From d0bcaf9e4f6a1f66566cdacb2cc8b2636d1807c1 Mon Sep 17 00:00:00 2001
From: Bin Tang
Date: Thu, 20 Jul 2023 14:06:38 +0800
Subject: [PATCH 1/3] nydusd: parse image pull auth from env
Signed-off-by: Bin Tang
---
 api/src/config.rs | 11 +++++++++++
 src/bin/nydusd/main.rs | 13 +++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/api/src/config.rs b/api/src/config.rs
index 616da06cac6..c00eb649be6 100644
--- a/api/src/config.rs
+++ b/api/src/config.rs
@@ -202,6 +202,17 @@ impl ConfigV2 {
 false
 }
 }
+
+ /// Fill authorization for registry backend.
+ pub fn update_registry_auth_info(&mut self, auth: &Option) {
+ if let Some(auth) = auth {
+ if let Some(backend) = self.backend.as_mut() {
+ if let Some(registry) = backend.registry.as_mut() {
+ registry.auth = Some(auth.to_string());
+ }
+ }
+ }
+ }
 }
 impl FromStr for ConfigV2 {
diff --git a/src/bin/nydusd/main.rs b/src/bin/nydusd/main.rs
index 6a8eeab6988..63a4db0265e 100644
--- a/src/bin/nydusd/main.rs
+++ b/src/bin/nydusd/main.rs
@@ -21,7 +21,7 @@ use nix::sys::signal;
 use rlimit::Resource;
 use nydus::{get_build_time_info, SubCmdArgs};
-use nydus_api::BuildTimeInfo;
+use nydus_api::{BuildTimeInfo, ConfigV2};
 use nydus_app::{dump_program_info, setup_logging};
 use nydus_service::daemon::DaemonController;
 use nydus_service::{
@@ -423,7 +423,16 @@ fn process_fs_service(
 )
 }
 None => match args.value_of("config") {
- Some(v) => std::fs::read_to_string(v)?,
+ Some(v) => {
+ let auth = std::env::var("IMAGE_PULL_AUTH").ok();
+ if auth.is_some() {
+ let mut config = ConfigV2::from_file(v)?;
+ config.update_registry_auth_info(&auth);
+ serde_json::to_string(&config)?
+ } else {
+ std::fs::read_to_string(v)?
+ }
+ }
 None => {
 let e = NydusError::InvalidArguments(
 "both --config and --localfs-dir are missing".to_string(),
From c86641673f41922289ce1bae1b774e37c9fef474 Mon Sep 17 00:00:00 2001
From: Bin Tang
Date: Fri, 21 Jul 2023 17:53:17 +0800
Subject: [PATCH 2/3] docs: introduce IMAGE_PULL_AUTH env
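Review bot: In `update_registry_auth_info` (api/src/config.rs, first hunk), the nested `if let` chain silently does nothing when `self.backend` is `None` or the backend has no `registry` section, so the caller cannot tell whether the credential was actually applied. Because the caller added in this patch uses it to inject a pull credential from the environment, consider returning a `bool` that says whether the value was set, and let the caller emit a warning (naming the variable, never its value) when it was not. The doc comment could also state the contract, e.g. `/// Overwrites any existing registry auth; does nothing if auth is None or the backend is not a registry.`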
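Review bot: In `process_fs_service` (src/bin/nydusd/main.rs, hunk at -423), `std::env::var("IMAGE_PULL_AUTH").ok()` yields `Some("")` when the variable is set but empty, and that empty string then replaces a valid `auth` from the config file; `.ok()` also silently discards a non-UTF-8 value. Filtering at the read keeps the file's credential in that case: `let auth = std::env::var("IMAGE_PULL_AUTH").ok().filter(|a| !a.is_empty());`. This branch also returns `serde_json::to_string(&config)?`, so the credential is now embedded in the config string; where that string goes next is outside this hunk, and it is worth confirming it is never logged or persisted verbatim. The function body starts and ends outside the hunk.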
Signed-off-by: Bin Tang
---
 docs/nydusd.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/docs/nydusd.md b/docs/nydusd.md
index 1cf86bacdd3..8180dc1ceb1 100644
--- a/docs/nydusd.md
+++ b/docs/nydusd.md
@@ -34,6 +34,8 @@ sudo nydusd \
 --log-level info
 ```
+For registry backend, we can set authorization with environment variable `IMAGE_PULL_AUTH` to avoid loading `auth` from nydusd configuration file.
+
 ### Run With Virtio-FS
 If no `/path/to/bootstrap` is available, please refer to [nydus-image.md](https://github.com/dragonflyoss/image-service/blob/master/docs/nydus-image.md) for more details.
@@ -227,7 +229,8 @@ Document located at: https://github.com/adamqqqplay/nydus-localdisk/blob/master/
 },
 ...
 }
-```
+```
+Note: The value of `device.backend.config.auth` will be overwrite if running the nydusd with environment variable `IMAGE_PULL_AUTH`.
 ##### Enable P2P Proxy for Storage Backend
From 45ee93633d8054a9c2e5cfb8dfd61d612d7513ee Mon Sep 17 00:00:00 2001
From: Bin Tang
Date: Mon, 24 Jul 2023 17:40:18 +0800
Subject: [PATCH 3/3] fs: add test for filling auth
Signed-off-by: Bin Tang
---
 api/src/config.rs | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/api/src/config.rs b/api/src/config.rs
index c00eb649be6..a58d72b00d3 100644
--- a/api/src/config.rs
+++ b/api/src/config.rs
@@ -1906,4 +1906,48 @@ mod tests {
 assert_eq!(&config.id, "id1");
 assert_eq!(config.backend.as_ref().unwrap().backend_type, "localfs");
 }
+
+ #[test]
+ fn test_update_registry_auth_info() {
+ let config = r#"
+ {
+ "device": {
+ "id": "test",
+ "backend": {
+ "type": "registry",
+ "config": {
+ "readahead": false,
+ "host": "docker.io",
+ "repo": "library/nginx",
+ "scheme": "https",
+ "proxy": {
+ "fallback": false
+ },
+ "timeout": 5,
+ "connect_timeout": 5,
+ "retry_limit": 8
+ }
+ }
+ },
+ "mode": "direct",
+ "digest_validate": false,
+ "enable_xattr": true,
+ "fs_prefetch": {
+ "enable": true,
+ "threads_count": 10,
+ "merging_size": 131072,
+ "bandwidth_rate": 10485760
+ }
+ }"#;
+
+ let mut rafs_config = ConfigV2::from_str(&config).unwrap();
+ let test_auth = "test_auth".to_string();
+
+ rafs_config.update_registry_auth_info(&Some(test_auth.clone()));
+
+ let backend = rafs_config.backend.unwrap();
+ let registry = backend.registry.unwrap();
+ let auth = registry.auth.unwrap();
+ assert_eq!(auth, test_auth);
+ }
 }
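Review bot: `test_update_registry_auth_info` only exercises a config that has no prior `auth`, so the overwrite behaviour that docs/nydusd.md now promises and the no-op paths are left unpinned. It would be worth adding a case where the JSON already carries an `"auth"` value that gets replaced, one where `update_registry_auth_info(&None)` leaves the existing value untouched, and one with a non-registry backend where nothing changes. Minor style point: `config` is already a `&str`, so `ConfigV2::from_str(config)` suffices in place of `from_str(&config)`. The enclosing `mod tests` starts outside the hunk.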