mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-18 14:47:38 +01:00
Merge pull request #13040 from bitsf/replication_ecr_auth_role
feature(replication) enable role based auth for AWS ECR
This commit is contained in:
commit
5d22644136
@ -16,15 +16,10 @@ package awsecr
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"net/http"
|
|
||||||
"regexp"
|
"regexp"
|
||||||
|
|
||||||
"github.com/aws/aws-sdk-go/aws"
|
|
||||||
"github.com/aws/aws-sdk-go/aws/awserr"
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
||||||
"github.com/aws/aws-sdk-go/aws/credentials"
|
|
||||||
"github.com/aws/aws-sdk-go/aws/session"
|
|
||||||
awsecrapi "github.com/aws/aws-sdk-go/service/ecr"
|
awsecrapi "github.com/aws/aws-sdk-go/service/ecr"
|
||||||
commonhttp "github.com/goharbor/harbor/src/common/http"
|
|
||||||
"github.com/goharbor/harbor/src/lib/log"
|
"github.com/goharbor/harbor/src/lib/log"
|
||||||
adp "github.com/goharbor/harbor/src/replication/adapter"
|
adp "github.com/goharbor/harbor/src/replication/adapter"
|
||||||
"github.com/goharbor/harbor/src/replication/adapter/native"
|
"github.com/goharbor/harbor/src/replication/adapter/native"
|
||||||
@ -52,11 +47,16 @@ func newAdapter(registry *model.Registry) (*adapter, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
authorizer := NewAuth(region, registry.Credential.AccessKey, registry.Credential.AccessSecret, registry.Insecure)
|
svc, err := getAwsSvc(
|
||||||
|
region, registry.Credential.AccessKey, registry.Credential.AccessSecret, registry.Insecure, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
authorizer := NewAuth(registry.Credential.AccessKey, svc)
|
||||||
return &adapter{
|
return &adapter{
|
||||||
registry: registry,
|
registry: registry,
|
||||||
Adapter: native.NewAdapterWithAuthorizer(registry, authorizer),
|
Adapter: native.NewAdapterWithAuthorizer(registry, authorizer),
|
||||||
region: region,
|
cacheSvc: svc,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -89,8 +89,7 @@ var (
|
|||||||
type adapter struct {
|
type adapter struct {
|
||||||
*native.Adapter
|
*native.Adapter
|
||||||
registry *model.Registry
|
registry *model.Registry
|
||||||
region string
|
cacheSvc *awsecrapi.ECR
|
||||||
forceEndpoint *string
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (*adapter) Info() (info *model.RegistryInfo, err error) {
|
func (*adapter) Info() (info *model.RegistryInfo, err error) {
|
||||||
@ -205,11 +204,6 @@ func getAdapterInfo() *model.AdapterPattern {
|
|||||||
|
|
||||||
// HealthCheck checks health status of a registry
|
// HealthCheck checks health status of a registry
|
||||||
func (a *adapter) HealthCheck() (model.HealthStatus, error) {
|
func (a *adapter) HealthCheck() (model.HealthStatus, error) {
|
||||||
if a.registry.Credential == nil ||
|
|
||||||
len(a.registry.Credential.AccessKey) == 0 || len(a.registry.Credential.AccessSecret) == 0 {
|
|
||||||
log.Errorf("no credential to ping registry %s", a.registry.URL)
|
|
||||||
return model.Unhealthy, nil
|
|
||||||
}
|
|
||||||
if err := a.Ping(); err != nil {
|
if err := a.Ping(); err != nil {
|
||||||
log.Errorf("failed to ping registry %s: %v", a.registry.URL, err)
|
log.Errorf("failed to ping registry %s: %v", a.registry.URL, err)
|
||||||
return model.Unhealthy, nil
|
return model.Unhealthy, nil
|
||||||
@ -242,33 +236,7 @@ func (a *adapter) PrepareForPush(resources []*model.Resource) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (a *adapter) createRepository(repository string) error {
|
func (a *adapter) createRepository(repository string) error {
|
||||||
if a.registry.Credential == nil ||
|
_, err := a.cacheSvc.CreateRepository(&awsecrapi.CreateRepositoryInput{
|
||||||
len(a.registry.Credential.AccessKey) == 0 || len(a.registry.Credential.AccessSecret) == 0 {
|
|
||||||
return errors.New("no credential ")
|
|
||||||
}
|
|
||||||
cred := credentials.NewStaticCredentials(
|
|
||||||
a.registry.Credential.AccessKey,
|
|
||||||
a.registry.Credential.AccessSecret,
|
|
||||||
"")
|
|
||||||
if a.region == "" {
|
|
||||||
return errors.New("no region parsed")
|
|
||||||
}
|
|
||||||
|
|
||||||
config := &aws.Config{
|
|
||||||
Credentials: cred,
|
|
||||||
Region: &a.region,
|
|
||||||
HTTPClient: &http.Client{
|
|
||||||
Transport: commonhttp.GetHTTPTransportByInsecure(a.registry.Insecure),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
if a.forceEndpoint != nil {
|
|
||||||
config.Endpoint = a.forceEndpoint
|
|
||||||
}
|
|
||||||
sess := session.Must(session.NewSession(config))
|
|
||||||
|
|
||||||
svc := awsecrapi.New(sess)
|
|
||||||
|
|
||||||
_, err := svc.CreateRepository(&awsecrapi.CreateRepositoryInput{
|
|
||||||
RepositoryName: &repository,
|
RepositoryName: &repository,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -284,40 +252,7 @@ func (a *adapter) createRepository(repository string) error {
|
|||||||
|
|
||||||
// DeleteManifest ...
|
// DeleteManifest ...
|
||||||
func (a *adapter) DeleteManifest(repository, reference string) error {
|
func (a *adapter) DeleteManifest(repository, reference string) error {
|
||||||
// AWS doesn't implement standard OCI delete manifest API, so use it's sdk.
|
_, err := a.cacheSvc.BatchDeleteImage(&awsecrapi.BatchDeleteImageInput{
|
||||||
if a.registry.Credential == nil ||
|
|
||||||
len(a.registry.Credential.AccessKey) == 0 || len(a.registry.Credential.AccessSecret) == 0 {
|
|
||||||
return errors.New("no credential ")
|
|
||||||
}
|
|
||||||
cred := credentials.NewStaticCredentials(
|
|
||||||
a.registry.Credential.AccessKey,
|
|
||||||
a.registry.Credential.AccessSecret,
|
|
||||||
"")
|
|
||||||
if a.region == "" {
|
|
||||||
return errors.New("no region parsed")
|
|
||||||
}
|
|
||||||
|
|
||||||
var tr *http.Transport
|
|
||||||
if a.registry.Insecure {
|
|
||||||
tr = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
|
|
||||||
} else {
|
|
||||||
tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
|
|
||||||
}
|
|
||||||
config := &aws.Config{
|
|
||||||
Credentials: cred,
|
|
||||||
Region: &a.region,
|
|
||||||
HTTPClient: &http.Client{
|
|
||||||
Transport: tr,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
if a.forceEndpoint != nil {
|
|
||||||
config.Endpoint = a.forceEndpoint
|
|
||||||
}
|
|
||||||
sess := session.Must(session.NewSession(config))
|
|
||||||
|
|
||||||
svc := awsecrapi.New(sess)
|
|
||||||
|
|
||||||
_, err := svc.BatchDeleteImage(&awsecrapi.BatchDeleteImageInput{
|
|
||||||
RepositoryName: &repository,
|
RepositoryName: &repository,
|
||||||
ImageIds: []*awsecrapi.ImageIdentifier{{ImageTag: &reference}},
|
ImageIds: []*awsecrapi.ImageIdentifier{{ImageTag: &reference}},
|
||||||
})
|
})
|
||||||
|
@ -3,6 +3,8 @@ package awsecr
|
|||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
awsecrapi "github.com/aws/aws-sdk-go/service/ecr"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
@ -149,17 +151,23 @@ func getMockAdapter(t *testing.T, hasCred, health bool) (*adapter, *httptest.Ser
|
|||||||
Type: model.RegistryTypeAwsEcr,
|
Type: model.RegistryTypeAwsEcr,
|
||||||
URL: server.URL,
|
URL: server.URL,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var svc *awsecrapi.ECR
|
||||||
if hasCred {
|
if hasCred {
|
||||||
registry.Credential = &model.Credential{
|
registry.Credential = &model.Credential{
|
||||||
AccessKey: "xxx",
|
AccessKey: "xxx",
|
||||||
AccessSecret: "ppp",
|
AccessSecret: "ppp",
|
||||||
}
|
}
|
||||||
|
svc, _ = getAwsSvc(
|
||||||
|
"test-region", registry.Credential.AccessKey, registry.Credential.AccessSecret, registry.Insecure, &server.URL)
|
||||||
|
} else {
|
||||||
|
svc, _ = getAwsSvc(
|
||||||
|
"test-region", "", "", registry.Insecure, &server.URL)
|
||||||
}
|
}
|
||||||
return &adapter{
|
return &adapter{
|
||||||
registry: registry,
|
registry: registry,
|
||||||
Adapter: native.NewAdapter(registry),
|
Adapter: native.NewAdapter(registry),
|
||||||
region: "test-region",
|
cacheSvc: svc,
|
||||||
forceEndpoint: &server.URL,
|
|
||||||
}, server
|
}, server
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -180,7 +188,7 @@ func TestAdapter_HealthCheck(t *testing.T) {
|
|||||||
status, err := a.HealthCheck()
|
status, err := a.HealthCheck()
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
assert.NotNil(t, status)
|
assert.NotNil(t, status)
|
||||||
assert.EqualValues(t, model.Unhealthy, status)
|
assert.EqualValues(t, model.Healthy, status)
|
||||||
|
|
||||||
a, s = getMockAdapter(t, true, false)
|
a, s = getMockAdapter(t, true, false)
|
||||||
defer s.Close()
|
defer s.Close()
|
||||||
@ -260,16 +268,18 @@ func TestAwsAuthCredential_Modify(t *testing.T) {
|
|||||||
},
|
},
|
||||||
)
|
)
|
||||||
defer server.Close()
|
defer server.Close()
|
||||||
a, _ := NewAuth("test-region", "xxx", "ppp", true).(*awsAuthCredential)
|
svc, err := getAwsSvc(
|
||||||
a.forceEndpoint = &server.URL
|
"test-region", "xxx", "ppp", true, &server.URL)
|
||||||
|
require.Nil(t, err)
|
||||||
|
a, _ := NewAuth("xxx", svc).(*awsAuthCredential)
|
||||||
req := httptest.NewRequest(http.MethodGet, "https://1234.dkr.ecr.test-region.amazonaws.com/v2/", nil)
|
req := httptest.NewRequest(http.MethodGet, "https://1234.dkr.ecr.test-region.amazonaws.com/v2/", nil)
|
||||||
err := a.Modify(req)
|
|
||||||
assert.Nil(t, err)
|
|
||||||
err = a.Modify(req)
|
err = a.Modify(req)
|
||||||
assert.Nil(t, err)
|
require.Nil(t, err)
|
||||||
|
err = a.Modify(req)
|
||||||
|
require.Nil(t, err)
|
||||||
time.Sleep(time.Second)
|
time.Sleep(time.Second)
|
||||||
err = a.Modify(req)
|
err = a.Modify(req)
|
||||||
assert.Nil(t, err)
|
require.Nil(t, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
var urlForBenchmark = []string{
|
var urlForBenchmark = []string{
|
||||||
|
@ -18,19 +18,19 @@ import (
|
|||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
|
||||||
"net/url"
|
|
||||||
"strings"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/aws/aws-sdk-go/aws"
|
"github.com/aws/aws-sdk-go/aws"
|
||||||
"github.com/aws/aws-sdk-go/aws/awserr"
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
||||||
"github.com/aws/aws-sdk-go/aws/credentials"
|
"github.com/aws/aws-sdk-go/aws/credentials"
|
||||||
|
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
|
||||||
"github.com/aws/aws-sdk-go/aws/session"
|
"github.com/aws/aws-sdk-go/aws/session"
|
||||||
awsecrapi "github.com/aws/aws-sdk-go/service/ecr"
|
awsecrapi "github.com/aws/aws-sdk-go/service/ecr"
|
||||||
commonhttp "github.com/goharbor/harbor/src/common/http"
|
commonhttp "github.com/goharbor/harbor/src/common/http"
|
||||||
"github.com/goharbor/harbor/src/common/http/modifier"
|
"github.com/goharbor/harbor/src/common/http/modifier"
|
||||||
"github.com/goharbor/harbor/src/lib/log"
|
"github.com/goharbor/harbor/src/lib/log"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Credential ...
|
// Credential ...
|
||||||
@ -38,11 +38,8 @@ type Credential modifier.Modifier
|
|||||||
|
|
||||||
// Implements interface Credential
|
// Implements interface Credential
|
||||||
type awsAuthCredential struct {
|
type awsAuthCredential struct {
|
||||||
region string
|
|
||||||
accessKey string
|
accessKey string
|
||||||
accessSecret string
|
awssvc *awsecrapi.ECR
|
||||||
insecure bool
|
|
||||||
forceEndpoint *string
|
|
||||||
|
|
||||||
cacheToken *cacheToken
|
cacheToken *cacheToken
|
||||||
cacheExpired *time.Time
|
cacheExpired *time.Time
|
||||||
@ -91,36 +88,44 @@ func (a *awsAuthCredential) Modify(req *http.Request) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *awsAuthCredential) getAuthorization() (string, string, string, *time.Time, error) {
|
func getAwsSvc(region, accessKey, accessSecret string, insecure bool, forceEndpoint *string) (*awsecrapi.ECR, error) {
|
||||||
log.Infof("Aws Ecr getAuthorization %s", a.accessKey)
|
sess, err := session.NewSession()
|
||||||
cred := credentials.NewStaticCredentials(
|
if err != nil {
|
||||||
a.accessKey,
|
return nil, err
|
||||||
a.accessSecret,
|
}
|
||||||
|
var cred *credentials.Credentials
|
||||||
|
log.Debugf("Aws Ecr getAuthorization %s", accessKey)
|
||||||
|
if accessKey != "" {
|
||||||
|
cred = credentials.NewStaticCredentials(
|
||||||
|
accessKey,
|
||||||
|
accessSecret,
|
||||||
"")
|
"")
|
||||||
|
} else {
|
||||||
|
cred = ec2rolecreds.NewCredentials(sess)
|
||||||
|
}
|
||||||
var tr *http.Transport
|
var tr *http.Transport
|
||||||
if a.insecure {
|
if insecure {
|
||||||
tr = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
|
tr = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
|
||||||
} else {
|
} else {
|
||||||
tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
|
tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
|
||||||
}
|
}
|
||||||
config := &aws.Config{
|
config := &aws.Config{
|
||||||
Credentials: cred,
|
Credentials: cred,
|
||||||
Region: &a.region,
|
Region: ®ion,
|
||||||
HTTPClient: &http.Client{
|
HTTPClient: &http.Client{
|
||||||
Transport: tr,
|
Transport: tr,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
if a.forceEndpoint != nil {
|
if forceEndpoint != nil {
|
||||||
config.Endpoint = a.forceEndpoint
|
config.Endpoint = forceEndpoint
|
||||||
}
|
|
||||||
sess, err := session.NewSession(config)
|
|
||||||
if err != nil {
|
|
||||||
return "", "", "", nil, err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
svc := awsecrapi.New(sess)
|
svc := awsecrapi.New(sess, config)
|
||||||
|
return svc, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *awsAuthCredential) getAuthorization() (string, string, string, *time.Time, error) {
|
||||||
|
svc := a.awssvc
|
||||||
result, err := svc.GetAuthorizationToken(nil)
|
result, err := svc.GetAuthorizationToken(nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if aerr, ok := err.(awserr.Error); ok {
|
if aerr, ok := err.(awserr.Error); ok {
|
||||||
@ -161,11 +166,9 @@ func (a *awsAuthCredential) isTokenValid() bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// NewAuth new aws auth
|
// NewAuth new aws auth
|
||||||
func NewAuth(region, accessKey, accessSecret string, insecure bool) Credential {
|
func NewAuth(accessKey string, awssvc *awsecrapi.ECR) Credential {
|
||||||
return &awsAuthCredential{
|
return &awsAuthCredential{
|
||||||
region: region,
|
|
||||||
accessKey: accessKey,
|
accessKey: accessKey,
|
||||||
accessSecret: accessSecret,
|
awssvc: awssvc,
|
||||||
insecure: insecure,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user