Merge pull request #28 from bryopsida/11-private-registries

Private registry support

Author: bryopsida

README.md

@@ -8,9 +8,8 @@ This inspects your statefulsets, daemonsets, deployments and checks the associat
 
 This is still very early in development and has a few limitations.
 
-1. Does not support private registries
-2. Does not pull updates for things without `imagePullPolicy = Always`
-3. Only looks for updates to the same tag, IE for cases where base patches have been pushed to a tag
+1. Does not pull updates for things without `imagePullPolicy = Always`
+2. Only looks for updates to the same tag, IE for cases where base patches have been pushed to a tag
 
 ## How to deploy
 

charts/patchwork/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: patchwork
 description: Watches deployments, daemonsets, and statefulsets for image updates and will automatically trigger rollouts to pull in updates
 type: application
-version: 0.6.0
+version: 0.7.0
 appVersion: '0.4.0'
 dependencies:
   - name: redis

charts/patchwork/README.md

@@ -1,6 +1,6 @@
 # patchwork
 
-![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.0](https://img.shields.io/badge/AppVersion-0.4.0-informational?style=flat-square)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.0](https://img.shields.io/badge/AppVersion-0.4.0-informational?style=flat-square)
 
 Watches deployments, daemonsets, and statefulsets for image updates and will automatically trigger rollouts to pull in updates
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "patchwork",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "",
   "author": "",
   "private": true,
@@ -45,6 +45,7 @@
     "ioredis": "^5.3.2",
     "nestjs-pino": "^3.3.0",
     "pino-http": "^8.3.3",
+    "psl": "^1.9.0",
     "reflect-metadata": "^0.1.13",
     "rxjs": "^7.2.0"
   },

package.json

@@ -1,19 +1,24 @@
 import { Processor, Process, InjectQueue } from '@nestjs/bull'
-import { Logger } from '@nestjs/common'
+import { Inject, Logger } from '@nestjs/common'
 import { Job, Queue } from 'bull'
-import { ImageDescriptor } from '../kubernetes/k8s.service'
+import { IK8sService, ImageDescriptor } from '../kubernetes/k8s.service'
 import { getManifest, contentTypes } from '@snyk/docker-registry-v2-client'
 @Processor('analyzer.check.updates')
 export class ImageDescriptorWorker {
   private readonly logger = new Logger(ImageDescriptorWorker.name)
   private readonly patchQueue: Queue
+  private readonly k8sService: IK8sService
 
-  constructor(@InjectQueue('patcher.update') queue: Queue) {
+  constructor(
+    @InjectQueue('patcher.update') queue: Queue,
+    @Inject('K8S_SERVICE') k8sService: IK8sService
+  ) {
     this.patchQueue = queue
+    this.k8sService = k8sService
   }
 
   @Process()
-  async fetchImageList(job: Job<ImageDescriptor>) {
+  async checkForUpdates(job: Job<ImageDescriptor>) {
     try {
       this.logger.debug(
         `Checking for updates of ${job.data.repository}:${
@@ -49,34 +54,42 @@ export class ImageDescriptorWorker {
               acceptManifest: `${contentTypes.MANIFEST_V2}, ${contentTypes.MANIFEST_LIST_V2}, ${contentTypes.OCI_INDEX_V1}, ${contentTypes.OCI_MANIFEST_V1}`,
             }
           : undefined
+      let username
+      let password
+      if (job.data.pullSecret) {
+        const creds = await this.k8sService.getPullSecretCredentials(job.data)
+        username = creds.username
+        password = creds.password
+      }
       const manifest = await getManifest(
         registry,
         repo,
         job.data.tag,
-        undefined,
-        undefined,
+        username,
+        password,
         reqOptions,
         {
           os: 'linux',
           architecture: job.data.arch,
         }
       )
-      if (manifest == null || manifest?.indexDigest == null) {
+      if (
+        manifest == null ||
+        (manifest?.indexDigest == null && manifest.manifestDigest == null)
+      ) {
         this.logger.warn(
           'Failed to get a workable manifest for %s with tag %s from registry %s',
           repo,
           job.data.tag,
           registry
         )
       }
+      const digest = manifest.indexDigest ?? manifest.manifestDigest
       this.logger.debug(
-        `Fetched manifest digest = ${manifest?.indexDigest}, running hash = ${job.data.hash}, repo = ${job.data.repository}`,
+        `Fetched manifest digest = ${digest}, running hash = ${job.data.hash}, repo = ${job.data.repository}`,
         manifest
       )
-      if (
-        manifest.indexDigest !== job.data.hash &&
-        manifest.indexDigest != null
-      ) {
+      if (digest !== job.data.hash && digest != null) {
         this.logger.warn(
           `Found an update for ${registry}/${repo}:${job.data.tag}`
         )
@@ -85,19 +98,19 @@ export class ImageDescriptorWorker {
           ...job.data,
           ...{
             currentSha: job.data.hash,
-            targetSha: manifest.indexDigest,
+            targetSha: digest,
           },
         })
         return {
           detectedUpdate: true,
           current: job.data.hash,
-          detectedLatest: manifest.indexDigest,
+          detectedLatest: digest,
         }
       } else {
         return {
           detectedUpdate: false,
           current: job.data.hash,
-          detectedLatest: manifest.indexDigest,
+          detectedLatest: digest,
         }
       }
     } catch (err) {