Skip to content

Commit

Permalink
Call remote.Image anonymously first
Browse files Browse the repository at this point in the history
Signed-off-by: Vincent Demeester <[email protected]>
  • Loading branch information
vdemeester committed Mar 14, 2019
1 parent 968814d commit 38a1e31
Showing 1 changed file with 12 additions and 20 deletions.
32 changes: 12 additions & 20 deletions pkg/reconciler/v1alpha1/taskrun/entrypoint/entrypoint.go
Original file line number Diff line number Diff line change
Expand Up @@ -187,6 +187,13 @@ func getRemoteImage(image string, kubeclient kubernetes.Interface, build *buildv
return nil, fmt.Errorf("Failed to parse image %s: %v", image, err)
}

// First try to get the image anonymously
// FIXME(vdemeester): once google.Keychain fails smoother, this could be removed
img, err := remote.Image(ref)
if err == nil {
return img, nil
}

kc, err := k8schain.New(kubeclient, k8schain.Options{
Namespace: build.Namespace,
ServiceAccountName: build.Spec.ServiceAccountName,
Expand All @@ -195,29 +202,14 @@ func getRemoteImage(image string, kubeclient kubernetes.Interface, build *buildv
return nil, fmt.Errorf("Failed to create k8schain: %v", err)
}

// this will first try to anonymous
// the fall back to authenticate using the k8schain,
// then fall back to the google keychain (it fill error out in case of `gcloud` binary not available)
mkc := authn.NewMultiKeychain(&anonymousKeychain{}, kc, google.Keychain)
img, err := remote.Image(ref, remote.WithAuthFromKeychain(mkc))
// this will first try to authenticate using the k8schain,
// then fall back to the google keychain,
// then fall back to anonymous
mkc := authn.NewMultiKeychain(kc, google.Keychain)
img, err = remote.Image(ref, remote.WithAuthFromKeychain(mkc))
if err != nil {
return nil, fmt.Errorf("Failed to get container image info from registry %s: %v", image, err)
}

return img, nil
}

type anonymousKeychain struct{}

func (a *anonymousKeychain) Resolve(_ name.Registry) (authn.Authenticator, error) {
// This anonymous keychain returns our own anonythous authenticator implementation,
// as authn.NewMultiKeychain has a special logic to detect authn.Anonymous, that will
// make it try anonymously on last resort ; whereas we want to try anonymously first.
return &anonymous{}, nil
}

type anonymous struct{}

func (a *anonymous) Authorization() (string, error) {
return "", nil
}

0 comments on commit 38a1e31

Please sign in to comment.