Implement AuthN and K8S ServiceAccount DockerFile Keychain support

Author: davidcollom

Dockerfile

@@ -6,7 +6,8 @@ WORKDIR /app/
 RUN go mod download -x
 
 ARG TARGETOS TARGETARCH
-RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o ./bin/version-checker ./cmd/.
+ENV CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH
+RUN go build -o ./bin/version-checker ./cmd/.
 
 
 FROM alpine:3.21.3

cmd/app/app.go

@@ -37,8 +37,10 @@ func NewCommand(ctx context.Context) *cobra.Command {
 		Use:   "version-checker",
 		Short: helpOutput,
 		Long:  helpOutput,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			return opts.complete()
+		},
 		RunE: func(_ *cobra.Command, _ []string) error {
-			opts.complete()
 
 			logLevel, err := logrus.ParseLevel(opts.LogLevel)
 			if err != nil {
@@ -105,14 +107,14 @@ func NewCommand(ctx context.Context) *cobra.Command {
 				metricsServer.RoundTripper,
 			)
 
-			client, err := client.New(ctx, log, opts.Client)
+			clientManager, err := client.NewManager(ctx, log, mgr.GetConfig(), opts.Client)
 			if err != nil {
 				return fmt.Errorf("failed to setup image registry clients: %s", err)
 			}
 
 			c := controller.NewPodReconciler(opts.CacheTimeout,
 				metricsServer,
-				client,
+				clientManager,
 				mgr.GetClient(),
 				log,
 				opts.RequeueDuration,

cmd/app/options.go

@@ -50,6 +50,14 @@ const (
 	envSelfhostedTokenPath = "TOKEN_PATH"
 	envSelfhostedInsecure  = "INSECURE"
 	envSelfhostedCAPath    = "CA_PATH"
+
+	// Used for kubernetes Credential Discovery
+	envKeychainServiceAccountName = "AUTH_SERVICE_ACCOUNT_NAME"
+	envKeychainNamespace          = "AUTH_SERVICE_ACCOUNT_NAMESPACE"
+	envKeychainImagePullSecrets   = "AUTH_IMAGE_PULL_SECRETS"
+	envKeychainUseMountSecrets    = "AUTH_USE_MOUNT_SECRETS"
+	// Duration in which to Refresh Credentials from Service Account
+	envKeychainRefreshDuration = "AUTH_REFRESH_DURATION"
 )
 
 var (
@@ -149,26 +157,63 @@ func (o *Options) addAppFlags(fs *pflag.FlagSet) {
 }
 
 func (o *Options) addAuthFlags(fs *pflag.FlagSet) {
+
+	/// KEYCHAIN
+	fs.StringVar(&o.Client.KeyChain.Namespace,
+		"keychain-namespace", "",
+		fmt.Sprintf(
+			"Namespace inside of which service account and imagepullsecrets belong too (%s_%s).",
+			envPrefix, envKeychainNamespace,
+		))
+
+	fs.StringVar(&o.Client.KeyChain.ServiceAccountName,
+		"keychain-service-account", "",
+		fmt.Sprintf(
+			"ServiceAccount used to fetch Image Pull Secrets from (%s_%s).",
+			envPrefix, envKeychainServiceAccountName,
+		))
+
+	fs.StringSliceVar(&o.Client.KeyChain.ImagePullSecrets,
+		"keychain-image-pull-secrets", []string{},
+		fmt.Sprintf(
+			"Set of image pull secrets to include during authentication (%s_%s).",
+			envPrefix, envKeychainImagePullSecrets,
+		))
+
+	fs.BoolVar(&o.Client.KeyChain.UseMountSecrets,
+		"keychain-use-mount-secrets", false,
+		fmt.Sprintf("Include Mount Secrets during discovery (%s_%s).",
+			envPrefix, envKeychainUseMountSecrets,
+		))
+	fs.DurationVar(&o.Client.AuthRefreshDuration,
+		"keychain-refresh-duration", time.Hour,
+		fmt.Sprintf("Duration credentials are refreshed (%s_%s).",
+			envPrefix, envKeychainRefreshDuration,
+		))
+
 	/// ACR
 	fs.StringVar(&o.Client.ACR.Username,
 		"acr-username", "",
 		fmt.Sprintf(
 			"Username to authenticate with azure container registry (%s_%s).",
 			envPrefix, envACRUsername,
 		))
+	_ = fs.MarkDeprecated("acr-username", "use keychain instead")
 	fs.StringVar(&o.Client.ACR.Password,
 		"acr-password", "",
 		fmt.Sprintf(
 			"Password to authenticate with azure container registry (%s_%s).",
 			envPrefix, envACRPassword,
 		))
+	_ = fs.MarkDeprecated("acr-password", "use keychain instead")
 	fs.StringVar(&o.Client.ACR.RefreshToken,
 		"acr-refresh-token", "",
 		fmt.Sprintf(
 			"Refresh token to authenticate with azure container registry. Cannot be used with "+
 				"username/password (%s_%s).",
 			envPrefix, envACRRefreshToken,
 		))
+	_ = fs.MarkDeprecated("acr-refresh-token", "use keychain instead")
 	fs.StringVar(&o.Client.ACR.JWKSURI,
 		"acr-jwks-uri", "",
 		fmt.Sprintf(
@@ -184,19 +229,22 @@ func (o *Options) addAuthFlags(fs *pflag.FlagSet) {
 			"Username to authenticate with docker registry (%s_%s).",
 			envPrefix, envDockerUsername,
 		))
+	_ = fs.MarkDeprecated("docker-username", "use keychain instead")
 	fs.StringVar(&o.Client.Docker.Password,
 		"docker-password", "",
 		fmt.Sprintf(
 			"Password to authenticate with docker registry (%s_%s).",
 			envPrefix, envDockerPassword,
 		))
+	_ = fs.MarkDeprecated("docker-password", "use keychain instead")
 	fs.StringVar(&o.Client.Docker.Token,
 		"docker-token", "",
 		fmt.Sprintf(
 			"Token to authenticate with docker registry. Cannot be used with "+
 				"username/password (%s_%s).",
 			envPrefix, envDockerToken,
 		))
+	_ = fs.MarkDeprecated("docker-token", "use keychain instead")
 	///
 
 	/// ECR
@@ -233,6 +281,7 @@ func (o *Options) addAuthFlags(fs *pflag.FlagSet) {
 			"Access token for read access to private GCR registries (%s_%s).",
 			envPrefix, envGCRAccessToken,
 		))
+	_ = fs.MarkDeprecated("gcr-token", "use keychain instead")
 	///
 
 	/// GHCR
@@ -242,6 +291,7 @@ func (o *Options) addAuthFlags(fs *pflag.FlagSet) {
 			"Personal Access token for read access to GHCR releases (%s_%s).",
 			envPrefix, envGHCRAccessToken,
 		))
+	_ = fs.MarkDeprecated("gchr-token", "use keychain instead")
 	fs.StringVar(&o.Client.GHCR.Hostname,
 		"gchr-hostname", "",
 		fmt.Sprintf(
@@ -257,6 +307,7 @@ func (o *Options) addAuthFlags(fs *pflag.FlagSet) {
 			"Access token for read access to private Quay registries (%s_%s).",
 			envPrefix, envQuayToken,
 		))
+	_ = fs.MarkDeprecated("quay-token", "use keychain instead")
 	///
 
 	/// Selfhosted
@@ -266,19 +317,22 @@ func (o *Options) addAuthFlags(fs *pflag.FlagSet) {
 			"Username is authenticate with a selfhosted registry (%s_%s_%s).",
 			envPrefix, envSelfhostedPrefix, envSelfhostedUsername,
 		))
+	_ = fs.MarkDeprecated("selfhosted-username", "use keychain instead")
 	fs.StringVar(&o.selfhosted.Password,
 		"selfhosted-password", "",
 		fmt.Sprintf(
 			"Password is authenticate with a selfhosted registry (%s_%s_%s).",
 			envPrefix, envSelfhostedPrefix, envSelfhostedPassword,
 		))
+	_ = fs.MarkDeprecated("selfhosted-password", "use keychain instead")
 	fs.StringVar(&o.selfhosted.Bearer,
 		"selfhosted-token", "",
 		fmt.Sprintf(
 			"Token to authenticate to a selfhosted registry. Cannot be used with "+
 				"username/password (%s_%s_%s).",
 			envPrefix, envSelfhostedPrefix, envSelfhostedBearer,
 		))
+	_ = fs.MarkDeprecated("selfhosted-token", "use keychain instead")
 	fs.StringVar(&o.selfhosted.TokenPath,
 		"selfhosted-token-path", "",
 		fmt.Sprintf(
@@ -305,12 +359,9 @@ func (o *Options) addAuthFlags(fs *pflag.FlagSet) {
 				"THIS IS NOT RECOMMENDED AND IS INTENDED FOR DEBUGGING (%s_%s_%s)",
 			envPrefix, envSelfhostedPrefix, envSelfhostedInsecure,
 		))
-	// if !validSelfHostedOpts(o) {
-	// 	panic(fmt.Errorf("invalid self hosted configuration"))
-	// }
 }
 
-func (o *Options) complete() {
+func (o *Options) complete() error {
 	o.Client.Selfhosted = make(map[string]*selfhosted.Options)
 
 	envs := os.Environ()
@@ -338,6 +389,9 @@ func (o *Options) complete() {
 		{envGHCRHostname, &o.Client.GHCR.Hostname},
 
 		{envQuayToken, &o.Client.Quay.Token},
+
+		{envKeychainNamespace, &o.Client.KeyChain.Namespace},
+		{envKeychainServiceAccountName, &o.Client.KeyChain.ServiceAccountName},
 	} {
 		for _, env := range envs {
 			if o.assignEnv(env, opt.key, opt.assign) {
@@ -346,7 +400,7 @@ func (o *Options) complete() {
 		}
 	}
 
-	o.assignSelfhosted(envs)
+	return o.assignSelfhosted(envs)
 }
 
 func (o *Options) assignEnv(env, key string, assign *string) bool {
@@ -363,7 +417,24 @@ func (o *Options) assignEnv(env, key string, assign *string) bool {
 	return false
 }
 
-func (o *Options) assignSelfhosted(envs []string) {
+// assignSelfhosted processes a list of environment variables and assigns
+// self-hosted configuration options to the Options struct. It parses the
+// environment variables using predefined regular expressions to extract
+// self-hosted configuration details such as token path, bearer token, host,
+// username, password, insecure flag, and CA path.
+//
+// The function ensures that each self-hosted configuration is initialized
+// before assigning values. It also validates the self-hosted options after
+// processing all environment variables.
+//
+// Parameters:
+//   - envs: A slice of strings representing environment variables in the
+//     format "KEY=VALUE".
+//
+// Returns:
+//   - error: An error if validation of the self-hosted options fails, or nil
+//     if the operation is successful.
+func (o *Options) assignSelfhosted(envs []string) error {
 	if o.Client.Selfhosted == nil {
 		o.Client.Selfhosted = make(map[string]*selfhosted.Options)
 	}
@@ -451,26 +522,40 @@ func (o *Options) assignSelfhosted(envs []string) {
 		o.Client.Selfhosted[o.selfhosted.Host] = &o.selfhosted
 	}
 
-	if !validSelfHostedOpts(o) {
-		panic(fmt.Errorf("invalid self hosted configuration"))
-	}
+	return validateSelfHostedOpts(o)
 }
 
-func validSelfHostedOpts(opts *Options) bool {
+// validateSelfHostedOpts validates the self-hosted options provided in the
+// Options struct. It checks both the options set using environment variables
+// and those set using flags.
+//
+// For options set using environment variables, it iterates through the list
+// of self-hosted options and ensures that each host is valid.
+//
+// For options set using flags, it validates the host in the selfhosted.Options
+// struct.
+//
+// Returns an error if any of the self-hosted options contain an invalid host,
+// otherwise returns nil.
+func validateSelfHostedOpts(opts *Options) error {
 	// opts set using env vars
 	if opts.Client.Selfhosted != nil {
-		for _, selfHostedOpts := range opts.Client.Selfhosted {
-			return isValidOption(selfHostedOpts.Host, "")
+		for name, selfHostedOpts := range opts.Client.Selfhosted {
+			if err := isValidOption(selfHostedOpts.Host, ""); !err {
+				return fmt.Errorf("invalid self-hosted option for: %s", name)
+			}
 		}
 	}
 
 	// opts set using flags
 	if opts.selfhosted != (selfhosted.Options{}) {
-		return isValidOption(opts.selfhosted.Host, "")
+		if !isValidOption(opts.selfhosted.Host, "") {
+			return fmt.Errorf("invalid self-hosted option for host: %s", opts.selfhosted.Host)
+		}
 	}
-	return true
+	return nil
 }
 
-func isValidOption(option, invalid string) bool {
+func isValidOption(option, invalid any) bool {
 	return option != invalid
 }

cmd/app/options_test.go

@@ -5,10 +5,11 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/jetstack/version-checker/pkg/client"
 	"github.com/jetstack/version-checker/pkg/client/acr"
-	"github.com/jetstack/version-checker/pkg/client/docker"
+	"github.com/jetstack/version-checker/pkg/client/dockerhub"
 	"github.com/jetstack/version-checker/pkg/client/ecr"
 	"github.com/jetstack/version-checker/pkg/client/gcr"
 	"github.com/jetstack/version-checker/pkg/client/ghcr"
@@ -55,7 +56,7 @@ func TestComplete(t *testing.T) {
 					RefreshToken: "acr-token",
 					JWKSURI:      "acr-jwks-uri",
 				},
-				Docker: docker.Options{
+				Docker: dockerhub.Options{
 					Username: "docker-username",
 					Password: "docker-password",
 					Token:    "docker-token",
@@ -125,7 +126,7 @@ func TestComplete(t *testing.T) {
 					RefreshToken: "acr-token",
 					JWKSURI:      "acr-jwks-uri",
 				},
-				Docker: docker.Options{
+				Docker: dockerhub.Options{
 					Username: "docker-username",
 					Password: "docker-password",
 					Token:    "docker-token",
@@ -180,14 +181,15 @@ func TestComplete(t *testing.T) {
 				t.Setenv(env[0], env[1])
 			}
 			o := new(Options)
-			o.complete()
+			err := o.complete()
+			require.NoError(t, err)
 
 			assert.Exactly(t, test.expOptions, o.Client)
 		})
 	}
 }
 
-func TestInvalidSelfhostedPanic(t *testing.T) {
+func TestInvalidSelfhostedEnv(t *testing.T) {
 	tests := map[string]struct {
 		envs []string
 	}{
@@ -199,12 +201,8 @@ func TestInvalidSelfhostedPanic(t *testing.T) {
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			defer func() { _ = recover() }()
-
 			o := new(Options)
-			o.assignSelfhosted(test.envs)
-
-			t.Errorf("did not panic")
+			assert.Error(t, o.assignSelfhosted(test.envs))
 		})
 	}
 }
@@ -221,7 +219,7 @@ func TestInvalidSelfhostedOpts(t *testing.T) {
 		"no self hosted host provided": {
 			opts: Options{
 				Client: client.Options{
-					Selfhosted: map[string]*selfhosted.Options{"foo": &selfhosted.Options{
+					Selfhosted: map[string]*selfhosted.Options{"foo": {
 						Insecure: true,
 					}},
 				},
@@ -232,9 +230,12 @@ func TestInvalidSelfhostedOpts(t *testing.T) {
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
 
-			valid := validSelfHostedOpts(&test.opts)
-
-			assert.Equal(t, test.valid, valid)
+			err := validateSelfHostedOpts(&test.opts)
+			if test.valid {
+				assert.NoError(t, err)
+			} else {
+				assert.Error(t, err)
+			}
 		})
 	}
 }
@@ -353,7 +354,8 @@ func TestAssignSelfhosted(t *testing.T) {
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
 			o := new(Options)
-			o.assignSelfhosted(test.envs)
+			err := o.assignSelfhosted(test.envs)
+			require.NoError(t, err)
 
 			assert.Exactly(t, test.expOptions.Selfhosted, o.Client.Selfhosted)
 		})