authn/kubernetes - fix auth config lookup (#1299)

google · Feb 19, 2022 · 4fcfd54 · 4fcfd54
1 parent 00c59d9
commit 4fcfd54
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 7 deletions.
diff --git a/pkg/authn/kubernetes/keychain.go b/pkg/authn/kubernetes/keychain.go
@@ -19,6 +19,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"net/url"
 	"strings"
 
 	"github.com/google/go-containerregistry/pkg/authn"
@@ -122,11 +123,37 @@ func NewFromPullSecrets(ctx context.Context, secrets []corev1.Secret) (authn.Key
 			}
 		}
 
-		for k, v := range auths {
-			// Don't overwrite previously specified Auths for a
-			// given key.
-			if _, found := m[k]; !found {
-				m[k] = v
+		for registry, v := range auths {
+			// From: https://github.com/kubernetes/kubernetes/blob/0dcafb1f37ee522be3c045753623138e5b907001/pkg/credentialprovider/keyring.go
+			value := registry
+			if !strings.HasPrefix(value, "https://") && !strings.HasPrefix(value, "http://") {
+				value = "https://" + value
+			}
+			parsed, err := url.Parse(value)
+			if err != nil {
+				return nil, fmt.Errorf("Entry %q in dockercfg invalid (%w)", value, err)
+			}
+
+			// The docker client allows exact matches:
+			//    foo.bar.com/namespace
+			// Or hostname matches:
+			//    foo.bar.com
+			// It also considers /v2/  and /v1/ equivalent to the hostname
+			// See ResolveAuthConfig in docker/registry/auth.go.
+			effectivePath := parsed.Path
+			if strings.HasPrefix(effectivePath, "/v2/") || strings.HasPrefix(effectivePath, "/v1/") {
+				effectivePath = effectivePath[3:]
+			}
+			var key string
+			if (len(effectivePath) > 0) && (effectivePath != "/") {
+				key = parsed.Host + effectivePath
+			} else {
+				key = parsed.Host
+			}
+
+			// Don't overwrite previously specified Auths for a given key.
+			if _, found := m[key]; !found {
+				m[key] = v
 			}
 		}
 	}
@@ -153,7 +180,6 @@ func (kc authsKeychain) Resolve(target authn.Resource) (authn.Authenticator, err
 	if cfg == empty {
 		return authn.Anonymous, nil
 	}
-
 	if cfg.Auth != "" {
 		dec, err := base64.StdEncoding.DecodeString(cfg.Auth)
 		if err != nil {

diff --git a/pkg/authn/kubernetes/keychain_test.go b/pkg/authn/kubernetes/keychain_test.go
@@ -191,7 +191,15 @@ func TestFromPullSecrets(t *testing.T) {
 		Type: corev1.SecretTypeDockercfg,
 		Data: map[string][]byte{
 			corev1.DockerConfigKey: []byte(
-				fmt.Sprintf(`{"fake.registry.io": {"auth": %q}, "fake.registry.io/more/specific": {"auth": %q}}`,
+				fmt.Sprintf(`
+					{
+						"fake.registry.io": {"auth": %q},
+						"fake.registry.io/more/specific": {"auth": %q},
+						"http://fake.scheme-registry.io": {"auth": %q},
+						"https://fake.scheme-registry.io/more/specific": {"auth": %q}
+					}`,
+					base64.StdEncoding.EncodeToString([]byte(username+":"+password)),
+					base64.StdEncoding.EncodeToString([]byte(specificUser+":"+specificPass)),
 					base64.StdEncoding.EncodeToString([]byte(username+":"+password)),
 					base64.StdEncoding.EncodeToString([]byte(specificUser+":"+specificPass))),
 			),
@@ -222,6 +230,11 @@ func TestFromPullSecrets(t *testing.T) {
 		t.Errorf("NewRegistry() = %v", err)
 	}
 
+	schemeRepo, err := name.NewRepository("fake.scheme-registry.io/more/specific", name.WeakValidation)
+	if err != nil {
+		t.Errorf("NewRegistry() = %v", err)
+	}
+
 	for _, tc := range []struct {
 		name   string
 		auth   authn.Authenticator
@@ -234,6 +247,14 @@ func TestFromPullSecrets(t *testing.T) {
 		name:   "repo",
 		auth:   &authn.Basic{Username: specificUser, Password: specificPass},
 		target: repo,
+	}, {
+		name:   "registry with scheme",
+		auth:   &authn.Basic{Username: username, Password: password},
+		target: schemeRepo.Registry,
+	}, {
+		name:   "repo with scheme",
+		auth:   &authn.Basic{Username: specificUser, Password: specificPass},
+		target: schemeRepo,
 	}} {
 		t.Run(tc.name, func(t *testing.T) {
 			tc := tc