From 366be679fcc5e636ff7af0272b388312d8f592ff Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Mon, 14 Feb 2022 15:35:11 -0500
Subject: [PATCH] Pick up per-repository auth changes from go-containerregistry
---
 go.mod | 2 +-
 go.sum | 2 ++
 .../pkg/authn/keychain.go | 25 +++++++++------
 .../pkg/v1/google/auth.go | 3 +-
 .../pkg/v1/google/keychain.go | 31 ++++++++++++-------
 .../pkg/v1/tarball/layer.go | 30 +++++++++++++-----
 vendor/modules.txt | 2 +-
 7 files changed, 63 insertions(+), 32 deletions(-)
diff --git a/go.mod b/go.mod
index 0878a43fc8..a3e4dbdb92 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 github.com/godbus/dbus/v5 v5.0.6 // indirect
 github.com/golang/mock v1.6.0
 github.com/google/go-cmp v0.5.7
- github.com/google/go-containerregistry v0.8.1-0.20220128225446-c63684ed5f15
+ github.com/google/go-containerregistry v0.8.1-0.20220214202839-625fe7b4276a
 github.com/google/go-github v17.0.0+incompatible
 github.com/google/slowjam v1.0.0
 github.com/karrick/godirwalk v1.16.1
diff --git a/go.sum b/go.sum
index 240c5bc266..f87059b860 100644
--- a/go.sum
+++ b/go.sum
@@ -807,6 +807,8 @@ github.com/google/go-containerregistry v0.1.2/go.mod h1:GPivBPgdAyd2SU+vf6EpsgOt
 github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
 github.com/google/go-containerregistry v0.8.1-0.20220128225446-c63684ed5f15 h1:yzCJSh/ZFHLiZ92yidtkRRENjtJML4teFEch7vzuL+U=
 github.com/google/go-containerregistry v0.8.1-0.20220128225446-c63684ed5f15/go.mod h1:cwx3SjrH84Rh9VFJSIhPh43ovyOp3DCWgY3h8nWmdGQ=
+github.com/google/go-containerregistry v0.8.1-0.20220214202839-625fe7b4276a h1:dc718J30nnewleBWCCDQXgpWeZWp17cgTmw6mpbF0xM=
+github.com/google/go-containerregistry v0.8.1-0.20220214202839-625fe7b4276a/go.mod h1:cwx3SjrH84Rh9VFJSIhPh43ovyOp3DCWgY3h8nWmdGQ=
 github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
 github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM=
diff --git a/vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go b/vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go
index 2020c41c17..cfc749b627 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go
@@ -114,20 +114,27 @@ func (dk *defaultKeychain) Resolve(target Resource) (Authenticator, error) {
 // See:
 // https://github.com/google/ko/issues/90
 // https://github.com/moby/moby/blob/fc01c2b481097a6057bec3cd1ab2d7b4488c50c4/registry/config.go#L397-L404
- key := target.RegistryStr()
- if key == name.DefaultRegistry {
- key = DefaultAuthKey
- }
+ var cfg, empty types.AuthConfig
+ for _, key := range []string{
+ target.String(),
+ target.RegistryStr(),
+ } {
+ if key == name.DefaultRegistry {
+ key = DefaultAuthKey
+ }
- cfg, err := cf.GetAuthConfig(key)
- if err != nil {
- return nil, err
+ cfg, err = cf.GetAuthConfig(key)
+ if err != nil {
+ return nil, err
+ }
+ if cfg != empty {
+ break
+ }
 }
-
- empty := types.AuthConfig{}
 if cfg == empty {
 return Anonymous, nil
 }
+
 return FromConfig(AuthConfig{
 Username: cfg.Username,
 Password: cfg.Password,
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/google/auth.go b/vendor/github.com/google/go-containerregistry/pkg/v1/google/auth.go
index 4ce979577b..343eae0bc8 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/google/auth.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/google/auth.go
@@ -19,7 +19,6 @@ import (
 "context"
 "encoding/json"
 "fmt"
- "os"
 "os/exec"
 "time"
@@ -155,7 +154,7 @@ func (gs gcloudSource) Token() (*oauth2.Token, error) {
 cmd.Stdout = &out
 // Don't attempt to interpret stderr, just pass it through.
- cmd.Stderr = os.Stderr
+ cmd.Stderr = logs.Warn.Writer()
 if err := cmd.Run(); err != nil {
 return nil, fmt.Errorf("error executing `gcloud config config-helper`: %w", err)
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/google/keychain.go b/vendor/github.com/google/go-containerregistry/pkg/v1/google/keychain.go
index 7471a01734..482cf4a913 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/google/keychain.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/google/keychain.go
@@ -15,11 +15,11 @@
 package google
 import (
- "fmt"
 "strings"
 "sync"
 "github.com/google/go-containerregistry/pkg/authn"
+ "github.com/google/go-containerregistry/pkg/logs"
 )
 // Keychain exports an instance of the google Keychain.
@@ -28,7 +28,6 @@ var Keychain authn.Keychain = &googleKeychain{}
 type googleKeychain struct {
 once sync.Once
 auth authn.Authenticator
- err error
 }
 // Resolve implements authn.Keychain a la docker-credential-gcr.
@@ -55,27 +54,37 @@ type googleKeychain struct {
 func (gk *googleKeychain) Resolve(target authn.Resource) (authn.Authenticator, error) {
 // Only authenticate GCR and AR so it works with authn.NewMultiKeychain to fallback.
 host := target.RegistryStr()
- if host != "gcr.io" && !strings.HasSuffix(host, ".gcr.io") && !strings.HasSuffix(host, ".pkg.dev") && !strings.HasSuffix(host, ".google.com") {
+ if host != "gcr.io" &&
+ !strings.HasSuffix(host, ".gcr.io") &&
+ !strings.HasSuffix(host, ".pkg.dev") &&
+ !strings.HasSuffix(host, ".google.com") {
 return authn.Anonymous, nil
 }
 gk.once.Do(func() {
- gk.auth, gk.err = resolve()
+ gk.auth = resolve()
 })
- return gk.auth, gk.err
+ return gk.auth, nil
 }
-func resolve() (authn.Authenticator, error) {
+func resolve() authn.Authenticator {
 auth, envErr := NewEnvAuthenticator()
- if envErr == nil {
- return auth, nil
+ if envErr == nil && auth != authn.Anonymous {
+ return auth
 }
 auth, gErr := NewGcloudAuthenticator()
- if gErr == nil {
- return auth, nil
+ if gErr == nil && auth != authn.Anonymous {
+ return auth
 }
- return nil, fmt.Errorf("failed to create token source from env: %v or gcloud: %v", envErr, gErr) //nolint: errorlint
+ logs.Debug.Println("Failed to get any Google credentials, falling back to Anonymous")
+ if envErr != nil {
+ logs.Debug.Printf("Google env error: %v", envErr)
+ }
+ if gErr != nil {
+ logs.Debug.Printf("gcloud error: %v", gErr)
+ }
+ return authn.Anonymous
 }
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/tarball/layer.go b/vendor/github.com/google/go-containerregistry/pkg/v1/tarball/layer.go
index 5ec1d5515a..29c5fa0607 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/tarball/layer.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/tarball/layer.go
@@ -17,6 +17,7 @@ package tarball
 import (
 "bytes"
 "compress/gzip"
+ "fmt"
 "io"
 "io/ioutil"
 "os"
@@ -39,6 +40,7 @@ type layer struct {
 compression int
 annotations map[string]string
 estgzopts []estargz.Option
+ mediaType types.MediaType
 }
 // Descriptor implements partial.withDescriptor.
@@ -51,7 +53,7 @@ func (l *layer) Descriptor() (*v1.Descriptor, error) {
 Size: l.size,
 Digest: digest,
 Annotations: l.annotations,
- MediaType: types.DockerLayer,
+ MediaType: l.mediaType,
 }, nil
 }
@@ -82,7 +84,7 @@ func (l *layer) Size() (int64, error) {
 // MediaType implements v1.Layer
 func (l *layer) MediaType() (types.MediaType, error) {
- return types.DockerLayer, nil
+ return l.mediaType, nil
 }
 // LayerOption applies options to layer
@@ -96,6 +98,13 @@ func WithCompressionLevel(level int) LayerOption {
 }
 }
+// WithMediaType is a functional option for overriding the layer's media type.
+func WithMediaType(mt types.MediaType) LayerOption {
+ return func(l *layer) {
+ l.mediaType = mt
+ }
+}
+
 // WithCompressedCaching is a functional option that overrides the
 // logic for accessing the compressed bytes to memoize the result
 // and avoid expensive repeated gzips.
@@ -204,6 +213,7 @@ func LayerFromOpener(opener Opener, opts ...LayerOption) (v1.Layer, error) {
 layer := &layer{
 compression: gzip.BestSpeed,
 annotations: make(map[string]string, 1),
+ mediaType: types.DockerLayer,
 }
 if estgz := os.Getenv("GGCR_EXPERIMENT_ESTARGZ"); estgz == "1" {
@@ -249,15 +259,19 @@ func LayerFromOpener(opener Opener, opts ...LayerOption) (v1.Layer, error) {
 }
 // LayerFromReader returns a v1.Layer given a io.Reader.
+//
+// The reader's contents are read and buffered to a temp file in the process.
+//
+// Deprecated: Use LayerFromOpener or stream.NewLayer instead, if possible.
 func LayerFromReader(reader io.Reader, opts ...LayerOption) (v1.Layer, error) {
- // Buffering due to Opener requiring multiple calls.
- a, err := ioutil.ReadAll(reader)
+ tmp, err := ioutil.TempFile("", "")
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("creating temp file to buffer reader: %w", err)
+ }
+ if _, err := io.Copy(tmp, reader); err != nil {
+ return nil, fmt.Errorf("writing temp file to buffer reader: %w", err)
 }
- return LayerFromOpener(func() (io.ReadCloser, error) {
- return ioutil.NopCloser(bytes.NewReader(a)), nil
- }, opts...)
+ return LayerFromFile(tmp.Name(), opts...)
 }
 func computeDigest(opener Opener) (v1.Hash, int64, error) {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 98f697852f..691994476c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -538,7 +538,7 @@ github.com/google/go-cmp/cmp/internal/diff
 github.com/google/go-cmp/cmp/internal/flags
 github.com/google/go-cmp/cmp/internal/function
 github.com/google/go-cmp/cmp/internal/value
-# github.com/google/go-containerregistry v0.8.1-0.20220128225446-c63684ed5f15
+# github.com/google/go-containerregistry v0.8.1-0.20220214202839-625fe7b4276a
 ## explicit; go 1.14
 github.com/google/go-containerregistry/internal/and
 github.com/google/go-containerregistry/internal/estargz