WIP - Bug 1918376: ICSP support during Image Registry pullthrough

go.mod

@@ -12,8 +12,10 @@ require (
 	github.com/dnaeon/go-vcr v1.0.1 // indirect
 	github.com/docker/distribution v0.0.0-20180920194744-16128bbac47f
 	github.com/docker/docker v1.4.2-0.20200229013735-71373c6105e3
+	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7 // indirect
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/gorilla/context v0.0.0-20140604161150-14f550f51af5 // indirect
@@ -22,28 +24,30 @@ require (
 	github.com/hashicorp/golang-lru v0.5.3
 	github.com/imdario/mergo v0.3.8 // indirect
 	github.com/marstr/guid v1.1.1-0.20170427235115-8bdf7d1a087c // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 	github.com/ncw/swift v1.0.49 // indirect
 	github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2
 	github.com/opencontainers/image-spec v1.0.1
 	github.com/opencontainers/runc v1.0.0-rc5.0.20180920170208-00dc70017d22 // indirect
-	github.com/openshift/api v0.0.0-20200827090112-c05698d102cf
-	github.com/openshift/client-go v0.0.0-20200827190008-3062137373b5
+	github.com/openshift/api v0.0.0-20210331193751-3acddb19d360
+	github.com/openshift/client-go v0.0.0-20210331195552-cf6c2669e01f
 	github.com/openshift/library-go v0.0.0-20200921120329-c803a7b7bb2c
 	github.com/pborman/uuid v1.2.0
 	github.com/prometheus/client_golang v1.7.1
 	github.com/satori/go.uuid v1.2.1-0.20180103174451-36e9d2ebbde5 // indirect
-	github.com/sirupsen/logrus v1.6.0
-	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	github.com/sirupsen/logrus v1.7.0
+	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
 	google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8 // indirect
-	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/api v0.19.0
-	k8s.io/apimachinery v0.19.0
-	k8s.io/client-go v0.19.0
-	k8s.io/klog/v2 v2.3.0
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/api v0.21.0-rc.0
+	k8s.io/apimachinery v0.21.0-rc.0
+	k8s.io/client-go v0.21.0-rc.0
+	k8s.io/klog/v2 v2.8.0
 )
 
 replace (
 	github.com/docker/distribution => github.com/openshift/docker-distribution v0.0.0-20210209103229-0526a4ae41e1
+	github.com/openshift/library-go => github.com/sallyom/library-go v0.0.0-20210424131009-3defb0b0a5e6
 	google.golang.org/api => google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff
 )

pkg/dockerregistry/server/client/client.go

@@ -6,6 +6,7 @@ import (
 	restclient "k8s.io/client-go/rest"
 
 	imageclientv1 "github.com/openshift/client-go/image/clientset/versioned/typed/image/v1"
+	operatorclientv1alpha1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alpha1"
 	userclientv1 "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1"
 	"github.com/openshift/image-registry/pkg/origin-common/clientcmd"
 )
@@ -32,29 +33,37 @@ type Interface interface {
 	LocalSubjectAccessReviewsNamespacer
 	SelfSubjectAccessReviewsNamespacer
 	UsersInterfacer
+	ImageContentSourcePolicyInterfacer
 }
 
 type apiClient struct {
-	kube  coreclientv1.CoreV1Interface
-	auth  authclientv1.AuthorizationV1Interface
-	image imageclientv1.ImageV1Interface
-	user  userclientv1.UserV1Interface
+	kube     coreclientv1.CoreV1Interface
+	auth     authclientv1.AuthorizationV1Interface
+	image    imageclientv1.ImageV1Interface
+	user     userclientv1.UserV1Interface
+	operator operatorclientv1alpha1.OperatorV1alpha1Interface
 }
 
 func newAPIClient(
 	kc coreclientv1.CoreV1Interface,
 	authClient authclientv1.AuthorizationV1Interface,
 	imageClient imageclientv1.ImageV1Interface,
 	userClient userclientv1.UserV1Interface,
+	operatorClient operatorclientv1alpha1.OperatorV1alpha1Interface,
 ) Interface {
 	return &apiClient{
-		kube:  kc,
-		auth:  authClient,
-		image: imageClient,
-		user:  userClient,
+		kube:     kc,
+		auth:     authClient,
+		image:    imageClient,
+		user:     userClient,
+		operator: operatorClient,
 	}
 }
 
+func (c *apiClient) ImageContentSourcePolicy() operatorclientv1alpha1.ImageContentSourcePolicyInterface {
+	return c.operator.ImageContentSourcePolicies()
+}
+
 func (c *apiClient) Users() UserInterface {
 	return c.user.Users()
 }
@@ -117,6 +126,7 @@ func (c *registryClient) Client() (Interface, error) {
 		authclientv1.NewForConfigOrDie(c.kubeConfig),
 		imageclientv1.NewForConfigOrDie(c.kubeConfig),
 		userclientv1.NewForConfigOrDie(c.kubeConfig),
+		operatorclientv1alpha1.NewForConfigOrDie(c.kubeConfig),
 	), nil
 }
 

pkg/dockerregistry/server/client/interfaces.go

@@ -12,6 +12,7 @@ import (
 	authapiv1 "k8s.io/api/authorization/v1"
 
 	imageclientv1 "github.com/openshift/client-go/image/clientset/versioned/typed/image/v1"
+	operatorclientv1alpha1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alpha1"
 	userclientv1 "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1"
 
 	authclientv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
@@ -21,6 +22,10 @@ type UsersInterfacer interface {
 	Users() UserInterface
 }
 
+type ImageContentSourcePolicyInterfacer interface {
+	ImageContentSourcePolicy() operatorclientv1alpha1.ImageContentSourcePolicyInterface
+}
+
 type ImagesInterfacer interface {
 	Images() ImageInterface
 }
@@ -111,7 +116,7 @@ type ImageStreamTagInterface interface {
 var _ ImageStreamSecretInterface = imageclientv1.ImageStreamInterface(nil)
 
 type ImageStreamSecretInterface interface {
-	Secrets(ctx context.Context, imageStreamName string, options metav1.GetOptions) (*corev1.SecretList, error)
+	Secrets(ctx context.Context, imageStreamName string, options metav1.GetOptions) (*imageapiv1.SecretList, error)
 }
 
 var _ LimitRangeInterface = coreclientv1.LimitRangeInterface(nil)

pkg/dockerregistry/server/client/test.go

@@ -4,6 +4,7 @@ import (
 	coreclientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	imageclientv1 "github.com/openshift/client-go/image/clientset/versioned/typed/image/v1"
+	operatorfake "github.com/openshift/client-go/operator/clientset/versioned/fake"
 )
 
 type fakeRegistryClient struct {
@@ -20,9 +21,11 @@ func NewFakeRegistryClient(imageclient imageclientv1.ImageV1Interface) RegistryC
 }
 
 func (c *fakeRegistryClient) Client() (Interface, error) {
-	return newAPIClient(nil, nil, c.images, nil), nil
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1()
+	return newAPIClient(nil, nil, c.images, nil, icsp), nil
 }
 
 func NewFakeRegistryAPIClient(kc coreclientv1.CoreV1Interface, imageclient imageclientv1.ImageV1Interface) Interface {
-	return newAPIClient(nil, nil, imageclient, nil)
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1()
+	return newAPIClient(nil, nil, imageclient, nil, icsp)
 }

pkg/dockerregistry/server/pullthroughblobstore_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/opencontainers/go-digest"
 
 	imageapiv1 "github.com/openshift/api/image/v1"
+	operatorfake "github.com/openshift/client-go/operator/clientset/versioned/fake"
 	"github.com/openshift/library-go/pkg/image/registryclient"
 
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
@@ -33,6 +34,7 @@ import (
 )
 
 func TestPullthroughServeBlob(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	ctx := context.Background()
 	ctx = testutil.WithTestLogger(ctx, t)
 
@@ -168,6 +170,7 @@ func TestPullthroughServeBlob(t *testing.T) {
 			imageStream.GetSecrets,
 			cache,
 			metrics.NewNoopMetrics(),
+			icsp,
 		)
 
 		ptbs := &pullthroughBlobStore{
@@ -327,6 +330,7 @@ func TestPullthroughServeNotSeekableBlob(t *testing.T) {
 }
 
 func TestPullthroughServeBlobInsecure(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "user"
 	repo1 := "app1"
 	repo2 := "app2"
@@ -603,6 +607,7 @@ func TestPullthroughServeBlobInsecure(t *testing.T) {
 				imageStream.GetSecrets,
 				cache,
 				metrics.NewNoopMetrics(),
+				icsp,
 			)
 
 			ptbs := &pullthroughBlobStore{
@@ -669,6 +674,7 @@ func TestPullthroughServeBlobInsecure(t *testing.T) {
 }
 
 func TestPullthroughMetrics(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	ctx := context.Background()
 	ctx = testutil.WithTestLogger(ctx, t)
 
@@ -728,6 +734,7 @@ func TestPullthroughMetrics(t *testing.T) {
 		imageStream.GetSecrets,
 		cache,
 		metrics.NewMetrics(sink),
+		icsp,
 	)
 
 	ptbs := &pullthroughBlobStore{

pkg/dockerregistry/server/pullthroughmanifestservice.go

@@ -8,6 +8,8 @@ import (
 	dcontext "github.com/docker/distribution/context"
 	"github.com/opencontainers/go-digest"
 
+	operatorv1alpha1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alpha1"
+
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/metrics"
 	"github.com/openshift/image-registry/pkg/errors"
@@ -27,6 +29,7 @@ type pullthroughManifestService struct {
 	mirror                  bool
 	registryAddr            string
 	metrics                 metrics.Pullthrough
+	icsp                    operatorv1alpha1.ImageContentSourcePolicyInterface
 }
 
 var _ distribution.ManifestService = &pullthroughManifestService{}
@@ -112,12 +115,13 @@ func (m *pullthroughManifestService) mirrorManifest(ctx context.Context, manifes
 }
 
 func (m *pullthroughManifestService) getRemoteRepositoryClient(ctx context.Context, ref *imageapi.DockerImageReference, dgst digest.Digest, options ...distribution.ManifestServiceOption) (distribution.Repository, error) {
+	dcontext.GetLogger(ctx).Info("(*pullthroughManifestService).getRemoteRepositoryClient")
 	secrets, err := m.imageStream.GetSecrets()
 	if err != nil {
 		dcontext.GetLogger(ctx).Errorf("error getting secrets: %v", err)
 	}
 
-	retriever, impErr := getImportContext(ctx, ref, secrets, m.metrics)
+	retriever, impErr := getImportContext(ctx, ref, secrets, m.metrics, m.icsp)
 	if impErr != nil {
 		return nil, impErr
 	}

pkg/dockerregistry/server/pullthroughmanifestservice_test.go

@@ -18,6 +18,7 @@ import (
 	"github.com/opencontainers/go-digest"
 
 	imageapiv1 "github.com/openshift/api/image/v1"
+	operatorfake "github.com/openshift/client-go/operator/clientset/versioned/fake"
 
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
 	registryclient "github.com/openshift/image-registry/pkg/dockerregistry/server/client"
@@ -54,6 +55,7 @@ func createTestRegistryServer(t *testing.T, ctx context.Context) *httptest.Serve
 }
 
 func TestPullthroughManifests(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "fuser"
 	repo := "zapp"
 	repoName := fmt.Sprintf("%s/%s", namespace, repo)
@@ -187,6 +189,7 @@ func TestPullthroughManifests(t *testing.T) {
 			cache:           cache,
 			registryAddr:    "localhost:5000",
 			metrics:         metrics.NewNoopMetrics(),
+			icsp:            icsp,
 		}
 
 		manifestResult, err := ptms.Get(ctx, tc.manifestDigest)
@@ -225,6 +228,7 @@ func TestPullthroughManifests(t *testing.T) {
 }
 
 func TestPullthroughManifestInsecure(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "fuser"
 	repo := "zapp"
 	repoName := fmt.Sprintf("%s/%s", namespace, repo)
@@ -428,6 +432,7 @@ func TestPullthroughManifestInsecure(t *testing.T) {
 				imageStream:     imageStream,
 				cache:           cache,
 				metrics:         metrics.NewNoopMetrics(),
+				icsp:            icsp,
 			}
 
 			manifestResult, err := ptms.Get(ctx, tc.manifestDigest)
@@ -468,6 +473,7 @@ func TestPullthroughManifestInsecure(t *testing.T) {
 }
 
 func TestPullthroughManifestDockerReference(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "user"
 	repo1 := "repo1"
 	repo2 := "repo2"
@@ -567,6 +573,7 @@ func TestPullthroughManifestDockerReference(t *testing.T) {
 			ManifestService: newTestManifestService(tc.repoName, nil),
 			imageStream:     imageStream,
 			metrics:         metrics.NewNoopMetrics(),
+			icsp:            icsp,
 		}
 
 		ptms.Get(ctx, digest.Digest(img.Name))
@@ -661,6 +668,7 @@ func (ms *putWaiterManifestService) Put(ctx context.Context, manifest distributi
 }
 
 func TestPullthroughManifestMirroring(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	const timeout = 5 * time.Second
 
 	namespace := "myproject"
@@ -725,6 +733,7 @@ func TestPullthroughManifestMirroring(t *testing.T) {
 		imageStream:             imageStream,
 		mirror:                  true,
 		metrics:                 metrics.NewNoopMetrics(),
+		icsp:                    icsp,
 	}
 
 	_, err = ptms.Get(ctx, digest.Digest(img.Name))
@@ -740,6 +749,7 @@ func TestPullthroughManifestMirroring(t *testing.T) {
 }
 
 func TestPullthroughManifestMetrics(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "myproject"
 	repo := "myapp"
 	repoName := fmt.Sprintf("%s/%s", namespace, repo)
@@ -801,6 +811,7 @@ func TestPullthroughManifestMetrics(t *testing.T) {
 		newLocalManifestService: func(ctx context.Context) (distribution.ManifestService, error) { return ms, nil },
 		imageStream:             imageStream,
 		metrics:                 metrics.NewMetrics(sink),
+		icsp:                    icsp,
 	}
 
 	_, err = ptms.Get(ctx, digest.Digest(img.Name))

pkg/dockerregistry/server/remoteblobgetter.go

@@ -11,6 +11,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 
+	operatorv1alpha1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alpha1"
 	"github.com/openshift/library-go/pkg/image/registryclient"
 
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
@@ -68,6 +69,7 @@ type remoteBlobGetterService struct {
 	cache         cache.RepositoryDigest
 	digestToStore *digestBlobStoreCache
 	metrics       metrics.Pullthrough
+	icsp          operatorv1alpha1.ImageContentSourcePolicyInterface
 }
 
 var _ BlobGetterService = &remoteBlobGetterService{}
@@ -79,13 +81,15 @@ func NewBlobGetterService(
 	secretsGetter secretsGetter,
 	cache cache.RepositoryDigest,
 	m metrics.Pullthrough,
+	icsp operatorv1alpha1.ImageContentSourcePolicyInterface,
 ) BlobGetterService {
 	return &remoteBlobGetterService{
 		imageStream:   imageStream,
 		getSecrets:    secretsGetter,
 		cache:         cache,
 		digestToStore: newDigestBlobStoreCache(m),
 		metrics:       m,
+		icsp:          icsp,
 	}
 }
 
@@ -272,7 +276,7 @@ func (rbgs *remoteBlobGetterService) findCandidateRepository(
 			continue
 		}
 
-		retriever, impErr := getImportContext(ctx, spec.DockerImageReference, secrets, rbgs.metrics)
+		retriever, impErr := getImportContext(ctx, spec.DockerImageReference, secrets, rbgs.metrics, rbgs.icsp)
 		if impErr != nil {
 			return distribution.Descriptor{}, nil, impErr
 		}
@@ -293,7 +297,7 @@ func (rbgs *remoteBlobGetterService) findCandidateRepository(
 			continue
 		}
 
-		retriever, impErr := getImportContext(ctx, spec.DockerImageReference, secrets, rbgs.metrics)
+		retriever, impErr := getImportContext(ctx, spec.DockerImageReference, secrets, rbgs.metrics, rbgs.icsp)
 		if impErr != nil {
 			return distribution.Descriptor{}, nil, impErr
 		}