From d00081426f4721a77c6501a1fafdb3d894d8a1e3 Mon Sep 17 00:00:00 2001
From: Dennis Leon
Date: Tue, 21 Sep 2021 18:00:40 -0700
Subject: [PATCH] Disable defaultDockerConfigProvider
- This interferes with the ordering of auth imgpkg uses.
-- Specifically, it will prefer the docker config.json file over the auth cli flags.
- There doesn't seem to be a nice way to configure / turn this provider off. Patching the vendor directory. Will try to make the change upstream.
Authored-by: Dennis Leon
---
 hack/build-binaries.sh | 6 ++++
 hack/build.sh | 6 ++++
 hack/patch-k8s-pkg-credentialprovider.patch | 13 ++++++++
 pkg/imgpkg/registry/keychain_test.go | 33 +++++++++++++++++++
 .../k8s-pkg-credentialprovider/provider.go | 2 +-
 5 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 hack/patch-k8s-pkg-credentialprovider.patch
diff --git a/hack/build-binaries.sh b/hack/build-binaries.sh
index f917830f..22c93901 100755
--- a/hack/build-binaries.sh
+++ b/hack/build-binaries.sh
@@ -12,6 +12,12 @@ go fmt ./cmd/... ./pkg/... ./test/...
 go mod vendor
 go mod tidy
 
+# related to https://github.com/vmware-tanzu/carvel-imgpkg/pull/255
+# there doesn't appear to be a simple way to disable the defaultDockerConfigProvider
+# Having defaultDockerConfigProvider enabled by default results in the imgpkg auth ordering not working correctly
+# Specifically, the docker config.json is loaded before cli flags (and maybe even IaaS metadata services)
+git apply ./hack/patch-k8s-pkg-credentialprovider.patch
+
 # makes builds reproducible
 export CGO_ENABLED=0
 LDFLAGS="-X github.com/k14s/imgpkg/pkg/imgpkg/cmd.Version=$VERSION -buildid="
diff --git a/hack/build.sh b/hack/build.sh
index 03088188..7736aee1 100755
--- a/hack/build.sh
+++ b/hack/build.sh
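Review bot: The `git apply` step added after `go mod vendor` is the only thing that keeps the docker config.json provider disabled, and nothing visible in the hunk stops the build when it fails. The top of the script is outside the hunk, so if it does not run under `set -e`, a dependency bump that changes the context in the vendored provider.go would let the build continue and ship a binary where config.json credentials again take precedence over the auth CLI flags. I would make the failure explicit with `git apply ./hack/patch-k8s-pkg-credentialprovider.patch || { echo "credentialprovider patch did not apply" >&2; exit 1; }`. The identical block added to hack/build.sh needs the same guard. It is also worth one more comment line saying that any build which re-vendors without going through these scripts gets the unpatched provider.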
@@ -10,6 +10,12 @@ go fmt ./cmd/... ./pkg/... ./test/...
 go mod vendor
 go mod tidy
 
+# related to https://github.com/vmware-tanzu/carvel-imgpkg/pull/255
+# there doesn't appear to be a simple way to disable the defaultDockerConfigProvider
+# Having defaultDockerConfigProvider enabled by default results in the imgpkg auth ordering not working correctly
+# Specifically, the docker config.json is loaded before cli flags (and maybe even IaaS metadata services)
+git apply ./hack/patch-k8s-pkg-credentialprovider.patch
+
 # export GOOS=linux GOARCH=amd64
 go build -ldflags="$LDFLAGS" -trimpath -o imgpkg ./cmd/imgpkg/...
 ./imgpkg version
diff --git a/hack/patch-k8s-pkg-credentialprovider.patch b/hack/patch-k8s-pkg-credentialprovider.patch
new file mode 100644
index 00000000..101f91f8
--- /dev/null
+++ b/hack/patch-k8s-pkg-credentialprovider.patch
@@ -0,0 +1,13 @@
+diff --git a/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go b/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go
+index 8c9ad34..f953bb4 100644
+--- a/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go
++++ b/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go
+@@ -70,7 +70,7 @@ type CachingDockerConfigProvider struct {
+ 
+ // Enabled implements dockerConfigProvider
+ func (d *defaultDockerConfigProvider) Enabled() bool {
+- return true
++ return false
+ }
+ 
+ // Provide implements dockerConfigProvider
diff --git a/pkg/imgpkg/registry/keychain_test.go b/pkg/imgpkg/registry/keychain_test.go
index 53ed7e82..cefebc80 100644
--- a/pkg/imgpkg/registry/keychain_test.go
+++ b/pkg/imgpkg/registry/keychain_test.go
@@ -36,6 +36,9 @@ func TestMain(m *testing.M) {
 gcpRegistryURL, server = registerGCPProvider()
 defer server.Close()
 
+ tempConfigJSONProviderDir := registerDefaultDockerProvider()
+ defer os.RemoveAll(tempConfigJSONProviderDir)
+
 os.Exit(m.Run())
 }
 
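Review bot: The added `defer os.RemoveAll(tempConfigJSONProviderDir)` in TestMain never runs, because `os.Exit(m.Run())` ends the process without executing deferred calls. The temporary directory holding the credential-bearing config.json is therefore left behind after every test run. Capture the exit code first and clean up explicitly: `code := m.Run()`, then `os.RemoveAll(tempConfigJSONProviderDir)`, then `os.Exit(code)`. The existing `defer server.Close()` just above has the same problem and could move into the same explicit cleanup. TestMain starts outside the hunk, so any earlier defers there should be checked as well.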
@@ -664,6 +667,36 @@ func TestOrderingOfAuthOpts(t *testing.T) {
 })
 }
 
+func registerDefaultDockerProvider() string {
+ // TestOrderingOfAuthOpts does *not* use the default .docker/config.json location (they use the DOCKER_CONFIG env var)
+ // (to avoid test pollution and/or messing with a dev's docker files they may rely on)
+ // Setting up the ordering tests in that way resulted in a slight loss of test coverage.
+ // for e.g. the introduction of credentialprovider.defaultDockerConfigProvider resulted in none of the tests failing
+ // So, in order to assert that credentialprovider.defaultDockerConfigProvider is disabled now and in the future
+ // we configure the credentialprovider.defaultDockerConfigProvider with a docker config json file with credentials
+ // (that shouldn't be chosen ever) for the same registry as the ordering tests.
+ // This is also done before any test is run since the credentialprovider.defaultDockerConfigProvider is cached
+ tempConfigJSONProviderDir, err := ioutil.TempDir(os.TempDir(), "test-default-keychain-provider")
+ if err != nil {
+ panic(fmt.Errorf("unable to run test: %s", err))
+ }
+
+ err = ioutil.WriteFile(filepath.Join(tempConfigJSONProviderDir, "config.json"), []byte(`{
+ "auths" : {
+ "http://some.fake.registry/v1/" : {
+ "username": "provider-username",
+ "password": "provider-password"
+ }
+ }
+}`), os.ModePerm)
+ if err != nil {
+ panic(fmt.Errorf("unable to run test: %s", err))
+ }
+
+ credentialprovider.SetPreferredDockercfgPath(tempConfigJSONProviderDir)
+ return tempConfigJSONProviderDir
+}
+
 func registerGCPProvider() (string, *httptest.Server) {
 registryURL := "imgpkg-testing.kubernetes.carvel"
 email := "foo@bar.baz"
diff --git a/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go b/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go
index 8c9ad347..f953bb47 100644
--- a/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go
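Review bot: The `ioutil.WriteFile(..., os.ModePerm)` call in registerDefaultDockerProvider requests mode 0777 for a config.json that carries a username and password, so before umask the file is executable and writable by every user. The values are fixtures, but a docker config file should be written with `0600` so the test does not model a looser mode than a real credential file would get. The guard also only works while the key `http://some.fake.registry/v1/` matches the registry used by TestOrderingOfAuthOpts, which is outside this hunk. If the two drift apart the ordering tests would pass without exercising the disabled provider, so a shared constant, or a comment naming that dependency next to the JSON literal, would make it explicit.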
+++ b/vendor/github.com/vdemeester/k8s-pkg-credentialprovider/provider.go
@@ -70,7 +70,7 @@ type CachingDockerConfigProvider struct {
 
 // Enabled implements dockerConfigProvider
 func (d *defaultDockerConfigProvider) Enabled() bool {
- return true
+ return false
 }
 
 // Provide implements dockerConfigProvider