oci: refactors pusher auth (#2979)

Signed-off-by: kapil <kapilsareen584@gmail.com>

Author: KapilSareen

cmd/build.go

@@ -394,9 +394,14 @@ func (c buildConfig) clientOptions() ([]fn.Option, error) {
 	o := []fn.Option{fn.WithRegistry(c.Registry)}
 	switch c.Builder {
 	case builders.Host:
+		t := newTransport(c.RegistryInsecure) // may provide a custom impl which proxies
+		creds := newCredentialsProvider(config.Dir(), t)
 		o = append(o,
 			fn.WithBuilder(oci.NewBuilder(builders.Host, c.Verbose)),
-			fn.WithPusher(oci.NewPusher(c.RegistryInsecure, false, c.Verbose)))
+			fn.WithPusher(oci.NewPusher(c.RegistryInsecure, false, c.Verbose,
+				oci.WithCredentialsProvider(creds),
+				oci.WithVerbose(c.Verbose))),
+		)
 	case builders.Pack:
 		o = append(o,
 			fn.WithBuilder(pack.NewBuilder(

cmd/client.go

@@ -8,12 +8,13 @@ import (
 	"knative.dev/func/cmd/prompt"
 	"knative.dev/func/pkg/builders/buildpacks"
 	"knative.dev/func/pkg/config"
+	"knative.dev/func/pkg/creds"
 	"knative.dev/func/pkg/docker"
-	"knative.dev/func/pkg/docker/creds"
 	fn "knative.dev/func/pkg/functions"
 	fnhttp "knative.dev/func/pkg/http"
 	"knative.dev/func/pkg/k8s"
 	"knative.dev/func/pkg/knative"
+	"knative.dev/func/pkg/oci"
 	"knative.dev/func/pkg/pipelines/tekton"
 )
 
@@ -100,19 +101,22 @@ func newTransport(insecureSkipVerify bool) fnhttp.RoundTripCloser {
 // newCredentialsProvider returns a credentials provider which possibly
 // has cluster-flavor specific additional credential loaders to take advantage
 // of features or configuration nuances of cluster variants.
-func newCredentialsProvider(configPath string, t http.RoundTripper) docker.CredentialsProvider {
+func newCredentialsProvider(configPath string, t http.RoundTripper) oci.CredentialsProvider {
+	additionalLoaders := append(k8s.GetOpenShiftDockerCredentialLoaders(), k8s.GetGoogleCredentialLoader()...)
+	additionalLoaders = append(additionalLoaders, k8s.GetECRCredentialLoader()...)
+	additionalLoaders = append(additionalLoaders, k8s.GetACRCredentialLoader()...)
 	options := []creds.Opt{
 		creds.WithPromptForCredentials(prompt.NewPromptForCredentials(os.Stdin, os.Stdout, os.Stderr)),
 		creds.WithPromptForCredentialStore(prompt.NewPromptForCredentialStore()),
 		creds.WithTransport(t),
-		creds.WithAdditionalCredentialLoaders(k8s.GetOpenShiftDockerCredentialLoaders()...),
+		creds.WithAdditionalCredentialLoaders(additionalLoaders...),
 	}
 
 	// Other cluster variants can be supported here
 	return creds.NewCredentialsProvider(configPath, options...)
 }
 
-func newTektonPipelinesProvider(creds docker.CredentialsProvider, verbose bool) *tekton.PipelinesProvider {
+func newTektonPipelinesProvider(creds oci.CredentialsProvider, verbose bool) *tekton.PipelinesProvider {
 	options := []tekton.Opt{
 		tekton.WithCredentialsProvider(creds),
 		tekton.WithVerbose(verbose),

cmd/prompt/prompt.go

@@ -11,14 +11,14 @@ import (
 	"github.com/AlecAivazis/survey/v2/terminal"
 	"golang.org/x/term"
 
-	"knative.dev/func/pkg/docker"
-	"knative.dev/func/pkg/docker/creds"
+	"knative.dev/func/pkg/creds"
+	"knative.dev/func/pkg/oci"
 )
 
-func NewPromptForCredentials(in io.Reader, out, errOut io.Writer) func(repository string) (docker.Credentials, error) {
+func NewPromptForCredentials(in io.Reader, out, errOut io.Writer) func(repository string) (oci.Credentials, error) {
 	firstTime := true
-	return func(repository string) (docker.Credentials, error) {
-		var result docker.Credentials
+	return func(repository string) (oci.Credentials, error) {
+		var result oci.Credentials
 		if firstTime {
 			firstTime = false
 			fmt.Fprintf(out, "Please provide credentials for image repository '%s'.\n", repository)
@@ -56,26 +56,26 @@ func NewPromptForCredentials(in io.Reader, out, errOut io.Writer) func(repositor
 		if isTerm {
 			err := survey.Ask(qs, &result, survey.WithStdio(fr, out.(terminal.FileWriter), errOut))
 			if err != nil {
-				return docker.Credentials{}, err
+				return oci.Credentials{}, err
 			}
 		} else {
 			reader := bufio.NewReader(in)
 
 			fmt.Fprintf(out, "Username: ")
 			u, err := reader.ReadString('\n')
 			if err != nil {
-				return docker.Credentials{}, err
+				return oci.Credentials{}, err
 			}
 			u = strings.Trim(u, "\r\n")
 
 			fmt.Fprintf(out, "Password: ")
 			p, err := reader.ReadString('\n')
 			if err != nil {
-				return docker.Credentials{}, err
+				return oci.Credentials{}, err
 			}
 			p = strings.Trim(p, "\r\n")
 
-			result = docker.Credentials{Username: u, Password: p}
+			result = oci.Credentials{Username: u, Password: p}
 		}
 
 		return result, nil

cmd/prompt/prompt_test.go

@@ -12,16 +12,15 @@ import (
 	"github.com/Netflix/go-expect"
 	"github.com/creack/pty"
 	"github.com/hinshun/vt10x"
-
-	"knative.dev/func/pkg/docker"
+	"knative.dev/func/pkg/oci"
 )
 
 const (
 	enter = "\r"
 )
 
 func Test_NewPromptForCredentials(t *testing.T) {
-	expectedCreds := docker.Credentials{
+	expectedCreds := oci.Credentials{
 		Username: "testuser",
 		Password: "testpwd",
 	}

pkg/docker/creds/credentials.go pkg/creds/credentials.gopkg/docker/creds/credentials.go renamed to pkg/creds/credentials.go

@@ -22,18 +22,18 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
 
-	"knative.dev/func/pkg/docker"
+	"knative.dev/func/pkg/oci"
 )
 
-type CredentialsCallback func(registry string) (docker.Credentials, error)
+type CredentialsCallback func(registry string) (oci.Credentials, error)
 
 var ErrUnauthorized = errors.New("bad credentials")
 
 var ErrCredentialsNotFound = errors.New("credentials not found")
 
 // VerifyCredentialsCallback checks if credentials are authorized for image push.
 // If credentials are incorrect this callback shall return ErrUnauthorized.
-type VerifyCredentialsCallback func(ctx context.Context, image string, credentials docker.Credentials) error
+type VerifyCredentialsCallback func(ctx context.Context, image string, credentials oci.Credentials) error
 
 type keyChain struct {
 	user string
@@ -48,7 +48,7 @@ func (k keyChain) Resolve(resource authn.Resource) (authn.Authenticator, error)
 }
 
 // CheckAuth verifies that credentials can be used for image push
-func CheckAuth(ctx context.Context, image string, credentials docker.Credentials, trans http.RoundTripper) error {
+func CheckAuth(ctx context.Context, image string, credentials oci.Credentials, trans http.RoundTripper) error {
 
 	ref, err := name.ParseReference(image)
 	if err != nil {
@@ -142,9 +142,8 @@ func WithAdditionalCredentialLoaders(loaders ...CredentialsCallback) Opt {
 // The picked value will be saved in the func config.
 //
 // To verify that credentials are correct custom callback can be used (see WithVerifyCredentials).
-func NewCredentialsProvider(configPath string, opts ...Opt) docker.CredentialsProvider {
+func NewCredentialsProvider(configPath string, opts ...Opt) oci.CredentialsProvider {
 	var c credentialsProvider
-
 	for _, o := range opts {
 		o(&c)
 	}
@@ -154,7 +153,7 @@ func NewCredentialsProvider(configPath string, opts ...Opt) docker.CredentialsPr
 	}
 
 	if c.verifyCredentials == nil {
-		c.verifyCredentials = func(ctx context.Context, registry string, credentials docker.Credentials) error {
+		c.verifyCredentials = func(ctx context.Context, registry string, credentials oci.Credentials) error {
 			return CheckAuth(ctx, registry, credentials, c.transport)
 		}
 	}
@@ -175,7 +174,7 @@ func NewCredentialsProvider(configPath string, opts ...Opt) docker.CredentialsPr
 
 	if _, err := os.Stat(c.authFilePath); err == nil {
 		defaultCredentialLoaders = append(defaultCredentialLoaders,
-			func(registry string) (docker.Credentials, error) {
+			func(registry string) (oci.Credentials, error) {
 				return getCredentialsByCredentialHelper(c.authFilePath, registry)
 			})
 	}
@@ -185,54 +184,54 @@ func NewCredentialsProvider(configPath string, opts ...Opt) docker.CredentialsPr
 	if err == nil {
 		dockerConfigPath := filepath.Join(home, ".docker", "config.json")
 		defaultCredentialLoaders = append(defaultCredentialLoaders,
-			func(registry string) (docker.Credentials, error) {
+			func(registry string) (oci.Credentials, error) {
 				return getCredentialsByCredentialHelper(dockerConfigPath, registry)
 			})
 	}
 	defaultCredentialLoaders = append(defaultCredentialLoaders,
-		func(registry string) (docker.Credentials, error) {
+		func(registry string) (oci.Credentials, error) {
 			creds, err := dockerConfig.GetCredentials(sys, registry)
 			if err != nil {
-				return docker.Credentials{}, err
+				return oci.Credentials{}, err
 			}
 			if creds.Username == "" || creds.Password == "" {
-				return docker.Credentials{}, ErrCredentialsNotFound
+				return oci.Credentials{}, ErrCredentialsNotFound
 			}
-			return docker.Credentials{
+			return oci.Credentials{
 				Username: creds.Username,
 				Password: creds.Password,
 			}, nil
 		})
 	defaultCredentialLoaders = append(defaultCredentialLoaders,
-		func(registry string) (docker.Credentials, error) {
+		func(registry string) (oci.Credentials, error) {
 			// Fallback onto default docker config locations
 			emptySys := &containersTypes.SystemContext{}
 			creds, err := dockerConfig.GetCredentials(emptySys, registry)
 			if err != nil {
-				return docker.Credentials{}, err
+				return oci.Credentials{}, err
 			}
-			return docker.Credentials{
+			return oci.Credentials{
 				Username: creds.Username,
 				Password: creds.Password,
 			}, nil
 		})
 	defaultCredentialLoaders = append(defaultCredentialLoaders,
-		func(registry string) (docker.Credentials, error) { // empty credentials provider for unsecured registries
-			return docker.Credentials{}, nil
+		func(registry string) (oci.Credentials, error) { // empty credentials provider for unsecured registries
+			return oci.Credentials{}, nil
 		})
 
 	c.credentialLoaders = append(c.credentialLoaders, defaultCredentialLoaders...)
 
 	return c.getCredentials
 }
 
-func (c *credentialsProvider) getCredentials(ctx context.Context, image string) (docker.Credentials, error) {
+func (c *credentialsProvider) getCredentials(ctx context.Context, image string) (oci.Credentials, error) {
 	var err error
-	result := docker.Credentials{}
+	result := oci.Credentials{}
 
 	ref, err := name.ParseReference(image)
 	if err != nil {
-		return docker.Credentials{}, fmt.Errorf("cannot parse the image reference: %w", err)
+		return oci.Credentials{}, fmt.Errorf("cannot parse the image reference: %w", err)
 	}
 
 	registry := ref.Context().RegistryStr()
@@ -244,22 +243,22 @@ func (c *credentialsProvider) getCredentials(ctx context.Context, image string)
 			if errors.Is(err, ErrCredentialsNotFound) {
 				continue
 			}
-			return docker.Credentials{}, err
+			return oci.Credentials{}, err
 		}
 
 		err = c.verifyCredentials(ctx, image, result)
 		if err == nil {
 			return result, nil
 		} else {
 			if !errors.Is(err, ErrUnauthorized) {
-				return docker.Credentials{}, err
+				return oci.Credentials{}, err
 			}
 		}
 
 	}
 
 	if c.promptForCredentials == nil {
-		return docker.Credentials{}, ErrCredentialsNotFound
+		return oci.Credentials{}, ErrCredentialsNotFound
 	}
 
 	// this is [registry] / [repository]
@@ -271,7 +270,7 @@ func (c *credentialsProvider) getCredentials(ctx context.Context, image string)
 		// use repo here to print it out in prompt
 		result, err = c.promptForCredentials(repository)
 		if err != nil {
-			return docker.Credentials{}, err
+			return oci.Credentials{}, err
 		}
 
 		err = c.verifyCredentials(ctx, image, result)
@@ -282,33 +281,33 @@ func (c *credentialsProvider) getCredentials(ctx context.Context, image string)
 				// This shouldn't be fatal error.
 				if strings.Contains(err.Error(), "not implemented") {
 					fmt.Fprintf(os.Stderr, "the cred-helper does not support write operation (consider changing the cred-helper it in auth.json)\n")
-					return docker.Credentials{}, nil
+					return oci.Credentials{}, nil
 				}
 
 				if !errors.Is(err, errNoCredentialHelperConfigured) {
-					return docker.Credentials{}, err
+					return oci.Credentials{}, err
 				}
 				helpers := listCredentialHelpers()
 				helper, err := c.promptForCredentialStore(helpers)
 				if err != nil {
-					return docker.Credentials{}, err
+					return oci.Credentials{}, err
 				}
 				helper = strings.TrimPrefix(helper, "docker-credential-")
 				err = setCredentialHelperToConfig(c.authFilePath, helper)
 				if err != nil {
-					return docker.Credentials{}, fmt.Errorf("faild to set the helper to the config: %w", err)
+					return oci.Credentials{}, fmt.Errorf("faild to set the helper to the config: %w", err)
 				}
 				err = setCredentialsByCredentialHelper(c.authFilePath, registry, result.Username, result.Password)
 				if err != nil {
 
 					// This shouldn't be fatal error.
 					if strings.Contains(err.Error(), "not implemented") {
 						fmt.Fprintf(os.Stderr, "the cred-helper does not support write operation (consider changing the cred-helper it in auth.json)\n")
-						return docker.Credentials{}, nil
+						return oci.Credentials{}, nil
 					}
 
 					if !errors.Is(err, errNoCredentialHelperConfigured) {
-						return docker.Credentials{}, err
+						return oci.Credentials{}, err
 					}
 				}
 			}
@@ -317,7 +316,7 @@ func (c *credentialsProvider) getCredentials(ctx context.Context, image string)
 			if errors.Is(err, ErrUnauthorized) {
 				continue
 			}
-			return docker.Credentials{}, err
+			return oci.Credentials{}, err
 		}
 	}
 }
@@ -374,8 +373,8 @@ func setCredentialHelperToConfig(confFilePath, helper string) error {
 	return nil
 }
 
-func getCredentialsByCredentialHelper(confFilePath, registry string) (docker.Credentials, error) {
-	result := docker.Credentials{}
+func getCredentialsByCredentialHelper(confFilePath, registry string) (oci.Credentials, error) {
+	result := oci.Credentials{}
 
 	helper, err := getCredentialHelperFromConfig(confFilePath)
 	if err != nil && !os.IsNotExist(err) {