Add support for the Authenticated Registries #744

Merged
merged 1 commit into from
Apr 24, 2024

@anujc25 anujc25 commented Apr 22, 2024

What this PR does / why we need it

  • Add support for the Authenticated Registry
  • To use registries that require authentication to host Tanzu CLI Plugins images, users are expected to do the following:
    1. Use `docker login <registry>` or `crane auth login <registry>` to authenticate with the registry
    2. Specify environment variable `TANZU_CLI_AUTHENTICATED_REGISTRY=<registry>`. By specifying this environment variable, Tanzu CLI will use the default authentication mechanism instead of using Anonymous access to fetch images.

Pending

  • Add E2E tests

Which issue(s) this PR fixes

Fixes #

Describe testing done for PR

  • Start local authenticated registry for testing

```
# Start local registry at `localhost:5001`
$ make start-test-central-repo

# Start local registry requiring authentication at `localhost:6002`
$ make start-airgapped-local-registry
```

  • Setup local authenticated registry with plugins

```
$ tz plugin download-bundle --to-tar /tmp/plugins.tar.gz --image localhost:9876/tanzu-cli/plugins/airgapped:small
...
[i] saving plugin bundle at: /tmp/plugins.tar.gz

---

$ tz plugin upload-bundle --tar /tmp/plugins.tar.gz --to-repo localhost:6002/test/plugins
[i] extracting "/tmp/plugins.tar.gz" for processing...
[i] ---------------------------
[i] uploading image "localhost:6002/test/plugins/airgapped"
[i] copy | importing 2 images...

[i] copy |
copy | done uploading images
[i] copy | Error: Error uploading images: HEAD http://localhost:6002/v2/test/plugins/airgapped/manifests/sha256-b3e204740c44151562050f9f5b839386231c135a7cde944f150bca0503cbeb8f.imgpkg: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)
[x] : error while uploading image: HEAD http://localhost:6002/v2/test/plugins/airgapped/manifests/sha256-b3e204740c44151562050f9f5b839386231c135a7cde944f150bca0503cbeb8f.imgpkg: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)

---

$ docker login localhost:6002
Username: testuser
Password:
Login Succeeded

---

$ tz plugin upload-bundle --tar /tmp/plugins.tar.gz --to-repo localhost:6002/test/plugins
...
[i] successfully published all plugin images to "localhost:6002/test/plugins/airgapped:small"

---

$ docker logout localhost:6002
Removing login credentials for localhost:6002
```

  • Now, try to use the authenticated registry `localhost:6002` as discovery source

```
export TANZU_CLI_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_VERIFICATION_SKIP_LIST=localhost:6002/test/plugins/airgapped:small
export TANZU_CLI_AUTHENTICATED_REGISTRY=localhost:6002/test/plugins/airgapped:small

$ tz plugin source update default -u localhost:6002/test/plugins/airgapped:small
[i] Refreshing plugin inventory cache for "localhost:6002/test/plugins/airgapped:small", this will take a few seconds.
[x] : unable to fetch the inventory of discovery 'default' for plugins: plugins discovery image resolution failed. Please check that the repository image URL "localhost:6002/test/plugins/airgapped:small" is correct: error getting the image digest: GET http://localhost:6002/v2/test/plugins/airgapped/manifests/small: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:test/plugins/airgapped Type:repository]]
```

  • Authenticate with the registry with (`docker login` or `crane auth login`) and try again

```
$ docker login localhost:6002
Username: testuser
Password:
Login Succeeded

---

$ tz plugin source update default -u localhost:6002/test/plugins/airgapped:small
[i] Refreshing plugin inventory cache for "localhost:6002/test/plugins/airgapped:small", this will take a few seconds.
[i] Reading plugin inventory for "localhost:6002/test/plugins/airgapped:small", this will take a few seconds.
[!] Skipping the plugins discovery image signature verification for "localhost:6002/test/plugins/airgapped:small"

[ok] updated discovery source default

---

$ tz plugin search
[i] The tanzu cli essential plugins are outdated and are being updated now. The update may take a few seconds.
[i] Installing plugins from plugin group 'vmware-tanzucli/essentials:v9.9.9'
[i] Installed plugin 'telemetry:v9.9.9' with target 'global'

  NAME              DESCRIPTION                     TARGET           LATEST
  account           account functionality           mission-control  v9.9.9
  cluster           cluster functionality           kubernetes       v9.9.9
  clustergroup      clustergroup functionality      operations       v9.9.9
  isolated-cluster  isolated-cluster functionality  global           v9.9.9
  plugin-with-sha   plugin-with-sha functionality   global           v9.9.9
  telemetry         telemetry functionality         global           v9.9.9

---

$ tz plugin install account
[i] Installed plugin 'account:v9.9.9' with target 'mission-control'
[ok] successfully installed 'account' plugin
```

Release note

Add support for the Authenticated Registry to host Tanzu CLI plugin images

Additional information

Special notes for your reviewer
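
An added example (not code from this PR or from the Tanzu CLI) of scoping credentialed access to the registry named in `TANZU_CLI_AUTHENTICATED_REGISTRY` while every other pull stays anonymous. It assumes a comma-separated value and exact host matching; `registryHost` and `useAuthenticatedAccess` are hypothetical names.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// registryHost returns the host[:port] part of an image reference or of a
// configured entry: "localhost:6002/test/plugins:small" -> "localhost:6002".
func registryHost(ref string) string {
	ref = strings.TrimSpace(ref)
	if i := strings.Index(ref, "://"); i >= 0 { // tolerate a scheme prefix
		ref = ref[i+3:]
	}
	if i := strings.Index(ref, "/"); i >= 0 {
		ref = ref[:i]
	}
	return strings.ToLower(ref)
}

// useAuthenticatedAccess reports whether image lives on a registry named in
// envValue (assumed here to be comma-separated). Hosts are compared exactly,
// not by string prefix, so stored credentials are only offered to the
// registry the user opted in and every other pull stays anonymous.
func useAuthenticatedAccess(envValue, image string) bool {
	host := registryHost(image)
	if host == "" {
		return false
	}
	for _, entry := range strings.Split(envValue, ",") {
		if registryHost(entry) == host {
			return true
		}
	}
	return false
}

func main() {
	env := os.Getenv("TANZU_CLI_AUTHENTICATED_REGISTRY")
	// Constructed sample references; the first two use hosts from the PR text.
	for _, image := range []string{
		"localhost:6002/test/plugins/airgapped:small",
		"localhost:9876/tanzu-cli/plugins/airgapped:small",
		"localhost:60022/test/plugins/airgapped:small", // look-alike port
	} {
		fmt.Printf("%-52s authenticated=%v\n", image, useAuthenticatedAccess(env, image))
	}
}
```

A caller would pick the default credential keychain when the function returns true and anonymous access otherwise.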

@anujc25 anujc25 force-pushed the support-authenticated-registries branch 4 times, most recently from 236a069 to cf269d4 Compare April 22, 2024 18:31
@anujc25 anujc25 marked this pull request as ready for review April 22, 2024 18:56
@anujc25 anujc25 requested a review from a team as a code owner April 22, 2024 18:56

@marckhouzam marckhouzam left a comment


Works beautifully!
I particularly like the fact that we don't default to authenticated access, which would uselessly slow down the production central repo access. Using the environment variable allows us to only affect repos that really need authentication.

@marckhouzam marckhouzam added this to the v1.3.0 milestone Apr 23, 2024
@anujc25 anujc25 added the docs-impact issues with documentation impact label Apr 23, 2024
To use registries that require authentication to host Tanzu CLI Plugins images users are expected to do the following:
1. Use `docker login <registry>` or `crane auth login <registry>` to authenticate with the registry
2. Specify environment variable `TANZU_CLI_AUTHENTICATED_REGISTRY=<registry>`. By specifying this environment variable, Tanzu CLI will use the default authentication mechanism instead of using Anonymous access to fetch images.
@anujc25 anujc25 force-pushed the support-authenticated-registries branch from cf269d4 to 84ed515 Compare April 24, 2024 04:56

@marckhouzam marckhouzam left a comment


Thanks @anujc25
LGTM

@prkalle prkalle left a comment


LGTM. Thanks!

@anujc25 anujc25 merged commit be59137 into vmware-tanzu:main Apr 24, 2024
7 checks passed
vuil pushed a commit to vuil/tanzu-cli that referenced this pull request May 1, 2024
vuil pushed a commit that referenced this pull request May 1, 2024