feat: container keychains exclusion (#138)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: Miguel Martínez Triviño

cmd/chart.go

@@ -112,12 +112,16 @@ func moveChart(cmd *cobra.Command, args []string) error {
 		Source: mover.Source{
 			Chart:          mover.ChartSpec{},
 			ImageHintsFile: imagePatternsFile,
+			// Use local keychain for authentication
+			Containers: mover.Containers{UseDefaultLocalKeychain: true},
 		},
 		Target: mover.Target{
-			Chart: mover.ChartSpec{},
-			Rules: *targetRewriteRules,
+			Chart:      mover.ChartSpec{},
+			Rules:      *targetRewriteRules,
+			Containers: mover.Containers{UseDefaultLocalKeychain: true},
 		},
 	}
+
 	inputChartPath := args[0]
 	if mover.IsIntermediateBundle(inputChartPath) {
 		cmd.Println("Intermediate bundle provided")

pkg/mover/auth.go

@@ -10,13 +10,14 @@ import "github.com/google/go-containerregistry/pkg/authn"
 // See https://pkg.go.dev/github.com/google/go-containerregistry/pkg/authn#Keychain
 //
 // Returns a custom credentials authn.Authenticator if the given resource
-// RegistryStr() matches the Repository, otherwise it falls back to the default
-// KeyChain which may include local docker credentials.
+// RegistryStr() matches the Repository, otherwise it returns annonymous access
 func (repo ContainerRepository) Resolve(resource authn.Resource) (authn.Authenticator, error) {
 	if repo.Server == resource.RegistryStr() {
 		return repo, nil
 	}
-	return authn.DefaultKeychain.Resolve(resource)
+
+	// if no credentials are provided we return annon authentication
+	return authn.Anonymous, nil
 }
 
 // Authorization implements an authn.Authenticator
@@ -27,3 +28,13 @@ func (repo ContainerRepository) Resolve(resource authn.Resource) (authn.Authenti
 func (repo ContainerRepository) Authorization() (*authn.AuthConfig, error) {
 	return &authn.AuthConfig{Username: repo.Username, Password: repo.Password}, nil
 }
+
+// Define a container images keychain based on the settings provided via the containers struct
+// If useDefaultKeychain is set, use config/docker.json otherwise load the provided creds (if any)
+func getContainersKeychain(c Containers) authn.Keychain {
+	if c.UseDefaultLocalKeychain {
+		return authn.DefaultKeychain
+	}
+
+	return c.ContainerRepository
+}

pkg/mover/chart.go

@@ -76,7 +76,7 @@ func (nl noLogger) Println(i ...interface{}) {}
 // DefaultLogger to stdout
 var DefaultLogger Logger = defaultLogger{}
 
-// DefaultNoLogger swallows all logs
+// NoLogger swallows all logs
 var NoLogger Logger = noLogger{}
 
 // ChartMetadata exposes metadata about the Helm Chart to be relocated
@@ -103,6 +103,9 @@ type ContainerRepository struct {
 // Containers is the section for private repository definition
 type Containers struct {
 	ContainerRepository
+	// Use local keychain in the system (config/docker.json)
+	// This is useful to offer a CLI experience similar to docker
+	UseDefaultLocalKeychain bool
 }
 
 // ChartSpec of possible chart inputs or outputs
@@ -151,13 +154,11 @@ type ChartMover struct {
 // NewChartMover creates a ChartMover to relocate a chart following the given
 // imagePatters and rules.
 func NewChartMover(req *ChartMoveRequest, opts ...Option) (*ChartMover, error) {
-	sourceAuth := req.Source.Containers.ContainerRepository
-	targetAuth := req.Target.Containers.ContainerRepository
 	cm := &ChartMover{
 		logger:                  defaultLogger{},
 		retries:                 DefaultRetries,
-		sourceContainerRegistry: internal.NewContainerRegistryClient(sourceAuth),
-		targetContainerRegistry: internal.NewContainerRegistryClient(targetAuth),
+		sourceContainerRegistry: internal.NewContainerRegistryClient(getContainersKeychain(req.Source.Containers)),
+		targetContainerRegistry: internal.NewContainerRegistryClient(getContainersKeychain(req.Target.Containers)),
 	}
 
 	if err := validateTarget(&req.Target); err != nil {

pkg/mover/registry_test.go

@@ -58,8 +58,8 @@ func dockerLogout(t *testing.T, domain string) {
 	dockerLogin(t, domain, "", "")
 }
 
-func NewMoveRequest(chartPath, hints, target, targetRegistry, targetPrefix string) *mover.ChartMoveRequest {
-	return &mover.ChartMoveRequest{
+func NewMoveRequest(chartPath, hints, target, targetRegistry, targetPrefix string, useLocalKeychain bool) *mover.ChartMoveRequest {
+	req := &mover.ChartMoveRequest{
 		Source: mover.Source{
 			// The Helm Chart can be provided in either tarball or directory form
 			Chart: mover.ChartSpec{Local: &mover.LocalChart{Path: chartPath}},
@@ -76,6 +76,13 @@ func NewMoveRequest(chartPath, hints, target, targetRegistry, targetPrefix strin
 			},
 		},
 	}
+
+	if useLocalKeychain {
+		req.Source.Containers = mover.Containers{UseDefaultLocalKeychain: true}
+		req.Target.Containers = mover.Containers{UseDefaultLocalKeychain: true}
+	}
+
+	return req
 }
 
 func NewSaveRequest(chartPath, hints, bundle string) *mover.ChartMoveRequest {
@@ -85,6 +92,7 @@ func NewSaveRequest(chartPath, hints, bundle string) *mover.ChartMoveRequest {
 			Chart: mover.ChartSpec{Local: &mover.LocalChart{Path: chartPath}},
 			// path to file containing rules such as // {{.image.registry}}:{{.image.tag}}
 			ImageHintsFile: hints,
+			Containers:     mover.Containers{UseDefaultLocalKeychain: true},
 		},
 		Target: mover.Target{
 			Chart: mover.ChartSpec{IntermediateBundle: &mover.IntermediateBundle{Path: bundle}},
@@ -99,7 +107,8 @@ func NewLoadRequest(bundle, target, targetRegistry, targetPrefix string) *mover.
 			Chart: mover.ChartSpec{IntermediateBundle: &mover.IntermediateBundle{Path: bundle}},
 		},
 		Target: mover.Target{
-			Chart: mover.ChartSpec{Local: &mover.LocalChart{Path: target}},
+			Chart:      mover.ChartSpec{Local: &mover.LocalChart{Path: target}},
+			Containers: mover.Containers{UseDefaultLocalKeychain: true},
 			// Where to push and how to rewrite the found images
 			// i.e docker.io/bitnami/mariadb => myregistry.com/myteam/mariadb
 			Rules: mover.RewriteRules{
@@ -144,7 +153,7 @@ func TestRegistryDockerCredentials(t *testing.T) {
 	params := loadParamsFromEnv()
 	prepareDockerCA(t, params.certFile)
 	dockerLogin(t, params.domain, params.user, params.passwd)
-	got := relok8s(t, NewMoveRequest(TestChart, Hints, Target, params.domain, Prefix))
+	got := relok8s(t, NewMoveRequest(TestChart, Hints, Target, params.domain, Prefix, true))
 	var want error
 	if got != want {
 		t.Fatalf("want error %v got %v", want, got)
@@ -156,7 +165,7 @@ func TestRegistryCustomCredentials(t *testing.T) {
 	params := loadParamsFromEnv()
 	prepareDockerCA(t, params.certFile)
 	dockerLogout(t, params.domain)
-	req := NewMoveRequest(TestChart, Hints, Target, params.domain, Prefix)
+	req := NewMoveRequest(TestChart, Hints, Target, params.domain, Prefix, false)
 	req.Target.Containers.ContainerRepository = repo(params.domain, params.user, params.passwd)
 	got := relok8s(t, req)
 	var want error
@@ -170,7 +179,7 @@ func TestRegistryBadDockerCredentials(t *testing.T) {
 	params := loadParamsFromEnv()
 	prepareDockerCA(t, params.certFile)
 	dockerLogin(t, params.domain, BadUser, BadPasswd)
-	got := relok8s(t, NewMoveRequest(TestChart, Hints, Target, params.domain, Prefix))
+	got := relok8s(t, NewMoveRequest(TestChart, Hints, Target, params.domain, Prefix, true))
 	// retry.Error is incompatible with errors package, it cannot be unwrapped
 	_, ok := got.(retry.Error)
 	if !ok {
@@ -183,7 +192,7 @@ func TestRegistryBadCustomCredentials(t *testing.T) {
 	params := loadParamsFromEnv()
 	prepareDockerCA(t, params.certFile)
 	dockerLogout(t, params.domain)
-	req := NewMoveRequest(TestChart, Hints, Target, params.domain, Prefix)
+	req := NewMoveRequest(TestChart, Hints, Target, params.domain, Prefix, false)
 	req.Target.Containers.ContainerRepository = repo(params.domain, BadUser, BadPasswd)
 	got := relok8s(t, req)
 	// retry.Error is incompatible with errors package, it cannot be unwrapped
@@ -198,7 +207,7 @@ func TestMovePerformance(t *testing.T) {
 	params := loadParamsFromEnv()
 	prepareDockerCA(t, params.certFile)
 	dockerLogin(t, params.domain, params.user, params.passwd)
-	got := relok8s(t, NewMoveRequest(ComplexChart, ComplexHints, Target, params.domain, Prefix))
+	got := relok8s(t, NewMoveRequest(ComplexChart, ComplexHints, Target, params.domain, Prefix, true))
 	var want error
 	if got != want {
 		t.Fatalf("want error %v got %v", want, got)