Add authentication to utility registry #144

Merged
merged 10 commits into from
Nov 5, 2021
2 changes: 2 additions & 0 deletions assets/manifests/registry/registry.yaml
Expand Up @@ -38,6 +38,8 @@ spec:
image:
repository: registry1.dso.mil/ironbank/opensource/docker/registry-v2
pullPolicy: Never
secrets:
htpasswd: ###ZARF_HTPASSWD###
resources:
requests:
cpu: "100m"
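Review bot: The new `htpasswd:` value is an unquoted scalar, and the text that replaces `###ZARF_HTPASSWD###` will contain a colon and `$` characters (`user:$2a$...`); it parses as a plain scalar today, but `htpasswd: "###ZARF_HTPASSWD###"` makes the intent explicit and guards against a username or hash form that YAML would read differently. Docker Distribution's htpasswd backend accepts only bcrypt entries, which `utils.GetHtpasswdString` produces, so a short comment above `secrets:` recording that dependency would help whoever next touches the substitution code. The enclosing `spec:` block starts before this hunk.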
6 changes: 6 additions & 0 deletions assets/misc/registries.yaml
Expand Up @@ -11,3 +11,9 @@ mirrors:
registry-1.docker.io:
endpoint:
- "https://127.0.0.1"
ghcr.io:
endpoint:
- "https://127.0.0.1"
registry.opensource.zalan.do:
endpoint:
- "https://127.0.0.1"
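Review bot: The new mirror entries for `ghcr.io` and `registry.opensource.zalan.do` point at `https://127.0.0.1`, which this PR places behind htpasswd authentication, yet the hunk shows no `configs:` entry supplying credentials for that endpoint; k3s's registries.yaml needs `configs: "127.0.0.1": auth: { username: ..., password: ... }` or pulls through the mirror will be refused. If the credentials are injected elsewhere — the rest of this file is outside the hunk — a one-line comment above the mirrors saying where would save the next reader the search.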
7 changes: 7 additions & 0 deletions cli/internal/k3s/install.go
Expand Up @@ -37,6 +37,13 @@ func Install(options InstallOptions) {

gitSecret := git.GetOrCreateZarfSecret()

// Now that we have what the password will be, we should add the login entry to the system's registry config
err := utils.Login(config.ZarfLocalIP, config.ZarfGitUser, gitSecret)
if err != nil {
logrus.Debug(err)
logrus.Fatal("Unable to add login credentials for the utility registry")
}

logrus.Info("Installation complete. You can run \"/usr/local/bin/k9s\" to monitor the status of the deployment.")
logrus.WithFields(logrus.Fields{
"Gitea Username (if installed)": config.ZarfGitUser,
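Review bot: The new comment says the login entry goes into "the system's registry config", but `utils.Login` (per its own doc comment) writes the Docker CLI config under `DOCKER_CONFIG`/`$HOME/.docker`, which k3s's containerd does not consult for image pulls; if the entry is meant for host-side tooling, the comment should say so, e.g. `// Record the utility-registry credentials in the Docker CLI config for host tooling; containerd pulls are configured separately`. The `logrus.Debug(err)` / `logrus.Fatal(...)` pair also drops the cause from non-debug output; `logrus.WithError(err).Fatal("Unable to add login credentials for the utility registry")` keeps it on the fatal line, and the same pattern appears in the deploy.go hunk. `Install` begins before this hunk and continues after it.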
11 changes: 10 additions & 1 deletion cli/internal/packager/deploy.go
Expand Up @@ -2,7 +2,9 @@ package packager

import (
"crypto/sha256"
"encoding/base64"
"encoding/hex"
"fmt"
"io"
"net/http"
"net/url"
Expand Down Expand Up @@ -168,10 +170,17 @@ func deployComponents(tempPath componentPaths, assets config.ZarfComponent) {
// Get a list of all the k3s manifest files
manifests := utils.RecursiveFileList(tempPath.manifests)

// Iterate through all the manifests and replace any ZARF_SECRET values
// Iterate through all the manifests and replace any ZARF_SECRET, ZARF_HTPASSWD, or ZARF_DOCKERAUTH values
for _, manifest := range manifests {
logrus.WithField("path", manifest).Info("Processing manifest file")
utils.ReplaceText(manifest, "###ZARF_SECRET###", gitSecret)
htpasswd, err := utils.GetHtpasswdString(config.ZarfGitUser, gitSecret)
if err != nil {
logrus.Debug(err)
logrus.Fatal("Unable to define `htpasswd` string for the Zarf user")
}
utils.ReplaceText(manifest, "###ZARF_HTPASSWD###", htpasswd)
utils.ReplaceText(manifest, "###ZARF_DOCKERAUTH###", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", config.ZarfGitUser, gitSecret))))
}

utils.CreatePathAndCopy(tempPath.manifests, config.K3sManifestPath)
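Review bot: `utils.GetHtpasswdString` and the base64 `###ZARF_DOCKERAUTH###` value are computed inside `for _, manifest := range manifests`, so every manifest pays a bcrypt round at `DefaultCost` and, because bcrypt salts randomly, every manifest receives a different hash for the same password. Both values depend only on `config.ZarfGitUser` and `gitSecret`, so they belong before the loop, computed once; the loop body then shrinks to the three `ReplaceText` calls. `deployComponents` starts before this hunk and continues after it.
```go
	// Compute the substitution values once: bcrypt is deliberately slow and salted,
	// so hashing per manifest costs time and yields a different hash in every file.
	htpasswd, err := utils.GetHtpasswdString(config.ZarfGitUser, gitSecret)
	if err != nil {
		logrus.WithError(err).Fatal("Unable to define `htpasswd` string for the Zarf user")
	}
	dockerAuth := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", config.ZarfGitUser, gitSecret)))

	for _, manifest := range manifests {
		logrus.WithField("path", manifest).Info("Processing manifest file")
		utils.ReplaceText(manifest, "###ZARF_SECRET###", gitSecret)
		utils.ReplaceText(manifest, "###ZARF_HTPASSWD###", htpasswd)
		utils.ReplaceText(manifest, "###ZARF_DOCKERAUTH###", dockerAuth)
	}
	// … unchanged: CreatePathAndCopy …
```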
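--- a/cli/internal/utils/auth.go
+++ b/cli/internal/utils/auth.go
@@ -0,0 +1,36 @@
+package utils
+
+import (
+"github.com/docker/cli/cli/config"
+"github.com/docker/cli/cli/config/types"
+"github.com/google/go-containerregistry/pkg/authn"
+"github.com/google/go-containerregistry/pkg/name"
+"log"
+"os"
+)
+// Login adds the given creds to the user's Docker config, usually located at $HOME/.docker/config.yaml. It does not try
+// to connect to the given registry, it just simply adds another entry to the config file.
+// This function was mostly adapted from https://github.com/google/go-containerregistry/blob/5c9c442d5d68cd96787559ebf6e984c7eb084913/cmd/crane/cmd/auth.go
+func Login(serverAddress string, user string, password string) error {
+cf, err := config.Load(os.Getenv("DOCKER_CONFIG"))
+if err != nil {
+return err
+}
+creds := cf.GetCredentialsStore(serverAddress)
+if serverAddress == name.DefaultRegistry {
+serverAddress = authn.DefaultAuthKey
+}
+if err := creds.Store(types.AuthConfig{
+ServerAddress: serverAddress,
+Username: user,
+Password: password,
+}); err != nil {
+return err
+}
+
+if err := cf.Save(); err != nil {
+return err
+}
+log.Printf("logged in via %s", cf.Filename)
+return nil
+}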
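Review bot: `log.Printf("logged in via %s", cf.Filename)` uses the standard `log` package while the rest of this PR (install.go, deploy.go) logs through logrus, so this line bypasses the CLI's log level and formatting; `logrus.WithField("path", cf.Filename).Info("Added registry login to Docker config")` would match. The doc comment's default path `$HOME/.docker/config.yaml` looks wrong — the file `config.Load` reads is the Docker CLI's `config.json` — and since the stored entry is plaintext unless a credential helper is configured on the host, the comment should say so, e.g. `// The entry is stored as the Docker CLI config dictates: in plaintext unless a credsStore helper is configured.` goimports would also put the stdlib `log` and `os` imports in their own group ahead of the third-party ones.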
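--- a/cli/internal/utils/htpasswd.go
+++ b/cli/internal/utils/htpasswd.go
@@ -0,0 +1,15 @@
+package utils
+
+import (
+"fmt"
+"golang.org/x/crypto/bcrypt"
+)
+
+// GetHtpasswdString converts a username and password to a properly formatted and hashed format for `htpasswd`
+func GetHtpasswdString(username string, password string) (string, error) {
+hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+if err != nil {
+return "", err
+}
+return fmt.Sprintf("%s:%s", username, hash), nil
+}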
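Review bot: `GetHtpasswdString` builds `username:hash` without checking that `username` is free of `:` or line breaks, and either would corrupt the entry the registry parses line by line; add `if strings.ContainsAny(username, ":\r\n") { return "", fmt.Errorf("invalid htpasswd username %q", username) }` before hashing (and `"strings"` to the imports). bcrypt also uses at most the first 72 bytes of the password — depending on the x/crypto version, longer input is silently truncated or rejected — so the doc comment should state that limit; how long the password passed in from deploy.go is cannot be seen from here.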
10 changes: 5 additions & 5 deletions examples/Makefile
Expand Up @@ -54,16 +54,12 @@ vm-destroy: ## Cleanup plz
@vagrant destroy -f

.PHONY: package-examples
package-examples: package-example-big-bang package-example-appliance package-example-data-injection package-example-game package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator ## Create zarf packages from all examples
package-examples: package-example-big-bang package-example-data-injection package-example-game package-example-gitops-data package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator ## Create zarf packages from all examples

.PHONY: package-example-big-bang
package-example-big-bang: ## Create the Big Bang Core example
cd big-bang && kustomize build template/bigbang > manifests/bigbang_generated.yaml && kustomize build template/flux > manifests/flux_generated.yaml && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-appliance
package-example-appliance: ## Create the Podinfo example
cd appliance && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-data-injection
package-example-data-injection: ## Create the Data Injection example
cd data-injection && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
Expand All @@ -72,6 +68,10 @@ package-example-data-injection: ## Create the Data Injection example
package-example-game: ## Create the Doom example
cd game && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-gitops-data
package-example-gitops-data: ## Create the gitops-data example
cd gitops-data && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-single-big-bang-package
package-example-single-big-bang-package: ## Create the Single Big Bang Package example
cd single-big-bang-package && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
2 changes: 1 addition & 1 deletion examples/Vagrantfile
Expand Up @@ -30,6 +30,6 @@ Vagrant.configure("2") do |config|
sysctl -w vm.max_map_count=262144
# Airgap images please
echo "0.0.0.0 registry.hub.docker.com hub.docker.com charts.helm.sh repo1.dso.mil github.com registry.dso.mil registry1.dso.mil docker.io index.docker.io auth.docker.io registry-1.docker.io dseasb33srnrn.cloudfront.net production.cloudflare.docker.com" >> /etc/hosts
echo "0.0.0.0 registry.opensource.zalan.do ghcr.io registry.hub.docker.com hub.docker.com charts.helm.sh repo1.dso.mil github.com registry.dso.mil registry1.dso.mil docker.io index.docker.io auth.docker.io registry-1.docker.io dseasb33srnrn.cloudfront.net production.cloudflare.docker.com" >> /etc/hosts
SHELL
end
7 changes: 0 additions & 7 deletions examples/appliance/README.md

This file was deleted.

26 changes: 0 additions & 26 deletions examples/appliance/manifests/podinfo.yaml

This file was deleted.

17 changes: 0 additions & 17 deletions examples/appliance/zarf.yaml

This file was deleted.

28 changes: 28 additions & 0 deletions examples/big-bang/manifests/other_manifests.yaml
Expand Up @@ -7,3 +7,31 @@ metadata:
stringData:
username: "zarf-git-user"
password: "###ZARF_SECRET###"
---
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
name: private-registry
namespace: flux-system
stringData:
.dockerconfigjson: |
{
"auths": {
"registry.dso.mil": {
"auth":"###ZARF_DOCKERAUTH###"
},
"registry1.dso.mil": {
"auth":"###ZARF_DOCKERAUTH###"
},
"docker.io": {
"auth":"###ZARF_DOCKERAUTH###"
},
"registry-1.docker.io": {
"auth":"###ZARF_DOCKERAUTH###"
},
"ghcr.io": {
"auth":"###ZARF_DOCKERAUTH###"
}
}
}
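Review bot: The new `private-registry` secret offers the single `###ZARF_DOCKERAUTH###` credential to five public hostnames (`registry.dso.mil`, `registry1.dso.mil`, `docker.io`, `registry-1.docker.io`, `ghcr.io`); this is only safe because every node's containerd is expected to mirror those names to `127.0.0.1` (the registries.yaml change in this PR), and on a node where the mirror is absent or broken the kubelet would present the utility registry's username and password to the real upstream registry. A comment at the top of the secret making that assumption explicit, e.g. `# Valid only because containerd mirrors each of these hosts to the local utility registry (see assets/misc/registries.yaml)`, would keep the coupling visible; the same applies to examples/data-injection/manifests/image-pull-secret.yaml, examples/game/manifests/image-pull-secret.yaml and the `registryCredentials` block in examples/big-bang/template/bigbang/values.yaml. The `auth` values are base64, not hashed, so anyone able to read secrets in `flux-system` recovers the plaintext password.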
5 changes: 5 additions & 0 deletions examples/big-bang/template/bigbang/values.yaml
@@ -1,5 +1,10 @@
domain: bigbang.dev

registryCredentials:
registry: "registry1.dso.mil"
username: "zarf-git-user"
password: "###ZARF_SECRET###"

git:
existingSecret: "zarf-git-secret"

2 changes: 2 additions & 0 deletions examples/data-injection/manifests/data-injection.yaml
Expand Up @@ -16,3 +16,5 @@ spec:
- name: data-injection
image: registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.4
command: ["/bin/sh", "-ec", "mkdir -p /test && while :; do ls -lah /test; sleep 5 ; done"]
imagePullSecrets:
- name: private-registry
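--- a/examples/data-injection/manifests/image-pull-secret.yaml
+++ b/examples/data-injection/manifests/image-pull-secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+name: private-registry
+namespace: demo
+stringData:
+.dockerconfigjson: |
+{
+"auths": {
+"registry.dso.mil": {
+"auth":"###ZARF_DOCKERAUTH###"
+},
+"registry1.dso.mil": {
+"auth":"###ZARF_DOCKERAUTH###"
+},
+"docker.io": {
+"auth":"###ZARF_DOCKERAUTH###"
+},
+"registry-1.docker.io": {
+"auth":"###ZARF_DOCKERAUTH###"
+},
+"ghcr.io": {
+"auth":"###ZARF_DOCKERAUTH###"
+}
+}
+}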
5 changes: 5 additions & 0 deletions examples/game/manifests/game.yaml
Expand Up @@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: demo-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: "traefik"
traefik.ingress.kubernetes.io/router.middlewares: kube-system-ssl-redirect@kubernetescrd
Expand All @@ -21,6 +22,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: game
namespace: default
spec:
selector:
matchLabels:
Expand All @@ -37,11 +39,14 @@ spec:
- name: http
containerPort: 8000
protocol: TCP
imagePullSecrets:
- name: private-registry
---
apiVersion: v1
kind: Service
metadata:
name: game
namespace: default
spec:
type: ClusterIP
selector:
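--- a/examples/game/manifests/image-pull-secret.yaml
+++ b/examples/game/manifests/image-pull-secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+name: private-registry
+namespace: default
+stringData:
+.dockerconfigjson: |
+{
+"auths": {
+"registry.dso.mil": {
+"auth":"###ZARF_DOCKERAUTH###"
+},
+"registry1.dso.mil": {
+"auth":"###ZARF_DOCKERAUTH###"
+},
+"docker.io": {
+"auth":"###ZARF_DOCKERAUTH###"
+},
+"registry-1.docker.io": {
+"auth":"###ZARF_DOCKERAUTH###"
+},
+"ghcr.io": {
+"auth":"###ZARF_DOCKERAUTH###"
+}
+}
+}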