feat: agent registry auth

cmd/agent/docker/docker_actions.go

@@ -7,10 +7,14 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"strings"
 
+	dockerconfig "github.com/docker/cli/cli/config"
 	"github.com/glasskube/distr/api"
 	"github.com/glasskube/distr/internal/agentauth"
+	"github.com/glasskube/distr/internal/agentenv"
 	"go.uber.org/zap"
+	"gopkg.in/yaml.v3"
 )
 
 func ApplyComposeFile(ctx context.Context, deployment api.DockerAgentDeployment) (*AgentDeployment, string, error) {
@@ -46,7 +50,7 @@ func ApplyComposeFile(ctx context.Context, deployment api.DockerAgentDeployment)
 
 	cmd := exec.CommandContext(ctx, "docker", composeArgs...)
 	cmd.Stdin = bytes.NewReader(deployment.ComposeFile)
-	cmd.Env = append(os.Environ(), agentauth.DockerConfigEnv(deployment.AgentDeployment)...)
+	cmd.Env = append(os.Environ(), DockerConfigEnv(deployment)...)
 
 	var cmdOut []byte
 	cmdOut, err = cmd.CombinedOutput()
@@ -68,3 +72,32 @@ func UninstallDockerCompose(ctx context.Context, deployment AgentDeployment) err
 	}
 	return nil
 }
+
+func DockerConfigEnv(deployment api.DockerAgentDeployment) []string {
+	if len(deployment.RegistryAuth) > 0 || hasRegistryImages(deployment) {
+		return []string{
+			dockerconfig.EnvOverrideConfigDir + "=" + agentauth.DockerConfigDir(deployment.AgentDeployment),
+		}
+	} else {
+		return nil
+	}
+}
+
+// hasRegistryImages parses the compose file in order to check whether one of the services uses an image hosted on
+// [agentenv.DistrRegistryHost].
+func hasRegistryImages(deployment api.DockerAgentDeployment) bool {
+	var compose struct {
+		Services map[string]struct {
+			Image string
+		}
+	}
+	if err := yaml.Unmarshal(deployment.ComposeFile, &compose); err != nil {
+		return false
+	}
+	for _, svc := range compose.Services {
+		if strings.HasPrefix(svc.Image, agentenv.DistrRegistryHost) {
+			return true
+		}
+	}
+	return false
+}

cmd/agent/docker/main.go

@@ -2,45 +2,33 @@ package main
 
 import (
 	"context"
-	"os"
 	"os/signal"
 	"syscall"
 	"time"
 
 	"github.com/glasskube/distr/internal/agentauth"
 	"github.com/glasskube/distr/internal/agentclient"
+	"github.com/glasskube/distr/internal/agentenv"
 	"github.com/glasskube/distr/internal/types"
 	"github.com/glasskube/distr/internal/util"
 	"go.uber.org/multierr"
 	"go.uber.org/zap"
 )
 
 var (
-	interval       = 5 * time.Second
-	logger         = util.Require(zap.NewDevelopment())
-	client         = util.Require(agentclient.NewFromEnv(logger))
-	agentVersionID = os.Getenv("DISTR_AGENT_VERSION_ID")
+	logger = util.Require(zap.NewDevelopment())
+	client = util.Require(agentclient.NewFromEnv(logger))
 )
 
 func init() {
-	if intervalStr, ok := os.LookupEnv("DISTR_INTERVAL"); ok {
-		interval = util.Require(time.ParseDuration(intervalStr))
-	}
-	if agentVersionID == "" {
-		logger.Warn("DISTR_AGENT_VERSION_ID is not set. self updates will be disabled")
+	if agentenv.AgentVersionID == "" {
+		logger.Warn("AgentVersionID is not set. self updates will be disabled")
 	}
 }
 
 func main() {
-	ctx, cancel := context.WithCancel(context.Background())
-	go func() {
-		sigint := make(chan os.Signal, 1)
-		signal.Notify(sigint, syscall.SIGTERM, syscall.SIGINT)
-		<-sigint
-		logger.Info("received termination signal")
-		cancel()
-	}()
-	tick := time.Tick(interval)
+	ctx, _ := signal.NotifyContext(context.Background(), syscall.SIGTERM, syscall.SIGINT)
+	tick := time.Tick(agentenv.Interval)
 loop:
 	for ctx.Err() == nil {
 		select {
@@ -52,8 +40,8 @@ loop:
 		if resource, err := client.DockerResource(ctx); err != nil {
 			logger.Error("failed to get resource", zap.Error(err))
 		} else {
-			if agentVersionID != "" {
-				if agentVersionID != resource.Version.ID.String() {
+			if agentenv.AgentVersionID != "" {
+				if agentenv.AgentVersionID != resource.Version.ID.String() {
 					logger.Info("agent version has changed. starting self-update")
 					if err := RunAgentSelfUpdate(ctx); err != nil {
 						logger.Error("self update failed", zap.Error(err))
@@ -95,10 +83,10 @@ loop:
 
 			progressCtx, progressCancel := context.WithCancel(ctx)
 			go func(ctx context.Context) {
-				tick := time.Tick(interval)
+				tick := time.Tick(agentenv.Interval)
 				for {
 					select {
-					case <-progressCtx.Done():
+					case <-ctx.Done():
 						logger.Info("stop sending progress updates")
 						return
 					case <-tick:
@@ -118,7 +106,7 @@ loop:
 
 			var agentDeployment *AgentDeployment
 			var status string
-			_, err = agentauth.EnsureAuth(ctx, resource.Deployment.AgentDeployment)
+			_, err = agentauth.EnsureAuth(ctx, client.RawToken(), resource.Deployment.AgentDeployment)
 			if err != nil {
 				logger.Error("docker auth error", zap.Error(err))
 			} else if agentDeployment, status, err = ApplyComposeFile(ctx, *resource.Deployment); err == nil {

cmd/agent/kubernetes/agent_deployment.go

@@ -23,6 +23,10 @@ func (d *AgentDeployment) SecretName() string {
 	return fmt.Sprintf("sh.distr.agent.v1.%v", d.ReleaseName)
 }
 
+func PullSecretName(releaseName string) string {
+	return fmt.Sprintf("sh.distr.agent.v1.%v.pull", releaseName)
+}
+
 func GetExistingDeployments(ctx context.Context, namespace string) ([]AgentDeployment, error) {
 	if secrets, err := k8sClient.CoreV1().Secrets(namespace).
 		List(ctx, metav1.ListOptions{LabelSelector: LabelDeplyoment}); err != nil {

cmd/agent/kubernetes/helm_actions.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/glasskube/distr/api"
 	"github.com/glasskube/distr/internal/agentauth"
+	"github.com/glasskube/distr/internal/agentenv"
 	"helm.sh/helm/v3/pkg/action"
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chart/loader"
@@ -24,17 +25,23 @@ var (
 func GetHelmActionConfig(
 	ctx context.Context,
 	namespace string,
-	deployment *api.AgentDeployment,
+	deployment *api.KubernetesAgentDeployment,
 ) (*action.Configuration, error) {
 	if cfg, ok := helmActionConfigCache[namespace]; ok {
 		return cfg, nil
 	}
 
 	var cfg action.Configuration
+	var clientOpts []registry.ClientOption
+	if agentenv.DistrRegistryPlainHTTP {
+		clientOpts = append(clientOpts, registry.ClientOptPlainHTTP())
+	}
 	if deployment != nil {
-		if authorizer, err := agentauth.EnsureAuth(ctx, *deployment); err != nil {
+		if authorizer, err :=
+			agentauth.EnsureAuth(ctx, agentClient.RawToken(), deployment.AgentDeployment); err != nil {
 			return nil, err
-		} else if rc, err := registry.NewClient(registry.ClientOptAuthorizer(authorizer)); err != nil {
+		} else if rc, err :=
+			registry.NewClient(append(clientOpts, registry.ClientOptAuthorizer(authorizer))...); err != nil {
 			return nil, err
 		} else {
 			cfg.RegistryClient = rc
@@ -44,7 +51,7 @@ func GetHelmActionConfig(
 		k8sConfigFlags,
 		namespace,
 		"secret",
-		func(format string, v ...interface{}) { logger.Sugar().Debugf(format, v...) },
+		func(format string, v ...any) { logger.Sugar().Debugf(format, v...) },
 	); err != nil {
 		return nil, err
 	} else {
@@ -57,7 +64,7 @@ func GetLatestHelmRelease(
 	namespace string,
 	deployment api.KubernetesAgentDeployment,
 ) (*release.Release, error) {
-	cfg, err := GetHelmActionConfig(ctx, namespace, &deployment.AgentDeployment)
+	cfg, err := GetHelmActionConfig(ctx, namespace, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -85,6 +92,7 @@ func RunHelmPreflight(
 	} else if chart, err := loader.Load(chartPath); err != nil {
 		return nil, fmt.Errorf("chart loading failed: %w", err)
 	} else {
+		addImagePullSecretToValues(deployment.ReleaseName, deployment.Values)
 		return chart, nil
 	}
 }
@@ -94,7 +102,7 @@ func RunHelmInstall(
 	namespace string,
 	deployment api.KubernetesAgentDeployment,
 ) (*AgentDeployment, error) {
-	config, err := GetHelmActionConfig(ctx, namespace, &deployment.AgentDeployment)
+	config, err := GetHelmActionConfig(ctx, namespace, &deployment)
 	if err != nil {
 		return nil, err
 	}
@@ -106,6 +114,7 @@ func RunHelmInstall(
 	installAction.Wait = true
 	installAction.Atomic = true
 	installAction.Namespace = namespace
+	installAction.PlainHTTP = agentenv.DistrRegistryPlainHTTP
 	if chart, err := RunHelmPreflight(&installAction.ChartPathOptions, deployment); err != nil {
 		return nil, fmt.Errorf("helm preflight failed: %w", err)
 	} else if release, err := installAction.RunWithContext(ctx, chart, deployment.Values); err != nil {
@@ -114,6 +123,7 @@ func RunHelmInstall(
 		return &AgentDeployment{
 			ReleaseName:  release.Name,
 			HelmRevision: release.Version,
+			ID:           deployment.ID,
 			RevisionID:   deployment.RevisionID,
 		}, nil
 	}
@@ -124,7 +134,7 @@ func RunHelmUpgrade(
 	namespace string,
 	deployment api.KubernetesAgentDeployment,
 ) (*AgentDeployment, error) {
-	cfg, err := GetHelmActionConfig(ctx, namespace, &deployment.AgentDeployment)
+	cfg, err := GetHelmActionConfig(ctx, namespace, &deployment)
 	if err != nil {
 		return nil, err
 	}
@@ -136,6 +146,7 @@ func RunHelmUpgrade(
 	upgradeAction.Wait = true
 	upgradeAction.Atomic = true
 	upgradeAction.Namespace = namespace
+	upgradeAction.PlainHTTP = agentenv.DistrRegistryPlainHTTP
 	if chart, err := RunHelmPreflight(&upgradeAction.ChartPathOptions, deployment); err != nil {
 		return nil, fmt.Errorf("helm preflight failed: %w", err)
 	} else if release, err := upgradeAction.RunWithContext(
@@ -145,6 +156,7 @@ func RunHelmUpgrade(
 		return &AgentDeployment{
 			ReleaseName:  release.Name,
 			HelmRevision: release.Version,
+			ID:           deployment.ID,
 			RevisionID:   deployment.RevisionID,
 		}, nil
 	}
@@ -171,7 +183,7 @@ func GetHelmManifest(
 	namespace string,
 	deployment api.KubernetesAgentDeployment,
 ) ([]*unstructured.Unstructured, error) {
-	cfg, err := GetHelmActionConfig(ctx, namespace, &deployment.AgentDeployment)
+	cfg, err := GetHelmActionConfig(ctx, namespace, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -183,3 +195,14 @@ func GetHelmManifest(
 		return DecodeResourceYaml([]byte(release.Manifest))
 	}
 }
+
+func addImagePullSecretToValues(relaseName string, values map[string]any) {
+	if s, ok := values["imagePullSecrets"].([]any); ok {
+		values["imagePullSecrets"] = append(s, map[string]any{"name": PullSecretName(relaseName)})
+	}
+	for _, v := range values {
+		if m, ok := v.(map[string]any); ok {
+			addImagePullSecretToValues(relaseName, m)
+		}
+	}
+}