
Commit 20b9962

author
Max Jonas Werner
committed
dockerconfigjson for OCI registry authentication
`loginOptionFromSecret` now derives username/password from a docker config stored in Secrets of type "kubernetes.io/dockerconfigjson". Signed-off-by: Max Jonas Werner <[email protected]>
1 parent a23567c commit 20b9962


3 files changed

+39
-4
lines changed


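--- a/controllers/helmchart_controller.go
+++ b/controllers/helmchart_controller.go
@@ -492,7 +492,7 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 }
 
 // Build registryClient options from secret
-logOpt, err := loginOptionFromSecret(*secret)
+logOpt, err := loginOptionFromSecret(repo.Spec.URL, *secret)
 if err != nil {
 e := &serror.Event{
 Err: fmt.Errorf("failed to configure Helm client with secret data: %w", err),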

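--- a/controllers/helmrepository_controller_oci.go
+++ b/controllers/helmrepository_controller_oci.go
@@ -17,12 +17,15 @@ limitations under the License.
 package controllers
 
 import (
+"bytes"
 "context"
 "fmt"
+"net/url"
 "os"
 "strings"
 "time"
 
+"github.com/docker/cli/cli/config"
 "github.com/fluxcd/pkg/apis/meta"
 "github.com/fluxcd/pkg/runtime/conditions"
 helper "github.com/fluxcd/pkg/runtime/controller"
@@ -273,7 +276,7 @@ func (r *HelmRepositoryOCIReconciler) reconcileSource(ctx context.Context, obj *
 }
 
 // Construct actual options
-logOpt, err := loginOptionFromSecret(secret)
+logOpt, err := loginOptionFromSecret(obj.Spec.URL, secret)
 if err != nil {
 e := &serror.Event{
 Err: fmt.Errorf("failed to configure Helm client with secret data: %w", err),
@@ -352,8 +355,26 @@ func (r *HelmRepositoryOCIReconciler) validateSource(ctx context.Context, obj *s
 return sreconcile.ResultSuccess, nil
 }
 
-func loginOptionFromSecret(secret corev1.Secret) (registry.LoginOption, error) {
-username, password := string(secret.Data["username"]), string(secret.Data["password"])
+func loginOptionFromSecret(registryURL string, secret corev1.Secret) (registry.LoginOption, error) {
+var username, password string
+if secret.Type == corev1.SecretTypeDockerConfigJson {
+dockerCfg, err := config.LoadFromReader(bytes.NewReader(secret.Data[corev1.DockerConfigJsonKey]))
+if err != nil {
+return nil, fmt.Errorf("unable to load Docker config: %w", err)
+}
+parsedURL, err := url.Parse(registryURL)
+if err != nil {
+return nil, fmt.Errorf("unable to parse registry URL: %w", err)
+}
+authConfig, err := dockerCfg.GetAuthConfig(parsedURL.Host)
+if err != nil {
+return nil, fmt.Errorf("unable to get authentication data from Secret: %w", err)
+}
+username = authConfig.Username
+password = authConfig.Password
+} else {
+username, password = string(secret.Data["username"]), string(secret.Data["password"])
+}
 switch {
 case username == "" && password == "":
 return nil, nil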
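Review bot: `dockerCfg.GetAuthConfig(parsedURL.Host)` in the new `loginOptionFromSecret` resolves credentials through the Docker CLI's credential-store logic, which, as far as I know, launches an external `docker-credential-<name>` helper when the loaded config sets `credsStore` or `credHelpers`. Because the config here is Secret content rather than an operator's local file, I would reject such configs before the lookup, e.g. `if dockerCfg.CredentialsStore != "" || len(dockerCfg.CredentialHelpers) > 0 { return nil, fmt.Errorf("credential helpers are not supported in Secret data") }`, or read `dockerCfg.AuthConfigs` directly. Separately, a Secret with no entry for the URL's host appears to yield an empty `authConfig`, which reaches the `username == "" && password == ""` case and returns `nil, nil`, so a host mismatch silently becomes an anonymous login; an explicit error in the dockerconfigjson branch would make that misconfiguration visible. The function body continues past the end of the hunk.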

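--- a/controllers/helmrepository_controller_oci_test.go
+++ b/controllers/helmrepository_controller_oci_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package controllers
 
 import (
+"encoding/base64"
 "fmt"
 "testing"
 
@@ -36,6 +37,7 @@ import (
 func TestHelmRepositoryOCIReconciler_Reconcile(t *testing.T) {
 tests := []struct {
 name string
+secretType corev1.SecretType
 secretData map[string][]byte
 }{
 {
@@ -49,6 +51,15 @@ func TestHelmRepositoryOCIReconciler_Reconcile(t *testing.T) {
 name: "no auth data",
 secretData: nil,
 },
+{
+name: "dockerconfigjson Secret",
+secretType: corev1.SecretTypeDockerConfigJson,
+secretData: map[string][]byte{
+".dockerconfigjson": []byte(`{"auths":{"` +
+testRegistryserver.DockerRegistryHost + `":{"` +
+`auth":"` + base64.StdEncoding.EncodeToString([]byte(testUsername+":"+testPassword)) + `"}}}`),
+},
+},
 }
 
 for _, tt := range tests {
@@ -66,6 +77,9 @@ func TestHelmRepositoryOCIReconciler_Reconcile(t *testing.T) {
 },
 Data: tt.secretData,
 }
+if tt.secretType != "" {
+secret.Type = tt.secretType
+}
 
 g.Expect(testEnv.CreateAndWait(ctx, secret)).To(Succeed())
 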
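Review bot: The added table entry covers only a `.dockerconfigjson` whose `auths` key matches `testRegistryserver.DockerRegistryHost`; nothing exercises a Secret with no entry for the registry host, an entry keyed by a different host, or malformed JSON. Those are the inputs where the new branch of `loginOptionFromSecret` either returns an error or, presumably, falls through to an unauthenticated login, so they are worth pinning with cases such as `name: "dockerconfigjson Secret without matching host"`. The test struct as shown has no expected-error field, so one may need to be added; the rest of the test function lies outside the hunks.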
