmt.Errorf("ambiguous credential resolution: %q is present in multiple credential sets", k)
+
+		registryCreds := map[string]types.AuthConfig{}
+		if shouldPopulate {
+			for _, img := range b.Images {
+				named, err := reference.ParseNormalizedNamed(img.Image)
+				if err != nil {
+					return err
+				}
+				info, err := registry.ParseRepositoryInfo(named)
+				if err != nil {
+					return err
+				}
+				key := registry.GetAuthConfigKey(info.Index)
+				if _, ok := registryCreds[key]; !ok {
+					registryCreds[key] = command.ResolveAuthConfig(context.Background(), dockerCli, info.Index)
+				}
 			}
-			creds[k] = v
 		}
-	}
-	if contextName != "" {
-		data, err := ioutil.ReadAll(store.Export(contextName, contextStore))
+		registryCredsJSON, err := json.Marshal(registryCreds)
 		if err != nil {
+			return err
+		}
+		creds[internal.CredentialRegistryName] = string(registryCredsJSON)
+		return nil
+	}
+}
+
+func prepareCredentialSet(b *bundle.Bundle, opts ...credentialSetOpt) (map[string]string, error) {
+	creds := map[string]string{}
+	for _, op := range opts {
+		if err := op(b, creds); err != nil {
 			return nil, err
 		}
-		creds["docker.context"] = string(data)
 	}
-	_, requiresDockerContext := b.Credentials["docker.context"]
-	_, hasDockerContext := creds["docker.context"]
+
+	_, requiresDockerContext := b.Credentials[internal.CredentialDockerContextName]
+	_, hasDockerContext := creds[internal.CredentialDockerContextName]
 	if requiresDockerContext && !hasDockerContext {
 		return nil, errors.New("no target context specified. Use --target-context= or DOCKER_TARGET_CONTEXT= to define it")
 	}
+
 	return creds, nil
 }
 
@@ -199,7 +253,7 @@ func resolveBundle(dockerCli command.Cli, name string, pullRef bool, insecureReg
 
 func requiredClaimBindMount(c claim.Claim, targetContextName string, dockerCli command.Cli) (bindMount, error) {
 	var specifiedOrchestrator string
-	if rawOrchestrator, ok := c.Parameters["docker.orchestrator"]; ok {
+	if rawOrchestrator, ok := c.Parameters[internal.ParameterOrchestratorName]; ok {
 		specifiedOrchestrator = rawOrchestrator.(string)
 	}
 
@@ -253,7 +307,7 @@ func isDockerHostLocal(host string) bool {
 func prepareCustomAction(actionName string, dockerCli command.Cli, appname string, stdout io.Writer,
 	registryOpts registryOptions, pullOpts pullOptions, paramsOpts parametersOptions) (*action.RunCustom, *claim.Claim, *bytes.Buffer, error) {
 
-	c, err := claim.New(actionName)
+	c, err := claim.New("custom-action")
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -267,17 +321,15 @@ func prepareCustomAction(actionName string, dockerCli command.Cli, appname strin
 	}
 	c.Bundle = bundle
 
-	parameters, err := mergeBundleParameters(c.Bundle,
+	if err := mergeBundleParameters(c,
 		withFileParameters(paramsOpts.parametersFiles),
 		withCommandLineParameters(paramsOpts.overrides),
-	)
-	if err != nil {
+	); err != nil {
 		return nil, nil, nil, err
 	}
-	c.Parameters = parameters
 
 	a := &action.RunCustom{
-		Action: internal.Namespace + actionName,
+		Action: actionName,
 		Driver: driverImpl,
 	}
 	return a, c, errBuf, nil