forked from kubermatic/machine-controller
/
config.go
132 lines (110 loc) · 4.26 KB
/
config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
/*
Copyright 2022 The Machine Controller Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package containerruntime
import (
"context"
"encoding/json"
"fmt"
"net/url"
"regexp"
"strings"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types"
ctrlruntimeclient "sigs.k8s.io/controller-runtime/pkg/client"
)
type Opts struct {
ContainerRuntime string
ContainerdVersion string
InsecureRegistries string
RegistryMirrors string
RegistryCredentialsSecret string
PauseImage string
ContainerdRegistryMirrors RegistryMirrorsFlags
}
type DockerCfgJSON struct {
Auths map[string]AuthConfig `json:"auths,omitempty"`
}
func BuildConfig(opts Opts) (Config, error) {
var insecureRegistries []string
for _, registry := range strings.Split(opts.InsecureRegistries, ",") {
if trimmedRegistry := strings.TrimSpace(registry); trimmedRegistry != "" {
insecureRegistries = append(insecureRegistries, trimmedRegistry)
}
}
// we want to match e.g. docker.io=registry.docker-cn.com, having docker.io as the first
// match group and registry.docker-cn.com as the second one.
registryMirrorRegexp := regexp.MustCompile(`^([a-zA-Z0-9\.-]+)=(.*)`)
if opts.ContainerdRegistryMirrors == nil {
opts.ContainerdRegistryMirrors = make(RegistryMirrorsFlags)
}
for _, mirror := range strings.Split(opts.RegistryMirrors, ",") {
if trimmedMirror := strings.TrimSpace(mirror); trimmedMirror != "" {
registry := "docker.io"
if matches := registryMirrorRegexp.FindStringSubmatch(trimmedMirror); matches != nil {
registry = matches[1]
trimmedMirror = matches[2]
}
if !strings.HasPrefix(trimmedMirror, "http") {
trimmedMirror = "https://" + trimmedMirror
}
_, err := url.Parse(trimmedMirror)
if err != nil {
return Config{}, fmt.Errorf("incorrect mirror provided: %w", err)
}
if opts.ContainerdRegistryMirrors[registry] == nil {
opts.ContainerdRegistryMirrors[registry] = make([]string, 0, 1)
}
opts.ContainerdRegistryMirrors[registry] = append(opts.ContainerdRegistryMirrors[registry], trimmedMirror)
}
}
// Only validate registry credential here
if opts.RegistryCredentialsSecret != "" {
if secRef := strings.Split(opts.RegistryCredentialsSecret, "/"); len(secRef) != 2 {
return Config{}, fmt.Errorf("-node-registry-credentials-secret is in incorrect format %q, should be in 'namespace/secretname'", opts.RegistryCredentialsSecret)
}
}
return get(
opts.ContainerRuntime,
withInsecureRegistries(insecureRegistries),
withRegistryMirrors(opts.ContainerdRegistryMirrors),
withSandboxImage(opts.PauseImage),
withContainerdVersion(opts.ContainerdVersion),
), nil
}
func GetContainerdAuthConfig(ctx context.Context, client ctrlruntimeclient.Client, registryCredentialsSecret string) (map[string]AuthConfig, error) {
registryCredentials := map[string]AuthConfig{}
if secRef := strings.SplitN(registryCredentialsSecret, "/", 2); len(secRef) == 2 {
var credsSecret corev1.Secret
err := client.Get(ctx, types.NamespacedName{Namespace: secRef[0], Name: secRef[1]}, &credsSecret)
if err != nil {
return nil, fmt.Errorf("failed to retrieve registry credentials secret object: %w", err)
}
switch credsSecret.Type {
case corev1.SecretTypeDockerConfigJson:
var regCred DockerCfgJSON
if err := json.Unmarshal(credsSecret.Data[".dockerconfigjson"], ®Cred); err != nil {
return nil, fmt.Errorf("failed to unmarshal registry credentials: %w", err)
}
registryCredentials = regCred.Auths
default:
for registry, data := range credsSecret.Data {
var regCred AuthConfig
if err := json.Unmarshal(data, ®Cred); err != nil {
return nil, fmt.Errorf("failed to unmarshal registry credentials: %w", err)
}
registryCredentials[registry] = regCred
}
}
}
return registryCredentials, nil
}