Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pass docker auth when retrieving bundle metadata #2366

Merged
merged 3 commits into from
Sep 21, 2022
Merged

Pass docker auth when retrieving bundle metadata #2366

merged 3 commits into from
Sep 21, 2022

Conversation

carolynvs
Copy link
Member

What does this change

Before we publish or copy a bundle, we retrieve the destination bundle's metadata as a way to check if it already exists, and requires --force to overwrite. By default crane passes the current keychain when interacting with registries. Crane uses go-containerregistry under the hood and at the time I didn't realize that it was crane, and not go-containerregistry specifying the authentication. The go-containerregistry library authenticates as anonymous by default.

So when a bundle was published to a new location, we would get a 401 auth error because authentication was not supplied, when we expected a 404 to tell that the bundle didn't exist at the destination location. I have fixed our call to get the bundle metadata so that we pass in the keychain.

What issue does it fix

Closes #2365

Notes for the reviewer

N/A

Checklist

  • Did you write tests?
  • Did you write documentation?
  • Did you change porter.yaml or a storage document record? Update the corresponding schema file.
  • If this is your first pull request, please add your name to the bottom of our Contributors list. Thank you for making Porter better! 🙇‍♀️

Reviewer Checklist

  • Comment with /azp run test-porter-release if a magefile or build script was modified
  • Comment with /azp run porter-integration if it's a non-trivial PR

@carolynvs carolynvs force-pushed the fix-bundle-check-auth branch from a05f8f0 to 4367243 Compare September 20, 2022 18:15
VinozzZ
VinozzZ approved these changes Sep 20, 2022
View reviewed changes
Copy link
Contributor

@VinozzZ VinozzZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wow, that's such a subtle thing. Do you think we could add this discovery as a
comment above the change for the auth keychain in the code? I hope that will
help to explain why that code is needed in the future

@carolynvs
Copy link
Member Author

Do you mean the part about what crane does by default vs go-container registry?

@carolynvs
Copy link
Member Author

When I first implemented this function, I used go-containerregistry instead of crane because I was returning more than just the digest. Now that the function only returns digest, I can just use crane. I've added another commit that re-implements the function using just crane. That way we don't need to explain the differences between how the two libraries authenticate.

What do you think?

@carolynvs carolynvs force-pushed the fix-bundle-check-auth branch 2 times, most recently from d9ff9e7 to d73d0d0 Compare September 20, 2022 20:06
@carolynvs
Pass docker auth when retrieving bundle metadata
b6df647 
Before we publish or copy a bundle, we retrieve the destination bundle's metadata as a way to check if it already exists, and requires --force to overwrite. By default crane passes the current keychain when interacting with registries. Crane uses go-containerregistry under the hood and at the time I didn't realize that it was crane, and not go-containerregistry specifying the authentication. The go-containerregistry library authenticates as anonymous by default. So when a bundle was published to a new location, we would get a 401 auth error because authentication was not supplied, when we expected a 404 to tell that the bundle didn't exist at the destination location.

I have updated the implementation of GetBundleMetadata to use crane for consistency and consolidated the set up of the crane options.

Signed-off-by: Carolyn Van Slyck <[email protected]>
@carolynvs
Log into docker registry during integration tests
1ae2394 
TestRegistry requires that the current user is logged into ghcr.io in order to test that we are passing authentication properly.

Signed-off-by: Carolyn Van Slyck <[email protected]>
@carolynvs
Add caching to integration tests
b579f27 
These tests are slow, speed them up!

Signed-off-by: Carolyn Van Slyck <[email protected]>
@carolynvs carolynvs force-pushed the fix-bundle-check-auth branch from f060cbe to b579f27 Compare September 21, 2022 14:31
@carolynvs carolynvs marked this pull request as ready for review September 21, 2022 15:22
@carolynvs carolynvs requested a review from vdice as a code owner September 21, 2022 15:22
@carolynvs
Copy link
Member Author

@VinozzZ I have updated the solution to use crane only. Can you take another look?

@VinozzZ
Copy link
Contributor

VinozzZ commented Sep 21, 2022

@VinozzZ I have updated the solution to use crane only. Can you take another look?

Looks good to me

@carolynvs carolynvs merged commit 2688610 into getporter:release/v1 Sep 21, 2022
@carolynvs carolynvs deleted the fix-bundle-check-auth branch September 21, 2022 15:48
@github-actions github-actions bot mentioned this pull request Sep 21, 2022
Closed
@carolynvs carolynvs mentioned this pull request Sep 21, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@VinozzZ VinozzZ VinozzZ approved these changes

@vdice vdice Awaiting requested review from vdice

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Existing bundle check during publish isn't using docker credentials
2 participants
@carolynvs @VinozzZ