ci: separate oci-pull tests from legacy tests

since they're considered integration tests and can't be run inside
a docker container due to testcontainers-go

Author: mac641

.github/workflows/build.yml

@@ -29,12 +29,21 @@ jobs:
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v2
 
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: 'go.mod'
+          cache: false
+
       - name: Make tag
         run: |
           [ "${GITHUB_EVENT_NAME}" == 'pull_request' ] && echo "TARGET_BINARY_LOCATION=pull-requests/$(echo $GITHUB_REF | awk -F / '{print $3}')-${GITHUB_HEAD_REF##*/}" >> $GITHUB_ENV || true
           [ "${GITHUB_EVENT_NAME}" == 'release' ] && echo "TARGET_BINARY_LOCATION=${GITHUB_REF##*/}" >> $GITHUB_ENV || true
           [ "${GITHUB_EVENT_NAME}" == 'push' ] && echo "TARGET_BINARY_LOCATION=latest" >> $GITHUB_ENV || true
 
+      - name: Run integration test
+        run: make test-integration
+
       - name: Build image
         run: |
           make metal-hammer-initrd.img.lz4

Makefile

@@ -29,7 +29,7 @@ LINKMODE := -linkmode external -extldflags '-static -s -w' \
 		 -X 'github.com/metal-stack/v.GitSHA1=$(SHA)' \
 		 -X 'github.com/metal-stack/v.BuildDate=$(BUILDDATE)'
 
-bin/$(BINARY): test $(GOSRC)
+bin/$(BINARY): test-unit $(GOSRC)
 	$(info CGO_ENABLED="$(CGO_ENABLED)")
 	$(GO) build \
 		-tags netgo \
@@ -39,10 +39,15 @@ bin/$(BINARY): test $(GOSRC)
 		$(MAINMODULE)
 	strip bin/$(BINARY)
 
-.PHONY: test
-test:
+.PHONY: test-unit
+test-unit:
 	CGO_ENABLED=1 $(GO) test -cover ./...
 
+.PHONY: test-integration
+test-integration:
+	CGO_ENABLED=1 find . -name '*_integration_test.go' -type f -printf '%h\n' | sort -u | xargs -r $(GO) test -cover -tags=integration
+	# CGO_ENABLED=1 $(GO) test -cover -tags=integration ./.../*_integration_test.go
+
 .PHONY: clean
 clean::
 	rm -f ${INITRD} ${INITRD_COMPRESSED}
@@ -138,4 +143,4 @@ start:
 		--cmdline "console=ttyS0" \
 		--cpus boot=4 \
 		--memory size=1024M \
-		--net "tap=,mac=,ip=,mask="
+		--net "tap=,mac=,ip=,mask="

cmd/image/image_integration_test.go

@@ -0,0 +1,187 @@
+//go:build integration
+package image
+
+import (
+	"context"
+	"crypto/rand"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/foomo/htpasswd"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
+	"github.com/metal-stack/metal-lib/pkg/pointer"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/testcontainers/testcontainers-go"
+	"github.com/testcontainers/testcontainers-go/wait"
+)
+
+func TestOciPull(t *testing.T) {
+	var (
+		assert = assert.New(t)
+
+		ctx          = context.Background()
+		mountDir     = "/tmp/oci-pull-mount-dir"
+		extractedBin = "a"
+
+		anonymousUsername = ""
+		anonymousPassword = ""
+	)
+
+	t.Run("successful anonymous pull", func(t *testing.T) {
+		regIP, regPort, err := startRegistry(nil, nil, nil)
+		require.NoError(t, err)
+		registry := fmt.Sprintf("%s:%d", regIP, regPort)
+
+		imageRef := fmt.Sprintf("%s/library/image", registry)
+		err = createImage(imageRef, "", "")
+		require.NoError(t, err)
+
+		err = os.MkdirAll(mountDir, 0777)
+		require.NoError(t, err)
+		defer os.RemoveAll(mountDir)
+
+		i := NewImage(slog.Default())
+		if err = i.OciPull(ctx, imageRef, mountDir, anonymousUsername, anonymousPassword); err != nil {
+			t.Error(err)
+		}
+
+		extractedBinFullPath := filepath.Join(mountDir, extractedBin)
+		assert.FileExists(extractedBinFullPath)
+	})
+
+	t.Run("successful authenticated pull", func(t *testing.T) {
+		var (
+			username = "test-user"
+			password = "test-password"
+		)
+
+		f, err := os.CreateTemp("", "htpasswd")
+		require.NoError(t, err)
+		defer func() {
+			_ = os.Remove(f.Name())
+		}()
+
+		err = htpasswd.SetPassword(f.Name(), username, password, htpasswd.HashBCrypt)
+		require.NoError(t, err)
+
+		env := map[string]string{
+			"REGISTRY_AUTH":                "htpasswd",
+			"REGISTRY_AUTH_HTPASSWD_REALM": "registry-login",
+			"REGISTRY_AUTH_HTPASSWD_PATH":  "/htpasswd",
+		}
+		regIP, regPort, err := startRegistry(env, pointer.Pointer(f.Name()), pointer.Pointer("/htpasswd"))
+		require.NoError(t, err)
+		registry := fmt.Sprintf("%s:%d", regIP, regPort)
+
+		imageRefBehindAuth := fmt.Sprintf("%s/library/image", registry)
+		err = createImage(imageRefBehindAuth, username, password)
+		require.NoError(t, err)
+
+		err = os.MkdirAll(mountDir, 0777)
+		require.NoError(t, err)
+		defer os.RemoveAll(mountDir)
+
+		i := NewImage(slog.Default())
+		if err = i.OciPull(ctx, imageRefBehindAuth, mountDir, username, password); err != nil {
+			t.Error(err)
+		}
+
+		extractedBinFullPath := filepath.Join(mountDir, extractedBin)
+		assert.FileExists(extractedBinFullPath)
+	})
+
+	t.Run("parsing of image refs fails", func(t *testing.T) {
+		invalidImageRef := "invalid://"
+		i := NewImage(slog.Default())
+		err := i.OciPull(ctx, invalidImageRef, mountDir, anonymousUsername, anonymousPassword)
+		assert.EqualError(err, "parsing image reference: could not parse reference: invalid://")
+	})
+
+	t.Run("pulling remote image fails", func(t *testing.T) {
+		imageRefDoesNotExist := "oci://does/not/exist:tag"
+		i := NewImage(slog.Default())
+		err := i.OciPull(ctx, imageRefDoesNotExist, mountDir, anonymousUsername, anonymousPassword)
+		assert.Error(err)
+	})
+}
+
+// HELPER FUNCTIONS
+func startRegistry(env map[string]string, src, dst *string) (string, int, error) {
+	ctx := context.Background()
+	var (
+		c   testcontainers.Container
+		err error
+	)
+
+	req := testcontainers.ContainerRequest{
+		Image:        "registry:3",
+		ExposedPorts: []string{"5000/tcp"},
+		Env:          env,
+		WaitingFor: wait.ForAll(
+			wait.ForLog("listening on"),
+			wait.ForListeningPort("5000/tcp"),
+		),
+	}
+	c, err = testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
+		ContainerRequest: req,
+		Started:          true,
+	})
+	if err != nil {
+		return "", 0, err
+	}
+	if src != nil && dst != nil {
+		err = c.CopyFileToContainer(ctx, *src, *dst, 0o777)
+		if err != nil {
+			return "", 0, err
+		}
+	}
+
+	ip, err := c.Host(ctx)
+	if err != nil {
+		return ip, 0, err
+	}
+	port, err := c.MappedPort(ctx, "5000")
+	if err != nil {
+		return ip, port.Int(), err
+	}
+
+	return ip, port.Int(), nil
+}
+
+func createImage(imageName, username, password string, tags ...string) error {
+	// ensure every image has distinct content
+	buf := make([]byte, 128)
+	_, err := rand.Read(buf)
+	if err != nil {
+		return err
+	}
+	img, err := crane.Image(map[string][]byte{"a": buf})
+	if err != nil {
+		return err
+	}
+
+	var auth = authn.Anonymous
+	if username != "" || password != "" {
+		auth = &authn.Basic{
+			Username: username,
+			Password: password,
+		}
+	}
+	err = crane.Push(img, imageName, crane.WithAuth(auth))
+	if err != nil {
+		return err
+	}
+	for _, tag := range tags {
+		err := crane.Push(img, imageName+":"+tag, crane.WithAuth(auth))
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}