open-component-model · jschicktanz · Sep 2, 2022 · Jul 8, 2022 · Jul 13, 2022 · Jul 13, 2022
@@ -25,4 +25,5 @@ const (
 	ATTR_TOKEN                 = "token"
 	ATTR_AWS_ACCESS_KEY_ID     = "awsAccessKeyID"
 	ATTR_AWS_SECRET_ACCESS_KEY = "awsSecretAccessKey"
+	ATTR_KEY                   = "key"
 )
@@ -147,17 +147,24 @@ func (i ConsumerIdentity) Match(obj map[string]string) bool {
 }
 
 // Copy copies identity
-func (l ConsumerIdentity) Copy() ConsumerIdentity {
-	if l == nil {
+func (i ConsumerIdentity) Copy() ConsumerIdentity {
+	if i == nil {
 		return nil
 	}
 	n := ConsumerIdentity{}
-	for k, v := range l {
+	for k, v := range i {
 		n[k] = v
 	}
 	return n
 }
 
+// SetNonEmptyValue sets a key-value pair only if the value is not empty
+func (i ConsumerIdentity) SetNonEmptyValue(name, value string) {
+	if value != "" {
+		i[name] = value
+	}
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 
 type IdentityMatcherInfo struct {

@@ -26,4 +26,5 @@ const (
 	ATTR_SERVER_ADDRESS = core.ATTR_SERVER_ADDRESS
 	ATTR_IDENTITY_TOKEN = core.ATTR_IDENTITY_TOKEN
 	ATTR_REGISTRY_TOKEN = core.ATTR_REGISTRY_TOKEN
+	ATTR_KEY            = core.ATTR_KEY
 )
@@ -33,6 +33,9 @@ const ID_PORT = "port"
 // ID_PATHPREFIX is the path prefix below the host.
 const ID_PATHPREFIX = "pathprefix"
 
+// ID_SCHEME is the scheme prefix.
+const ID_SCHEME = "scheme"
+
 func init() {
 	cpi.RegisterStandardIdentityMatcher(IDENTITY_TYPE, IdentityMatcher(""), `Host and path based credential matcher
 
@@ -60,6 +63,12 @@ func IdentityMatcher(identityType string) cpi.IdentityMatcher {
 			}
 		}
 
+		if pattern[ID_SCHEME] != "" {
+			if id[ID_SCHEME] != "" && id[ID_SCHEME] != pattern[ID_SCHEME] {
+				return false
+			}
+		}
+
 		if pattern[ID_PATHPREFIX] != "" {
 			if id[ID_PATHPREFIX] != "" {
 				if len(id[ID_PATHPREFIX]) > len(pattern[ID_PATHPREFIX]) {

@@ -40,7 +40,7 @@ func (r *Repository) LookupCredentials(name string) (cpi.Credentials, error) {
 	return r.Credentials, nil
 }
 
-func (r Repository) WriteCredentials(name string, creds cpi.Credentials) (cpi.Credentials, error) {
+func (r *Repository) WriteCredentials(name string, creds cpi.Credentials) (cpi.Credentials, error) {
 	return nil, errors.ErrNotSupported(cpi.KIND_CREDENTIALS, "write", "constant credential")
 }
 

@@ -29,7 +29,7 @@ func init() {
 	cpi.RegisterRepositoryType(TypeV1, cpi.NewRepositoryType(TypeV1, &RepositorySpec{}))
 }
 
-// RepositorySpec describes a cocker config based credential repository interface.
+// RepositorySpec describes a docker config based credential repository interface.
 type RepositorySpec struct {
 	runtime.ObjectVersionedType `json:",inline"`
 	DockerConfigFile            string `json:"dockerConfigFile"`

@@ -0,0 +1,3 @@
+# Gardener Config Credential Repository
+
+The gardener config credential repository implements the retrieval of secrets in a data format specified by the gardener concourse utils (https://github.com/gardener/cc-utils/tree/master/model). It supports either handing in the data via a local json file or retrieve it from a secret server (as defined in https://github.com/gardener/cc-utils/blob/master/ccc/secrets_server.py#L29).
@@ -0,0 +1,36 @@
+package gardenerconfig
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/cpi"
+	gardenercfgcpi "github.com/open-component-model/ocm/pkg/contexts/credentials/repositories/gardenerconfig/cpi"
+	"github.com/open-component-model/ocm/pkg/contexts/datacontext"
+)
+
+const ATTR_REPOS = "github.com/open-component-model/ocm/pkg/contexts/credentials/repositories/gardenerconfig"
+
+type Repositories struct {
+	lock  sync.Mutex
+	repos map[string]*Repository
+}
+
+func newRepositories(datacontext.Context) interface{} {
+	return &Repositories{
+		repos: map[string]*Repository{},
+	}
+}
+
+func (r *Repositories) GetRepository(ctx cpi.Context, url string, configType gardenercfgcpi.ConfigType, cipher Cipher, key []byte, propagateConsumerIdentity bool) (*Repository, error) {
+	r.lock.Lock()
+	defer r.lock.Unlock()
+	if _, ok := r.repos[url]; !ok {
+		repo, err := NewRepository(ctx, url, configType, cipher, key, propagateConsumerIdentity)
+		if err != nil {
+			return nil, fmt.Errorf("unable to create repository: %w", err)
+		}
+		r.repos[url] = repo
+	}
+	return r.repos[url], nil
+}
@@ -0,0 +1,51 @@
+package cpi
+
+import (
+	"io"
+	"sync"
+
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/cpi"
+)
+
+type ConfigType string
+
+const (
+	ContainerRegistry ConfigType = "container_registry"
+)
+
+type Credential interface {
+	Name() string
+	ConsumerIdentity() cpi.ConsumerIdentity
+	Properties() cpi.Credentials
+}
+
+type Handler interface {
+	ConfigType() ConfigType
+	ParseConfig(io.Reader) ([]Credential, error)
+}
+
+var handlers = map[ConfigType]Handler{}
+var lock sync.RWMutex
+
+func RegisterHandler(h Handler) {
+	lock.Lock()
+	defer lock.Unlock()
+	handlers[h.ConfigType()] = h
+}
+
+func GetHandler(configType ConfigType) Handler {
+	lock.RLock()
+	defer lock.RUnlock()
+	return handlers[configType]
+}
+
+func GetHandlers() map[ConfigType]Handler {
+	lock.RLock()
+	defer lock.RUnlock()
+
+	m := map[ConfigType]Handler{}
+	for k, v := range handlers {
+		m[k] = v
+	}
+	return m
+}
@@ -0,0 +1,15 @@
+package gardenerconfig
+
+import (
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/cpi"
+)
+
+type CredentialGetter struct {
+	getCredentials func() (cpi.Credentials, error)
+}
+
+var _ cpi.CredentialsSource = CredentialGetter{}
+
+func (c CredentialGetter) Credentials(ctx cpi.Context, cs ...cpi.CredentialsSource) (cpi.Credentials, error) {
+	return c.getCredentials()
+}
@@ -0,0 +1,26 @@
+package container_registry
+
+import (
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/cpi"
+	gardenercfgcpi "github.com/open-component-model/ocm/pkg/contexts/credentials/repositories/gardenerconfig/cpi"
+)
+
+type credentials struct {
+	name             string
+	consumerIdentity cpi.ConsumerIdentity
+	properties       cpi.Credentials
+}
+
+func (c credentials) Name() string {
+	return c.name
+}
+
+func (c credentials) ConsumerIdentity() cpi.ConsumerIdentity {
+	return c.consumerIdentity
+}
+
+func (c credentials) Properties() cpi.Credentials {
+	return c.properties
+}
+
+var _ gardenercfgcpi.Credential = credentials{}
@@ -0,0 +1,99 @@
+package container_registry
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/open-component-model/ocm/pkg/common"
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/cpi"
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/identity/hostpath"
+	gardenercfgcpi "github.com/open-component-model/ocm/pkg/contexts/credentials/repositories/gardenerconfig/cpi"
+	"github.com/open-component-model/ocm/pkg/contexts/oci/identity"
+	"github.com/open-component-model/ocm/pkg/utils"
+)
+
+func init() {
+	gardenercfgcpi.RegisterHandler(Handler{})
+}
+
+// config is the struct that describes the gardener config data structure
+type config struct {
+	ContainerRegistry map[string]*containerRegistryCredentials `json:"container_registry"`
+}
+
+// containerRegistryCredentials describes the container registry credentials struct as defined by the gardener config.
+type containerRegistryCredentials struct {
+	Username               string   `json:"username"`
+	Password               string   `json:"password"`
+	Privileges             string   `json:"privileges"`
+	Host                   string   `json:"host,omitempty"`
+	ImageReferencePrefixes []string `json:"image_reference_prefixes,omitempty"`
+}
+
+type Handler struct{}
+
+func (h Handler) ConfigType() gardenercfgcpi.ConfigType {
+	return gardenercfgcpi.ContainerRegistry
+}
+
+func (h Handler) ParseConfig(configReader io.Reader) ([]gardenercfgcpi.Credential, error) {
+	config := &config{}
+	if err := json.NewDecoder(configReader).Decode(&config); err != nil {
+		return nil, fmt.Errorf("unable to unmarshal config: %w", err)
+	}
+
+	creds := []gardenercfgcpi.Credential{}
+	for credentialName, credential := range config.ContainerRegistry {
+		var (
+			scheme string
+			port   string
+		)
+		if credential.Host != "" {
+			parsedHost, err := utils.ParseURL(credential.Host)
+			if err != nil {
+				return nil, fmt.Errorf("unable to parse host: %w", err)
+			}
+			scheme = parsedHost.Scheme
+			port = parsedHost.Port()
+		}
+
+		for _, imgRef := range credential.ImageReferencePrefixes {
+			parsedImgPrefix, err := utils.ParseURL(imgRef)
+			if err != nil {
+				return nil, fmt.Errorf("unable to parse image prefix: %w", err)
+			}
+			if parsedImgPrefix.Host == "index.docker.io" {
+				parsedImgPrefix.Host = "docker.io"
+			}
+
+			consumerIdentity := cpi.ConsumerIdentity{
+				cpi.CONSUMER_ATTR_TYPE: identity.CONSUMER_TYPE,
+				hostpath.ID_HOSTNAME:   parsedImgPrefix.Host,
+				hostpath.ID_PATHPREFIX: strings.Trim(parsedImgPrefix.Path, "/"),
+			}
+			consumerIdentity.SetNonEmptyValue(hostpath.ID_SCHEME, scheme)
+			consumerIdentity.SetNonEmptyValue(hostpath.ID_PORT, port)
+
+			c := credentials{
+				name:             credentialName,
+				consumerIdentity: consumerIdentity,
+				properties:       newCredentialsFromContainerRegistryCredentials(credential),
+			}
+
+			creds = append(creds, c)
+		}
+	}
+
+	return creds, nil
+}
+
+func newCredentialsFromContainerRegistryCredentials(auth *containerRegistryCredentials) cpi.Credentials {
+	props := common.Properties{
+		cpi.ATTR_USERNAME: auth.Username,
+		cpi.ATTR_PASSWORD: auth.Password,
+	}
+	props.SetNonEmptyValue(cpi.ATTR_SERVER_ADDRESS, auth.Host)
+	return cpi.NewCredentials(props)
+}
@@ -0,0 +1,5 @@
+package gardenerconfig
+
+import (
+	_ "github.com/open-component-model/ocm/pkg/contexts/credentials/repositories/gardenerconfig/handler/container_registry"
+)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Gardener Config Credential Repository

		The gardener config credential repository implements the retrieval of secrets in a data format specified by the gardener concourse utils (https://github.com/gardener/cc-utils/tree/master/model). It supports either handing in the data via a local json file or retrieve it from a secret server (as defined in https://github.com/gardener/cc-utils/blob/master/ccc/secrets_server.py#L29).