Unverified Commit 4c490e84 authored by Sebastiaan van Steenis's avatar Sebastiaan van Steenis Committed by GitHub

Merge pull request #2659 from ibrokethecloud/ecr-helper

Changed credentialHelper to ECRCredentialHelper
parents 92a381bd da26a5ab
......@@ -54,11 +54,6 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
return err
}
// validate registry credential plugin
if err := validateRegistryAuthPlugin(c); err != nil {
return err
}
// validate services options
return validateServicesOptions(c)
}
......@@ -654,19 +649,3 @@ func validateCRIDockerdOption(c *Cluster) error {
}
return nil
}
func validateRegistryAuthPlugin(c *Cluster) error {
for _, pr := range c.PrivateRegistriesMap {
if len(pr.CredentialPlugin) != 0 {
if credPluginType, ok := pr.CredentialPlugin["type"]; ok {
switch credPluginType {
case "ecr":
logrus.Debugf("Plugin type %s is valid", credPluginType)
default:
return fmt.Errorf("invalid registry plugin helper provided for %s", pr.URL)
}
}
}
}
return nil
}
......@@ -9467,7 +9467,7 @@
],
"type": "array"
},
"disable-api-server": {
"disable-apiserver": {
"default": false,
"type": "boolean"
},
......@@ -672,18 +672,10 @@ func tryRegistryAuth(pr v3.PrivateRegistry) types.RequestPrivilegeFunc {
func getRegistryAuth(pr v3.PrivateRegistry) (string, error) {
var authConfig types.AuthConfig
var err error
if len(pr.User) == 0 && len(pr.Password) == 0 && len(pr.CredentialPlugin) != 0 {
if regType, ok := pr.CredentialPlugin["type"]; ok {
switch regType {
case "ecr":
// generate ecr authConfig
authConfig, err = util.ECRCredentialPlugin(pr.CredentialPlugin, pr.URL)
if err != nil {
return "", err
}
default:
return "", fmt.Errorf("Unsupported Credential Plugin")
}
if len(pr.User) == 0 && len(pr.Password) == 0 && pr.ECRCredentialPlugin != nil {
authConfig, err = util.ECRCredentialPlugin(pr.ECRCredentialPlugin, pr.URL)
if err != nil {
return "", err
}
} else {
authConfig = types.AuthConfig{
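Review bot: The new `if` condition consults `pr.ECRCredentialPlugin` only when both `pr.User` and `pr.Password` are empty, so a registry that carries static credentials and an ECR plugin silently takes the basic-auth branch here, while the `GetKubeletDockerConfig` hunk below selects `ecr-login` whenever `pr.ECRCredentialPlugin != nil` without looking at user/password; the two paths would hand different credentials to the same registry. Because the commit also drops `validateRegistryAuthPlugin`, nothing surfaces that conflicting configuration up front. Consider rejecting it explicitly, e.g. `if pr.ECRCredentialPlugin != nil && (len(pr.User) != 0 || len(pr.Password) != 0) { return "", fmt.Errorf("registry %s: ecr_credential_plugin cannot be combined with user/password", pr.URL) }`, or applying the same precedence rule in the kubelet branch. getRegistryAuth continues past the end of the hunk.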
......@@ -761,12 +753,8 @@ func GetKubeletDockerConfig(prsMap map[string]v3.PrivateRegistry) (string, error
auths := map[string]authConfig{}
credHelper := make(map[string]string)
for url, pr := range prsMap {
if len(pr.CredentialPlugin) != 0 {
if credPluginType, ok := pr.CredentialPlugin["type"]; ok {
if credPluginType == "ecr" {
credHelper[pr.URL] = "ecr-login"
}
}
if pr.ECRCredentialPlugin != nil {
credHelper[pr.URL] = "ecr-login"
} else {
auth := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", pr.User, pr.Password)))
auths[url] = authConfig{Auth: auth}
......@@ -110,8 +110,8 @@ type PrivateRegistry struct {
Password string `yaml:"password" json:"password,omitempty" norman:"type=password"`
// Default registry
IsDefault bool `yaml:"is_default" json:"isDefault,omitempty"`
// CredentialPlugin
CredentialPlugin map[string]string `yaml:"credentialPlugin" json:"credentialPlugin,omitempty"`
// ECRCredentialPlugin
ECRCredentialPlugin *ECRCredentialPlugin `yaml:"ecr_credential_plugin" json:"ecrCredentialPlugin,omitempty"`
}
type RKESystemImages struct {
......@@ -1011,3 +1011,9 @@ type NodeDrainInput struct {
// Time to wait (in seconds) before giving up for one try
Timeout int `yaml:"timeout" json:"timeout" norman:"min=1,max=10800,default=120"`
}
type ECRCredentialPlugin struct {
AwsAccessKeyID string `yaml:"aws_access_key_id" json:"awsAccessKeyId,omitempty"`
AwsSecretAccessKey string `yaml:"aws_secret_access_key" json:"awsSecretAccessKey,omitempty"`
AwsSessionToken string `yaml:"aws_session_token" json:"awsAccessToken,omitempty"`
}
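Review bot: The json tag on the `AwsSessionToken` field reads `awsAccessToken`, which matches neither the field name nor its yaml tag `aws_session_token`; the tag should be `awsSessionToken,omitempty` so API clients do not have to guess which token the field holds. Two of the three fields are secrets, yet unlike `Password` on `PrivateRegistry` in the hunk above they carry no `norman:"type=password"` tag — if that tag is what marks a field as sensitive for the API layer, `AwsSecretAccessKey` and `AwsSessionToken` presumably need it too. The new exported type also has no doc comment; a one-liner such as `// ECRCredentialPlugin holds optional static AWS credentials used to obtain an ECR registry token; when the keys are empty the AWS SDK's default credential chain is used instead.` would document the contract the util package implements.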
......@@ -554,6 +554,22 @@ func (in *DiskVsphereOpts) DeepCopy() *DiskVsphereOpts {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ECRCredentialPlugin) DeepCopyInto(out *ECRCredentialPlugin) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ECRCredentialPlugin.
func (in *ECRCredentialPlugin) DeepCopy() *ECRCredentialPlugin {
if in == nil {
return nil
}
out := new(ECRCredentialPlugin)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ETCDService) DeepCopyInto(out *ETCDService) {
*out = *in
......@@ -1354,12 +1370,10 @@ func (in *PortCheck) DeepCopy() *PortCheck {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PrivateRegistry) DeepCopyInto(out *PrivateRegistry) {
*out = *in
if in.CredentialPlugin != nil {
in, out := &in.CredentialPlugin, &out.CredentialPlugin
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
if in.ECRCredentialPlugin != nil {
in, out := &in.ECRCredentialPlugin, &out.ECRCredentialPlugin
*out = new(ECRCredentialPlugin)
**out = **in
}
return
}
......@@ -6,11 +6,14 @@ import (
"regexp"
"strings"
"github.com/sirupsen/logrus"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ecr"
"github.com/docker/docker/api/types"
v3 "github.com/rancher/rke/types"
)
const proxyEndpointScheme = "https://"
......@@ -18,7 +21,13 @@ const proxyEndpointScheme = "https://"
var ecrPattern = regexp.MustCompile(`(^[a-zA-Z0-9][a-zA-Z0-9-_]*)\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.amazonaws\.com(\.cn)?`)
// ECRCredentialPlugin is a wrapper to generate ECR token using the AWS Credentials
func ECRCredentialPlugin(plugin map[string]string, pr string) (authConfig types.AuthConfig, err error) {
func ECRCredentialPlugin(plugin *v3.ECRCredentialPlugin, pr string) (authConfig types.AuthConfig, err error) {
if plugin == nil {
err = fmt.Errorf("ECRCredentialPlugin: ECRCredentialPlugin called with nil plugin data")
return authConfig, err
}
logrus.Tracef("ECRCredentialPlugin: ECRCredentialPlugin called with plugin [%v] and pr [%s]", plugin, pr)
if strings.HasPrefix(pr, proxyEndpointScheme) {
pr = strings.TrimPrefix(pr, proxyEndpointScheme)
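Review bot: The `logrus.Tracef` call formats `plugin [%v]`, and now that `plugin` is a `*v3.ECRCredentialPlugin` the printed value is the whole struct, including `AwsSecretAccessKey` and `AwsSessionToken`, so enabling trace logging writes the registry's AWS secrets to the log. Log only non-sensitive facts, e.g. `logrus.Tracef("ECRCredentialPlugin: ECRCredentialPlugin called with pr [%s], static AWS keys set [%t]", pr, plugin.AwsAccessKeyID != "")`. The old `map[string]string` argument had the same exposure, but the typed struct makes the redaction straightforward here. ECRCredentialPlugin's body continues past the end of the hunk.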
......@@ -34,17 +43,16 @@ func ECRCredentialPlugin(plugin map[string]string, pr string) (authConfig types.
Region: aws.String(matches[3]),
}
logrus.Debugf("ECRCredentialPlugin: Setting Region to [%s]", matches[3])
var sess *session.Session
awsAccessKeyID, accessKeyOK := plugin["aws_access_key_id"]
awsSecretAccessKey, secretKeyOK := plugin["aws_secret_access_key"]
// Use predefined keys and override env lookup if keys are present //
if accessKeyOK && secretKeyOK {
// if session token doesnt exist just pass empty string
awsSessionToken := plugin["aws_session_token"]
config.Credentials = credentials.NewStaticCredentials(awsAccessKeyID, awsSecretAccessKey, awsSessionToken)
if plugin.AwsAccessKeyID != "" && plugin.AwsSecretAccessKey != "" {
// if session token doesn't exist just pass empty string
config.Credentials = credentials.NewStaticCredentials(plugin.AwsAccessKeyID, plugin.AwsSecretAccessKey, plugin.AwsSessionToken)
sess, err = session.NewSession(config)
} else {
logrus.Debug("ECRCredentialPlugin: aws_access_key_id and aws_secret_access_key keys not in plugin, using IAM role or env variables")
sess, err = session.NewSessionWithOptions(session.Options{
Config: *config,
SharedConfigState: session.SharedConfigEnable,
......@@ -52,6 +60,7 @@ func ECRCredentialPlugin(plugin map[string]string, pr string) (authConfig types.
}
if err != nil {
logrus.Trace("ECRCredentialPlugin: Error found while constructing auth session, returning authConfig")
return authConfig, err
}