diff --git a/deploy/Dockerfile_debug b/deploy/Dockerfile_debug index 4368361af8..3a58dce47f 100644 --- a/deploy/Dockerfile_debug +++ b/deploy/Dockerfile_debug @@ -31,6 +31,9 @@ RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/doc # Get ACR docker env credential helper RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419 +# Get GitLab CI env credential helper +RUN go install github.com/ePirat/docker-credential-gitlabci@10832279bfb8014babd85f3acef86600c59e09e4 # v1.0.0 + # Add .docker config dir RUN mkdir -p /kaniko/.docker @@ -56,6 +59,7 @@ COPY --from=0 /src/out/warmer /kaniko/warmer COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr-env +COPY --from=0 /usr/local/bin/docker-credential-gitlabci /kaniko/docker-credential-gitlabci COPY --from=busybox:1.32.0 /bin /busybox # Since busybox needs some lib files which lie in /lib directory to run the executables on s390x, # the below COPY command is added to address "ld64.so.1 not found" issue. This extra copy action will not diff --git a/go.mod b/go.mod index c1490ce1c4..f5aa02882d 100644 --- a/go.mod +++ b/go.mod @@ -93,6 +93,7 @@ require ( github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-units v0.4.0 // indirect github.com/docker/swarmkit v1.12.1-0.20180726190244-7567d47988d8 // indirect + github.com/ePirat/docker-credential-gitlabci v1.0.0 github.com/emirpasic/gods v1.12.0 // indirect github.com/fsnotify/fsnotify v1.5.1 // indirect github.com/go-git/gcfg v1.5.0 // indirect diff --git a/go.sum b/go.sum index 547fe08792..6c3e39051c 100644 --- a/go.sum +++ b/go.sum @@ -604,6 +604,8 @@ github.com/docker/swarmkit v1.12.1-0.20180726190244-7567d47988d8/go.mod h1:n3Z4l github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/ePirat/docker-credential-gitlabci v1.0.0 h1:YRkUSvkON6rT88vtscClAmPEYWhtltGEAuRVYtz1/+Y= +github.com/ePirat/docker-credential-gitlabci v1.0.0/go.mod h1:Ptmh+D0lzBQtgb6+QHjXl9HqOn3T1P8fKUHldiSQQGA= github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= diff --git a/pkg/creds/creds.go b/pkg/creds/creds.go index 394bf3f64e..5c95eaeeb3 100644 --- a/pkg/creds/creds.go +++ b/pkg/creds/creds.go @@ -21,6 +21,7 @@ import ( ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login" "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper" + gitlab "github.com/ePirat/docker-credential-gitlabci/pkg/credhelper" "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/v1/google" ) @@ -32,5 +33,6 @@ func GetKeychain() authn.Keychain { google.Keychain, authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(ioutil.Discard))), authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()), + authn.NewKeychainFromHelper(gitlab.NewGitLabCredentialsHelper()), ) } diff --git a/vendor/github.com/ePirat/docker-credential-gitlabci/LICENSE b/vendor/github.com/ePirat/docker-credential-gitlabci/LICENSE new file mode 100644 index 0000000000..a29567155d --- /dev/null +++ b/vendor/github.com/ePirat/docker-credential-gitlabci/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2022 Marvin Scholz + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/ePirat/docker-credential-gitlabci/pkg/credhelper/credhelper.go b/vendor/github.com/ePirat/docker-credential-gitlabci/pkg/credhelper/credhelper.go new file mode 100644 index 0000000000..3d44d7ff76 --- /dev/null +++ b/vendor/github.com/ePirat/docker-credential-gitlabci/pkg/credhelper/credhelper.go @@ -0,0 +1,108 @@ +/* Copyright (c) 2022 Marvin Scholz + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package credhelper + +import ( + "errors" + "fmt" + "net/url" + "os" + "strings" + + "github.com/docker/docker-credential-helpers/credentials" +) + +type GitLabCredentialsHelper struct{} + +var ErrUnsupportedOperation = errors.New("unsupported operation") + +func NewGitLabCredentialsHelper() credentials.Helper { + return &GitLabCredentialsHelper{} +} + +func parseRegistryURL(urlString string) (*url.URL, error) { + // If no scheme is given, use https as it is the default + // for docker registries + if !(strings.HasPrefix(urlString, "https://") || + strings.HasPrefix(urlString, "http://")) { + urlString = "https://" + urlString + } + return url.Parse(urlString) +} + +func matchRegistryURL(serverURLString string) error { + // Read registry URL from predefined CI environment variable + // https://docs.gitlab.com/ee/ci/variables/predefined_variables.html + envURLString, urlFound := os.LookupEnv("CI_REGISTRY") + if !urlFound { + return errors.New("no CI_REGISTRY env var set") + } + envURL, err := parseRegistryURL(envURLString) + if err != nil { + return fmt.Errorf("failed to parse CI_REGISTRY URL: %w", err) + } + serverURL, err := parseRegistryURL(serverURLString) + if err != nil { + return fmt.Errorf("failed to parse registry URL: %w", err) + } + if serverURL.Hostname() == "" || envURL.Hostname() == "" { + return errors.New("failed getting hosts for matching") + } + if serverURL.Scheme != envURL.Scheme { + return fmt.Errorf("protocol for '%s' does not match CI_REGISTRY host '%s'", + serverURLString, + envURLString) + } + if serverURL.Hostname() != envURL.Hostname() { + return fmt.Errorf("host '%s' does not match CI_REGISTRY host '%s'", + serverURL.Hostname(), + envURL.Hostname()) + } + return nil +} + +func (credHelper GitLabCredentialsHelper) Add(c *credentials.Credentials) error { + return ErrUnsupportedOperation +} + +func (credHelper GitLabCredentialsHelper) Delete(serverURL string) error { + return ErrUnsupportedOperation +} + +func (credHelper GitLabCredentialsHelper) Get(serverURL string) (string, string, error) { + if err := matchRegistryURL(serverURL); err != nil { + return "", "", fmt.Errorf("server URL does not match CI_REGISTRY URL: %w", err) + } + user, found := os.LookupEnv("CI_REGISTRY_USER") + if !found { + return "", "", errors.New("no CI_REGISTRY_USER env var set") + } + pass, found := os.LookupEnv("CI_REGISTRY_PASSWORD") + if !found { + return "", "", errors.New("no CI_REGISTRY_PASSWORD env var set") + } + return user, pass, nil +} + +func (credHelper GitLabCredentialsHelper) List() (map[string]string, error) { + return nil, ErrUnsupportedOperation +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 224a43e9ca..09b4d3aecb 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -434,6 +434,9 @@ github.com/docker/swarmkit/log github.com/docker/swarmkit/manager/raftselector github.com/docker/swarmkit/protobuf/plugin github.com/docker/swarmkit/protobuf/ptypes +# github.com/ePirat/docker-credential-gitlabci v1.0.0 +## explicit; go 1.17 +github.com/ePirat/docker-credential-gitlabci/pkg/credhelper # github.com/emirpasic/gods v1.12.0 ## explicit github.com/emirpasic/gods/containers