Consume docker auth info in order

What does this MR do?

Consume docker auth info in order

To ensure we handle the docker auth info in order, we move away from using a map to hold them, but rather use a slice. We expect a small amount of auth configurations, thus there shouldn't be any (measurable) negative impact. We don't need the previous map's key, because that will already be set as part of the auth data when reading in docker configs, so we can rely on that.

New debug logs are exposed when resolved creds are not used, because they have already been resolved by a higher priority mechanism (e.g. $DOCKER_AUTH_CONFIG has higher priority than build job credentials).

The tests now also check on any logs we produce, which gives us another way to assert that the system handles the auth info in order.

Also, an Auth Resolver has been introduced. This is mostly to be able to inject things, most notably the home dir getter: Overwriting package global variables has proven not to be deterministic, e.g. when running a lot of tests (go test -count=100 ...). This gives us a better way to inject dependencies and swap them out for tests. Note: More things could have been pushed down to the Resolver struct, however I wanted to do the least amount of change to make the system deterministic again; if we want to, we can put additional things which might make sense (the logger as a prime example) onto the struct and consume it from there.

Why was this MR needed?

To ensure we use the correct image pull creds, by ensuring we always use the same order of resolved creds (i.e. slice vs map).

What's the best way to test this MR?

Same image/repo:

  • Setup multiple image pull creds for the same repo/image (e.g. in the home directory & as DOCKER_AUTH_CONFIG)
  • Ensure the correct creds are used (this is the expected prio: 1.) $DOCKER_AUTH_CONFIG, 2.) docker config (and stores & helpers) in the user's home dir (~/.docker/config, ~/.dockercfg), 3.) job credentials)
  • Ensure you see runner debug logs for the creds being used, and the ones being ignored

Similar image/repo:

  • Same as above, but when pulling an image like docker.io/foo/bar/barz:latest set up creds for docker.io/foo and creds for docker.io/foo/bar
  • Ensure the correct ones are used and you see debug logs.

What are the relevant issue numbers?

closes: #38707 (closed)

Edited by Hannes Hörl
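The ordering guarantee described in this MR, as an added Go sketch that is not GitLab Runner's own code: credentials are held in a slice sorted from highest to lowest priority, the first entry for a registry wins, and every later entry for it produces a log line saying which source already resolved it. The type `RegistryAuth`, the functions `resolveInOrder` and `sampleAuths`, the log wording and the `example.com` registries are all hypothetical.

```go
package main

import "fmt"

// RegistryAuth is a hypothetical stand-in for one resolved credential entry.
type RegistryAuth struct {
	Source   string // where the entry was read from
	Registry string // registry the entry applies to
	Username string
}

// resolveInOrder walks auths from highest to lowest priority. Because auths is
// a slice, the iteration order is fixed; ranging over a Go map would visit the
// entries in an unspecified order that can change from run to run.
func resolveInOrder(auths []RegistryAuth) (map[string]RegistryAuth, []string) {
	used := make(map[string]RegistryAuth)
	var logs []string
	for _, a := range auths {
		if prev, ok := used[a.Registry]; ok {
			// A higher-priority source already supplied credentials.
			logs = append(logs, fmt.Sprintf(
				"ignoring credentials for %s from %s: already resolved by %s",
				a.Registry, a.Source, prev.Source))
			continue
		}
		used[a.Registry] = a
		logs = append(logs, fmt.Sprintf(
			"using credentials for %s from %s", a.Registry, a.Source))
	}
	return used, logs
}

// sampleAuths returns constructed entries in the priority order the MR lists:
// $DOCKER_AUTH_CONFIG, then the home dir docker config, then job credentials.
func sampleAuths() []RegistryAuth {
	return []RegistryAuth{
		{"$DOCKER_AUTH_CONFIG", "registry.example.com", "env-user"},
		{"home dir docker config", "registry.example.com", "home-user"},
		{"job credentials", "registry.example.com", "job-user"},
		{"job credentials", "other.example.com", "job-user"},
	}
}

func main() {
	_, logs := resolveInOrder(sampleAuths())
	for _, line := range logs {
		fmt.Println(line)
	}
}
```

Asserting on the returned log lines as well as on the chosen credentials mirrors the testing approach the description mentions, since the logs record the order in which sources were consulted.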
