Fix apache#2834: We should automatically register the Image Registry…

…'s CA and Authentication with Maven when using the Image Registry as a Maven Registry
bouskaJ · Apr 7, 2022 · 38603e9 · 38603e9
1 parent 97c4162
commit 38603e9
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 22 deletions.
diff --git a/pkg/apis/camel/v1/zz_generated.deepcopy.go b/pkg/apis/camel/v1/zz_generated.deepcopy.go
diff --git a/pkg/trait/registry.go b/pkg/trait/registry.go
@@ -18,7 +18,18 @@ limitations under the License.
 package trait
 
 import (
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"strings"
+
+	base64 "encoding/base64"
+
+	"github.com/apache/camel-k/pkg/util/kubernetes"
+	"github.com/apache/camel-k/pkg/util/registry"
+
 	v1 "github.com/apache/camel-k/pkg/apis/camel/v1"
+	corev1 "k8s.io/api/core/v1"
 )
 
 // The Registry trait sets up Maven to use the Image registry
@@ -60,21 +71,89 @@ func (t *registryTrait) Apply(e *Environment) error {
 		Enabled:        true,
 		ChecksumPolicy: "fail",
 	}
-	// TODO: If we are running on openshift then then fetch the credentials
-	// needed to lookup the image registry
-	// append namespace to the repository URL
-	// current workaround is to setup Maven manually during installation
-	if e.Platform.Spec.Cluster != v1.IntegrationPlatformClusterOpenShift {
-		repo := v1.Repository{
-			ID:        "image-registry",
-			URL:       "docker://" + e.Platform.Spec.Build.Registry.Address,
-			Snapshots: policy,
-			Releases:  policy,
+
+	if e.Platform.Spec.Build.Registry.CA != "" {
+		secret, err := decodeSecretKeySelector(e.Platform.Spec.Build.Registry.CA)
+		if err != nil {
+			return err
+		}
+		contains := false
+		for _, ca := range build.Maven.CASecret {
+			if ca.Name == secret.Name && ca.Key == secret.Key {
+				contains = true
+			}
+		}
+		if !contains {
+			build.Maven.CASecret = append(build.Maven.CASecret, *secret)
 		}
-		// configure Maven to lookup dependencies in the Image registry
-		build.Maven.Repositories = append(build.Maven.Repositories, repo)
 	}
 
+	if e.Platform.Spec.Build.Registry.Secret != "" {
+		secret, err := decodeSecretKeySelector(e.Platform.Spec.Build.Registry.Secret)
+		if err != nil {
+			return err
+		}
+		secretData, err := kubernetes.GetSecretRefData(e.Ctx, e.Client, e.Platform.Namespace, secret)
+		if err != nil {
+			return err
+		}
+		dockerAuth := registry.DockerConfigList{}
+		err = json.Unmarshal(secretData, &dockerAuth)
+		if err != nil {
+			return err
+		}
+		config, ok := dockerAuth.Auths[e.Platform.Spec.Build.Registry.Address]
+		if !ok {
+			return nil
+		}
+		username := config.Username
+		password := config.Password
+		if username == "" && config.Auth != "" {
+			decoded := base64.StdEncoding.EncodeToString([]byte(config.Auth))
+			parts := strings.Split(decoded, ":")
+			if len(parts) == 2 {
+				username = strings.Split(decoded, ":")[0]
+			}
+		}
+		if password == "" && config.Auth != "" {
+			decoded := base64.StdEncoding.EncodeToString([]byte(config.Auth))
+			parts := strings.Split(decoded, ":")
+			if len(parts) == 2 {
+				password = strings.Split(decoded, ":")[1]
+			}
+		}
+		server := v1.Server{
+			ID:       "image-registry",
+			Username: username,
+			Password: password,
+		}
+		build.Maven.Servers = append(build.Maven.Servers, server)
+	}
+	repo := v1.Repository{
+		ID:        "image-registry",
+		URL:       "docker://" + e.Platform.Spec.Build.Registry.Address,
+		Snapshots: policy,
+		Releases:  policy,
+	}
+	// configure Maven to lookup dependencies in the Image registry
+	build.Maven.Repositories = append(build.Maven.Repositories, repo)
 	build.Maven.Extension = append(build.Maven.Extension, ext)
 	return nil
 }
+
+func decodeSecretKeySelector(secretKey string) (*corev1.SecretKeySelector, error) {
+	r := regexp.MustCompile(`^([a-zA-Z0-9-]*)/([a-zA-Z0-9].*)$`)
+
+	if !r.MatchString(secretKey) {
+		return nil, fmt.Errorf("illegal Maven CA certificates secret key selector, syntax: secret-name/secret-key")
+	}
+
+	match := r.FindStringSubmatch(secretKey)
+
+	return &corev1.SecretKeySelector{
+		LocalObjectReference: corev1.LocalObjectReference{
+			Name: match[1],
+		},
+		Key: match[2],
+	}, nil
+}
diff --git a/pkg/util/registry/registry.go b/pkg/util/registry/registry.go
@@ -38,12 +38,14 @@ type Auth struct {
 	Registry string
 }
 
-type dockerConfigList struct {
-	Auths map[string]dockerConfig `json:"auths,omitempty"`
+type DockerConfigList struct {
+	Auths map[string]DockerConfig `json:"auths,omitempty"`
 }
 
-type dockerConfig struct {
-	Auth string `json:"auth,omitempty"`
+type DockerConfig struct {
+	Auth     string `json:"auth,omitempty"`
+	Username string `json:"username,omitempty"`
+	Password string `json:"password,omitempty"`
 }
 
 // IsSet returns if information has been set on the object.
@@ -72,11 +74,11 @@ func (a Auth) GenerateDockerConfig() ([]byte, error) {
 	return json.Marshal(content)
 }
 
-func (a Auth) generateDockerConfigObject() dockerConfigList {
-	return dockerConfigList{
-		map[string]dockerConfig{
+func (a Auth) generateDockerConfigObject() DockerConfigList {
+	return DockerConfigList{
+		map[string]DockerConfig{
 			a.getActualServer(): {
-				a.encodedCredentials(),
+				Auth: a.encodedCredentials(),
 			},
 		},
 	}