trt-2163: check for registryAuthFilePath

Author: neisw

pkg/test/extensions/binary.go

@@ -24,8 +24,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/mod/semver"
-	kapierrs "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 	k8simage "k8s.io/kubernetes/test/utils/image"
@@ -35,7 +33,6 @@ import (
 	"github.com/openshift/origin/pkg/clioptions/clusterdiscovery"
 	"github.com/openshift/origin/pkg/clioptions/imagesetup"
 	"github.com/openshift/origin/pkg/clioptions/upgradeoptions"
-	"github.com/openshift/origin/test/extended/util"
 	exutil "github.com/openshift/origin/test/extended/util"
 	origingenerated "github.com/openshift/origin/test/extended/util/annotate/generated"
 	"github.com/openshift/origin/test/extended/util/image"
@@ -422,64 +419,16 @@ func ExtractAllTestBinaries(ctx context.Context, parallelism int) (func(), TestB
 		return nil, nil, errors.WithMessage(err, "couldn't determine release image")
 	}
 
-	oc := util.NewCLIWithoutNamespace("default")
-
-	// To extract binaries bearing external tests, we must inspect the release
-	// payload under tests as well as extract content from component images
-	// referenced by that payload.
-	// openshift-tests is frequently run in the context of a CI job, within a pod.
-	// CI sets $RELEASE_IMAGE_LATEST to a pullspec for the release payload under test. This
-	// pull spec resolve to:
-	// 1. A build farm ci-op-* namespace / imagestream location (anonymous access permitted).
-	// 2. A quay.io/openshift-release-dev location (for tests against promoted ART payloads -- anonymous access permitted).
-	// 3. A registry.ci.openshift.org/ocp-<arch>/release:<tag> (request registry.ci.openshift.org token).
-	// Within the pod, we don't necessarily have a pull-secret for #3 OR the component images
-	// a payload references (which are private, unless in a ci-op-* imagestream).
-	// We try the following options:
-	// 1. If set, use the REGISTRY_AUTH_FILE environment variable to an auths file with
-	//    pull secrets capable of reading appropriate payload & component image
-	//    information.
-	// 2. If it exists, use a file /run/secrets/ci.openshift.io/cluster-profile/pull-secret
-	//    (conventional location for pull-secret information for CI cluster profile).
-	// 3. Use openshift-config secret/pull-secret from the cluster-under-test, if it exists
-	//    (Microshift does not).
-	// 4. Use unauthenticated access to the payload image and component images.
-	registryAuthFilePath := os.Getenv("REGISTRY_AUTH_FILE")
-
-	// if the environment variable is not set, extract the target cluster's
-	// platform pull secret.
-	if len(registryAuthFilePath) != 0 {
-		logrus.Infof("Using REGISTRY_AUTH_FILE environment variable: %v", registryAuthFilePath)
-	} else {
-
-		// See if the cluster-profile has stored a pull-secret at the conventional location.
-		ciProfilePullSecretPath := "/run/secrets/ci.openshift.io/cluster-profile/pull-secret"
-		_, err := os.Stat(ciProfilePullSecretPath)
-		if !os.IsNotExist(err) {
-			logrus.Infof("Detected %v; using cluster profile for image access", ciProfilePullSecretPath)
-			registryAuthFilePath = ciProfilePullSecretPath
-		} else {
-			// Inspect the cluster-under-test and read its cluster pull-secret dockerconfigjson value.
-			clusterPullSecret, err := oc.AdminKubeClient().CoreV1().Secrets("openshift-config").Get(context.Background(), "pull-secret", metav1.GetOptions{})
-			if err != nil {
-				if kapierrs.IsNotFound(err) {
-					logrus.Warningf("Cluster has no openshift-config secret/pull-secret; falling back to unauthenticated image access")
-				} else {
-					return nil, nil, fmt.Errorf("unable to read ephemeral cluster pull secret: %w", err)
-				}
-			} else {
-				tmpDir, err := os.MkdirTemp("", "external-binary")
-				clusterDockerConfig := clusterPullSecret.Data[".dockerconfigjson"]
-				registryAuthFilePath = filepath.Join(tmpDir, ".dockerconfigjson")
-				err = os.WriteFile(registryAuthFilePath, clusterDockerConfig, 0600)
-				if err != nil {
-					return nil, nil, fmt.Errorf("unable to serialize target cluster pull-secret locally: %w", err)
-				}
+	tmpDir, err := os.MkdirTemp("", "external-binary")
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create temporary directory: %w", err)
+	}
 
-				defer os.RemoveAll(tmpDir)
-				logrus.Infof("Using target cluster pull-secrets for registry auth")
-			}
-		}
+	defer os.RemoveAll(tmpDir)
+
+	registryAuthFilePath, err := DetermineRegistryAuthFilePath(tmpDir)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to determine registry auth file path: %w", err)
 	}
 
 	externalBinaryProvider, err := NewExternalBinaryProvider(releaseImage, registryAuthFilePath)

pkg/test/extensions/util.go

@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	kapierrs "k8s.io/apimachinery/pkg/api/errors"
 	"os"
 	"os/exec"
 	"path"
@@ -280,8 +281,13 @@ func ExtractImageFromReleasePayload(releaseImage, imageTag string) (string, erro
 	}
 	defer os.RemoveAll(tmpDir)
 
+	registryAuthFilePath, err := DetermineRegistryAuthFilePath(tmpDir)
+	if err != nil {
+		return "", fmt.Errorf("failed to determine registry auth file path: %w", err)
+	}
+
 	// Extract the ImageStream from the release payload
-	imageStream, _, err := extractReleaseImageStream(tmpDir, releaseImage, "")
+	imageStream, _, err := extractReleaseImageStream(tmpDir, releaseImage, registryAuthFilePath)
 	if err != nil {
 		return "", fmt.Errorf("failed to extract image references from release payload: %w", err)
 	}
@@ -295,3 +301,64 @@ func ExtractImageFromReleasePayload(releaseImage, imageTag string) (string, erro
 
 	return "", fmt.Errorf("image tag %q not found in release payload %q", imageTag, releaseImage)
 }
+
+func DetermineRegistryAuthFilePath(tmpDir string) (string, error) {
+	oc := util.NewCLIWithoutNamespace("default")
+
+	// To extract binaries bearing external tests, we must inspect the release
+	// payload under tests as well as extract content from component images
+	// referenced by that payload.
+	// openshift-tests is frequently run in the context of a CI job, within a pod.
+	// CI sets $RELEASE_IMAGE_LATEST to a pullspec for the release payload under test. This
+	// pull spec resolve to:
+	// 1. A build farm ci-op-* namespace / imagestream location (anonymous access permitted).
+	// 2. A quay.io/openshift-release-dev location (for tests against promoted ART payloads -- anonymous access permitted).
+	// 3. A registry.ci.openshift.org/ocp-<arch>/release:<tag> (request registry.ci.openshift.org token).
+	// Within the pod, we don't necessarily have a pull-secret for #3 OR the component images
+	// a payload references (which are private, unless in a ci-op-* imagestream).
+	// We try the following options:
+	// 1. If set, use the REGISTRY_AUTH_FILE environment variable to an auths file with
+	//    pull secrets capable of reading appropriate payload & component image
+	//    information.
+	// 2. If it exists, use a file /run/secrets/ci.openshift.io/cluster-profile/pull-secret
+	//    (conventional location for pull-secret information for CI cluster profile).
+	// 3. Use openshift-config secret/pull-secret from the cluster-under-test, if it exists
+	//    (Microshift does not).
+	// 4. Use unauthenticated access to the payload image and component images.
+	registryAuthFilePath := os.Getenv("REGISTRY_AUTH_FILE")
+
+	// if the environment variable is not set, extract the target cluster's
+	// platform pull secret.
+	if len(registryAuthFilePath) != 0 {
+		logrus.Infof("Using REGISTRY_AUTH_FILE environment variable: %v", registryAuthFilePath)
+	} else {
+
+		// See if the cluster-profile has stored a pull-secret at the conventional location.
+		ciProfilePullSecretPath := "/run/secrets/ci.openshift.io/cluster-profile/pull-secret"
+		_, err := os.Stat(ciProfilePullSecretPath)
+		if !os.IsNotExist(err) {
+			logrus.Infof("Detected %v; using cluster profile for image access", ciProfilePullSecretPath)
+			registryAuthFilePath = ciProfilePullSecretPath
+		} else {
+			// Inspect the cluster-under-test and read its cluster pull-secret dockerconfigjson value.
+			clusterPullSecret, err := oc.AdminKubeClient().CoreV1().Secrets("openshift-config").Get(context.Background(), "pull-secret", metav1.GetOptions{})
+			if err != nil {
+				if kapierrs.IsNotFound(err) {
+					logrus.Warningf("Cluster has no openshift-config secret/pull-secret; falling back to unauthenticated image access")
+				} else {
+					return "", fmt.Errorf("unable to read ephemeral cluster pull secret: %w", err)
+				}
+			} else {
+				clusterDockerConfig := clusterPullSecret.Data[".dockerconfigjson"]
+				registryAuthFilePath = filepath.Join(tmpDir, ".dockerconfigjson")
+				err = os.WriteFile(registryAuthFilePath, clusterDockerConfig, 0600)
+				if err != nil {
+					return "", fmt.Errorf("unable to serialize target cluster pull-secret locally: %w", err)
+				}
+				logrus.Infof("Using target cluster pull-secrets for registry auth")
+			}
+		}
+	}
+
+	return registryAuthFilePath, nil
+}