e2e podman private registry #17642

Merged
merged 5 commits into from
Jul 19, 2023
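--- /dev/null
+++ b/e2e/podman/input/auth_basic.hcl
@@ -0,0 +1,76 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# This job runs a podman task using a container stored in a private registry
+# configured with basic authentication. The registry.hcl job should be running
+# and healthy before running this job. The registry_address and registry_port
+# HCL variables must be provided.
+
+variable "registry_address" {
+type = string
+description = "The HTTP address of the local registry"
+default = "localhost"
+}
+
+variable "registry_port" {
+type = number
+description = "The HTTP port of the local registry"
+default = "7511"
+}
+
+variable "registry_username" {
+type = string
+description = "The Basic Auth username of the local registry"
+default = "auth_basic_user"
+}
+
+variable "registry_password" {
+type = string
+description = "The Basic Auth password of the local registry"
+default = "auth_basic_pass"
+}
+
+locals {
+registry_auth = base64encode("${var.registry_username}:${var.registry_password}")
+}
+
+job "auth_basic" {
+type = "batch"
+
+constraint {
+attribute = "${attr.kernel.name}"
+value = "linux"
+}
+
+group "basic" {
+reschedule {
+attempts = 0
+unlimited = false
+}
+
+network {
+mode = "host"
+}
+
+task "echo" {
+driver = "podman"
+
+config {
+image = "${var.registry_address}:${var.registry_port}/docker.io/library/bash_auth_basic:private"
+args = ["echo", "The auth basic test is OK!"]
+auth_soft_fail = true
+
+auth {
+username = "${var.registry_username}"
+password = "${var.registry_password}"
+tls_verify = false
+}
+}
+
+resources {
+cpu = 100
+memory = 64
+}
+}
+}
+}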
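Review bot: The `locals` block (`registry_auth = base64encode("${var.registry_username}:${var.registry_password}")`) is never referenced anywhere in this job; the task's `auth` block passes the username and password directly, so the encoded value is dead code that should either be removed or be what the `auth` block consumes. Separately, `auth_soft_fail = true` on a job whose sole purpose is to exercise basic authentication is counter-productive: as I read the driver option, an auth lookup failure is then downgraded to an anonymous pull, so a broken auth path shows up as a generic pull error against the private registry instead of an auth error, and dropping it here would make the test fail for the right reason. `tls_verify = false` is appropriate for a plaintext localhost fixture but deserves a comment so it is not copied into real jobs, e.g. `# local e2e registry is plain HTTP; never disable TLS verification outside this test`.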
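--- /dev/null
+++ b/e2e/podman/input/auth_helper.hcl
@@ -0,0 +1,58 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# This job runs a podman task using a container stored in a private registry
+# configured with credentials helper authentication. The registry.hcl job should
+# be running and healthy before running this job.
+
+variable "registry_address" {
+type = string
+description = "The HTTP address of the local registry"
+default = "localhost"
+}
+
+variable "registry_port" {
+type = number
+description = "The HTTP port of the local registry"
+default = "7511"
+}
+
+job "auth_static" {
+type = "batch"
+
+constraint {
+attribute = "${attr.kernel.name}"
+value = "linux"
+}
+
+group "helper" {
+reschedule {
+attempts = 0
+unlimited = false
+}
+
+network {
+mode = "host"
+}
+
+task "echo" {
+driver = "podman"
+
+config {
+image = "${var.registry_address}:${var.registry_port}/docker.io/library/bash_auth_helper:private"
+args = ["echo", "The credentials helper auth test is OK!"]
+
+auth {
+# usename and password come from [docker-credential-]test.sh found on
+# $PATH as specified by "helper=test.sh" in plugin config
+tls_verify = false
+}
+}
+
+resources {
+cpu = 100
+memory = 64
+}
+}
+}
+}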
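Review bot: The job in auth_helper.hcl is registered as `job "auth_static" {`, the same name used by auth_static.hcl; if both files are submitted to one namespace the later registration replaces the earlier one instead of running alongside it, and a pass or failure would be attributed to the wrong authentication mode. Rename it to match the file and the group, `job "auth_helper" {`. The comment inside the `auth` block also has a typo, `# usename and password` should read `# username and password`.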
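--- /dev/null
+++ b/e2e/podman/input/auth_static.hcl
@@ -0,0 +1,68 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# This job runs a podman task using a container stored in a private registry
+# configured with file config static authentication. The registry.hcl job should
+# be running and healthy before running this job.
+
+variable "registry_address" {
+type = string
+description = "The HTTP address of the local registry"
+default = "localhost"
+}
+
+variable "registry_port" {
+type = number
+description = "The HTTP port of the local registry"
+default = "7511"
+}
+
+job "auth_static" {
+type = "batch"
+
+constraint {
+attribute = "${attr.kernel.name}"
+value = "linux"
+}
+
+group "static" {
+reschedule {
+attempts = 0
+unlimited = false
+}
+
+network {
+mode = "host"
+}
+
+task "echo" {
+driver = "podman"
+
+config {
+image = "${var.registry_address}:${var.registry_port}/docker.io/library/bash_auth_static:private"
+args = ["echo", "The static auth test is OK!"]
+
+auth {
+# usename and password come from auth.json in plugin config
+tls_verify = false
+}
+}
+
+resources {
+cpu = 100
+memory = 64
+}
+}
+}
+}
+
+# auth.json (must be pointed to by config=<path>/auth.json)
+#
+# {
+# "auths": {
+# "127.0.0.1:7511/docker.io/library/bash_auth_static": {
+# "auth": "YXV0aF9zdGF0aWNfdXNlcjphdXRoX3N0YXRpY19wYXNz"
+# }
+# }
+# }
+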
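Review bot: The example auth.json in the trailing comment is keyed by `127.0.0.1:7511/docker.io/library/bash_auth_static`, while the image this task pulls defaults to `localhost:7511/docker.io/library/bash_auth_static:private`; auth.json entries are matched against the image reference's registry and repository prefix as written, so as far as I can tell the documented entry would only be found when `registry_address` is passed as `127.0.0.1`, not with the default. Either document the key in terms of the variables, `# "${registry_address}:${registry_port}/docker.io/library/bash_auth_static": {`, or state in the header comment that this job must be run with `-var=registry_address=127.0.0.1`. The `auth` block comment has a typo, `# usename` should be `# username`.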
@@ -1,7 +1,9 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

job "podman_basic" {
# This is a simple redis job using the podman task driver.

job "redis" {

constraint {
attribute = "${attr.kernel.name}"
Expand All @@ -19,8 +21,9 @@ job "podman_basic" {
driver = "podman"

config {
image = "redis:7"
ports = ["db"]
image = "docker.io/library/redis:7"
ports = ["db"]
auth_soft_fail = true
}

resources {
120 changes: 120 additions & 0 deletions e2e/podman/input/registry-auths.hcl
@@ -0,0 +1,120 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# This job runs after the private registry is up and running, when we know
# address and port provided by the bridge network. It is a sysbatch job
# that writes these files on every linux client.
# - /usr/local/bin/docker-credential-test.sh

this is "docker-credential-" rather than "podman-credential-" because the registry itself is docker?


It's just because the "official" credentials helpers in the ecosystem are provided by docker and their documentation prefixes everything using "docker-credential-"

https://github.com/docker/docker-credential-helpers/tree/master

I suppose we could search for either prefix, but unless someone actually asks for it I think we should just keep it simple and working with the known tools.

# - /etc/docker-registry-auth.json

variable "registry_address" {
type = string
description = "The HTTP address of the local registry"
}

variable "auth_dir" {
type = string
description = "The destination directory of the auth.json file."
default = "/tmp"
}

variable "helper_dir" {
type = string
description = "The directory in which test.sh will be written."
default = "/tmp"
}

variable "user" {
type = string
description = "The user to create files as. Should be root in e2e."
# no default because dealing with root files is annoying locally
# try -var=user=$USER for local development
}

job "registry-auths" {
type = "sysbatch"

constraint {
attribute = "${attr.kernel.name}"
value = "linux"
}

group "create-files" {
reschedule {
attempts = 0
unlimited = false
}

# write out the test.sh file into var.helper_dir
task "create-helper-file" {
driver = "pledge"

fun use of pledge 🧼

user = "${var.user}"

config {
command = "cp"
args = ["${NOMAD_TASK_DIR}/test.sh", "${var.helper_dir}/docker-credential-test.sh"]
promises = "stdio rpath wpath cpath"
unveil = ["r:${NOMAD_TASK_DIR}/test.sh", "rwc:${var.helper_dir}"]
}
template {
destination = "local/test.sh"
perms = "755"
data = <<EOH
#!/usr/bin/env bash

set -euo pipefail

value=$(cat /dev/stdin)

username="auth_helper_user"
password="auth_helper_pass"

case "${value}" in
docker.io/*)
echo "must use local registry"
exit 3
;;
*)
echo "{\"Username\": \"$username\", \"Secret\": \"$password\"}"
exit 0
;;
esac
EOH
}
resources {
cpu = 100
memory = 32
}
}

# write out the auth.json file into var.auth_dir
task "create-auth-file" {
driver = "pledge"
user = "${var.user}"

config {
command = "cp"
args = ["${NOMAD_TASK_DIR}/auth.json", "${var.auth_dir}/auth.json"]
promises = "stdio rpath wpath cpath"
unveil = ["r:${NOMAD_TASK_DIR}/auth.json", "rwc:${var.auth_dir}"]
}
template {
perms = "644"
destination = "local/auth.json"
data = <<EOH
{
"auths": {

This one's pretty trivial, but I like jsonencode to avoid possibly-invalid raw json.

"${var.registry_address}:/docker.io/library/bash_auth_static": {
"auth": "YXV0aF9zdGF0aWNfdXNlcjphdXRoX3N0YXRpY19wYXNz"
}
}
}
EOH
}
resources {
cpu = 100
memory = 32
}
}
}
}
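Review bot: The auth.json written by `create-auth-file` is keyed `"${var.registry_address}:/docker.io/library/bash_auth_static"`, a colon with nothing after it: if `registry_address` is a bare host the port is missing, and if it already carries `host:port` (as the header comment about the address and port coming from the bridge network suggests) the key becomes `host:port:/docker.io/...`; neither form can match the `…:7511/docker.io/library/bash_auth_static` reference pulled by auth_static.hcl, so the static-auth test would not find its credentials. Drop the stray colon or add a `registry_port` variable and write `"${var.registry_address}:${var.registry_port}/docker.io/library/bash_auth_static"`. That file is written with `perms = "644"`, which leaves the base64-encoded credentials readable by every local user on each client; `perms = "600"` is the usual mode for credential files and costs nothing here since the task already runs as `var.user`. The helper executable defaults to the world-writable `/tmp` and is located by the plugin via `$PATH`, so any local user could replace it before the driver invokes it; a root-owned directory such as the `/usr/local/bin` named in the header is the safer default. Relatedly, the header comment lists `/usr/local/bin/docker-credential-test.sh` and `/etc/docker-registry-auth.json` as outputs, but the variable defaults place `docker-credential-test.sh` and `auth.json` in `/tmp`, so the comment should be aligned with the real destinations.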