support for sharing registry credentials with invocation images

Adds a new boolean parameter to the CNAB bundles which app generates,
`"docker.share-registry-creds"` (exposed as `$DOCKER_SHARE_REGISTRY_CREDS`)

Also adds a new credential `docker.registry-creds` which contains a JSON
document mapping strings to `github.com/docker/docker/api/types.AuthConfig`.
The file must always be present but has content only if
`$DOCKER_SHARE_REGISTRY_CREDS` is true (otherwise it is an empty JSON map).

The `install` and `upgrade` subcommands gain a new `--with-registry-auth` flag
which indicates that registry credentials should be provided to the invocation
image.

Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
Signed-off-by: Ian Campbell <ijc@docker.com>

Author: simonferquel

cmd/cnab-run/env.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	"encoding/json"
+	"io/ioutil"
 	"os"
 
 	"github.com/docker/app/internal"
@@ -32,9 +34,23 @@ func setupDockerContext() (command.Cli, error) {
 	if err != nil {
 		return nil, err
 	}
-	return cli, cli.Initialize(&cliflags.ClientOptions{
+	if err := cli.Initialize(&cliflags.ClientOptions{
 		Common: &cliflags.CommonOptions{
 			Context: "cnab",
 		},
-	})
+	}); err != nil {
+		return nil, err
+	}
+	authConfigsJSON, err := ioutil.ReadFile(internal.CredentialRegistryPath)
+	if err != nil {
+		return nil, err
+	}
+
+	configFile := cli.ConfigFile()
+
+	if err := json.Unmarshal(authConfigsJSON, &configFile.AuthConfigs); err != nil {
+		return nil, err
+	}
+
+	return cli, nil
 }

cmd/cnab-run/install.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"os"
+	"strconv"
 
 	"github.com/deislabs/duffle/pkg/bundle"
 	"github.com/docker/app/internal"
@@ -52,11 +53,15 @@ func installAction(instanceName string) error {
 	if err := os.Chdir(app.Path); err != nil {
 		return err
 	}
+	sendRegistryAuth, err := strconv.ParseBool(os.Getenv("DOCKER_SHARE_REGISTRY_CREDS"))
+	if err != nil {
+		return err
+	}
 	// todo: pass registry auth to invocation image
 	return stack.RunDeploy(cli, getFlagset(orchestrator), rendered, orchestrator, options.Deploy{
 		Namespace:        instanceName,
 		ResolveImage:     swarm.ResolveImageAlways,
-		SendRegistryAuth: false,
+		SendRegistryAuth: sendRegistryAuth,
 	})
 }
 

cmd/cnab-run/main.go

@@ -13,7 +13,7 @@ type cnabAction func(string) error
 var (
 	cnabActions = map[string]cnabAction{
 		"install":                  installAction,
-		"upgrade":                  installAction,
+		"upgrade":                  installAction, // upgrade is implemented as reinstall.
 		"uninstall":                uninstallAction,
 		internal.ActionStatusName:  statusAction,
 		internal.ActionInspectName: inspectAction,

e2e/testdata/simple-bundle.json.golden

@@ -106,6 +106,16 @@
 				"com.docker.app.render"
 			]
 		},
+		"com.docker.app.share-registry-creds": {
+			"type": "bool",
+			"defaultValue": false,
+			"metadata": {
+				"description": "Share registry credentials with the invocation image"
+			},
+			"destination": {
+				"env": "DOCKER_SHARE_REGISTRY_CREDS"
+			}
+		},
 		"static_subdir": {
 			"type": "string",
 			"defaultValue": "data/static",
@@ -122,6 +132,9 @@
 		}
 	},
 	"credentials": {
+		"com.docker.app.registry-creds": {
+			"path": "/cnab/app/registry-creds.json"
+		},
 		"docker.context": {
 			"path": "/cnab/app/context.dockercontext"
 		}

internal/commands/cnab.go

@@ -2,6 +2,8 @@ package commands
 
 import (
 	"bytes"
+	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -23,8 +25,10 @@ import (
 	"github.com/docker/cli/cli/context/docker"
 	"github.com/docker/cli/cli/context/store"
 	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/registry"
 	"github.com/pkg/errors"
 )
 
@@ -77,6 +81,50 @@ func addDockerCredentials(contextName string, contextStore store.Store) credenti
 	}
 }
 
+func shouldPopulateRegistryCreds(parameterValues map[string]interface{}) bool {
+	v, ok := parameterValues[internal.ParameterShareRegistryCredsName]
+	if !ok {
+		return false
+	}
+	result, ok := v.(bool)
+	if !ok {
+		return false
+	}
+	return result
+}
+
+func addRegistryCredentials(parameterValues map[string]interface{}, dockerCli command.Cli) credentialSetOpt {
+	return func(b *bundle.Bundle, creds map[string]string) error {
+		if _, ok := b.Credentials[internal.CredentialRegistryName]; !ok {
+			return nil
+		}
+
+		registryCreds := map[string]types.AuthConfig{}
+		if shouldPopulateRegistryCreds(parameterValues) {
+			for _, img := range b.Images {
+				named, err := reference.ParseNormalizedNamed(img.Image)
+				if err != nil {
+					return err
+				}
+				info, err := registry.ParseRepositoryInfo(named)
+				if err != nil {
+					return err
+				}
+				key := registry.GetAuthConfigKey(info.Index)
+				if _, ok := registryCreds[key]; !ok {
+					registryCreds[key] = command.ResolveAuthConfig(context.Background(), dockerCli, info.Index)
+				}
+			}
+		}
+		registryCredsJSON, err := json.Marshal(registryCreds)
+		if err != nil {
+			return err
+		}
+		creds[internal.CredentialRegistryName] = string(registryCredsJSON)
+		return nil
+	}
+}
+
 func prepareCredentialSet(b *bundle.Bundle, opts ...credentialSetOpt) (map[string]string, error) {
 	creds := map[string]string{}
 	for _, op := range opts {

internal/commands/cnab_test.go

@@ -1,9 +1,14 @@
 package commands
 
 import (
+	"encoding/json"
 	"testing"
 
+	"github.com/deislabs/duffle/pkg/bundle"
+	"github.com/docker/app/internal"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/types"
 	cliflags "github.com/docker/cli/cli/flags"
 	"gotest.tools/assert"
 )
@@ -122,3 +127,108 @@ func TestSocketPath(t *testing.T) {
 		})
 	}
 }
+
+type registryConfigMock struct {
+	command.Cli
+	configFile *configfile.ConfigFile
+}
+
+func (r *registryConfigMock) ConfigFile() *configfile.ConfigFile {
+	return r.configFile
+}
+
+func TestShareRegistryCreds(t *testing.T) {
+	cases := []struct {
+		name       string
+		shareCreds bool
+		stored     map[string]types.AuthConfig
+		expected   map[string]types.AuthConfig
+		images     map[string]bundle.Image
+	}{
+		{
+			name:       "no-share",
+			shareCreds: false,
+			stored: map[string]types.AuthConfig{
+				"my-registry.com": {
+					Username: "test",
+					Password: "test",
+				},
+			},
+			expected: map[string]types.AuthConfig{},
+			images: map[string]bundle.Image{
+				"component1": {
+					BaseImage: bundle.BaseImage{
+						Image: "my-registry.com/ns/repo:tag",
+					},
+				},
+			},
+		},
+		{
+			name:       "share",
+			shareCreds: true,
+			stored: map[string]types.AuthConfig{
+				"my-registry.com": {
+					Username: "test",
+					Password: "test",
+				},
+				"my-registry2.com": {
+					Username: "test",
+					Password: "test",
+				},
+			},
+			expected: map[string]types.AuthConfig{
+				"my-registry.com": {
+					Username: "test",
+					Password: "test",
+				}},
+			images: map[string]bundle.Image{
+				"component1": {
+					BaseImage: bundle.BaseImage{
+						Image: "my-registry.com/ns/repo:tag",
+					},
+				},
+			},
+		},
+		{
+			name:       "share-missing",
+			shareCreds: true,
+			stored: map[string]types.AuthConfig{
+				"my-registry2.com": {
+					Username: "test",
+					Password: "test",
+				},
+			},
+			expected: map[string]types.AuthConfig{
+				"my-registry.com": {}},
+			images: map[string]bundle.Image{
+				"component1": {
+					BaseImage: bundle.BaseImage{
+						Image: "my-registry.com/ns/repo:tag",
+					},
+				},
+			},
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			params := map[string]interface{}{
+				internal.ParameterShareRegistryCredsName: c.shareCreds,
+			}
+			creds, err := prepareCredentialSet(
+				&bundle.Bundle{
+					Credentials: map[string]bundle.Location{internal.CredentialRegistryName: {}},
+					Images:      c.images,
+				},
+				addNamedCredentialSets(nil),
+				addDockerCredentials("", nil),
+				addRegistryCredentials(params, &registryConfigMock{configFile: &configfile.ConfigFile{
+					AuthConfigs: c.stored,
+				}}))
+			assert.NilError(t, err)
+			var result map[string]types.AuthConfig
+			assert.NilError(t, json.Unmarshal([]byte(creds[internal.CredentialRegistryName]), &result))
+			assert.DeepEqual(t, c.expected, result)
+		})
+	}
+}

internal/commands/install.go

@@ -9,7 +9,6 @@ import (
 	"github.com/deislabs/duffle/pkg/utils/crud"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -69,9 +68,6 @@ func installCmd(dockerCli command.Cli) *cobra.Command {
 
 func runInstall(dockerCli command.Cli, appname string, opts installOptions) error {
 	defer muteDockerCli(dockerCli)()
-	if opts.sendRegistryAuth {
-		return errors.New("with-registry-auth is not supported at the moment")
-	}
 	targetContext := getTargetContext(opts.targetContext, dockerCli.CurrentContext())
 	bind, err := requiredBindMount(targetContext, opts.orchestrator, dockerCli.ContextStore())
 	if err != nil {
@@ -102,26 +98,27 @@ func runInstall(dockerCli command.Cli, appname string, opts installOptions) erro
 	if err != nil {
 		return err
 	}
-	creds, err := prepareCredentialSet(bndl,
-		addNamedCredentialSets(opts.credentialsets),
-		addDockerCredentials(targetContext, dockerCli.ContextStore()))
-	if err != nil {
-		return err
-	}
-	if err := credentials.Validate(creds, bndl.Credentials); err != nil {
-		return err
-	}
-
 	c.Bundle = bndl
 
 	c.Parameters, err = mergeBundleParameters(bndl,
 		withFileParameters(opts.parametersFiles),
 		withCommandLineParameters(opts.overrides),
 		withOrchestratorParameters(opts.orchestrator, opts.kubeNamespace),
+		withSendRegistryAuth(opts.sendRegistryAuth),
 	)
 	if err != nil {
 		return err
 	}
+	creds, err := prepareCredentialSet(bndl,
+		addNamedCredentialSets(opts.credentialsets),
+		addDockerCredentials(targetContext, dockerCli.ContextStore()),
+		addRegistryCredentials(c.Parameters, dockerCli))
+	if err != nil {
+		return err
+	}
+	if err := credentials.Validate(creds, bndl.Credentials); err != nil {
+		return err
+	}
 
 	inst := &action.Install{
 		Driver: driverImpl,

internal/commands/parameters.go

@@ -35,6 +35,19 @@ func withCommandLineParameters(overrides []string) parameterOperation {
 	}
 }
 
+func withSendRegistryAuth(sendRegistryAuth bool) parameterOperation {
+	return func(bndl *bundle.Bundle, params map[string]string) error {
+		if _, ok := bndl.Parameters[internal.ParameterShareRegistryCredsName]; ok {
+			val := "false"
+			if sendRegistryAuth {
+				val = "true"
+			}
+			params[internal.ParameterShareRegistryCredsName] = val
+		}
+		return nil
+	}
+}
+
 func withOrchestratorParameters(orchestrator string, kubeNamespace string) parameterOperation {
 	return func(bndl *bundle.Bundle, params map[string]string) error {
 		if _, ok := bndl.Parameters[internal.ParameterOrchestratorName]; ok {

internal/commands/status.go

@@ -49,7 +49,8 @@ func runStatus(dockerCli command.Cli, claimName string, opts credentialOptions)
 	}
 	creds, err := prepareCredentialSet(c.Bundle,
 		addNamedCredentialSets(opts.credentialsets),
-		addDockerCredentials(targetContext, dockerCli.ContextStore()))
+		addDockerCredentials(targetContext, dockerCli.ContextStore()),
+		addRegistryCredentials(c.Parameters, dockerCli))
 	if err != nil {
 		return err
 	}

internal/commands/uninstall.go

@@ -48,7 +48,8 @@ func runUninstall(dockerCli command.Cli, claimName string, opts credentialOption
 	}
 	creds, err := prepareCredentialSet(c.Bundle,
 		addNamedCredentialSets(opts.credentialsets),
-		addDockerCredentials(targetContext, dockerCli.ContextStore()))
+		addDockerCredentials(targetContext, dockerCli.ContextStore()),
+		addRegistryCredentials(c.Parameters, dockerCli))
 	if err != nil {
 		return err
 	}