e2e podman private registry (hashicorp#17642)

* e2e: add tests for using private registry with podman driver This PR adds e2e tests that stands up a private docker registry and has a podman tasks run a container from an image in that private registry. Tests - user:password set in task config - auth_soft_fail works for public images when auth is set in driver - credentials helper is set in driver auth config - config auth.json file is set in driver auth config * packer: use nomad-driver-podman v0.5.0 * e2e: eliminate unnecessary chmod Co-authored-by: Daniel Bennett <dbennett@hashicorp.com> * cr: no need to install nomad twice * cl: no need to install docker twice --------- Co-authored-by: Daniel Bennett <dbennett@hashicorp.com>
lattwood · Jul 19, 2023 · 8d28946 · 8d28946
1 parent ce0f60f
commit 8d28946
Show file tree

Hide file tree

Showing 9 changed files with 587 additions and 34 deletions.
diff --git a/e2e/podman/input/auth_basic.hcl b/e2e/podman/input/auth_basic.hcl
@@ -0,0 +1,76 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# This job runs a podman task using a container stored in a private registry
+# configured with basic authentication. The registry.hcl job should be running
+# and healthy before running this job. The registry_address and registry_port
+# HCL variables must be provided.
+
+variable "registry_address" {
+  type        = string
+  description = "The HTTP address of the local registry"
+  default     = "localhost"
+}
+
+variable "registry_port" {
+  type        = number
+  description = "The HTTP port of the local registry"
+  default     = "7511"
+}
+
+variable "registry_username" {
+  type        = string
+  description = "The Basic Auth username of the local registry"
+  default     = "auth_basic_user"
+}
+
+variable "registry_password" {
+  type        = string
+  description = "The Basic Auth password of the local registry"
+  default     = "auth_basic_pass"
+}
+
+locals {
+  registry_auth = base64encode("${var.registry_username}:${var.registry_password}")
+}
+
+job "auth_basic" {
+  type = "batch"
+
+  constraint {
+    attribute = "${attr.kernel.name}"
+    value     = "linux"
+  }
+
+  group "basic" {
+    reschedule {
+      attempts  = 0
+      unlimited = false
+    }
+
+    network {
+      mode = "host"
+    }
+
+    task "echo" {
+      driver = "podman"
+
+      config {
+        image          = "${var.registry_address}:${var.registry_port}/docker.io/library/bash_auth_basic:private"
+        args           = ["echo", "The auth basic test is OK!"]
+        auth_soft_fail = true
+
+        auth {
+          username   = "${var.registry_username}"
+          password   = "${var.registry_password}"
+          tls_verify = false
+        }
+      }
+
+      resources {
+        cpu    = 100
+        memory = 64
+      }
+    }
+  }
+}
diff --git a/e2e/podman/input/auth_helper.hcl b/e2e/podman/input/auth_helper.hcl
@@ -0,0 +1,58 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# This job runs a podman task using a container stored in a private registry
+# configured with credentials helper authentication. The registry.hcl job should
+# be running and healthy before running this job.
+
+variable "registry_address" {
+  type        = string
+  description = "The HTTP address of the local registry"
+  default     = "localhost"
+}
+
+variable "registry_port" {
+  type        = number
+  description = "The HTTP port of the local registry"
+  default     = "7511"
+}
+
+job "auth_static" {
+  type = "batch"
+
+  constraint {
+    attribute = "${attr.kernel.name}"
+    value     = "linux"
+  }
+
+  group "helper" {
+    reschedule {
+      attempts  = 0
+      unlimited = false
+    }
+
+    network {
+      mode = "host"
+    }
+
+    task "echo" {
+      driver = "podman"
+
+      config {
+        image = "${var.registry_address}:${var.registry_port}/docker.io/library/bash_auth_helper:private"
+        args  = ["echo", "The credentials helper auth test is OK!"]
+
+        auth {
+          # usename and password come from [docker-credential-]test.sh found on
+          # $PATH as specified by "helper=test.sh" in plugin config
+          tls_verify = false
+        }
+      }
+
+      resources {
+        cpu    = 100
+        memory = 64
+      }
+    }
+  }
+}
diff --git a/e2e/podman/input/auth_static.hcl b/e2e/podman/input/auth_static.hcl
@@ -0,0 +1,68 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# This job runs a podman task using a container stored in a private registry
+# configured with file config static authentication. The registry.hcl job should
+# be running and healthy before running this job.
+
+variable "registry_address" {
+  type        = string
+  description = "The HTTP address of the local registry"
+  default     = "localhost"
+}
+
+variable "registry_port" {
+  type        = number
+  description = "The HTTP port of the local registry"
+  default     = "7511"
+}
+
+job "auth_static" {
+  type = "batch"
+
+  constraint {
+    attribute = "${attr.kernel.name}"
+    value     = "linux"
+  }
+
+  group "static" {
+    reschedule {
+      attempts  = 0
+      unlimited = false
+    }
+
+    network {
+      mode = "host"
+    }
+
+    task "echo" {
+      driver = "podman"
+
+      config {
+        image = "${var.registry_address}:${var.registry_port}/docker.io/library/bash_auth_static:private"
+        args  = ["echo", "The static auth test is OK!"]
+
+        auth {
+          # usename and password come from auth.json in plugin config
+          tls_verify = false
+        }
+      }
+
+      resources {
+        cpu    = 100
+        memory = 64
+      }
+    }
+  }
+}
+
+# auth.json (must be pointed to by config=<path>/auth.json)
+#
+# {
+#   "auths": {
+#     "127.0.0.1:7511/docker.io/library/bash_auth_static": {
+#       "auth": "YXV0aF9zdGF0aWNfdXNlcjphdXRoX3N0YXRpY19wYXNz"
+#     }
+#   }
+# }
+
diff --git a/e2e/podman/input/podman_basic.hcl → e2e/podman/input/redis.hcl b/e2e/podman/input/podman_basic.hcl → e2e/podman/input/redis.hcl
@@ -1,7 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-job "podman_basic" {
+# This is a simple redis job using the podman task driver.
+
+job "redis" {
 
   constraint {
     attribute = "${attr.kernel.name}"
@@ -19,8 +21,9 @@ job "podman_basic" {
       driver = "podman"
 
       config {
-        image = "redis:7"
-        ports = ["db"]
+        image          = "docker.io/library/redis:7"
+        ports          = ["db"]
+        auth_soft_fail = true
       }
 
       resources {

diff --git a/e2e/podman/input/registry-auths.hcl b/e2e/podman/input/registry-auths.hcl
@@ -0,0 +1,120 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# This job runs after the private registry is up and running, when we know
+# address and port provided by the bridge network. It is a sysbatch job
+# that writes these files on every linux client.
+#   - /usr/local/bin/docker-credential-test.sh
+#   - /etc/docker-registry-auth.json
+
+variable "registry_address" {
+  type        = string
+  description = "The HTTP address of the local registry"
+}
+
+variable "auth_dir" {
+  type        = string
+  description = "The destination directory of the auth.json file."
+  default     = "/tmp"
+}
+
+variable "helper_dir" {
+  type        = string
+  description = "The directory in which test.sh will be written."
+  default     = "/tmp"
+}
+
+variable "user" {
+  type        = string
+  description = "The user to create files as. Should be root in e2e."
+  # no default because dealing with root files is annoying locally
+  # try -var=user=$USER for local development
+}
+
+job "registry-auths" {
+  type = "sysbatch"
+
+  constraint {
+    attribute = "${attr.kernel.name}"
+    value     = "linux"
+  }
+
+  group "create-files" {
+    reschedule {
+      attempts  = 0
+      unlimited = false
+    }
+
+    # write out the test.sh file into var.helper_dir
+    task "create-helper-file" {
+      driver = "pledge"
+      user   = "${var.user}"
+
+      config {
+        command  = "cp"
+        args     = ["${NOMAD_TASK_DIR}/test.sh", "${var.helper_dir}/docker-credential-test.sh"]
+        promises = "stdio rpath wpath cpath"
+        unveil   = ["r:${NOMAD_TASK_DIR}/test.sh", "rwc:${var.helper_dir}"]
+      }
+      template {
+        destination = "local/test.sh"
+        perms       = "755"
+        data        = <<EOH
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+value=$(cat /dev/stdin)
+
+username="auth_helper_user"
+password="auth_helper_pass"
+
+case "${value}" in
+  docker.io/*)
+    echo "must use local registry"
+    exit 3
+    ;;
+  *)
+    echo "{\"Username\": \"$username\", \"Secret\": \"$password\"}"
+    exit 0
+    ;;
+esac
+EOH
+      }
+      resources {
+        cpu    = 100
+        memory = 32
+      }
+    }
+
+    # write out the auth.json file into var.auth_dir
+    task "create-auth-file" {
+      driver = "pledge"
+      user   = "${var.user}"
+
+      config {
+        command  = "cp"
+        args     = ["${NOMAD_TASK_DIR}/auth.json", "${var.auth_dir}/auth.json"]
+        promises = "stdio rpath wpath cpath"
+        unveil   = ["r:${NOMAD_TASK_DIR}/auth.json", "rwc:${var.auth_dir}"]
+      }
+      template {
+        perms       = "644"
+        destination = "local/auth.json"
+        data        = <<EOH
+{
+  "auths": {
+    "${var.registry_address}:/docker.io/library/bash_auth_static": {
+      "auth": "YXV0aF9zdGF0aWNfdXNlcjphdXRoX3N0YXRpY19wYXNz"
+    }
+  }
+}
+EOH
+      }
+      resources {
+        cpu    = 100
+        memory = 32
+      }
+    }
+  }
+}