Add back ability to disable iaas auth providers

carvel-dev · Jun 30, 2022 · 3107294 · 3107294
1 parent 1eab10b
commit 3107294
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 15 deletions.
diff --git a/pkg/imgpkg/cmd/registry_flags.go b/pkg/imgpkg/cmd/registry_flags.go
@@ -70,6 +70,9 @@ func (r *RegistryFlags) AsRegistryOpts() registry.Opts {
 	if os.Getenv("IMGPKG_ANON") == "true" {
 		opts.Anon = true
 	}
+	if os.Getenv("IMGPKG_ENABLE_IAAS_AUTH") != "false" {
+		opts.EnableIaasAuthProviders = true
+	}
 
 	return opts
 }
diff --git a/pkg/imgpkg/registry/auth/custom_keychain.go b/pkg/imgpkg/registry/auth/custom_keychain.go
@@ -15,10 +15,11 @@ var _ regauthn.Keychain = CustomRegistryKeychain{}
 
 // KeychainOpts Contains credentials (passed down via flags) used by custom keychain to auth with a registry
 type KeychainOpts struct {
-	Username string
-	Password string
-	Token    string
-	Anon     bool
+	Username                string
+	Password                string
+	Token                   string
+	Anon                    bool
+	EnableIaasAuthProviders bool
 }
 
 // NewSingleAuthKeychain Builds a SingleAuthKeychain struct

diff --git a/pkg/imgpkg/registry/keychain.go b/pkg/imgpkg/registry/keychain.go
@@ -20,14 +20,20 @@ import (
 // keychains that contain credentials for 'any' target. i.e. env keychain takes precedence over the custom keychain.
 // Since env keychain contains credentials per HOSTNAME, and custom keychain doesn't.
 func Keychain(keychainOpts auth.KeychainOpts, environFunc func() []string) (regauthn.Keychain, error) {
-	keychain := []authn.Keychain{
-		auth.CustomRegistryKeychain{Opts: keychainOpts},
-		auth.NewEnvKeychain(environFunc),
-		google.Keychain,
-		authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(ioutil.Discard))),
-		authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
-		github.Keychain,
+	// env keychain comes first
+	keychain := []authn.Keychain{auth.NewEnvKeychain(environFunc)}
+
+	if keychainOpts.EnableIaasAuthProviders {
+		// if enabled, fall back to iaas keychains
+		keychain = append(keychain,
+			google.Keychain,
+			authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(ioutil.Discard))),
+			authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
+			github.Keychain,
+		)
 	}
+	// command-line flags and docker keychain comes last
+	keychain = append(keychain, auth.CustomRegistryKeychain{Opts: keychainOpts})
 
 	return regauthn.NewMultiKeychain(keychain...), nil
 }
diff --git a/pkg/imgpkg/registry/registry.go b/pkg/imgpkg/registry/registry.go
@@ -35,6 +35,8 @@ type Opts struct {
 	Token    string
 	Anon     bool
 
+	EnableIaasAuthProviders bool
+
 	ResponseHeaderTimeout time.Duration
 	RetryCount            int
 
@@ -117,10 +119,11 @@ func NewSimpleRegistryWithTransport(opts Opts, rTripper http.RoundTripper, regOp
 
 	keychain, err := Keychain(
 		auth.KeychainOpts{
-			Username: opts.Username,
-			Password: opts.Password,
-			Token:    opts.Token,
-			Anon:     opts.Anon,
+			Username:                opts.Username,
+			Password:                opts.Password,
+			Token:                   opts.Token,
+			Anon:                    opts.Anon,
+			EnableIaasAuthProviders: opts.EnableIaasAuthProviders,
 		},
 		opts.EnvironFunc,
 	)