add basic auth

dskiff · Apr 27, 2024 · 65e20a5 · 65e20a5
1 parent 9a3d40d
commit 65e20a5
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 2 deletions.
diff --git a/pkg/cmd/build.go b/pkg/cmd/build.go
@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"fmt"
 	"log"
 	"os"
 
@@ -30,6 +31,9 @@ type BuildCmd struct {
 	DefaultAnnotations map[string]string `short:"A" help:"Default annotations to apply to the image" env:"TKO_DEFAULT_ANNOTATIONS" default:"" mapsep:"," sep:"="`
 	Annotations        map[string]string `short:"a" help:"Additional annotations to apply to the image. Can override default-annotations." env:"TKO_ANNOTATIONS" default:"" mapsep:"," sep:"="`
 
+	RegistryUser string `help:"Registry user. Used for target registry url. You can use standard docker config for more complex auth." env:"TKO_REGISTRY_USER"`
+	RegistryPass string `help:"Registry password. Used for target registry url. You can use standard docker config for more complex auth." env:"TKO_REGISTRY_PASS"`
+
 	Tmp     string `help:"Path where tko can write temporary files. Defaults to golang's tmp logic." env:"TKO_TMP" default:""`
 	Verbose bool   `short:"v" help:"Enable verbose output"`
 }
@@ -45,11 +49,21 @@ func (b *BuildCmd) Run(cliCtx *CliCtx) error {
 		return err
 	}
 
-	keychain := authn.NewMultiKeychain(
+	keychains := []authn.Keychain{
 		authn.DefaultKeychain,
 		google.Keychain,
 		github.Keychain,
-	)
+	}
+
+	if b.RegistryUser != "" && b.RegistryPass != "" {
+		k, err := newSimpleKeychain(b.RegistryUser, b.RegistryPass, b.TargetRepo)
+		if err != nil {
+			return fmt.Errorf("failed to create keychain: %w", err)
+		}
+
+		keychains = append([]authn.Keychain{k.toKeychain()}, keychains...)
+	}
+	keychain := authn.NewMultiKeychain(keychains...)
 
 	// Annotations would ideally be merged by kong, but this works too
 	annotations := make(map[string]string)

diff --git a/pkg/cmd/simpleKeychain.go b/pkg/cmd/simpleKeychain.go
@@ -0,0 +1,57 @@
+package cmd
+
+import (
+	"fmt"
+	"log"
+	"net/url"
+	"strings"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/name"
+)
+
+type SimpleKeychain struct {
+	Username string
+	Password string
+	Registry string
+}
+
+func newSimpleKeychain(username, password, targetRepo string) (SimpleKeychain, error) {
+	// Resolve the name first (should auto-inject default docker, for example)
+	ref, err := name.ParseReference(targetRepo)
+	if err != nil {
+		return SimpleKeychain{}, err
+	}
+
+	uri := ref.Context().Name()
+	if !strings.Contains(uri, "://") {
+		uri = "https://" + uri
+	}
+
+	// get domain from target repo
+	url, err := url.Parse(uri)
+	if err != nil {
+		return SimpleKeychain{}, err
+	}
+
+	return SimpleKeychain{
+		Username: username,
+		Password: password,
+		Registry: url.Hostname(),
+	}, nil
+}
+
+func (s *SimpleKeychain) toKeychain() authn.Keychain {
+	return authn.NewKeychainFromHelper(s)
+}
+
+func (s *SimpleKeychain) Get(serverURL string) (string, string, error) {
+	// if the serverURL is not the same as the registry, return an error
+	if serverURL != s.Registry {
+		log.Printf("Not using provided credentials for %s because it does not match target registry %s", serverURL, s.Registry)
+		return "", "", fmt.Errorf("serverURL %s does not match registry %s", serverURL, s.Registry)
+	}
+
+	log.Println("Using provided credentials for", s.Registry)
+	return s.Username, s.Password, nil
+}