Configure pulp_sync with registry secret if provided

osbs/build/build_request.py

@@ -568,31 +568,39 @@ def render_pulp_sync(self):
             return
 
         pulp_registry = self.spec.pulp_registry.value
-        docker_v2_registries = [registry
-                                for registry in self.spec.registry_uris.value
-                                if registry.version == 'v2']
 
-        if pulp_registry and docker_v2_registries:
+        # Find which registry to use
+        docker_registry = None
+        registry_secret = None
+        insecure_registry = None
+        registries = zip_longest(self.spec.registry_uris.value,
+                                 self.spec.registry_secrets.value)
+        for registry, secret in registries:
+            if registry.version == 'v2':
+                # First specified v2 registry is the one we'll tell pulp
+                # to sync from. Keep the http prefix -- pulp wants it.
+                docker_registry = registry.uri
+                registry_secret = secret
+                logger.info("using docker v2 registry %s for pulp_sync",
+                            docker_registry)
+                break
+
+        if pulp_registry and docker_registry:
             self.dj.dock_json_set_arg('postbuild_plugins', 'pulp_sync',
                                       'pulp_registry_name', pulp_registry)
 
-            # First specified v2 registry is the one we'll tell pulp
-            # to sync from. Keep the http prefix -- pulp wants it.
-            docker_registry = docker_v2_registries[0].uri
-            logger.info("using docker v2 registry %s for pulp_sync",
-                        docker_registry)
-
             self.dj.dock_json_set_arg('postbuild_plugins', 'pulp_sync',
                                       'docker_registry', docker_registry)
 
-            # Verify we have either a secret or username/password
+            self.set_secret_for_plugin(('postbuild_plugins',
+                                        'pulp_sync',
+                                        'registry_secret_path'),
+                                       registry_secret)
+
+            # Verify we have a pulp secret
             if self.spec.pulp_secret.value is None:
-                conf = self.dj.dock_json_get_plugin_conf('postbuild_plugins',
-                                                         'pulp_sync')
-                args = conf.get('args', {})
-                if 'username' not in args:
-                    raise OsbsValidationException("Pulp registry specified "
-                                                  "but no auth config")
+                raise OsbsValidationException("Pulp registry specified "
+                                              "but no auth config")
         else:
             # If no pulp registry is specified, don't run the pulp plugin
             logger.info("removing pulp_sync from request, "
@@ -735,6 +743,9 @@ def render(self, validate=True):
                            'pulp_secret_path'):
                           self.spec.pulp_secret.value,
 
+                          # pulp_sync registry_secret_path set
+                          # in render_pulp_sync
+
                           ('exit_plugins', 'sendmail', 'pdc_secret_path'):
                           self.spec.pdc_secret.value,
 

tests/build/test_build_request.py

@@ -656,13 +656,14 @@ def test_render_prod_request_requires_newer(self):
         ['v1', 'v2'],
         ['v2'],
     ])
-    @pytest.mark.parametrize('openshift_version', ['1.0.0', '1.0.6'])
-    def test_render_prod_request_v1_v2(self, registry_api_versions, openshift_version):
+    def test_render_prod_request_v1_v2(self, registry_api_versions):
         build_request = BuildRequest(INPUTS_PATH)
-        build_request.set_openshift_required_version(parse_version(openshift_version))
+        # OpenShift Origin >= 1.0.6 is required for v2
+        build_request.set_openshift_required_version(parse_version('1.0.6'))
         name_label = "fedora/resultingimage"
         pulp_env = 'v1pulp'
         pulp_secret = pulp_env + 'secret'
+        registry_secret = 'registry_secret'
         kwargs = {
             'pulp_registry': pulp_env,
             'pulp_secret': pulp_secret,
@@ -682,6 +683,10 @@ def test_render_prod_request_v1_v2(self, registry_api_versions, openshift_versio
 
                 "http://registry2.example.com:5000/v2"
             ],
+            'registry_secrets': [
+                "",
+                registry_secret,
+            ],
             'nfs_server_path': "server:path",
             'source_registry_uri': "registry.example.com",
             'openshift_uri': "http://openshift/",
@@ -714,7 +719,10 @@ def test_render_prod_request_v1_v2(self, registry_api_versions, openshift_versio
 
         # tag_and_push configuration. Must not have the scheme part.
         expected_registries = {
-            'registry2.example.com:5000': {'insecure': True},
+            'registry2.example.com:5000': {
+                'insecure': True,
+                'secret': '/var/run/secrets/atomic-reactor/registry_secret'
+            },
         }
 
         if 'v1' in registry_api_versions:
@@ -725,21 +733,25 @@ def test_render_prod_request_v1_v2(self, registry_api_versions, openshift_versio
         assert plugin_value_get(plugins, "postbuild_plugins", "tag_and_push",
                                 "args", "registries") == expected_registries
 
-        if openshift_version == '1.0.0':
-            assert 'secrets' not in build_json['spec']['strategy']['customStrategy']
-            assert build_json['spec']['source']['sourceSecret']['name'] == pulp_secret
-        else:
-            assert 'sourceSecret' not in build_json['spec']['source']
-            secrets = build_json['spec']['strategy']['customStrategy']['secrets']
-            for version, plugin in [('v1', 'pulp_push'), ('v2', 'pulp_sync')]:
-                if version not in registry_api_versions:
-                    continue
+        assert 'sourceSecret' not in build_json['spec']['source']
+        secrets = build_json['spec']['strategy']['customStrategy']['secrets']
+        for version, plugin in [('v1', 'pulp_push'), ('v2', 'pulp_sync')]:
+            if version not in registry_api_versions:
+                continue
 
-                path = plugin_value_get(plugins, "postbuild_plugins", plugin,
+            path = plugin_value_get(plugins, "postbuild_plugins", plugin,
                                         "args", "pulp_secret_path")
-                pulp_secrets = [secret for secret in secrets if secret['mountPath'] == path]
-                assert len(pulp_secrets) == 1
-                assert pulp_secrets[0]['secretSource']['name'] == pulp_secret
+            pulp_secrets = [secret for secret in secrets if secret['mountPath'] == path]
+            assert len(pulp_secrets) == 1
+            assert pulp_secrets[0]['secretSource']['name'] == pulp_secret
+
+            if plugin == 'pulp_sync':
+                path = plugin_value_get(plugins, "postbuild_plugins", plugin,
+                                        "args", "registry_secret_path")
+                reg_secrets = [secret for secret in secrets
+                               if secret['mountPath'] == path]
+                assert len(reg_secrets) == 1
+                assert reg_secrets[0]['secretSource']['name'] == registry_secret
 
         with pytest.raises(NoSuchPluginException):
             get_plugin(plugins, "postbuild_plugins", "cp_built_image_to_nfs")
@@ -762,6 +774,9 @@ def test_render_prod_request_v1_v2(self, registry_api_versions, openshift_versio
                                    "args", "pulp_registry_name")
             assert env == pulp_env
 
+            pulp_secret = plugin_value_get(plugins, "postbuild_plugins",
+                                           "pulp_sync", "args",
+                                           "pulp_secret_path")
             docker_registry = plugin_value_get(plugins, "postbuild_plugins",
                                                "pulp_sync", "args",
                                                "docker_registry")