Support multiple Docker secrets

This changes the credentials initialization to support multiple secrets not just of type basic-auth but also of type dockercfg and dockerconfigjson.
tektoncd · Jan 21, 2021 · 5003ca2 · 5003ca2
1 parent 338f8d3
commit 5003ca2
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 9 deletions.
diff --git a/pkg/credentials/dockercreds/creds.go b/pkg/credentials/dockercreds/creds.go
@@ -34,8 +34,8 @@ import (
 const annotationPrefix = "tekton.dev/docker-"
 
 var config basicDocker
-var dockerConfig string
-var dockerCfg string
+var dockerConfig arrayArg
+var dockerCfg arrayArg
 
 // AddFlags adds CLI flags that dockercreds supports to a given flag.FlagSet.
 func AddFlags(flagSet *flag.FlagSet) {
@@ -44,9 +44,11 @@ func AddFlags(flagSet *flag.FlagSet) {
 
 func flags(fs *flag.FlagSet) {
 	config = basicDocker{make(map[string]entry)}
+	dockerConfig = arrayArg{[]string{}}
+	dockerCfg = arrayArg{[]string{}}
 	fs.Var(&config, "basic-docker", "List of secret=url pairs.")
-	fs.StringVar(&dockerConfig, "docker-config", "", "Docker config.json secret file.")
-	fs.StringVar(&dockerCfg, "docker-cfg", "", "Docker .dockercfg secret file.")
+	fs.Var(&dockerConfig, "docker-config", "Docker config.json secret file.")
+	fs.Var(&dockerCfg, "docker-cfg", "Docker .dockercfg secret file.")
 }
 
 // As the flag is read, this status is populated.
@@ -87,6 +89,19 @@ func (dc *basicDocker) Set(value string) error {
 	return nil
 }
 
+type arrayArg struct {
+	Values []string
+}
+
+func (aa *arrayArg) Set(value string) error {
+	aa.Values = append(aa.Values, value)
+	return nil
+}
+
+func (aa *arrayArg) String() string {
+	return strings.Join(aa.Values, ",")
+}
+
 type configFile struct {
 	Auth map[string]entry `json:"auths"`
 }
@@ -158,17 +173,19 @@ func (*basicDockerBuilder) Write(directory string) error {
 	basicDocker := filepath.Join(dockerDir, "config.json")
 	cf := configFile{Auth: config.Entries}
 	auth := map[string]entry{}
-	if dockerCfg != "" {
-		dockerConfigAuthMap, err := authsFromDockerCfg(dockerCfg)
+
+	for _, secretName := range dockerCfg.Values {
+		dockerConfigAuthMap, err := authsFromDockerCfg(secretName)
 		if err != nil {
 			return err
 		}
 		for k, v := range dockerConfigAuthMap {
 			auth[k] = v
 		}
 	}
-	if dockerConfig != "" {
-		dockerConfigAuthMap, err := authsFromDockerConfig(dockerConfig)
+
+	for _, secretName := range dockerConfig.Values {
+		dockerConfigAuthMap, err := authsFromDockerConfig(secretName)
 		if err != nil {
 			return err
 		}

diff --git a/pkg/credentials/dockercreds/creds_test.go b/pkg/credentials/dockercreds/creds_test.go
@@ -244,6 +244,14 @@ func TestMultipleFlagHandling(t *testing.T) {
 		t.Fatalf("ioutil.WriteFile(username) = %v", err)
 	}
 
+	blubbDir := credentials.VolumeName("blubb")
+	if err := os.MkdirAll(blubbDir, os.ModePerm); err != nil {
+		t.Fatalf("os.MkdirAll(%s) = %v", blubbDir, err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(blubbDir, corev1.DockerConfigJsonKey), []byte(`{"auths":{"us.icr.io":{"auth":"fooisblubb"}}}`), 0777); err != nil {
+		t.Fatalf("ioutil.WriteFile(username) = %v", err)
+	}
+
 	bazDir := credentials.VolumeName("baz")
 	if err := os.MkdirAll(bazDir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", bazDir, err)
@@ -252,12 +260,22 @@ func TestMultipleFlagHandling(t *testing.T) {
 		t.Fatalf("ioutil.WriteFile(username) = %v", err)
 	}
 
+	blaDir := credentials.VolumeName("bla")
+	if err := os.MkdirAll(blaDir, os.ModePerm); err != nil {
+		t.Fatalf("os.MkdirAll(%s) = %v", blaDir, err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(blaDir, corev1.DockerConfigKey), []byte(`{"de.icr.io":{"auth":"fooisbla"}}`), 0777); err != nil {
+		t.Fatalf("ioutil.WriteFile(username) = %v", err)
+	}
+
 	fs := flag.NewFlagSet("test", flag.ContinueOnError)
 	AddFlags(fs)
 	err := fs.Parse([]string{
 		"-basic-docker=foo=https://us.gcr.io",
 		"-docker-config=bar",
+		"-docker-config=blubb",
 		"-docker-cfg=baz",
+		"-docker-cfg=bla",
 	})
 	if err != nil {
 		t.Fatalf("flag.CommandLine.Parse() = %v", err)
@@ -274,7 +292,7 @@ func TestMultipleFlagHandling(t *testing.T) {
 	}
 
 	// Note: "auth" is base64(username + ":" + password)
-	expected := `{"auths":{"https://index.docker.io/v1":{"auth":"fooisbar"},"https://my.registry/v1":{"auth":"fooisbaz"},"https://us.gcr.io":{"username":"bar","password":"baz","auth":"YmFyOmJheg==","email":"not@val.id"}}}`
+	expected := `{"auths":{"de.icr.io":{"auth":"fooisbla"},"https://index.docker.io/v1":{"auth":"fooisbar"},"https://my.registry/v1":{"auth":"fooisbaz"},"https://us.gcr.io":{"username":"bar","password":"baz","auth":"YmFyOmJheg==","email":"not@val.id"},"us.icr.io":{"auth":"fooisblubb"}}}`
 	if string(b) != expected {
 		t.Errorf("got: %v, wanted: %v", string(b), expected)
 	}