Support the platform specific authentication of krane in "auth get" command (#1413)

ingwonsong · web-flow · commit 5749ee68eb46 · 2022-07-20T16:26:27.000-07:00
* Support the platform specific authentication of krane in "auth get" command

* Add tests for "krane auth get"

* Update the doc

* Use gcrane.Keychain in gcrane

* Fix misaligned doc

* Remove a space

* Remove unused environment variable from the ECR test
diff --git a/.github/workflows/ecr-auth.yaml b/.github/workflows/ecr-auth.yaml
@@ -39,6 +39,18 @@ jobs:
           # List the tags
           krane ls ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/go-containerregistry-test
 
+      - name: Test krane auth get + ECR
+        shell: bash
+        run: |
+          CRED1=$(krane auth get ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com)
+          CRED2=$(krane auth get ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com)
+          if [[ "$CRED1" == "" ]] ; then
+            exit 1
+          fi
+          if [[ "$CRED1" == "$CRED2" ]] ; then
+            echo "credentials are cached by infrastructure"
+          fi
+
   crane-ecr-login:
     runs-on: ubuntu-latest
     env:
diff --git a/.github/workflows/ghcr-auth.yaml b/.github/workflows/ghcr-auth.yaml
@@ -30,3 +30,18 @@ jobs:
         run: |
           # List the tags
           krane ls ghcr.io/${{ github.repository }}/testimage
+
+      - name: Test krane auth get + GHCR
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        shell: bash
+        run: |
+          CRED1=$(krane auth get ghcr.io)
+          CRED2=$(krane auth get ghcr.io)
+          if [[ "$CRED1" == "" ]] ; then
+            exit 1
+          fi
+          if [[ "$CRED1" == "$CRED2" ]] ; then
+            echo "credentials are cached by infrastructure"
+          fi
+          
diff --git a/cmd/crane/cmd/auth.go b/cmd/crane/cmd/auth.go
@@ -26,19 +26,20 @@ import (
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/types"
 	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
 )
 
 // NewCmdAuth creates a new cobra.Command for the auth subcommand.
-func NewCmdAuth(argv ...string) *cobra.Command {
+func NewCmdAuth(options []crane.Option, argv ...string) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "auth",
 		Short: "Log in or access credentials",
 		Args:  cobra.NoArgs,
 		RunE:  func(cmd *cobra.Command, _ []string) error { return cmd.Usage() },
 	}
-	cmd.AddCommand(NewCmdAuthGet(argv...), NewCmdAuthLogin(argv...))
+	cmd.AddCommand(NewCmdAuthGet(options, argv...), NewCmdAuthLogin(argv...))
 	return cmd
 }
 
@@ -62,30 +63,41 @@ func toCreds(config *authn.AuthConfig) credentials {
 }
 
 // NewCmdAuthGet creates a new `crane auth get` command.
-func NewCmdAuthGet(argv ...string) *cobra.Command {
+func NewCmdAuthGet(options []crane.Option, argv ...string) *cobra.Command {
 	if len(argv) == 0 {
 		argv = []string{os.Args[0]}
 	}
 
+	baseCmd := strings.Join(argv, " ")
 	eg := fmt.Sprintf(`  # Read configured credentials for reg.example.com
-  echo "reg.example.com" | %s get
-  {"username":"AzureDiamond","password":"hunter2"}`, strings.Join(argv, " "))
+  $ echo "reg.example.com" | %s get
+  {"username":"AzureDiamond","password":"hunter2"}
+  # or
+  $ %s get reg.example.com
+  {"username":"AzureDiamond","password":"hunter2"}`, baseCmd, baseCmd)
 
 	return &cobra.Command{
-		Use:     "get",
+		Use:     "get [REGISTRY_ADDR]",
 		Short:   "Implements a credential helper",
 		Example: eg,
-		Args:    cobra.NoArgs,
+		Args:    cobra.MaximumNArgs(1),
 		RunE: func(_ *cobra.Command, args []string) error {
-			b, err := ioutil.ReadAll(os.Stdin)
-			if err != nil {
-				return err
+			registryAddr := ""
+			if len(args) == 1 {
+				registryAddr = args[0]
+			} else {
+				b, err := ioutil.ReadAll(os.Stdin)
+				if err != nil {
+					return err
+				}
+				registryAddr = strings.TrimSpace(string(b))
 			}
-			reg, err := name.NewRegistry(strings.TrimSpace(string(b)))
+
+			reg, err := name.NewRegistry(registryAddr)
 			if err != nil {
 				return err
 			}
-			authorizer, err := authn.DefaultKeychain.Resolve(reg)
+			authorizer, err := crane.GetOptions(options...).Keychain.Resolve(reg)
 			if err != nil {
 				return err
 			}
diff --git a/cmd/crane/cmd/root.go b/cmd/crane/cmd/root.go
@@ -93,7 +93,7 @@ func New(use, short string, options []crane.Option) *cobra.Command {
 
 	commands := []*cobra.Command{
 		NewCmdAppend(&options),
-		NewCmdAuth("crane", "auth"),
+		NewCmdAuth(options, "crane", "auth"),
 		NewCmdBlob(&options),
 		NewCmdCatalog(&options),
 		NewCmdConfig(&options),
diff --git a/cmd/crane/doc/crane_auth_get.md b/cmd/crane/doc/crane_auth_get.md
diff --git a/cmd/gcrane/main.go b/cmd/gcrane/main.go
@@ -38,11 +38,12 @@ const (
 )
 
 func main() {
+	options := []crane.Option{crane.WithAuthFromKeychain(gcrane.Keychain)}
 	// Same as crane, but override usage and keychain.
-	root := cmd.New(use, short, []crane.Option{crane.WithAuthFromKeychain(gcrane.Keychain)})
+	root := cmd.New(use, short, options)
 
 	// Add or override commands.
-	gcraneCmds := []*cobra.Command{gcmd.NewCmdList(), gcmd.NewCmdGc(), gcmd.NewCmdCopy(), cmd.NewCmdAuth("gcrane", "auth")}
+	gcraneCmds := []*cobra.Command{gcmd.NewCmdList(), gcmd.NewCmdGc(), gcmd.NewCmdCopy(), cmd.NewCmdAuth(options, "gcrane", "auth")}
 
 	// Maintain a map of google-specific commands that we "override".
 	used := make(map[string]bool)
diff --git a/pkg/crane/options.go b/pkg/crane/options.go
@@ -29,6 +29,7 @@ type Options struct {
 	Name     []name.Option
 	Remote   []remote.Option
 	Platform *v1.Platform
+	Keychain authn.Keychain
 }
 
 // GetOptions exposes the underlying []remote.Option, []name.Option, and
@@ -44,6 +45,7 @@ func makeOptions(opts ...Option) Options {
 		Remote: []remote.Option{
 			remote.WithAuthFromKeychain(authn.DefaultKeychain),
 		},
+		Keychain: authn.DefaultKeychain,
 	}
 	for _, o := range opts {
 		o(&opt)
@@ -86,6 +88,7 @@ func WithAuthFromKeychain(keys authn.Keychain) Option {
 	return func(o *Options) {
 		// Replace the default keychain at position 0.
 		o.Remote[0] = remote.WithAuthFromKeychain(keys)
+		o.Keychain = keys
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ type Options struct {`
`29`	`29`	`Name []name.Option`
`30`	`30`	`Remote []remote.Option`
`31`	`31`	`Platform *v1.Platform`
	`32`	`+ Keychain authn.Keychain`
`32`	`33`	`}`
`33`	`34`
`34`	`35`	`// GetOptions exposes the underlying []remote.Option, []name.Option, and`
`@@ -44,6 +45,7 @@ func makeOptions(opts ...Option) Options {`
`44`	`45`	`Remote: []remote.Option{`
`45`	`46`	`remote.WithAuthFromKeychain(authn.DefaultKeychain),`
`46`	`47`	`},`
	`48`	`+ Keychain: authn.DefaultKeychain,`
`47`	`49`	`}`
`48`	`50`	`for _, o := range opts {`
`49`	`51`	`o(&opt)`
`@@ -86,6 +88,7 @@ func WithAuthFromKeychain(keys authn.Keychain) Option {`
`86`	`88`	`return func(o *Options) {`
`87`	`89`	`// Replace the default keychain at position 0.`
`88`	`90`	`o.Remote[0] = remote.WithAuthFromKeychain(keys)`
	`91`	`+ o.Keychain = keys`
`89`	`92`	`}`
`90`	`93`	`}`
`91`	`94`