Enable imgpkg keychains when environment variable is provided

Signed-off-by: Joao Pereira <[email protected]>

pkg/vendir/fetch/image/imgpkg.go

@@ -7,10 +7,12 @@ import (
 	"bytes"
 	"fmt"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/vmware-tanzu/carvel-imgpkg/pkg/imgpkg/registry"
+	"github.com/vmware-tanzu/carvel-imgpkg/pkg/imgpkg/registry/auth"
 	"github.com/vmware-tanzu/carvel-imgpkg/pkg/imgpkg/v1"
 	ctlconf "github.com/vmware-tanzu/carvel-vendir/pkg/vendir/config"
 	ctlfetch "github.com/vmware-tanzu/carvel-vendir/pkg/vendir/fetch"
@@ -154,11 +156,30 @@ func (t *Imgpkg) RegistryOpts() (registry.Opts, error) {
 		return registry.Opts{}, err
 	}
 
+	var activeKeychains []auth.IAASKeychain
+	for _, envVar := range t.opts.EnvironFunc() {
+		if strings.HasPrefix(envVar, "IMGPKG_ACTIVE_KEYCHAINS") {
+			keychains := strings.SplitN(envVar, "=", 2)
+			if len(keychains) != 2 {
+				return registry.Opts{}, fmt.Errorf("Expected 'IMGPKG_ACTIVE_KEYCHAINS' environment variable to have a list of keychains but got '%s'", envVar)
+			}
+
+			if strings.Contains(keychains[1], ",") {
+				for _, keychainName := range strings.Split(keychains[1], ",") {
+					activeKeychains = append(activeKeychains, auth.IAASKeychain(strings.TrimSpace(keychainName)))
+				}
+			} else {
+				activeKeychains = append(activeKeychains, auth.IAASKeychain(strings.TrimSpace(keychains[1])))
+			}
+		}
+	}
+
 	return registry.Opts{
 		VerifyCerts:           !t.opts.DangerousSkipTLSVerify,
 		Insecure:              false,
 		ResponseHeaderTimeout: 30 * time.Second,
 		RetryCount:            5,
+		ActiveKeychains:       activeKeychains,
 		EnvironFunc: func() []string {
 			return append(envVariables, t.opts.EnvironFunc()...)
 		},

pkg/vendir/fetch/image/imgpkg_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/phayes/freeport"
 	"github.com/stretchr/testify/require"
 	ctlregistry "github.com/vmware-tanzu/carvel-imgpkg/pkg/imgpkg/registry"
+	"github.com/vmware-tanzu/carvel-imgpkg/pkg/imgpkg/registry/auth"
 	ctlconf "github.com/vmware-tanzu/carvel-vendir/pkg/vendir/config"
 	ctlfetch "github.com/vmware-tanzu/carvel-vendir/pkg/vendir/fetch"
 	ctlcache "github.com/vmware-tanzu/carvel-vendir/pkg/vendir/fetch/cache"
@@ -139,6 +140,59 @@ func TestImgpkgAuth(t *testing.T) {
 
 		requireImgpkgEnv(t, nil, opts.EnvironFunc())
 	})
+
+	t.Run("enable keychain auth with list of keychains", func(t *testing.T) {
+		cache, err := ctlcache.NewCache("", "1Mi")
+		require.NoError(t, err)
+
+		imgpkg := ctlimg.NewImgpkg(
+			ctlimg.ImgpkgOpts{
+				EnvironFunc: func() []string {
+					return []string{"IMGPKG_ACTIVE_KEYCHAINS=gcr,ecr"}
+				},
+			},
+			ctlfetch.SingleSecretRefFetcher{},
+			cache,
+		)
+
+		opts, err := imgpkg.RegistryOpts()
+		require.NoError(t, err)
+		require.Equal(t, []auth.IAASKeychain{"gcr", "ecr"}, opts.ActiveKeychains)
+	})
+
+	t.Run("enable keychain auth with single keychain", func(t *testing.T) {
+		cache, err := ctlcache.NewCache("", "1Mi")
+		require.NoError(t, err)
+
+		imgpkg := ctlimg.NewImgpkg(
+			ctlimg.ImgpkgOpts{
+				EnvironFunc: func() []string {
+					return []string{"IMGPKG_ACTIVE_KEYCHAINS=single"}
+				},
+			},
+			ctlfetch.SingleSecretRefFetcher{},
+			cache,
+		)
+
+		opts, err := imgpkg.RegistryOpts()
+		require.NoError(t, err)
+		require.Equal(t, []auth.IAASKeychain{"single"}, opts.ActiveKeychains)
+	})
+
+	t.Run("no keychain enable when environment variable not set", func(t *testing.T) {
+		cache, err := ctlcache.NewCache("", "1Mi")
+		require.NoError(t, err)
+
+		imgpkg := ctlimg.NewImgpkg(
+			ctlimg.ImgpkgOpts{},
+			ctlfetch.SingleSecretRefFetcher{},
+			cache,
+		)
+
+		opts, err := imgpkg.RegistryOpts()
+		require.NoError(t, err)
+		require.Nil(t, opts.ActiveKeychains)
+	})
 }
 
 func TestImgpkgCache(t *testing.T) {