3d2fd1b538
1. add new registry api under resources.kubesphere.io/v1alpha3 2. deprecate registry api v1alpha2 Registry API v1alpha2 uses docker client to authenticate image registry secret, which depends on docker.sock. We used to mount host `/var/run/docker.sock` to deployment. It will prevent us imgrating to containerd since no `docker.sock` exists. Registry API v1alpha3 comes to rescure, it wraps library go-containerregistry and compatible with docker registry, Harbor etc.
112 lines
2.6 KiB
Go
112 lines
2.6 KiB
Go
package v2
|
|
|
|
import (
|
|
"fmt"
|
|
"testing"
|
|
|
|
"encoding/base64"
|
|
|
|
"github.com/google/go-cmp/cmp"
|
|
"github.com/google/go-containerregistry/pkg/authn"
|
|
v1 "k8s.io/api/core/v1"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
)
|
|
|
|
func buildSecret(registry, username, password string, insecure bool) *v1.Secret {
|
|
auth := fmt.Sprintf("%s:%s", username, password)
|
|
authString := fmt.Sprintf("{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"\",\"auth\":\"%s\"}}}", registry, username, password, base64.StdEncoding.EncodeToString([]byte(auth)))
|
|
|
|
secret := &v1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "docker",
|
|
Namespace: v1.NamespaceDefault,
|
|
},
|
|
Data: map[string][]byte{
|
|
v1.DockerConfigJsonKey: []byte(authString),
|
|
},
|
|
Type: v1.SecretTypeDockerConfigJson,
|
|
}
|
|
|
|
if insecure {
|
|
secret.Annotations = make(map[string]string)
|
|
secret.Annotations[forceInsecure] = "true"
|
|
}
|
|
|
|
return secret
|
|
}
|
|
|
|
func TestSecretAuthenticator(t *testing.T) {
|
|
secret := buildSecret("dockerhub.qingcloud.com", "guest", "guest", false)
|
|
|
|
secretAuthenticator, err := NewSecretAuthenticator(secret)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
auth, err := secretAuthenticator.Authorization()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
expected := &authn.AuthConfig{
|
|
Username: "guest",
|
|
Password: "guest",
|
|
Auth: "Z3Vlc3Q6Z3Vlc3Q=",
|
|
}
|
|
|
|
if diff := cmp.Diff(auth, expected); len(diff) != 0 {
|
|
t.Errorf("%T, got+ expected-, %s", expected, diff)
|
|
}
|
|
}
|
|
|
|
func TestAuthn(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
secret *v1.Secret
|
|
auth bool
|
|
expectErr bool
|
|
}{
|
|
{
|
|
name: "Should authenticate with correct credential",
|
|
secret: buildSecret("https://dockerhub.qingcloud.com", "guest", "guest", false),
|
|
auth: true,
|
|
expectErr: false,
|
|
},
|
|
{
|
|
name: "Shouldn't authenticate with incorrect credentials",
|
|
secret: buildSecret("https://index.docker.io", "foo", "bar", false),
|
|
auth: false,
|
|
expectErr: true,
|
|
},
|
|
{
|
|
name: "Shouldn't authenticate with no credentials",
|
|
secret: nil,
|
|
auth: false,
|
|
expectErr: true,
|
|
},
|
|
}
|
|
|
|
for _, testCase := range testCases {
|
|
t.Run(testCase.name, func(t *testing.T) {
|
|
secretAuthenticator, err := NewSecretAuthenticator(testCase.secret)
|
|
if err != nil {
|
|
t.Errorf("error creating secretAuthenticator, %v", err)
|
|
}
|
|
|
|
ok, err := secretAuthenticator.Auth()
|
|
if testCase.auth != ok {
|
|
t.Errorf("expected auth result: %v, but got %v", testCase.auth, ok)
|
|
}
|
|
|
|
if testCase.expectErr && err == nil {
|
|
t.Errorf("expected error, but got nil")
|
|
}
|
|
|
|
if !testCase.expectErr && err != nil {
|
|
t.Errorf("authentication error, %v", err)
|
|
}
|
|
})
|
|
}
|
|
}
|