Bug 1918376: ICSP support during Image Registry pullthrough

Makefile

@@ -10,6 +10,7 @@
 
 OUT_DIR = _output
 OS_OUTPUT_GOPATH ?= 1
+TESTFLAGS ?= -mod vendor
 
 export GOFLAGS
 export TESTFLAGS

pkg/dockerregistry/server/client/client.go

@@ -6,6 +6,7 @@ import (
 	restclient "k8s.io/client-go/rest"
 
 	imageclientv1 "github.com/openshift/client-go/image/clientset/versioned/typed/image/v1"
+	operatorclientv1alpha1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alpha1"
 	userclientv1 "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1"
 	"github.com/openshift/image-registry/pkg/origin-common/clientcmd"
 )
@@ -32,29 +33,37 @@ type Interface interface {
 	LocalSubjectAccessReviewsNamespacer
 	SelfSubjectAccessReviewsNamespacer
 	UsersInterfacer
+	ImageContentSourcePolicyInterfacer
 }
 
 type apiClient struct {
-	kube  coreclientv1.CoreV1Interface
-	auth  authclientv1.AuthorizationV1Interface
-	image imageclientv1.ImageV1Interface
-	user  userclientv1.UserV1Interface
+	kube     coreclientv1.CoreV1Interface
+	auth     authclientv1.AuthorizationV1Interface
+	image    imageclientv1.ImageV1Interface
+	user     userclientv1.UserV1Interface
+	operator operatorclientv1alpha1.OperatorV1alpha1Interface
 }
 
 func newAPIClient(
 	kc coreclientv1.CoreV1Interface,
 	authClient authclientv1.AuthorizationV1Interface,
 	imageClient imageclientv1.ImageV1Interface,
 	userClient userclientv1.UserV1Interface,
+	operatorClient operatorclientv1alpha1.OperatorV1alpha1Interface,
 ) Interface {
 	return &apiClient{
-		kube:  kc,
-		auth:  authClient,
-		image: imageClient,
-		user:  userClient,
+		kube:     kc,
+		auth:     authClient,
+		image:    imageClient,
+		user:     userClient,
+		operator: operatorClient,
 	}
 }
 
+func (c *apiClient) ImageContentSourcePolicy() operatorclientv1alpha1.ImageContentSourcePolicyInterface {
+	return c.operator.ImageContentSourcePolicies()
+}
+
 func (c *apiClient) Users() UserInterface {
 	return c.user.Users()
 }
@@ -117,6 +126,7 @@ func (c *registryClient) Client() (Interface, error) {
 		authclientv1.NewForConfigOrDie(c.kubeConfig),
 		imageclientv1.NewForConfigOrDie(c.kubeConfig),
 		userclientv1.NewForConfigOrDie(c.kubeConfig),
+		operatorclientv1alpha1.NewForConfigOrDie(c.kubeConfig),
 	), nil
 }
 

pkg/dockerregistry/server/client/interfaces.go

@@ -12,6 +12,7 @@ import (
 	authapiv1 "k8s.io/api/authorization/v1"
 
 	imageclientv1 "github.com/openshift/client-go/image/clientset/versioned/typed/image/v1"
+	operatorclientv1alpha1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alpha1"
 	userclientv1 "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1"
 
 	authclientv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
@@ -21,6 +22,10 @@ type UsersInterfacer interface {
 	Users() UserInterface
 }
 
+type ImageContentSourcePolicyInterfacer interface {
+	ImageContentSourcePolicy() operatorclientv1alpha1.ImageContentSourcePolicyInterface
+}
+
 type ImagesInterfacer interface {
 	Images() ImageInterface
 }

pkg/dockerregistry/server/client/test.go

@@ -4,6 +4,7 @@ import (
 	coreclientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	imageclientv1 "github.com/openshift/client-go/image/clientset/versioned/typed/image/v1"
+	operatorfake "github.com/openshift/client-go/operator/clientset/versioned/fake"
 )
 
 type fakeRegistryClient struct {
@@ -20,9 +21,11 @@ func NewFakeRegistryClient(imageclient imageclientv1.ImageV1Interface) RegistryC
 }
 
 func (c *fakeRegistryClient) Client() (Interface, error) {
-	return newAPIClient(nil, nil, c.images, nil), nil
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1()
+	return newAPIClient(nil, nil, c.images, nil, icsp), nil
 }
 
 func NewFakeRegistryAPIClient(kc coreclientv1.CoreV1Interface, imageclient imageclientv1.ImageV1Interface) Interface {
-	return newAPIClient(nil, nil, imageclient, nil)
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1()
+	return newAPIClient(nil, nil, imageclient, nil, icsp)
 }

pkg/dockerregistry/server/pullthroughblobstore_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/opencontainers/go-digest"
 
 	imageapiv1 "github.com/openshift/api/image/v1"
+	operatorfake "github.com/openshift/client-go/operator/clientset/versioned/fake"
 	"github.com/openshift/library-go/pkg/image/registryclient"
 
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
@@ -33,6 +34,7 @@ import (
 )
 
 func TestPullthroughServeBlob(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	ctx := context.Background()
 	ctx = testutil.WithTestLogger(ctx, t)
 
@@ -168,6 +170,7 @@ func TestPullthroughServeBlob(t *testing.T) {
 			imageStream.GetSecrets,
 			cache,
 			metrics.NewNoopMetrics(),
+			icsp,
 		)
 
 		ptbs := &pullthroughBlobStore{
@@ -327,6 +330,7 @@ func TestPullthroughServeNotSeekableBlob(t *testing.T) {
 }
 
 func TestPullthroughServeBlobInsecure(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "user"
 	repo1 := "app1"
 	repo2 := "app2"
@@ -603,6 +607,7 @@ func TestPullthroughServeBlobInsecure(t *testing.T) {
 				imageStream.GetSecrets,
 				cache,
 				metrics.NewNoopMetrics(),
+				icsp,
 			)
 
 			ptbs := &pullthroughBlobStore{
@@ -669,6 +674,7 @@ func TestPullthroughServeBlobInsecure(t *testing.T) {
 }
 
 func TestPullthroughMetrics(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	ctx := context.Background()
 	ctx = testutil.WithTestLogger(ctx, t)
 
@@ -728,6 +734,7 @@ func TestPullthroughMetrics(t *testing.T) {
 		imageStream.GetSecrets,
 		cache,
 		metrics.NewMetrics(sink),
+		icsp,
 	)
 
 	ptbs := &pullthroughBlobStore{

pkg/dockerregistry/server/pullthroughmanifestservice.go

@@ -8,6 +8,8 @@ import (
 	dcontext "github.com/docker/distribution/context"
 	"github.com/opencontainers/go-digest"
 
+	operatorv1alpha1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alpha1"
+
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/metrics"
 	"github.com/openshift/image-registry/pkg/errors"
@@ -27,6 +29,7 @@ type pullthroughManifestService struct {
 	mirror                  bool
 	registryAddr            string
 	metrics                 metrics.Pullthrough
+	icsp                    operatorv1alpha1.ImageContentSourcePolicyInterface
 }
 
 var _ distribution.ManifestService = &pullthroughManifestService{}
@@ -112,12 +115,13 @@ func (m *pullthroughManifestService) mirrorManifest(ctx context.Context, manifes
 }
 
 func (m *pullthroughManifestService) getRemoteRepositoryClient(ctx context.Context, ref *imageapi.DockerImageReference, dgst digest.Digest, options ...distribution.ManifestServiceOption) (distribution.Repository, error) {
+	dcontext.GetLogger(ctx).Debug("(*pullthroughManifestService).getRemoteRepositoryClient")
 	secrets, err := m.imageStream.GetSecrets()
 	if err != nil {
 		dcontext.GetLogger(ctx).Errorf("error getting secrets: %v", err)
 	}
 
-	retriever, impErr := getImportContext(ctx, ref, secrets, m.metrics)
+	retriever, impErr := getImportContext(ctx, ref, secrets, m.metrics, m.icsp)
 	if impErr != nil {
 		return nil, impErr
 	}

pkg/dockerregistry/server/pullthroughmanifestservice_test.go

@@ -18,6 +18,7 @@ import (
 	"github.com/opencontainers/go-digest"
 
 	imageapiv1 "github.com/openshift/api/image/v1"
+	operatorfake "github.com/openshift/client-go/operator/clientset/versioned/fake"
 
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
 	registryclient "github.com/openshift/image-registry/pkg/dockerregistry/server/client"
@@ -54,6 +55,7 @@ func createTestRegistryServer(t *testing.T, ctx context.Context) *httptest.Serve
 }
 
 func TestPullthroughManifests(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "fuser"
 	repo := "zapp"
 	repoName := fmt.Sprintf("%s/%s", namespace, repo)
@@ -187,6 +189,7 @@ func TestPullthroughManifests(t *testing.T) {
 			cache:           cache,
 			registryAddr:    "localhost:5000",
 			metrics:         metrics.NewNoopMetrics(),
+			icsp:            icsp,
 		}
 
 		manifestResult, err := ptms.Get(ctx, tc.manifestDigest)
@@ -225,6 +228,7 @@ func TestPullthroughManifests(t *testing.T) {
 }
 
 func TestPullthroughManifestInsecure(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "fuser"
 	repo := "zapp"
 	repoName := fmt.Sprintf("%s/%s", namespace, repo)
@@ -428,6 +432,7 @@ func TestPullthroughManifestInsecure(t *testing.T) {
 				imageStream:     imageStream,
 				cache:           cache,
 				metrics:         metrics.NewNoopMetrics(),
+				icsp:            icsp,
 			}
 
 			manifestResult, err := ptms.Get(ctx, tc.manifestDigest)
@@ -468,6 +473,7 @@ func TestPullthroughManifestInsecure(t *testing.T) {
 }
 
 func TestPullthroughManifestDockerReference(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "user"
 	repo1 := "repo1"
 	repo2 := "repo2"
@@ -567,6 +573,7 @@ func TestPullthroughManifestDockerReference(t *testing.T) {
 			ManifestService: newTestManifestService(tc.repoName, nil),
 			imageStream:     imageStream,
 			metrics:         metrics.NewNoopMetrics(),
+			icsp:            icsp,
 		}
 
 		ptms.Get(ctx, digest.Digest(img.Name))
@@ -661,6 +668,7 @@ func (ms *putWaiterManifestService) Put(ctx context.Context, manifest distributi
 }
 
 func TestPullthroughManifestMirroring(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	const timeout = 5 * time.Second
 
 	namespace := "myproject"
@@ -725,6 +733,7 @@ func TestPullthroughManifestMirroring(t *testing.T) {
 		imageStream:             imageStream,
 		mirror:                  true,
 		metrics:                 metrics.NewNoopMetrics(),
+		icsp:                    icsp,
 	}
 
 	_, err = ptms.Get(ctx, digest.Digest(img.Name))
@@ -740,6 +749,7 @@ func TestPullthroughManifestMirroring(t *testing.T) {
 }
 
 func TestPullthroughManifestMetrics(t *testing.T) {
+	icsp := operatorfake.NewSimpleClientset().OperatorV1alpha1().ImageContentSourcePolicies()
 	namespace := "myproject"
 	repo := "myapp"
 	repoName := fmt.Sprintf("%s/%s", namespace, repo)
@@ -801,6 +811,7 @@ func TestPullthroughManifestMetrics(t *testing.T) {
 		newLocalManifestService: func(ctx context.Context) (distribution.ManifestService, error) { return ms, nil },
 		imageStream:             imageStream,
 		metrics:                 metrics.NewMetrics(sink),
+		icsp:                    icsp,
 	}
 
 	_, err = ptms.Get(ctx, digest.Digest(img.Name))

pkg/dockerregistry/server/remoteblobgetter.go

@@ -11,6 +11,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 
+	operatorv1alpha1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alpha1"
 	"github.com/openshift/library-go/pkg/image/registryclient"
 
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
@@ -68,6 +69,7 @@ type remoteBlobGetterService struct {
 	cache         cache.RepositoryDigest
 	digestToStore *digestBlobStoreCache
 	metrics       metrics.Pullthrough
+	icsp          operatorv1alpha1.ImageContentSourcePolicyInterface
 }
 
 var _ BlobGetterService = &remoteBlobGetterService{}
@@ -79,13 +81,15 @@ func NewBlobGetterService(
 	secretsGetter secretsGetter,
 	cache cache.RepositoryDigest,
 	m metrics.Pullthrough,
+	icsp operatorv1alpha1.ImageContentSourcePolicyInterface,
 ) BlobGetterService {
 	return &remoteBlobGetterService{
 		imageStream:   imageStream,
 		getSecrets:    secretsGetter,
 		cache:         cache,
 		digestToStore: newDigestBlobStoreCache(m),
 		metrics:       m,
+		icsp:          icsp,
 	}
 }
 
@@ -272,7 +276,7 @@ func (rbgs *remoteBlobGetterService) findCandidateRepository(
 			continue
 		}
 
-		retriever, impErr := getImportContext(ctx, spec.DockerImageReference, secrets, rbgs.metrics)
+		retriever, impErr := getImportContext(ctx, spec.DockerImageReference, secrets, rbgs.metrics, rbgs.icsp)
 		if impErr != nil {
 			return distribution.Descriptor{}, nil, impErr
 		}
@@ -293,7 +297,7 @@ func (rbgs *remoteBlobGetterService) findCandidateRepository(
 			continue
 		}
 
-		retriever, impErr := getImportContext(ctx, spec.DockerImageReference, secrets, rbgs.metrics)
+		retriever, impErr := getImportContext(ctx, spec.DockerImageReference, secrets, rbgs.metrics, rbgs.icsp)
 		if impErr != nil {
 			return distribution.Descriptor{}, nil, impErr
 		}

pkg/dockerregistry/server/repository.go

@@ -11,6 +11,8 @@ import (
 
 	restclient "k8s.io/client-go/rest"
 
+	operatorv1alpha1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1alpha1"
+
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/audit"
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
 	"github.com/openshift/image-registry/pkg/imagestream"
@@ -44,6 +46,7 @@ type repository struct {
 	crossmount bool
 
 	imageStream imagestream.ImageStream
+	icsp        operatorv1alpha1.ImageContentSourcePolicyInterface
 
 	// remoteBlobGetter is used to fetch blobs from remote registries if pullthrough is enabled.
 	remoteBlobGetter BlobGetterService
@@ -71,13 +74,15 @@ func (app *App) Repository(ctx context.Context, repo distribution.Repository, cr
 
 		imageStream: imagestream.New(ctx, namespace, name, registryOSClient),
 		cache:       cache.NewRepositoryDigest(app.cache),
+		icsp:        registryOSClient.ImageContentSourcePolicy(),
 	}
 
 	r.remoteBlobGetter = NewBlobGetterService(
 		r.imageStream,
 		r.imageStream.GetSecrets,
 		r.cache,
 		r.app.metrics,
+		r.icsp,
 	)
 
 	repo = distribution.Repository(r)
@@ -117,6 +122,7 @@ func (r *repository) Manifests(ctx context.Context, options ...distribution.Mani
 		mirror:       r.app.config.Pullthrough.Mirror,
 		registryAddr: r.app.config.Server.Addr,
 		metrics:      r.app.metrics,
+		icsp:         r.icsp,
 	}
 
 	ms = newPendingErrorsManifestService(ms, r)