pkg/auth: remove CRI Alpha API
CRI v1alpha2 is deprecated since containerd 1.7:
https://github.com/containerd/containerd/blob/v1.7.0/RELEASES.md#deprecated-features

Co-authored-by: apostasie <spam_blackhole@farcloser.world>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah and apostasie committed Aug 1, 2024
1 parent 15fe071 commit 98bd867
Showing 2 changed files with 54 additions and 82 deletions.
21 changes: 3 additions & 18 deletions pkg/auth/image_proxy.go
Expand Up @@ -14,10 +14,8 @@ import (
"github.com/containerd/containerd/defaults"
"github.com/containerd/containerd/pkg/dialer"
"github.com/containerd/containerd/reference"
runtime_alpha "github.com/containerd/containerd/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
"github.com/containerd/log"
"github.com/containerd/stargz-snapshotter/service/keychain/cri"
"github.com/containerd/stargz-snapshotter/service/keychain/crialpha"
"github.com/containerd/stargz-snapshotter/service/resolver"
distribution "github.com/distribution/reference"
"github.com/pkg/errors"
Expand Down Expand Up @@ -57,30 +55,17 @@ func AddImageProxy(ctx context.Context, rpc *grpc.Server, imageServiceAddress st
criAddr = imageServiceAddress
}

connectAlphaCRI := func() (runtime_alpha.ImageServiceClient, error) {
conn, err := newCRIConn(criAddr)
if err != nil {
return nil, err
}
return runtime_alpha.NewImageServiceClient(conn), nil
}

connectCri := func() (runtime.ImageServiceClient, error) {
criCred, criServer := cri.NewCRIKeychain(ctx, func() (runtime.ImageServiceClient, error) {
conn, err := newCRIConn(criAddr)
if err != nil {
return nil, err
}

return runtime.NewImageServiceClient(conn), nil
}

criAlphaCred, criAlphaServer := crialpha.NewCRIAlphaKeychain(ctx, connectAlphaCRI)
runtime_alpha.RegisterImageServiceServer(rpc, criAlphaServer)

criCred, criServer := cri.NewCRIKeychain(ctx, connectCri)
})
runtime.RegisterImageServiceServer(rpc, criServer)

Credentials = append(Credentials, criAlphaCred, criCred)
Credentials = append(Credentials, criCred)

log.G(ctx).WithField("target-image-service", criAddr).Info("setup image proxy keychain")
}
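Review bot: With `runtime_alpha.RegisterImageServiceServer(rpc, criAlphaServer)` gone, `AddImageProxy` serves only the CRI v1 ImageService on `rpc`, and nothing in the new code says so. A client that still speaks v1alpha2 to this address will presumably get a gRPC Unimplemented error, so the credentials in its PullImage requests never reach `Credentials` and later registry authentication for those images fails without an obvious cause. I would add a comment above `runtime.RegisterImageServiceServer(rpc, criServer)`, for example `// Only CRI v1 is served; v1alpha2 clients are rejected and their pull credentials are not captured.`, and state the supported CRI version in the function's doc comment. The body of `AddImageProxy` starts above this hunk, so its existing doc comment is not visible here.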
115 changes: 51 additions & 64 deletions pkg/auth/image_proxy_test.go
Expand Up @@ -9,26 +9,16 @@ package auth
import (
"context"
"net"
"os"
"path/filepath"
"testing"

"github.com/containerd/containerd/pkg/dialer"
runtime_alpha "github.com/containerd/containerd/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
"github.com/stretchr/testify/assert"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
)

type MockAlphaImageService struct {
runtime_alpha.UnimplementedImageServiceServer
}

func (*MockAlphaImageService) PullImage(_ context.Context, _ *runtime_alpha.PullImageRequest) (*runtime_alpha.PullImageResponse, error) {
return &runtime_alpha.PullImageResponse{}, nil
}

type MockImageService struct {
runtime.UnimplementedImageServiceServer
}
Expand All @@ -39,120 +29,117 @@ func (*MockImageService) PullImage(_ context.Context, _ *runtime.PullImageReques

func TestFromImagePull(t *testing.T) {
var err error
assert := assert.New(t)
assertions := assert.New(t)

ctx := context.TODO()
d := t.TempDir()
defer os.RemoveAll(d)

tagImage := "docker.io/library/busybox:latest"

// should return nil if no proxy
kc, err := FromCRI("docker.io", tagImage)
assert.Nil(kc)
assert.NoError(err)
assertions.Nil(kc)
assertions.NoError(err)

// Mocking the end CRI request consumer.
mockRPC := grpc.NewServer()
mockSocket := filepath.Join(d, "mock.sock")
lm, err := net.Listen("unix", mockSocket)
assert.NoError(err)

// The server of CRI image service proxy.
proxyRPC := grpc.NewServer()
proxySocket := filepath.Join(d, "proxy.sock")
lp, err := net.Listen("unix", proxySocket)
assert.NoError(err)
listenMock, err := net.Listen("unix", mockSocket)
assertions.NoError(err)

// Mocking the end CRI request consumer.
serverAlpha := &MockAlphaImageService{}
server := &MockImageService{}
runtime_alpha.RegisterImageServiceServer(mockRPC, serverAlpha)
runtime.RegisterImageServiceServer(mockRPC, server)

go func() {
err := mockRPC.Serve(lm)
assert.NoError(err)
err := mockRPC.Serve(listenMock)
assertions.NoError(err)
}()
defer mockRPC.Stop()

// The server of CRI image service proxy.
proxyRPC := grpc.NewServer()
proxySocket := filepath.Join(d, "proxy.sock")
listenProxy, err := net.Listen("unix", proxySocket)
assertions.NoError(err)
AddImageProxy(ctx, proxyRPC, mockSocket)
go func() {
err := proxyRPC.Serve(lp)
assert.NoError(err)
err := proxyRPC.Serve(listenProxy)
assertions.NoError(err)
}()
defer proxyRPC.Stop()

kc, err = FromCRI("docker.io", tagImage)
// should return empty kc before pulling
assert.Nil(kc)
assert.NoError(err)
kc, err = FromCRI("docker.io", tagImage)
assertions.Nil(kc)
assertions.NoError(err)

gopts := []grpc.DialOption{
grpc.WithTransportCredentials(insecure.NewCredentials()),
grpc.WithContextDialer(dialer.ContextDialer),
}
conn, err := grpc.Dial(dialer.DialAddress(proxySocket), gopts...)
assert.NoError(err)
criAlphaClient := runtime_alpha.NewImageServiceClient(conn)
irAlpha := &runtime_alpha.PullImageRequest{
Image: &runtime_alpha.ImageSpec{
assertions.NoError(err)

criClient := runtime.NewImageServiceClient(conn)

_, err = criClient.PullImage(ctx, &runtime.PullImageRequest{
Image: &runtime.ImageSpec{
Image: tagImage,
},
Auth: &runtime_alpha.AuthConfig{
Auth: &runtime.AuthConfig{
Username: "test",
Password: "passwd",
},
}
_, err = criAlphaClient.PullImage(ctx, irAlpha)
assert.NoError(err)
})
assertions.NoError(err)

criClient := runtime.NewImageServiceClient(conn)

kc, err = FromCRI("docker.io", tagImage)
// get correct kc after pulling
assert.Equal("test", kc.Username)
assert.Equal("passwd", kc.Password)
assert.NoError(err)
kc, err = FromCRI("docker.io", tagImage)
assertions.NoError(err)
assertions.Equal("test", kc.Username)
assertions.Equal("passwd", kc.Password)

kc, err = FromCRI("docker.io", "docker.io/library/busybox:another")
// get empty kc with wrong tag
assert.Nil(kc)
assert.NoError(err)
kc, err = FromCRI("docker.io", "docker.io/library/busybox:another")
assertions.Nil(kc)
assertions.NoError(err)

image2 := "ghcr.io/busybox:latest"

ir := &runtime.PullImageRequest{
_, err = criClient.PullImage(ctx, &runtime.PullImageRequest{
Image: &runtime.ImageSpec{
Image: image2,
},
Auth: &runtime.AuthConfig{
Username: "test_1",
Password: "passwd_1",
},
}
_, err = criClient.PullImage(ctx, ir)
assert.NoError(err)
})
assertions.NoError(err)

// get correct kc after pulling
kc, err = FromCRI("ghcr.io", image2)
assert.Equal(kc.Username, "test_1")
assert.Equal(kc.Password, "passwd_1")
assert.NoError(err)
assertions.NoError(err)
assertions.Equal(kc.Username, "test_1")
assertions.Equal(kc.Password, "passwd_1")

// should work with digest
digestImage := "docker.io/library/busybox@sha256:7cc4b5aefd1d0cadf8d97d4350462ba51c694ebca145b08d7d41b41acc8db5aa"
irAlpha = &runtime_alpha.PullImageRequest{
Image: &runtime_alpha.ImageSpec{
_, err = criClient.PullImage(ctx, &runtime.PullImageRequest{
Image: &runtime.ImageSpec{
Image: digestImage,
},
Auth: &runtime_alpha.AuthConfig{
Auth: &runtime.AuthConfig{
Username: "digest",
Password: "dpwd",
},
}
_, err = criAlphaClient.PullImage(ctx, irAlpha)
assert.NoError(err)
})
assertions.NoError(err)

// get correct kc after pulling
kc, err = FromCRI("docker.io", digestImage)
assert.Equal("digest", kc.Username)
assert.Equal("dpwd", kc.Password)
assert.NoError(err)
assertions.NoError(err)
assertions.Equal("digest", kc.Username)
assertions.Equal("dpwd", kc.Password)
}
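Review bot: In `TestFromImagePull`, each post-pull `FromCRI` result is dereferenced (`kc.Username`, `kc.Password`) right after `assertions.NoError(err)`, but testify's `assert` does not stop the test, so a regression that returns a nil keychain would panic on a nil pointer instead of reporting a failed assertion. Guard the three post-pull checks with `if !assertions.NotNil(kc) { t.FailNow() }` before reading the fields. The `ghcr.io` check also passes its arguments as (actual, expected); `assertions.Equal("test_1", kc.Username)` matches the other checks and produces a correct failure message. The `conn` returned by `grpc.Dial` is never closed in the visible body, so a `defer conn.Close()` after its error check would release it.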
