Disable defaultDockerConfigProvider

- This interferes with the ordering of auth imgpkg uses. -- Specifically, it will prefer the docker config.json file over the auth cli flags. - There doesn't seem to be a nice way to configure / turn this provider off. Patching the vendor directory. Will try to make the change upstream. Authored-by: Dennis Leon <leonde@vmware.com>
carvel-dev · Sep 22, 2021 · d000814 · d000814
1 parent 1b95535
commit d000814
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 1 deletion.
diff --git a/hack/build-binaries.sh b/hack/build-binaries.sh
@@ -12,6 +12,12 @@ go fmt ./cmd/... ./pkg/... ./test/...
 go mod vendor
 go mod tidy
 
+# related to https://github.com/vmware-tanzu/carvel-imgpkg/pull/255
+# there doesn't appear to be a simple way to disable the defaultDockerConfigProvider
+# Having defaultDockerConfigProvider enabled by default results in the imgpkg auth ordering not working correctly
+# Specifically, the docker config.json is loaded before cli flags (and maybe even IaaS metadata services)
+git apply ./hack/patch-k8s-pkg-credentialprovider.patch
+
 # makes builds reproducible
 export CGO_ENABLED=0
 LDFLAGS="-X github.com/k14s/imgpkg/pkg/imgpkg/cmd.Version=$VERSION -buildid="

diff --git a/hack/build.sh b/hack/build.sh
@@ -10,6 +10,12 @@ go fmt ./cmd/... ./pkg/... ./test/...
 go mod vendor
 go mod tidy
 
+# related to https://github.com/vmware-tanzu/carvel-imgpkg/pull/255
+# there doesn't appear to be a simple way to disable the defaultDockerConfigProvider
+# Having defaultDockerConfigProvider enabled by default results in the imgpkg auth ordering not working correctly
+# Specifically, the docker config.json is loaded before cli flags (and maybe even IaaS metadata services)
+git apply ./hack/patch-k8s-pkg-credentialprovider.patch
+
 # export GOOS=linux GOARCH=amd64
 go build -ldflags="$LDFLAGS" -trimpath -o imgpkg ./cmd/imgpkg/...
 ./imgpkg version

diff --git a/hack/patch-k8s-pkg-credentialprovider.patch b/hack/patch-k8s-pkg-credentialprovider.patch
@@ -0,0 +1,13 @@
+diff --git a/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go b/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go
+index 8c9ad34..f953bb4 100644
+--- a/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go
++++ b/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go
+@@ -70,7 +70,7 @@ type CachingDockerConfigProvider struct {
+
+ // Enabled implements dockerConfigProvider
+ func (d *defaultDockerConfigProvider) Enabled() bool {
+-	return true
++	return false
+ }
+
+ // Provide implements dockerConfigProvider
diff --git a/pkg/imgpkg/registry/keychain_test.go b/pkg/imgpkg/registry/keychain_test.go
@@ -36,6 +36,9 @@ func TestMain(m *testing.M) {
 	gcpRegistryURL, server = registerGCPProvider()
 	defer server.Close()
 
+	tempConfigJSONProviderDir := registerDefaultDockerProvider()
+	defer os.RemoveAll(tempConfigJSONProviderDir)
+
 	os.Exit(m.Run())
 }
 
@@ -664,6 +667,36 @@ func TestOrderingOfAuthOpts(t *testing.T) {
 	})
 }
 
+func registerDefaultDockerProvider() string {
+	// TestOrderingOfAuthOpts does *not* use the default .docker/config.json location (they use the DOCKER_CONFIG env var)
+	// (to avoid test pollution and/or messing with a dev's docker files they may rely on)
+	// Setting up the ordering tests in that way resulted in a slight loss of test coverage.
+	// for e.g. the introduction of credentialprovider.defaultDockerConfigProvider resulted in none of the tests failing
+	// So, in order to assert that credentialprovider.defaultDockerConfigProvider is disabled now and in the future
+	// we configure the credentialprovider.defaultDockerConfigProvider with a docker config json file with credentials
+	// (that shouldn't be chosen ever) for the same registry as the ordering tests.
+	// This is also done before any test is run since the credentialprovider.defaultDockerConfigProvider is cached
+	tempConfigJSONProviderDir, err := ioutil.TempDir(os.TempDir(), "test-default-keychain-provider")
+	if err != nil {
+		panic(fmt.Errorf("unable to run test: %s", err))
+	}
+
+	err = ioutil.WriteFile(filepath.Join(tempConfigJSONProviderDir, "config.json"), []byte(`{
+  "auths" : {
+    "http://some.fake.registry/v1/" : {
+		"username": "provider-username",
+		"password": "provider-password"
+    }
+  }
+}`), os.ModePerm)
+	if err != nil {
+		panic(fmt.Errorf("unable to run test: %s", err))
+	}
+
+	credentialprovider.SetPreferredDockercfgPath(tempConfigJSONProviderDir)
+	return tempConfigJSONProviderDir
+}
+
 func registerGCPProvider() (string, *httptest.Server) {
 	registryURL := "imgpkg-testing.kubernetes.carvel"
 	email := "foo@bar.baz"

diff --git a/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go b/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go