Merge pull request #13040 from bitsf/replication_ecr_auth_role

feature(replication) enable role based auth for AWS ECR
This commit is contained in:
Wenkai Yin(尹文开) 2020-09-15 19:13:05 +08:00 committed by GitHub
commit 5d22644136
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 66 additions and 118 deletions

View File

@ -16,15 +16,10 @@ package awsecr
import ( import (
"errors" "errors"
"net/http"
"regexp" "regexp"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
awsecrapi "github.com/aws/aws-sdk-go/service/ecr" awsecrapi "github.com/aws/aws-sdk-go/service/ecr"
commonhttp "github.com/goharbor/harbor/src/common/http"
"github.com/goharbor/harbor/src/lib/log" "github.com/goharbor/harbor/src/lib/log"
adp "github.com/goharbor/harbor/src/replication/adapter" adp "github.com/goharbor/harbor/src/replication/adapter"
"github.com/goharbor/harbor/src/replication/adapter/native" "github.com/goharbor/harbor/src/replication/adapter/native"
@ -52,11 +47,16 @@ func newAdapter(registry *model.Registry) (*adapter, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
authorizer := NewAuth(region, registry.Credential.AccessKey, registry.Credential.AccessSecret, registry.Insecure) svc, err := getAwsSvc(
region, registry.Credential.AccessKey, registry.Credential.AccessSecret, registry.Insecure, nil)
if err != nil {
return nil, err
}
authorizer := NewAuth(registry.Credential.AccessKey, svc)
return &adapter{ return &adapter{
registry: registry, registry: registry,
Adapter: native.NewAdapterWithAuthorizer(registry, authorizer), Adapter: native.NewAdapterWithAuthorizer(registry, authorizer),
region: region, cacheSvc: svc,
}, nil }, nil
} }
@ -89,8 +89,7 @@ var (
type adapter struct { type adapter struct {
*native.Adapter *native.Adapter
registry *model.Registry registry *model.Registry
region string cacheSvc *awsecrapi.ECR
forceEndpoint *string
} }
func (*adapter) Info() (info *model.RegistryInfo, err error) { func (*adapter) Info() (info *model.RegistryInfo, err error) {
@ -205,11 +204,6 @@ func getAdapterInfo() *model.AdapterPattern {
// HealthCheck checks health status of a registry // HealthCheck checks health status of a registry
func (a *adapter) HealthCheck() (model.HealthStatus, error) { func (a *adapter) HealthCheck() (model.HealthStatus, error) {
if a.registry.Credential == nil ||
len(a.registry.Credential.AccessKey) == 0 || len(a.registry.Credential.AccessSecret) == 0 {
log.Errorf("no credential to ping registry %s", a.registry.URL)
return model.Unhealthy, nil
}
if err := a.Ping(); err != nil { if err := a.Ping(); err != nil {
log.Errorf("failed to ping registry %s: %v", a.registry.URL, err) log.Errorf("failed to ping registry %s: %v", a.registry.URL, err)
return model.Unhealthy, nil return model.Unhealthy, nil
@ -242,33 +236,7 @@ func (a *adapter) PrepareForPush(resources []*model.Resource) error {
} }
func (a *adapter) createRepository(repository string) error { func (a *adapter) createRepository(repository string) error {
if a.registry.Credential == nil || _, err := a.cacheSvc.CreateRepository(&awsecrapi.CreateRepositoryInput{
len(a.registry.Credential.AccessKey) == 0 || len(a.registry.Credential.AccessSecret) == 0 {
return errors.New("no credential ")
}
cred := credentials.NewStaticCredentials(
a.registry.Credential.AccessKey,
a.registry.Credential.AccessSecret,
"")
if a.region == "" {
return errors.New("no region parsed")
}
config := &aws.Config{
Credentials: cred,
Region: &a.region,
HTTPClient: &http.Client{
Transport: commonhttp.GetHTTPTransportByInsecure(a.registry.Insecure),
},
}
if a.forceEndpoint != nil {
config.Endpoint = a.forceEndpoint
}
sess := session.Must(session.NewSession(config))
svc := awsecrapi.New(sess)
_, err := svc.CreateRepository(&awsecrapi.CreateRepositoryInput{
RepositoryName: &repository, RepositoryName: &repository,
}) })
if err != nil { if err != nil {
@ -284,40 +252,7 @@ func (a *adapter) createRepository(repository string) error {
// DeleteManifest ... // DeleteManifest ...
func (a *adapter) DeleteManifest(repository, reference string) error { func (a *adapter) DeleteManifest(repository, reference string) error {
// AWS doesn't implement standard OCI delete manifest API, so use it's sdk. _, err := a.cacheSvc.BatchDeleteImage(&awsecrapi.BatchDeleteImageInput{
if a.registry.Credential == nil ||
len(a.registry.Credential.AccessKey) == 0 || len(a.registry.Credential.AccessSecret) == 0 {
return errors.New("no credential ")
}
cred := credentials.NewStaticCredentials(
a.registry.Credential.AccessKey,
a.registry.Credential.AccessSecret,
"")
if a.region == "" {
return errors.New("no region parsed")
}
var tr *http.Transport
if a.registry.Insecure {
tr = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
} else {
tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
}
config := &aws.Config{
Credentials: cred,
Region: &a.region,
HTTPClient: &http.Client{
Transport: tr,
},
}
if a.forceEndpoint != nil {
config.Endpoint = a.forceEndpoint
}
sess := session.Must(session.NewSession(config))
svc := awsecrapi.New(sess)
_, err := svc.BatchDeleteImage(&awsecrapi.BatchDeleteImageInput{
RepositoryName: &repository, RepositoryName: &repository,
ImageIds: []*awsecrapi.ImageIdentifier{{ImageTag: &reference}}, ImageIds: []*awsecrapi.ImageIdentifier{{ImageTag: &reference}},
}) })

View File

@ -3,6 +3,8 @@ package awsecr
import ( import (
"errors" "errors"
"fmt" "fmt"
awsecrapi "github.com/aws/aws-sdk-go/service/ecr"
"github.com/stretchr/testify/require"
"io" "io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
@ -149,17 +151,23 @@ func getMockAdapter(t *testing.T, hasCred, health bool) (*adapter, *httptest.Ser
Type: model.RegistryTypeAwsEcr, Type: model.RegistryTypeAwsEcr,
URL: server.URL, URL: server.URL,
} }
var svc *awsecrapi.ECR
if hasCred { if hasCred {
registry.Credential = &model.Credential{ registry.Credential = &model.Credential{
AccessKey: "xxx", AccessKey: "xxx",
AccessSecret: "ppp", AccessSecret: "ppp",
} }
svc, _ = getAwsSvc(
"test-region", registry.Credential.AccessKey, registry.Credential.AccessSecret, registry.Insecure, &server.URL)
} else {
svc, _ = getAwsSvc(
"test-region", "", "", registry.Insecure, &server.URL)
} }
return &adapter{ return &adapter{
registry: registry, registry: registry,
Adapter: native.NewAdapter(registry), Adapter: native.NewAdapter(registry),
region: "test-region", cacheSvc: svc,
forceEndpoint: &server.URL,
}, server }, server
} }
@ -180,7 +188,7 @@ func TestAdapter_HealthCheck(t *testing.T) {
status, err := a.HealthCheck() status, err := a.HealthCheck()
assert.Nil(t, err) assert.Nil(t, err)
assert.NotNil(t, status) assert.NotNil(t, status)
assert.EqualValues(t, model.Unhealthy, status) assert.EqualValues(t, model.Healthy, status)
a, s = getMockAdapter(t, true, false) a, s = getMockAdapter(t, true, false)
defer s.Close() defer s.Close()
@ -260,16 +268,18 @@ func TestAwsAuthCredential_Modify(t *testing.T) {
}, },
) )
defer server.Close() defer server.Close()
a, _ := NewAuth("test-region", "xxx", "ppp", true).(*awsAuthCredential) svc, err := getAwsSvc(
a.forceEndpoint = &server.URL "test-region", "xxx", "ppp", true, &server.URL)
require.Nil(t, err)
a, _ := NewAuth("xxx", svc).(*awsAuthCredential)
req := httptest.NewRequest(http.MethodGet, "https://1234.dkr.ecr.test-region.amazonaws.com/v2/", nil) req := httptest.NewRequest(http.MethodGet, "https://1234.dkr.ecr.test-region.amazonaws.com/v2/", nil)
err := a.Modify(req)
assert.Nil(t, err)
err = a.Modify(req) err = a.Modify(req)
assert.Nil(t, err) require.Nil(t, err)
err = a.Modify(req)
require.Nil(t, err)
time.Sleep(time.Second) time.Sleep(time.Second)
err = a.Modify(req) err = a.Modify(req)
assert.Nil(t, err) require.Nil(t, err)
} }
var urlForBenchmark = []string{ var urlForBenchmark = []string{

View File

@ -18,19 +18,19 @@ import (
"encoding/base64" "encoding/base64"
"errors" "errors"
"fmt" "fmt"
"net/http"
"net/url"
"strings"
"time"
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
"github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/aws/session"
awsecrapi "github.com/aws/aws-sdk-go/service/ecr" awsecrapi "github.com/aws/aws-sdk-go/service/ecr"
commonhttp "github.com/goharbor/harbor/src/common/http" commonhttp "github.com/goharbor/harbor/src/common/http"
"github.com/goharbor/harbor/src/common/http/modifier" "github.com/goharbor/harbor/src/common/http/modifier"
"github.com/goharbor/harbor/src/lib/log" "github.com/goharbor/harbor/src/lib/log"
"net/http"
"net/url"
"strings"
"time"
) )
// Credential ... // Credential ...
@ -38,11 +38,8 @@ type Credential modifier.Modifier
// Implements interface Credential // Implements interface Credential
type awsAuthCredential struct { type awsAuthCredential struct {
region string
accessKey string accessKey string
accessSecret string awssvc *awsecrapi.ECR
insecure bool
forceEndpoint *string
cacheToken *cacheToken cacheToken *cacheToken
cacheExpired *time.Time cacheExpired *time.Time
@ -91,36 +88,44 @@ func (a *awsAuthCredential) Modify(req *http.Request) error {
return nil return nil
} }
func (a *awsAuthCredential) getAuthorization() (string, string, string, *time.Time, error) { func getAwsSvc(region, accessKey, accessSecret string, insecure bool, forceEndpoint *string) (*awsecrapi.ECR, error) {
log.Infof("Aws Ecr getAuthorization %s", a.accessKey) sess, err := session.NewSession()
cred := credentials.NewStaticCredentials( if err != nil {
a.accessKey, return nil, err
a.accessSecret, }
var cred *credentials.Credentials
log.Debugf("Aws Ecr getAuthorization %s", accessKey)
if accessKey != "" {
cred = credentials.NewStaticCredentials(
accessKey,
accessSecret,
"") "")
} else {
cred = ec2rolecreds.NewCredentials(sess)
}
var tr *http.Transport var tr *http.Transport
if a.insecure { if insecure {
tr = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport) tr = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
} else { } else {
tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport) tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
} }
config := &aws.Config{ config := &aws.Config{
Credentials: cred, Credentials: cred,
Region: &a.region, Region: &region,
HTTPClient: &http.Client{ HTTPClient: &http.Client{
Transport: tr, Transport: tr,
}, },
} }
if a.forceEndpoint != nil { if forceEndpoint != nil {
config.Endpoint = a.forceEndpoint config.Endpoint = forceEndpoint
}
sess, err := session.NewSession(config)
if err != nil {
return "", "", "", nil, err
} }
svc := awsecrapi.New(sess) svc := awsecrapi.New(sess, config)
return svc, nil
}
func (a *awsAuthCredential) getAuthorization() (string, string, string, *time.Time, error) {
svc := a.awssvc
result, err := svc.GetAuthorizationToken(nil) result, err := svc.GetAuthorizationToken(nil)
if err != nil { if err != nil {
if aerr, ok := err.(awserr.Error); ok { if aerr, ok := err.(awserr.Error); ok {
@ -161,11 +166,9 @@ func (a *awsAuthCredential) isTokenValid() bool {
} }
// NewAuth new aws auth // NewAuth new aws auth
func NewAuth(region, accessKey, accessSecret string, insecure bool) Credential { func NewAuth(accessKey string, awssvc *awsecrapi.ECR) Credential {
return &awsAuthCredential{ return &awsAuthCredential{
region: region,
accessKey: accessKey, accessKey: accessKey,
accessSecret: accessSecret, awssvc: awssvc,
insecure: insecure,
} }
} }