Allow use of org_path with mirrored images

Fixes the logic when adding mirrors with an optional org_path.

Author: sebsoto

pkg/registries/registries.go

@@ -101,6 +101,17 @@ func extractRegistryHostname(fullImage string) string {
 	return strings.Split(fullImage, imagePathSeparator)[0]
 }
 
+// extractRegistryOrgPath returns only the org path when given a reference to a registry.
+// The input for this function should not include an image name.
+func extractRegistryOrgPath(registry string) string {
+	hostname := extractRegistryHostname(registry)
+	hostnameSplit := strings.SplitN(registry, hostname, 2)
+	if len(hostnameSplit) != 2 {
+		return ""
+	}
+	return strings.TrimPrefix(hostnameSplit[1], "/")
+}
+
 // getMergedMirrorSets extracts and merges the contents of the given mirror sets.
 // The resulting slice of mirrorSets represents a system-wide image registry configuration.
 func getMergedMirrorSets(idmsItems []config.ImageDigestMirrorSet, idtsItems []config.ImageTagMirrorSet) []mirrorSet {
@@ -218,14 +229,24 @@ func (ms *mirrorSet) generateConfig(secretsConfig credentialprovider.DockerConfi
 		// set the fallback server to the first mirror to ensure the source is never contacted, even if all mirrors fail
 		fallbackServer = ms.mirrors[0].host
 	}
-	result += fmt.Sprintf("server = \"https://%s\"", fallbackServer)
-	result += "\n"
+	fallbackRegistry := extractRegistryHostname(fallbackServer)
+	result += fmt.Sprintf("server = \"https://%s/v2", fallbackRegistry)
+	if orgPath := extractRegistryOrgPath(fallbackServer); orgPath != "" {
+		result += "/" + orgPath
+	}
+	result += "\"\n"
+	result += "\noverride_path = true\n"
 
 	// Each mirror should result in an entry followed by a set of settings for interacting with the mirror host
 	for _, m := range ms.mirrors {
+		hostRegistry := extractRegistryHostname(m.host)
+		hostOrgPath := extractRegistryOrgPath(m.host)
 		result += "\n"
-		result += fmt.Sprintf("[host.\"https://%s\"]", m.host)
-		result += "\n"
+		result += fmt.Sprintf("[host.\"https://%s/v2", hostRegistry)
+		if hostOrgPath != "" {
+			result += "/" + hostOrgPath
+		}
+		result += "\"]\n"
 
 		// Specify the operations the registry host may perform. IDMS mirrors can only be pulled by directly by digest,
 		// whereas ITMS mirrors have the additional resolve capability, which allows converting a tag name into a digest
@@ -237,15 +258,19 @@ func (ms *mirrorSet) generateConfig(secretsConfig credentialprovider.DockerConfi
 		}
 		result += hostCapabilities
 		result += "\n"
+		result += "  override_path = true\n"
 
 		// Extract the mirror repo's authorization credentials, if one exists
 		if entry, ok := secretsConfig.Auths[extractRegistryHostname(m.host)]; ok {
 			credentials := entry.Username + ":" + entry.Password
 			token := base64.StdEncoding.EncodeToString([]byte(credentials))
 
 			// Add the access token as a request header
-			result += fmt.Sprintf("  [host.\"https://%s\".header]", m.host)
-			result += "\n"
+			result += fmt.Sprintf("  [host.\"https://%s/v2", hostRegistry)
+			if hostOrgPath != "" {
+				result += "/" + hostOrgPath
+			}
+			result += "\".header]\n"
 			result += fmt.Sprintf("    authorization = \"Basic %s\"", token)
 			result += "\n"
 		}

pkg/registries/registries_test.go

@@ -237,7 +237,7 @@ func TestGenerateConfig(t *testing.T) {
 		{
 			name: "empty mirrors",
 			input: mirrorSet{
-				source:             "registry.access.redhat.com/ubi9/ubi-minimal",
+				source:             "registry.access.redhat.com/ubi9",
 				mirrors:            []mirror{},
 				mirrorSourcePolicy: config.AllowContactingSource,
 			},
@@ -246,114 +246,136 @@ func TestGenerateConfig(t *testing.T) {
 		{
 			name: "basic one digest mirror",
 			input: mirrorSet{
-				source: "registry.access.redhat.com/ubi9/ubi-minimal",
+				source: "registry.access.redhat.com",
 				mirrors: []mirror{
-					{host: "example.io/example/ubi-minimal", resolveTags: false},
+					{host: "example.io/example", resolveTags: false},
 				},
 				mirrorSourcePolicy: config.AllowContactingSource,
 			},
-			expectedOutput: `server = "https://registry.access.redhat.com/ubi9/ubi-minimal"
+			expectedOutput: `server = "https://registry.access.redhat.com/v2"
 
-[host."https://example.io/example/ubi-minimal"]
+override_path = true
+
+[host."https://example.io/v2/example"]
   capabilities = ["pull"]
+  override_path = true
 `,
 		},
 		{
 			name: "basic one tag mirror",
 			input: mirrorSet{
-				source: "registry.access.redhat.com/ubi9/ubi-minimal",
+				source: "registry.access.redhat.com",
 				mirrors: []mirror{
-					{host: "example.io/example/ubi-minimal", resolveTags: true},
+					{host: "example.io/example", resolveTags: true},
 				},
 				mirrorSourcePolicy: config.AllowContactingSource,
 			},
-			expectedOutput: `server = "https://registry.access.redhat.com/ubi9/ubi-minimal"
+			expectedOutput: `server = "https://registry.access.redhat.com/v2"
+
+override_path = true
 
-[host."https://example.io/example/ubi-minimal"]
+[host."https://example.io/v2/example"]
   capabilities = ["pull", "resolve"]
+  override_path = true
 `,
 		},
 		{
 			name: "one digest mirror never contact source",
 			input: mirrorSet{
-				source: "registry.access.redhat.com/ubi9/ubi-minimal",
+				source: "registry.access.redhat.com",
 				mirrors: []mirror{
-					{host: "example.io/example/ubi-minimal", resolveTags: false},
+					{host: "example.io/example", resolveTags: false},
 				},
 				mirrorSourcePolicy: config.NeverContactSource,
 			},
-			expectedOutput: `server = "https://example.io/example/ubi-minimal"
+			expectedOutput: `server = "https://example.io/v2/example"
+
+override_path = true
 
-[host."https://example.io/example/ubi-minimal"]
+[host."https://example.io/v2/example"]
   capabilities = ["pull"]
+  override_path = true
 `,
 		},
 		{
 			name: "tags mirror never contact source",
 			input: mirrorSet{
-				source: "registry.access.redhat.com/ubi9/ubi-minimal",
+				source: "registry.access.redhat.com",
 				mirrors: []mirror{
-					{host: "example.io/example/ubi-minimal", resolveTags: true},
+					{host: "example.io/example", resolveTags: true},
 				},
 				mirrorSourcePolicy: config.NeverContactSource,
 			},
-			expectedOutput: `server = "https://example.io/example/ubi-minimal"
+			expectedOutput: `server = "https://example.io/v2/example"
 
-[host."https://example.io/example/ubi-minimal"]
+override_path = true
+
+[host."https://example.io/v2/example"]
   capabilities = ["pull", "resolve"]
+  override_path = true
 `,
 		},
 		{
 			name: "multiple mirrors",
 			input: mirrorSet{
-				source: "registry.access.redhat.com/ubi9/ubi-minimal",
+				source: "registry.access.redhat.com",
 				mirrors: []mirror{
-					{host: "example.io/example/ubi-minimal", resolveTags: false},
+					{host: "example.io/example", resolveTags: false},
 					{host: "mirror.example.com/redhat", resolveTags: false},
-					{host: "mirror.example.net/image", resolveTags: true},
+					{host: "mirror.example.net", resolveTags: true},
 				},
 				mirrorSourcePolicy: config.AllowContactingSource,
 			},
-			expectedOutput: `server = "https://registry.access.redhat.com/ubi9/ubi-minimal"
+			expectedOutput: `server = "https://registry.access.redhat.com/v2"
+
+override_path = true
 
-[host."https://example.io/example/ubi-minimal"]
+[host."https://example.io/v2/example"]
   capabilities = ["pull"]
+  override_path = true
 
-[host."https://mirror.example.com/redhat"]
+[host."https://mirror.example.com/v2/redhat"]
   capabilities = ["pull"]
-  [host."https://mirror.example.com/redhat".header]
+  override_path = true
+  [host."https://mirror.example.com/v2/redhat".header]
     authorization = "Basic dXNlcjpwYXNz"
 
-[host."https://mirror.example.net/image"]
+[host."https://mirror.example.net/v2"]
   capabilities = ["pull", "resolve"]
-  [host."https://mirror.example.net/image".header]
+  override_path = true
+  [host."https://mirror.example.net/v2".header]
     authorization = "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
 `,
 		},
 		{
 			name: "multiple mirrors never contact source",
 			input: mirrorSet{
-				source: "registry.access.redhat.com/ubi9/ubi-minimal",
+				source: "registry.access.redhat.com",
 				mirrors: []mirror{
-					{host: "example.io/example/ubi-minimal", resolveTags: false},
+					{host: "example.io/example", resolveTags: false},
 					{host: "mirror.example.com/redhat", resolveTags: false},
 					{host: "mirror.example.net", resolveTags: true},
 				},
 				mirrorSourcePolicy: config.NeverContactSource,
 			},
-			expectedOutput: `server = "https://example.io/example/ubi-minimal"
+			expectedOutput: `server = "https://example.io/v2/example"
 
-[host."https://example.io/example/ubi-minimal"]
+override_path = true
+
+[host."https://example.io/v2/example"]
   capabilities = ["pull"]
+  override_path = true
 
-[host."https://mirror.example.com/redhat"]
+[host."https://mirror.example.com/v2/redhat"]
   capabilities = ["pull"]
-  [host."https://mirror.example.com/redhat".header]
+  override_path = true
+  [host."https://mirror.example.com/v2/redhat".header]
     authorization = "Basic dXNlcjpwYXNz"
 
-[host."https://mirror.example.net"]
+[host."https://mirror.example.net/v2"]
   capabilities = ["pull", "resolve"]
-  [host."https://mirror.example.net".header]
+  override_path = true
+  [host."https://mirror.example.net/v2".header]
     authorization = "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
 `,
 		},
@@ -681,3 +703,29 @@ func TestExtractMirrorURL(t *testing.T) {
 		})
 	}
 }
+
+func TestExtractOrgPath(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected string
+	}{
+		{
+			input:    "registry.local/org",
+			expected: "org",
+		},
+		{
+			input:    "registry.local/org/sub_org",
+			expected: "org/sub_org",
+		},
+		{
+			input:    "registry.local",
+			expected: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.input, func(t *testing.T) {
+			result := extractRegistryOrgPath(tt.input)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}