support dockerconfigjson secret for oci registry authentication (#202)

* add AuthSecretSelector
refactor descriptor parse to support different auth keychain

* add test for private registry

* make lint happy

* change CredSecretSelector to imagespec

* add cred secret support to config image

* remove AuthSecretSelector

* remove OCIRegistryCred as a fixed secret label selector

* upgrade k8s.io/* package to the same version

* downgrade k8s.io/* package due to controller-runtime breaking changes

* upgrade controller-runtime to latest v0.14.1

* resolve lint

* add todo

* refactor how to apply options

Author: ruanxin

api/v1alpha1/zz_generated.deepcopy.go

@@ -45,6 +45,54 @@ spec:
               config:
                 description: Config specifies OCI image configuration for Manifest
                 properties:
+                  credSecretSelector:
+                    description: CredSecretSelector is on optional field, for OCI
+                      image saved in private registry, use it to indicate the secret
+                      which contains registry credentials, must exist in the namespace
+                      same as manifest
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector
+                          requirements. The requirements are ANDed.
+                        items:
+                          description: A label selector requirement is a selector
+                            that contains values, a key, and an operator that relates
+                            the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector
+                                applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship
+                                to a set of values. Valid operators are In, NotIn,
+                                Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If
+                                the operator is In or NotIn, the values array must
+                                be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced
+                                during a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - key
+                          - operator
+                          type: object
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: matchLabels is a map of {key,value} pairs. A
+                          single {key,value} in the matchLabels map is equivalent
+                          to an element of matchExpressions, whose key field is "key",
+                          the operator is "In", and the values array contains only
+                          "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                    x-kubernetes-map-type: atomic
                   name:
                     description: Name defines the Image name
                     type: string
@@ -66,6 +114,54 @@ spec:
               crds:
                 description: CRDs specifies the custom resource definitions' ImageSpec
                 properties:
+                  credSecretSelector:
+                    description: CredSecretSelector is on optional field, for OCI
+                      image saved in private registry, use it to indicate the secret
+                      which contains registry credentials, must exist in the namespace
+                      same as manifest
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector
+                          requirements. The requirements are ANDed.
+                        items:
+                          description: A label selector requirement is a selector
+                            that contains values, a key, and an operator that relates
+                            the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector
+                                applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship
+                                to a set of values. Valid operators are In, NotIn,
+                                Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If
+                                the operator is In or NotIn, the values array must
+                                be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced
+                                during a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - key
+                          - operator
+                          type: object
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: matchLabels is a map of {key,value} pairs. A
+                          single {key,value} in the matchLabels map is equivalent
+                          to an element of matchExpressions, whose key field is "key",
+                          the operator is "In", and the values array contains only
+                          "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                    x-kubernetes-map-type: atomic
                   name:
                     description: Name defines the Image name
                     type: string

config/crd/bases/operator.kyma-project.io_manifests.yaml

@@ -106,7 +106,20 @@ func PushToRemoteOCIRegistry(layerName string, ociLayerType OCILayerType) {
 	Expect(gotHash).To(Equal(digest))
 }
 
-func createImageSpec(name, repo string, ociLayerType OCILayerType) manifestTypes.ImageSpec {
+func createOCIImageSpecWithCredSelect(name, repo, digest string,
+	credSecretSelector metav1.LabelSelector,
+) manifestTypes.ImageSpec {
+	imageSpec := manifestTypes.ImageSpec{
+		Name:               name,
+		Repo:               repo,
+		Type:               "oci-ref",
+		Ref:                digest,
+		CredSecretSelector: &credSecretSelector,
+	}
+	return imageSpec
+}
+
+func createOCIImageSpec(name, repo string, ociLayerType OCILayerType) manifestTypes.ImageSpec {
 	imageSpec := manifestTypes.ImageSpec{
 		Name: name,
 		Repo: repo,

controllers/manifest_controller_helper_test.go

@@ -145,8 +145,7 @@ var _ = Describe("Given manifest with OCI specs", Ordered, func() {
 		Entry("When Manifest CR contains an invalid install OCI image specification, "+
 			"expect state in error and no helmClient cache exit",
 			withInvalidInstallImageSpec(false),
-			expectManifestStateIn(v1alpha1.ManifestStateError), expectHelmClientCacheExist(false),
-		),
+			expectManifestStateIn(v1alpha1.ManifestStateError), expectHelmClientCacheExist(false)),
 	)
 })
 
@@ -185,7 +184,7 @@ var _ = Describe("Test multiple Manifest CRs with same parent and OCI spec", Ord
 		manifestWithInstall := NewTestManifest("multi-oci1")
 		Eventually(withValidInstallImageSpec(installName, false), standardTimeout, standardInterval).
 			WithArguments(manifestWithInstall).Should(Succeed())
-		validImageSpec := createImageSpec(installName, server.Listener.Addr().String(), layerInstalls)
+		validImageSpec := createOCIImageSpec(installName, server.Listener.Addr().String(), layerInstalls)
 		Eventually(expectHelmClientCacheExist(true), standardTimeout, standardInterval).
 			WithArguments(manifestWithInstall.GetLabels()[labels.ComponentOwner]).Should(BeTrue())
 		// this will ensure only manifest.yaml remains
@@ -218,7 +217,7 @@ func skipExpect() func() bool {
 
 func withInvalidInstallImageSpec(remote bool) func(manifest *v1alpha1.Manifest) error {
 	return func(manifest *v1alpha1.Manifest) error {
-		invalidImageSpec := createImageSpec("invalid-image-spec", "domain.invalid", layerInstalls)
+		invalidImageSpec := createOCIImageSpec("invalid-image-spec", "domain.invalid", layerInstalls)
 		imageSpecByte, err := json.Marshal(invalidImageSpec)
 		Expect(err).ToNot(HaveOccurred())
 		return installManifest(manifest, imageSpecByte, types.ImageSpec{}, remote)
@@ -227,7 +226,7 @@ func withInvalidInstallImageSpec(remote bool) func(manifest *v1alpha1.Manifest)
 
 func withValidInstallImageSpec(name string, remote bool) func(manifest *v1alpha1.Manifest) error {
 	return func(manifest *v1alpha1.Manifest) error {
-		validImageSpec := createImageSpec(name, server.Listener.Addr().String(), layerInstalls)
+		validImageSpec := createOCIImageSpec(name, server.Listener.Addr().String(), layerInstalls)
 		imageSpecByte, err := json.Marshal(validImageSpec)
 		Expect(err).ToNot(HaveOccurred())
 		return installManifest(manifest, imageSpecByte, types.ImageSpec{}, remote)
@@ -244,11 +243,11 @@ func withValidInstallAndCRDsImageSpec(installName,
 	crdName string, remote bool,
 ) func(manifest *v1alpha1.Manifest) error {
 	return func(manifest *v1alpha1.Manifest) error {
-		validInstallImageSpec := createImageSpec(installName, server.Listener.Addr().String(), layerInstalls)
+		validInstallImageSpec := createOCIImageSpec(installName, server.Listener.Addr().String(), layerInstalls)
 		installSpecByte, err := json.Marshal(validInstallImageSpec)
 		Expect(err).ToNot(HaveOccurred())
 
-		validCRDsImageSpec := createImageSpec(crdName, server.Listener.Addr().String(), layerCRDs)
+		validCRDsImageSpec := createOCIImageSpec(crdName, server.Listener.Addr().String(), layerCRDs)
 		return installManifest(manifest, installSpecByte, validCRDsImageSpec, remote)
 	}
 }

controllers/manifest_controller_test.go

@@ -0,0 +1,64 @@
+package controllers_test
+
+import (
+	"os"
+
+	"github.com/kyma-project/module-manager/internal/pkg/prepare"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
+)
+
+var _ = Describe("test authnKeyChain", func() {
+	It("should fetch authnKeyChain from secret correctly", func() {
+		By("install secret")
+		installCredSecret()
+		const repo = "test.registry.io"
+		imageSpecWithCredSelect := createOCIImageSpecWithCredSelect("imageName",
+			repo, "digest",
+			credSecretLabel())
+		keychain, err := prepare.GetAuthnKeychain(ctx, imageSpecWithCredSelect, k8sClient, metav1.NamespaceDefault)
+		Expect(err).ToNot(HaveOccurred())
+		dig := &TestRegistry{target: repo, registry: repo}
+		authenticator, err := keychain.Resolve(dig)
+		Expect(err).ToNot(HaveOccurred())
+		authConfig, err := authenticator.Authorization()
+		Expect(err).ToNot(HaveOccurred())
+		Expect(authConfig.Username).To(Equal("test_user"))
+		Expect(authConfig.Password).To(Equal("test_pass"))
+	})
+})
+
+type TestRegistry struct {
+	target   string
+	registry string
+}
+
+func (d TestRegistry) String() string {
+	return d.target
+}
+
+func (d TestRegistry) RegistryStr() string {
+	return d.registry
+}
+
+func installCredSecret() {
+	secret := &corev1.Secret{}
+	secretFile, err := os.ReadFile("../pkg/test_samples/auth_secret.yaml")
+	Expect(err).ToNot(HaveOccurred())
+	err = yaml.Unmarshal(secretFile, secret)
+	Expect(err).ToNot(HaveOccurred())
+	err = k8sClient.Create(ctx, secret)
+	Expect(err).ToNot(HaveOccurred())
+	err = k8sClient.Get(ctx, client.ObjectKeyFromObject(secret), &corev1.Secret{})
+	Eventually(err, standardTimeout, standardInterval).Should(Succeed())
+}
+
+func credSecretLabel() metav1.LabelSelector {
+	return metav1.LabelSelector{
+		MatchLabels: map[string]string{"operator.kyma-project.io/oci-registry-cred": "test-operator"},
+	}
+}