diff --git a/.github/workflows/integration-gcp.yaml b/.github/workflows/integration-gcp.yaml index ed4a05a7..2ab99edf 100644 --- a/.github/workflows/integration-gcp.yaml +++ b/.github/workflows/integration-gcp.yaml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest defaults: run: - working-directory: ./oci/tests/integration + working-directory: ./auth/registry/tests/integration steps: - name: Checkout uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 diff --git a/auth/aws/config.go b/auth/aws/config.go new file mode 100644 index 00000000..0ea1bbaa --- /dev/null +++ b/auth/aws/config.go @@ -0,0 +1,76 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package aws + +import ( + "context" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" +) + +// Provider is an authentication provider for AWS. +type Provider struct { + optFns []func(*config.LoadOptions) error + config *aws.Config +} + +// ProviderOptFunc enables specifying options for the provider. +type ProviderOptFunc func(*Provider) + +// NewProvider returns a new authentication provider for AWS. +func NewProvider(opts ...ProviderOptFunc) *Provider { + p := &Provider{} + for _, opt := range opts { + opt(p) + } + return p +} + +// WithRegion configures the AWS region. +func WithRegion(region string) ProviderOptFunc { + return func(p *Provider) { + p.optFns = append(p.optFns, config.WithRegion(region)) + } +} + +// WithOptFns configures the AWS config with the provided load options. +func WithOptFns(optFns []func(*config.LoadOptions) error) ProviderOptFunc { + return func(p *Provider) { + p.optFns = append(p.optFns, optFns...) + } +} + +// WithConfig specifies the custom AWS config to use. +func WithConfig(config aws.Config) ProviderOptFunc { + return func(p *Provider) { + p.config = &config + } +} + +// GetConfig returns the default config constructed using any options that the +// provider was configured with. If OIDC/IRSA has been configured for the EKS +// cluster, then the config object will also be configured with the necessary +// credentials. The returned config object can be used to fetch tokens to access +// particular AWS services. +func (p *Provider) GetConfig(ctx context.Context) (aws.Config, error) { + if p.config != nil { + return *p.config, nil + } + cfg, err := config.LoadDefaultConfig(ctx, p.optFns...) + return cfg, err +} diff --git a/auth/aws/ecr_auth.go b/auth/aws/ecr_auth.go new file mode 100644 index 00000000..11532af3 --- /dev/null +++ b/auth/aws/ecr_auth.go @@ -0,0 +1,100 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package aws + +import ( + "context" + "encoding/base64" + "errors" + "fmt" + "regexp" + "strings" + "time" + + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/ecr" + "github.com/google/go-containerregistry/pkg/authn" +) + +var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr.([^/.]*)\.(amazonaws\.com[.cn]*)`) + +// ParseRegistry returns the AWS account ID and region and `true` if +// the image registry/repository is hosted in AWS's Elastic Container Registry, +// otherwise empty strings and `false`. +func ParseRegistry(registry string) (accountId, awsEcrRegion string, ok bool) { + registryParts := registryPartRe.FindAllStringSubmatch(registry, -1) + if len(registryParts) < 1 || len(registryParts[0]) < 3 { + return "", "", false + } + return registryParts[0][1], registryParts[0][2], true +} + +// GetECRAuthConfig returns an AuthConfig that contains the credentials +// required to authenticate against ECR to access the provided image. +func (p *Provider) GetECRAuthConfig(ctx context.Context, image string) (authn.AuthConfig, time.Duration, error) { + var authConfig authn.AuthConfig + var expiresIn time.Duration + + _, awsEcrRegion, ok := ParseRegistry(image) + if !ok { + return authConfig, expiresIn, errors.New("failed to parse AWS ECR image, invalid ECR image") + } + p.optFns = append(p.optFns, config.WithRegion(awsEcrRegion)) + + cfg, err := p.GetConfig(ctx) + if err != nil { + return authConfig, expiresIn, err + } + + ecrService := ecr.NewFromConfig(cfg) + // NOTE: ecr.GetAuthorizationTokenInput has deprecated RegistryIds. Hence, + // pass nil input. + ecrToken, err := ecrService.GetAuthorizationToken(ctx, nil) + if err != nil { + return authConfig, expiresIn, err + } + + // Validate the authorization data. + if len(ecrToken.AuthorizationData) == 0 { + return authConfig, expiresIn, errors.New("no authorization data") + } + authData := ecrToken.AuthorizationData[0] + if authData.AuthorizationToken == nil { + return authConfig, expiresIn, fmt.Errorf("no authorization token") + } + token, err := base64.StdEncoding.DecodeString(*authData.AuthorizationToken) + if err != nil { + return authConfig, expiresIn, err + } + + tokenSplit := strings.Split(string(token), ":") + // Validate the tokens. + if len(tokenSplit) != 2 { + return authConfig, expiresIn, fmt.Errorf("invalid authorization token, expected the token to have two parts separated by ':', got %d parts", len(tokenSplit)) + } + + authConfig = authn.AuthConfig{ + Username: tokenSplit[0], + Password: tokenSplit[1], + } + if authData.ExpiresAt == nil { + return authConfig, expiresIn, fmt.Errorf("no expiration time") + } + expiresIn = authData.ExpiresAt.Sub(time.Now()) + + return authConfig, expiresIn, nil +} diff --git a/auth/aws/ecr_auth_test.go b/auth/aws/ecr_auth_test.go new file mode 100644 index 00000000..e50ecab0 --- /dev/null +++ b/auth/aws/ecr_auth_test.go @@ -0,0 +1,178 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package aws + +import ( + "context" + "fmt" + "net/http" + "net/http/httptest" + "strings" + "testing" + "time" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/credentials" + "github.com/google/go-containerregistry/pkg/authn" + . "github.com/onsi/gomega" +) + +const ( + testValidECRImage = "012345678901.dkr.ecr.us-east-1.amazonaws.com/foo:v1" +) + +func TestParseRegistry(t *testing.T) { + tests := []struct { + registry string + wantAccountID string + wantRegion string + wantOK bool + }{ + { + registry: "012345678901.dkr.ecr.us-east-1.amazonaws.com/foo:v1", + wantAccountID: "012345678901", + wantRegion: "us-east-1", + wantOK: true, + }, + { + registry: "012345678901.dkr.ecr.us-east-1.amazonaws.com/foo", + wantAccountID: "012345678901", + wantRegion: "us-east-1", + wantOK: true, + }, + { + registry: "012345678901.dkr.ecr.us-east-1.amazonaws.com", + wantAccountID: "012345678901", + wantRegion: "us-east-1", + wantOK: true, + }, + { + registry: "gcr.io/foo/bar:baz", + wantOK: false, + }, + } + + for _, tt := range tests { + t.Run(tt.registry, func(t *testing.T) { + g := NewWithT(t) + + accId, region, ok := ParseRegistry(tt.registry) + g.Expect(ok).To(Equal(tt.wantOK), "unexpected OK") + g.Expect(accId).To(Equal(tt.wantAccountID), "unexpected account IDs") + g.Expect(region).To(Equal(tt.wantRegion), "unexpected regions") + }) + } +} + +func TestProvider_GetECRAuthConfig(t *testing.T) { + expiresAt := time.Now().Add(time.Hour) + tests := []struct { + name string + responseBody []byte + statusCode int + wantErr bool + wantAuthConfig authn.AuthConfig + }{ + { + // NOTE: The authorizationToken is base64 encoded. + name: "success", + responseBody: []byte(`{ + "authorizationData": [ + { + "authorizationToken": "c29tZS1rZXk6c29tZS1zZWNyZXQ=", + "expiresAt": + } + ] +}`), + statusCode: http.StatusOK, + wantAuthConfig: authn.AuthConfig{ + Username: "some-key", + Password: "some-secret", + }, + }, + { + name: "fail", + statusCode: http.StatusInternalServerError, + wantErr: true, + }, + { + name: "invalid token", + responseBody: []byte(`{ + "authorizationData": [ + { + "authorizationToken": "c29tZS10b2tlbg==" + } + ] +}`), + statusCode: http.StatusOK, + wantErr: true, + }, + { + name: "invalid data", + responseBody: []byte(`{ + "authorizationData": [ + { + "foo": "bar" + } + ] +}`), + statusCode: http.StatusOK, + wantErr: true, + }, + { + name: "invalid response", + responseBody: []byte(`{}`), + statusCode: http.StatusOK, + wantErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + handler := func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(tt.statusCode) + w.Write([]byte(strings.ReplaceAll( + string(tt.responseBody), "", fmt.Sprint(expiresAt.Unix())), + )) + } + srv := httptest.NewServer(http.HandlerFunc(handler)) + t.Cleanup(func() { + srv.Close() + }) + + cfg := aws.NewConfig() + cfg.EndpointResolverWithOptions = aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) { + return aws.Endpoint{URL: srv.URL}, nil + }) + cfg.Credentials = credentials.NewStaticCredentialsProvider("x", "y", "z") + + provider := NewProvider(WithConfig(*cfg)) + auth, expiry, err := provider.GetECRAuthConfig(context.TODO(), "0123.dkr.ecr.us-east-1.amazonaws.com/foo:v1") + if tt.wantErr { + g.Expect(err).To(HaveOccurred()) + } else { + g.Expect(err).ToNot(HaveOccurred()) + if tt.statusCode == http.StatusOK { + g.Expect(auth).To(Equal(tt.wantAuthConfig)) + g.Expect(time.Now().UTC().Add(expiry)).To(BeTemporally("~", expiresAt, time.Second)) + } + } + }) + } +} diff --git a/auth/azure/acr_auth.go b/auth/azure/acr_auth.go new file mode 100644 index 00000000..b8a59859 --- /dev/null +++ b/auth/azure/acr_auth.go @@ -0,0 +1,172 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package azure + +import ( + "context" + "encoding/json" + "errors" + "fmt" + "io" + "net/http" + "net/url" + "strings" + "time" + + "github.com/golang-jwt/jwt/v5" + "github.com/google/go-containerregistry/pkg/authn" +) + +// GetACRAuthConfig returns an AuthConfig that contains the credentials +// required to authenticate against ACR to access the provided image. +func (p *Provider) GetACRAuthConfig(ctx context.Context, registry string) (authn.AuthConfig, time.Duration, error) { + var authConfig authn.AuthConfig + var expiresIn time.Duration + + armToken, err := p.GetResourceManagerToken(ctx) + if err != nil { + return authConfig, expiresIn, err + } + + ex := newExchanger(registry) + refreshToken, err := ex.ExchangeACRAccessToken(string(armToken.Token)) + if err != nil { + return authConfig, expiresIn, fmt.Errorf("failed to exchange token: %w", err) + } + + authConfig = authn.AuthConfig{ + // This is the acr username used by Azure + // See documentation: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#az-acr-login-with---expose-token + Username: "00000000-0000-0000-0000-000000000000", + Password: refreshToken, + } + expiresIn, err = getExpirationFromJWT(refreshToken) + if err != nil { + return authConfig, expiresIn, fmt.Errorf("failed to determine token cache ttl: %w", err) + } + + return authConfig, expiresIn, nil +} + +// GetScopeProiderOption returns the cloud configuration based on the registry URL. +// List from https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/containers/azcontainerregistry/cloud_config.go#L16 +func GetScopeProiderOption(url string) ProviderOptFunc { + switch { + case strings.HasSuffix(url, ".azurecr.cn"): + return WithAzureChinaScope() + case strings.HasSuffix(url, ".azurecr.us"): + return WithAzureGovtScope() + default: + return nil + } +} + +type tokenResponse struct { + AccessToken string `json:"access_token"` + RefreshToken string `json:"refresh_token"` + Resource string `json:"resource"` + TokenType string `json:"token_type"` +} + +type acrError struct { + Code string `json:"code"` + Message string `json:"message"` +} + +type exchanger struct { + endpoint string +} + +func newExchanger(endpoint string) *exchanger { + return &exchanger{ + endpoint: endpoint, + } +} + +// ExchangeACRAccessToken exchanges an access token for a refresh token with the +// exchange service. +func (e *exchanger) ExchangeACRAccessToken(armToken string) (string, error) { + // If the endpoint doesn't have a scheme, then prepend the "https" scheme. + // This is required because the net/url package cannot parse an URL properly + // without a scheme causing issues such as returning an URL object with an + // empty host. + if !(strings.HasPrefix(e.endpoint, "https://") || strings.HasPrefix(e.endpoint, "http://")) { + e.endpoint = fmt.Sprintf("https://%s", e.endpoint) + } + + // Construct the exchange URL. + exchangeURL, err := url.Parse(e.endpoint) + if err != nil { + return "", err + } + exchangeURL.Path = "oauth2/exchange" + + parameters := url.Values{} + parameters.Add("grant_type", "access_token") + parameters.Add("service", exchangeURL.Hostname()) + parameters.Add("access_token", armToken) + + resp, err := http.PostForm(exchangeURL.String(), parameters) + if err != nil { + return "", fmt.Errorf("failed to send token exchange request: %w", err) + } + defer resp.Body.Close() + + b, err := io.ReadAll(resp.Body) + if err != nil { + return "", fmt.Errorf("failed to read the body of the response: %w", err) + } + if resp.StatusCode != http.StatusOK { + // Parse the error response. + var errors []acrError + if err = json.Unmarshal(b, &errors); err == nil { + return "", fmt.Errorf("unexpected status code %d from exchange request: %s", + resp.StatusCode, errors) + } + + // Error response could not be parsed, return a generic error. + return "", fmt.Errorf("unexpected status code %d from exchange request, response body: %s", + resp.StatusCode, string(b)) + } + + var tokenResp tokenResponse + if err = json.Unmarshal(b, &tokenResp); err != nil { + return "", fmt.Errorf("failed to decode the response: %w, response body: %s", err, string(b)) + } + return tokenResp.RefreshToken, nil +} + +// getExpirationFromJWT decodes the provided JWT and returns value +// of the `exp` key from the token claims. +func getExpirationFromJWT(tokenString string) (time.Duration, error) { + parser := jwt.NewParser() + // we don't care about verifying the JWT, we just want to extract the `exp` + // attribute from the token. + token, _, err := parser.ParseUnverified(tokenString, &jwt.RegisteredClaims{}) + if err != nil { + return 0, err + } + + if claims, ok := token.Claims.(*jwt.RegisteredClaims); ok { + if claims.ExpiresAt != nil { + expiration := claims.ExpiresAt.Time.Sub(time.Now()) + return expiration, nil + } + } + + return 0, errors.New("failed to extract expiration time from JWT") +} diff --git a/auth/azure/acr_auth_test.go b/auth/azure/acr_auth_test.go new file mode 100644 index 00000000..a255bc12 --- /dev/null +++ b/auth/azure/acr_auth_test.go @@ -0,0 +1,204 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package azure + +import ( + "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "errors" + "fmt" + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/golang-jwt/jwt/v5" + "github.com/google/go-containerregistry/pkg/authn" + . "github.com/onsi/gomega" +) + +func TestProvider_GetACRAuthConfig(t *testing.T) { + g := NewWithT(t) + + expiresAt := time.Now().UTC().Add(time.Hour) + token := jwt.NewWithClaims(jwt.SigningMethodES256, jwt.RegisteredClaims{ + Issuer: "auth.microsoft.com", + Subject: "fluxcd", + ExpiresAt: jwt.NewNumericDate(expiresAt), + }) + + pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + g.Expect(err).ToNot(HaveOccurred()) + tokenStr, err := token.SignedString(pk) + g.Expect(err).ToNot(HaveOccurred()) + + tests := []struct { + name string + tokenCredential azcore.TokenCredential + responseBody string + statusCode int + wantErr bool + wantAuthConfig authn.AuthConfig + }{ + { + name: "success", + tokenCredential: &FakeTokenCredential{Token: "foo"}, + responseBody: fmt.Sprintf(`{"refresh_token": "%s"}`, tokenStr), + statusCode: http.StatusOK, + wantAuthConfig: authn.AuthConfig{ + Username: "00000000-0000-0000-0000-000000000000", + Password: tokenStr, + }, + }, + { + name: "fail to get access token", + tokenCredential: &FakeTokenCredential{Err: errors.New("no access token")}, + wantErr: true, + }, + { + name: "error from exchange service", + tokenCredential: &FakeTokenCredential{Token: "foo"}, + responseBody: `[{"code": "111","message": "error message 1"}]`, + statusCode: http.StatusInternalServerError, + wantErr: true, + }, + } + // + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + // Run a test server. + handler := func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(tt.statusCode) + w.Write([]byte(tt.responseBody)) + } + srv := httptest.NewServer(http.HandlerFunc(handler)) + t.Cleanup(func() { + srv.Close() + }) + provider := NewProvider(WithCredential(tt.tokenCredential)) + auth, expiry, err := provider.GetACRAuthConfig(context.TODO(), srv.URL) + if tt.wantErr { + g.Expect(err).To(HaveOccurred()) + } else { + g.Expect(err).ToNot(HaveOccurred()) + } + if tt.statusCode == http.StatusOK { + g.Expect(auth).To(Equal(tt.wantAuthConfig)) + g.Expect(time.Now().UTC().Add(expiry)).To(BeTemporally("~", expiresAt, time.Second)) + } + }) + } +} + +func TestGetScopeProviderOption(t *testing.T) { + tests := []struct { + host string + scopes []string + }{ + {"foo.azurecr.io", []string{}}, + {"foo.azurecr.cn", []string{"https://management.chinacloudapi.cn/.default"}}, + {"foo.azurecr.de", []string{}}, + {"foo.azurecr.us", []string{"https://management.usgovcloudapi.net/.default"}}, + } + + for _, tt := range tests { + t.Run(tt.host, func(t *testing.T) { + g := NewWithT(t) + opt := GetScopeProiderOption(tt.host) + if len(tt.scopes) == 0 { + g.Expect(opt).To(BeNil()) + } else { + scopes := NewProvider(opt).scopes + g.Expect(scopes).To(Equal(tt.scopes)) + } + }) + } +} + +func Test_exchanger_ExchangeACRAccessToken(t *testing.T) { + tests := []struct { + name string + responseBody string + statusCode int + wantErr bool + wantToken string + }{ + { + name: "successful", + responseBody: `{ + "access_token": "aaaaa", + "refresh_token": "bbbbb", + "resource": "ccccc", + "token_type": "ddddd" +}`, + statusCode: http.StatusOK, + wantToken: "bbbbb", + }, + { + name: "fail", + statusCode: http.StatusInternalServerError, + wantErr: true, + }, + { + name: "invalid response", + responseBody: "foo", + statusCode: http.StatusOK, + wantErr: true, + }, + { + name: "error response", + responseBody: `[ + { + "code": "111", + "message": "error message 1" + }, + { + "code": "112", + "message": "error message 2" + } +]`, + statusCode: http.StatusInternalServerError, + wantErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + handler := func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(tt.statusCode) + w.Write([]byte(tt.responseBody)) + } + srv := httptest.NewServer(http.HandlerFunc(handler)) + t.Cleanup(func() { + srv.Close() + }) + + ex := newExchanger(srv.URL) + token, err := ex.ExchangeACRAccessToken("some-access-token") + g.Expect(err != nil).To(Equal(tt.wantErr)) + if tt.statusCode == http.StatusOK { + g.Expect(token).To(Equal(tt.wantToken)) + } + }) + } +} diff --git a/auth/azure/fake_credential.go b/auth/azure/fake_credential.go new file mode 100644 index 00000000..74723397 --- /dev/null +++ b/auth/azure/fake_credential.go @@ -0,0 +1,51 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package azure + +import ( + "context" + "fmt" + "time" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" +) + +// FakeTokenCredential is a fake Azure credential provider. +type FakeTokenCredential struct { + Token string + + ExpiresOn time.Time + Err error +} + +var _ azcore.TokenCredential = &FakeTokenCredential{} + +func (tc *FakeTokenCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error) { + if tc.Err != nil { + return azcore.AccessToken{}, tc.Err + } + + // Embed the scope inside the context. This enables consumers of a Provider configured with + // this credential, to verify that the desired scope was specified while fetching the token. + val, ok := ctx.Value("scope").(*string) + if ok { + *val = options.Scopes[0] + } + + return azcore.AccessToken{Token: fmt.Sprintf("%s", tc.Token), ExpiresOn: tc.ExpiresOn}, nil +} diff --git a/auth/azure/resource_manager.go b/auth/azure/resource_manager.go new file mode 100644 index 00000000..2647316d --- /dev/null +++ b/auth/azure/resource_manager.go @@ -0,0 +1,97 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package azure + +import ( + "context" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + _ "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" +) + +// Provider is an authentication provider for Azure. +type Provider struct { + credential azcore.TokenCredential + scopes []string +} + +// ProviderOptFunc enables specifying options for the provider. +type ProviderOptFunc func(*Provider) + +// NewProvider returns a new authentication provider for Azure. +func NewProvider(opts ...ProviderOptFunc) *Provider { + p := &Provider{} + for _, opt := range opts { + opt(p) + } + return p +} + +// WithCredential configures the credential to use to fetch the resource +// manager token. +func WithCredential(cred azcore.TokenCredential) ProviderOptFunc { + return func(p *Provider) { + p.credential = cred + } +} + +// WithAzureGovtScope configures the scopes of all Azure calls to +// target Azure Government. +func WithAzureGovtScope() ProviderOptFunc { + return func(p *Provider) { + p.scopes = []string{cloud.AzureGovernment.Services[cloud.ResourceManager].Endpoint + "/" + ".default"} + } +} + +// WithAzureChinaScope configures the scopes of all Azure calls to +// target Azure China. +func WithAzureChinaScope() ProviderOptFunc { + return func(p *Provider) { + p.scopes = []string{cloud.AzureChina.Services[cloud.ResourceManager].Endpoint + "/" + ".default"} + } +} + +// GetResourceManagerToken fetches the Azure Resource Manager token using the +// credential that the provider is configured with. If it isn't, then a new +// credential chain is constructed using the default method, which includes +// trying to use Workload Identity, Managed Identity, etc. +// By default, the scope of the request targets the Azure Public cloud, but this +// is configurable using WithAzureGovtScope or WithAzureChinaScope. +func (p *Provider) GetResourceManagerToken(ctx context.Context) (*azcore.AccessToken, error) { + if p.credential == nil { + cred, err := azidentity.NewDefaultAzureCredential(nil) + if err != nil { + return nil, err + } + p.credential = cred + } + if len(p.scopes) == 0 { + p.scopes = []string{cloud.AzurePublic.Services[cloud.ResourceManager].Endpoint + "/" + ".default"} + } + + accessToken, err := p.credential.GetToken(ctx, policy.TokenRequestOptions{ + Scopes: p.scopes, + }) + if err != nil { + return nil, err + } + + return &accessToken, nil +} diff --git a/auth/azure/resource_manager_test.go b/auth/azure/resource_manager_test.go new file mode 100644 index 00000000..7ec49cae --- /dev/null +++ b/auth/azure/resource_manager_test.go @@ -0,0 +1,86 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package azure + +import ( + "context" + "errors" + "testing" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + _ "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime" + . "github.com/onsi/gomega" + "k8s.io/utils/pointer" +) + +func TestGetResourceManagerToken(t *testing.T) { + tests := []struct { + name string + tokenCred azcore.TokenCredential + opts []ProviderOptFunc + wantToken string + wantScope string + wantErr error + }{ + { + name: "default scope", + tokenCred: &FakeTokenCredential{ + Token: "foo", + }, + // https://github.com/Azure/azure-sdk-for-go/blob/dd448cf29c643578b23016ca24bdc2316bd70931/sdk/azcore/arm/runtime/runtime.go#L22 + wantScope: "https://management.azure.com/.default", + wantToken: "foo", + }, + { + name: "custom scope", + tokenCred: &FakeTokenCredential{ + Token: "foo", + }, + opts: []ProviderOptFunc{WithAzureGovtScope()}, + // https://github.com/Azure/azure-sdk-for-go/blob/dd448cf29c643578b23016ca24bdc2316bd70931/sdk/azcore/arm/runtime/runtime.go#L18 + wantScope: "https://management.usgovcloudapi.net/.default", + wantToken: "foo", + }, + { + name: "error", + tokenCred: &FakeTokenCredential{ + Err: errors.New("oh no!"), + }, + wantErr: errors.New("oh no!"), + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + provider := NewProvider(tt.opts...) + provider.credential = tt.tokenCred + ctx := context.WithValue(context.TODO(), "scope", pointer.String("")) + token, err := provider.GetResourceManagerToken(ctx) + + if tt.wantErr != nil { + g.Expect(err).To(HaveOccurred()) + g.Expect(err).To(Equal(errors.New("oh no!"))) + } else { + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(token.Token).To(Equal(tt.wantToken)) + scope := ctx.Value("scope").(*string) + g.Expect(*scope).To(Equal(tt.wantScope)) + } + }) + } +} diff --git a/auth/cache.go b/auth/cache.go new file mode 100644 index 00000000..a3446a1b --- /dev/null +++ b/auth/cache.go @@ -0,0 +1,53 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +import ( + "errors" + "time" +) + +var cache Store + +var ErrCacheAlreadyInitialized = errors.New("cache already initialized; cannot be re-initialized") +var ErrEmptyCache = errors.New("cannot initialize cache with an empty store") + +// InitCache intializes the pacakge cache with the provided cache object. +// Consumers that want automatic caching when using `GetRegistryAuthenticator()` +// or `GetGitCredentials()` must call this before. It should only be called once, +// all subsequent calls will return an error. +func InitCache(s Store) error { + if cache != nil { + return ErrCacheAlreadyInitialized + } + if s == nil { + return ErrEmptyCache + } + cache = s + return nil +} + +// GetCache returns a handle to the package level cache. +func GetCache() Store { + return cache +} + +// Store is a general purpose key value store. +type Store interface { + Set(key string, val interface{}, ttl time.Duration) error + Get(key string) (interface{}, bool) +} diff --git a/auth/gcp/gar_auth.go b/auth/gcp/gar_auth.go new file mode 100644 index 00000000..31fb0997 --- /dev/null +++ b/auth/gcp/gar_auth.go @@ -0,0 +1,45 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package gcp + +import ( + "context" + "time" + + "github.com/google/go-containerregistry/pkg/authn" +) + +const DefaultGARUsername = "oauth2accesstoken" + +// GetGARAuthConfig returns an AuthConfig that contains the credentials +// required to authenticate against GAR to access the provided image. +func (p *Provider) GetGARAuthConfig(ctx context.Context) (authn.AuthConfig, time.Duration, error) { + var authConfig authn.AuthConfig + var expiresIn time.Duration + + saToken, err := p.GetServiceAccountToken(ctx) + if err != nil { + return authConfig, expiresIn, err + } + + authConfig = authn.AuthConfig{ + Username: DefaultGARUsername, + Password: saToken.AccessToken, + } + expiresIn = time.Second * time.Duration(saToken.ExpiresIn) + + return authConfig, expiresIn, nil +} diff --git a/auth/gcp/gar_auth_test.go b/auth/gcp/gar_auth_test.go new file mode 100644 index 00000000..578b7fb1 --- /dev/null +++ b/auth/gcp/gar_auth_test.go @@ -0,0 +1,86 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package gcp + +import ( + "context" + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/google/go-containerregistry/pkg/authn" + . "github.com/onsi/gomega" +) + +func TestProvider_GetGARAuthConfig(t *testing.T) { + tests := []struct { + name string + responseBody string + statusCode int + wantErr bool + wantAuthConfig authn.AuthConfig + wantExpiry time.Duration + }{ + { + name: "success", + responseBody: `{ + "access_token": "access-token", + "expires_in": 10, + "token_type": "Bearer" +}`, + statusCode: http.StatusOK, + wantAuthConfig: authn.AuthConfig{ + Username: DefaultGARUsername, + Password: "access-token", + }, + wantExpiry: time.Second * 10, + }, + { + name: "fail", + statusCode: http.StatusInternalServerError, + wantErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + handler := func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(tt.statusCode) + w.Write([]byte(tt.responseBody)) + } + srv := httptest.NewServer(http.HandlerFunc(handler)) + t.Cleanup(func() { + srv.Close() + }) + + provider := NewProvider(WithTokenURL(srv.URL)) + auth, expiry, err := provider.GetGARAuthConfig(context.TODO()) + if tt.wantErr { + g.Expect(err).To(HaveOccurred()) + } else { + g.Expect(err).ToNot(HaveOccurred()) + if tt.statusCode == http.StatusOK { + g.Expect(auth).To(Equal(tt.wantAuthConfig)) + g.Expect(expiry).To(Equal(tt.wantExpiry)) + } + } + }) + } +} diff --git a/auth/gcp/service_account.go b/auth/gcp/service_account.go new file mode 100644 index 00000000..882661fa --- /dev/null +++ b/auth/gcp/service_account.go @@ -0,0 +1,149 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package gcp + +import ( + "context" + "encoding/json" + "fmt" + "io" + "net/http" +) + +// SERVICE_ACCOUNT_TOKEN_URL is the default GCP metadata server endpoint to +// fetch the access token for a GCP service account. +const SERVICE_ACCOUNT_TOKEN_URL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" + +// SERVICE_ACCOUNT_EMAIL_URL is the default GCP metadata server endpoint to +// fetch the email for a GCP service account. +const SERVICE_ACCOUNT_EMAIL_URL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" + +// Provider is an authentication provider for GCP. +type Provider struct { + tokenURL string + emailURL string +} + +// ProviderOptFunc enables specifying options for the provider. +type ProviderOptFunc func(*Provider) + +// NewProvider returns a new authentication provider for GCP. +func NewProvider(opts ...ProviderOptFunc) *Provider { + p := &Provider{} + for _, opt := range opts { + opt(p) + } + return p +} + +// WithTokenURL configures the url that the provider should use +// to fetch the access token for a GCP service account. +func WithTokenURL(tokenURL string) ProviderOptFunc { + return func(p *Provider) { + p.tokenURL = tokenURL + } +} + +// WithEmailURL configures the url that the provider should use +// to fetch the email for a GCP service account. +func WithEmailURL(emailURL string) ProviderOptFunc { + return func(p *Provider) { + p.emailURL = emailURL + } +} + +// ServiceAccountToken is the object returned by the GKE metadata server +// upon requesting for a GCP service account token. +// Ref: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#metadata_server +type ServiceAccountToken struct { + AccessToken string `json:"access_token"` + ExpiresIn int `json:"expires_in"` + TokenType string `json:"token_type"` +} + +// GetServiceAccountToken fetches the access token for the service account +// that the Pod is configured to run as, using Workload Identity. +// Ref: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity +// The Kubernetes service account must be bound to a GCP service account with +// the appropriate permissions. +func (p *Provider) GetServiceAccountToken(ctx context.Context) (*ServiceAccountToken, error) { + if p.tokenURL == "" { + p.tokenURL = SERVICE_ACCOUNT_TOKEN_URL + } + + request, err := http.NewRequestWithContext(ctx, http.MethodGet, p.tokenURL, nil) + if err != nil { + return nil, err + } + + request.Header.Add("Metadata-Flavor", "Google") + + client := &http.Client{} + response, err := client.Do(request) + if err != nil { + return nil, err + } + defer response.Body.Close() + defer io.Copy(io.Discard, response.Body) + + if response.StatusCode != http.StatusOK { + return nil, fmt.Errorf("unexpected status from metadata service: %s", response.Status) + } + + var accessToken ServiceAccountToken + decoder := json.NewDecoder(response.Body) + if err := decoder.Decode(&accessToken); err != nil { + return nil, err + } + + return &accessToken, nil +} + +// GetServiceAccountEmail fetches the email for the service account +// that the Pod is configured to run as, using Workload Identity. +// Ref: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity +func (p *Provider) GetServiceAccountEmail(ctx context.Context) (string, error) { + if p.emailURL == "" { + p.emailURL = SERVICE_ACCOUNT_EMAIL_URL + } + + request, err := http.NewRequestWithContext(ctx, http.MethodGet, p.emailURL, nil) + if err != nil { + return "", err + } + + request.Header.Add("Metadata-Flavor", "Google") + + client := &http.Client{} + response, err := client.Do(request) + if err != nil { + return "", err + } + defer response.Body.Close() + defer io.Copy(io.Discard, response.Body) + + if response.StatusCode != http.StatusOK { + return "", fmt.Errorf("unexpected status from metadata service: %s", response.Status) + } + + body, err := io.ReadAll(response.Body) + if err != nil { + return "", err + } + + return string(body), nil +} diff --git a/auth/gcp/service_account_test.go b/auth/gcp/service_account_test.go new file mode 100644 index 00000000..0829df3a --- /dev/null +++ b/auth/gcp/service_account_test.go @@ -0,0 +1,136 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package gcp + +import ( + "context" + "net/http" + "net/http/httptest" + "testing" + + . "github.com/onsi/gomega" +) + +func TestGetServiceAccountToken(t *testing.T) { + tests := []struct { + name string + responseBody string + statusCode int + wantErr bool + wantSAToken ServiceAccountToken + }{ + { + name: "success", + responseBody: `{ + "access_token": "access-token", + "expires_in": 10, + "token_type": "Bearer" +}`, + statusCode: http.StatusOK, + wantSAToken: ServiceAccountToken{ + AccessToken: "access-token", + ExpiresIn: 10, + TokenType: "Bearer", + }, + }, + { + name: "fail", + statusCode: http.StatusInternalServerError, + wantErr: true, + }, + { + name: "invalid response", + responseBody: "foo", + statusCode: http.StatusOK, + wantErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + handler := func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(tt.statusCode) + w.Write([]byte(tt.responseBody)) + } + srv := httptest.NewServer(http.HandlerFunc(handler)) + t.Cleanup(func() { + srv.Close() + }) + + provider := NewProvider(WithTokenURL(srv.URL)) + saToken, err := provider.GetServiceAccountToken(context.TODO()) + if tt.wantErr { + g.Expect(err).To(HaveOccurred()) + } else { + g.Expect(err).ToNot(HaveOccurred()) + if tt.statusCode == http.StatusOK { + g.Expect(*saToken).To(Equal(tt.wantSAToken)) + } + } + }) + } +} + +func TestGetServiceAccountEmail(t *testing.T) { + tests := []struct { + name string + responseBody string + statusCode int + wantErr bool + wantEmail string + }{ + { + name: "success", + responseBody: "git@fluxcd.com", + statusCode: http.StatusOK, + wantEmail: "git@fluxcd.com", + }, + { + name: "fail", + statusCode: http.StatusInternalServerError, + wantErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + handler := func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(tt.statusCode) + w.Write([]byte(tt.responseBody)) + } + srv := httptest.NewServer(http.HandlerFunc(handler)) + t.Cleanup(func() { + srv.Close() + }) + + provider := NewProvider(WithEmailURL(srv.URL)) + email, err := provider.GetServiceAccountEmail(context.TODO()) + if tt.wantErr { + g.Expect(err).To(HaveOccurred()) + } else { + g.Expect(err).ToNot(HaveOccurred()) + if tt.statusCode == http.StatusOK { + g.Expect(email).To(Equal(tt.wantEmail)) + } + } + }) + } +} diff --git a/auth/git/credentials.go b/auth/git/credentials.go new file mode 100644 index 00000000..8eeab1d2 --- /dev/null +++ b/auth/git/credentials.go @@ -0,0 +1,149 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package git + +import ( + "context" + "time" + + "github.com/fluxcd/pkg/auth" + "github.com/fluxcd/pkg/auth/azure" + "github.com/fluxcd/pkg/auth/gcp" + "github.com/fluxcd/pkg/auth/github" +) + +const GitHubAccessTokenUsername = "x-access-token" + +// Credentials contains the various authentication data needed +// in order to access a Git repository. +type Credentials struct { + Username string `json:"username,omitempty"` + Password string `json:"password,omitempty"` + BearerToken string `json:"bearerToken,omitempty"` +} + +// ToSecretData returns the Credentials object in the format +// of the data found in Kubernetes Generic Secret. +func (c *Credentials) ToSecretData() map[string][]byte { + var data map[string][]byte + + if c.BearerToken != "" { + data["bearerToken"] = []byte(c.BearerToken) + } + if c.Password != "" { + data["password"] = []byte(c.Password) + } + if c.Username != "" { + data["username"] = []byte(c.Username) + } + return data +} + +// GetCredentials returns authentication credentials for accessing the provided +// Git repository. +// The authentication credentials will be cached if `authOpts.CacheOptions.Key` +// is not blank and caching is enabled. Caching can be enabled by either calling +// `auth.InitCache()` or specifying a cache via `authOpts.CacheOptions.Cache`. +// The credentials are cached according to the ttl advertised by the registry +// provider. +func GetCredentials(ctx context.Context, provider string, authOpts *auth.AuthOptions) (*Credentials, error) { + var creds Credentials + + var cache auth.Store + if authOpts != nil { + cache = authOpts.GetCache() + if cache != nil && authOpts.CacheOptions.Key != "" { + val, found := cache.Get(authOpts.CacheOptions.Key) + if found { + creds = val.(Credentials) + return &creds, nil + } + } + } + + var expiresIn time.Duration + switch provider { + case auth.ProviderAzure: + var opts []azure.ProviderOptFunc + if authOpts != nil { + opts = authOpts.ProviderOptions.AzureOpts + } + azureProvider := azure.NewProvider(opts...) + + armToken, err := azureProvider.GetResourceManagerToken(ctx) + if err != nil { + return nil, err + } + creds = Credentials{ + BearerToken: armToken.Token, + } + expiresIn = armToken.ExpiresOn.UTC().Sub(time.Now().UTC()) + case auth.ProviderGCP: + var opts []gcp.ProviderOptFunc + if authOpts != nil { + opts = authOpts.ProviderOptions.GcpOpts + } + gcpProvider := gcp.NewProvider(opts...) + + saToken, err := gcpProvider.GetServiceAccountToken(ctx) + if err != nil { + return nil, err + } + email, err := gcpProvider.GetServiceAccountEmail(ctx) + if err != nil { + return nil, err + } + + creds = Credentials{ + Username: email, + Password: saToken.AccessToken, + } + expiresIn = time.Duration(saToken.ExpiresIn) + case auth.ProviderGitHub: + var opts []github.ProviderOptFunc + if authOpts != nil { + if authOpts.Secret != nil { + opts = append(opts, github.WithSecret(*authOpts.Secret)) + } + opts = append(opts, authOpts.ProviderOptions.GitHubOpts...) + } + + ghProvider, err := github.NewProvider(opts...) + if err != nil { + return nil, err + } + + appToken, err := ghProvider.GetAppToken(ctx) + if err != nil { + return nil, err + } + creds = Credentials{ + Username: GitHubAccessTokenUsername, + Password: appToken.Token, + } + expiresIn = appToken.ExpiresIn + default: + return nil, nil + } + + if cache != nil && authOpts != nil && authOpts.CacheOptions.Key != "" { + if err := cache.Set(authOpts.CacheOptions.Key, creds, expiresIn); err != nil { + return nil, err + } + } + return &creds, nil +} diff --git a/auth/git/credentials_test.go b/auth/git/credentials_test.go new file mode 100644 index 00000000..429987e3 --- /dev/null +++ b/auth/git/credentials_test.go @@ -0,0 +1,318 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package git + +import ( + "context" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "encoding/pem" + "fmt" + "net/http" + "net/http/httptest" + "strings" + "testing" + "time" + + . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" + "k8s.io/utils/pointer" + + "github.com/fluxcd/pkg/auth" + "github.com/fluxcd/pkg/auth/azure" + "github.com/fluxcd/pkg/auth/gcp" + "github.com/fluxcd/pkg/auth/github" + "github.com/fluxcd/pkg/auth/internal/testutils" +) + +func TestGetCredentials(t *testing.T) { + expiresAt := time.Now().UTC().Add(time.Hour) + auth.InitCache(testutils.NewDummyCache()) + customCache := testutils.NewDummyCache() + + tests := []struct { + name string + authOpts *auth.AuthOptions + provider string + responseBody string + beforeFunc func(t *WithT, authOpts *auth.AuthOptions, serverURL string) + afterFunc func(t *WithT, cache auth.Store, creds Credentials) + expectCacheHit bool + wantCredentials *Credentials + }{ + { + name: "get credentials from github", + provider: auth.ProviderGitHub, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "github-123", + }, + }, + responseBody: `{ + "token": "access-token", + "expires_at": "2029-11-10T23:00:00Z" +}`, + beforeFunc: func(t *WithT, authOpts *auth.AuthOptions, serverURL string) { + pk, err := createPrivateKey() + t.Expect(err).ToNot(HaveOccurred()) + authOpts.Secret = &corev1.Secret{ + Data: map[string][]byte{ + github.ApiURLKey: []byte(serverURL), + github.AppIDKey: []byte("127"), + github.AppInstallationIDKey: []byte("300"), + github.AppPkKey: pk, + }, + } + }, + afterFunc: func(t *WithT, cache auth.Store, creds Credentials) { + val, ok := cache.Get("github-123") + t.Expect(ok).To(BeTrue()) + credentials := val.(Credentials) + t.Expect(credentials).To(Equal(creds)) + }, + wantCredentials: &Credentials{ + Username: GitHubAccessTokenUsername, + Password: "access-token", + }, + }, + { + name: "get credentials from cache", + provider: auth.ProviderGitHub, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "github-123", + }, + }, + expectCacheHit: true, + wantCredentials: &Credentials{ + Username: GitHubAccessTokenUsername, + Password: "access-token", + }, + }, + { + name: "get credentials from github with local cache", + provider: auth.ProviderGitHub, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "github-local-123", + Cache: customCache, + }, + }, + responseBody: `{ + "token": "access-token", + "expires_at": "2029-11-10T23:00:00Z" +}`, + beforeFunc: func(t *WithT, authOpts *auth.AuthOptions, serverURL string) { + pk, err := createPrivateKey() + t.Expect(err).ToNot(HaveOccurred()) + authOpts.Secret = &corev1.Secret{ + Data: map[string][]byte{ + github.ApiURLKey: []byte(serverURL), + github.AppIDKey: []byte("127"), + github.AppInstallationIDKey: []byte("300"), + github.AppPkKey: pk, + }, + } + }, + afterFunc: func(t *WithT, cache auth.Store, creds Credentials) { + val, ok := cache.Get("github-local-123") + t.Expect(ok).To(BeTrue()) + credentials := val.(Credentials) + t.Expect(credentials).To(Equal(creds)) + }, + wantCredentials: &Credentials{ + Username: GitHubAccessTokenUsername, + Password: "access-token", + }, + }, + { + name: "get credentials from local cache", + provider: auth.ProviderGitHub, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "github-local-123", + Cache: customCache, + }, + }, + expectCacheHit: true, + wantCredentials: &Credentials{ + Username: GitHubAccessTokenUsername, + Password: "access-token", + }, + }, + { + name: "get credentials from github if cache key is absent", + provider: auth.ProviderGitHub, + responseBody: `{ + "token": "access-token", + "expires_at": "2029-11-10T23:00:00Z" +}`, + authOpts: &auth.AuthOptions{}, + beforeFunc: func(t *WithT, authOpts *auth.AuthOptions, serverURL string) { + pk, err := createPrivateKey() + t.Expect(err).ToNot(HaveOccurred()) + authOpts.Secret = &corev1.Secret{ + Data: map[string][]byte{ + github.ApiURLKey: []byte(serverURL), + github.AppIDKey: []byte("127"), + github.AppInstallationIDKey: []byte("300"), + github.AppPkKey: pk, + }, + } + }, + wantCredentials: &Credentials{ + Username: GitHubAccessTokenUsername, + Password: "access-token", + }, + }, + { + name: "get credentials from azure", + provider: auth.ProviderAzure, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "azure-123", + }, + ProviderOptions: auth.ProviderOptions{ + AzureOpts: []azure.ProviderOptFunc{ + azure.WithCredential(&azure.FakeTokenCredential{ + Token: "devops-token", + ExpiresOn: expiresAt, + }), + }, + }, + }, + afterFunc: func(t *WithT, cache auth.Store, creds Credentials) { + val, ok := cache.Get("azure-123") + t.Expect(ok).To(BeTrue()) + credentials := val.(Credentials) + t.Expect(credentials).To(Equal(creds)) + }, + wantCredentials: &Credentials{ + BearerToken: "devops-token", + }, + }, + { + name: "get credentials from gcp", + provider: auth.ProviderGCP, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "gcp-123", + }, + }, + responseBody: `{ + "access_token": "access-token", + "expires_in": 10, + "token_type": "Bearer" +}`, + beforeFunc: func(_ *WithT, authOpts *auth.AuthOptions, serverURL string) { + authOpts.ProviderOptions.GcpOpts = []gcp.ProviderOptFunc{ + gcp.WithTokenURL(serverURL), + gcp.WithEmailURL(fmt.Sprintf("%s/email", serverURL)), + } + }, + afterFunc: func(t *WithT, cache auth.Store, creds Credentials) { + val, ok := cache.Get("gcp-123") + t.Expect(ok).To(BeTrue()) + credentials := val.(Credentials) + t.Expect(credentials).To(Equal(creds)) + }, + wantCredentials: &Credentials{ + Username: "git@fluxcd.com", + Password: "access-token", + }, + }, + { + name: "unknown provider", + provider: "generic", + wantCredentials: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + var count int + handler := func(w http.ResponseWriter, r *http.Request) { + count += 1 + // this is required for the GCP provider to be able to fetch + // the Service Account email. + if tt.provider == auth.ProviderGCP && strings.HasSuffix(r.URL.Path, "email") { + w.WriteHeader(http.StatusOK) + w.Write([]byte(tt.wantCredentials.Username)) + return + } + + w.WriteHeader(http.StatusOK) + w.Write([]byte(tt.responseBody)) + } + srv := httptest.NewServer(http.HandlerFunc(handler)) + t.Cleanup(func() { + srv.Close() + }) + + if tt.beforeFunc != nil { + tt.beforeFunc(g, tt.authOpts, srv.URL) + } + + ctx := context.WithValue(context.TODO(), "scope", pointer.String("")) + creds, err := GetCredentials(ctx, tt.provider, tt.authOpts) + g.Expect(err).ToNot(HaveOccurred()) + + if tt.wantCredentials == nil { + g.Expect(creds).To(BeNil()) + return + } + g.Expect(*creds).To(Equal(*tt.wantCredentials)) + + if tt.afterFunc != nil { + tt.afterFunc(g, tt.authOpts.GetCache(), *creds) + } + + if tt.expectCacheHit { + g.Expect(count).To(Equal(0)) + } else { + // For Azure, the token is returned through a static object, so verify + // that we didn't hit the cache by asserting that the scope was embedded + // inside the context as that is the behavior of FakeTokenCredential. + if tt.provider == auth.ProviderAzure { + val := ctx.Value("scope").(*string) + g.Expect(*val).ToNot(BeEmpty()) + } else { + g.Expect(count).To(BeNumerically(">", 0)) + } + } + }) + } +} + +func createPrivateKey() ([]byte, error) { + privatekey, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return nil, err + } + + var privateKeyBytes []byte = x509.MarshalPKCS1PrivateKey(privatekey) + privateKeyBlock := &pem.Block{ + Type: "RSA PRIVATE KEY", + Bytes: privateKeyBytes, + } + + pk := pem.EncodeToMemory(privateKeyBlock) + return pk, nil +} diff --git a/auth/github/app_token.go b/auth/github/app_token.go new file mode 100644 index 00000000..15733eab --- /dev/null +++ b/auth/github/app_token.go @@ -0,0 +1,154 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package github + +import ( + "context" + "net/http" + "strconv" + "time" + + "github.com/bradleyfalzon/ghinstallation/v2" + corev1 "k8s.io/api/core/v1" +) + +const ( + AppIDKey = "githubAppID" + AppInstallationIDKey = "githubAppInstallationID" + AppPkKey = "githubAppPrivateKey" + ApiURLKey = "githubApiURL" +) + +// Provider is an authentication provider for GitHub Apps. +type Provider struct { + apiURL string + privateKey []byte + appID int + installationID int + transport http.RoundTripper +} + +// ProviderOptFunc enables specifying options for the provider. +type ProviderOptFunc func(*Provider) error + +// NewProvider returns a new authentication provider for GitHub Apps. +func NewProvider(opts ...ProviderOptFunc) (*Provider, error) { + p := &Provider{} + for _, opt := range opts { + err := opt(p) + if err != nil { + return nil, err + } + } + return p, nil +} + +// WithInstllationID configures the installation ID of the GitHub App. +func WithInstllationID(installationID int) ProviderOptFunc { + return func(p *Provider) error { + p.installationID = installationID + return nil + } +} + +// WithAppID configures the app ID of the GitHub App. +func WithAppID(appID int) ProviderOptFunc { + return func(p *Provider) error { + p.appID = appID + return nil + } +} + +// WithPrivateKey configures the private key related to the GitHub App. +func WithPrivateKey(pk []byte) ProviderOptFunc { + return func(p *Provider) error { + p.privateKey = pk + return nil + } +} + +// WithApiURL configures the API endpoint to use for fetching the token +// related to the GitHub App. +func WithApiURL(apiURL string) ProviderOptFunc { + return func(p *Provider) error { + p.apiURL = apiURL + return nil + } +} + +// WithTransport configures the HTTP transport to use while making API calls. +func WithTransport(t http.RoundTripper) ProviderOptFunc { + return func(p *Provider) error { + p.transport = t + return nil + } +} + +// WithSecret configures the provider using the data present in the provided +// Kubernetes Secret. +func WithSecret(secret corev1.Secret) ProviderOptFunc { + return func(p *Provider) error { + var err error + p.appID, err = strconv.Atoi(string(secret.Data[AppIDKey])) + if err != nil { + return err + } + p.installationID, err = strconv.Atoi(string(secret.Data[AppInstallationIDKey])) + if err != nil { + return err + } + p.privateKey = secret.Data[AppPkKey] + p.apiURL = string(secret.Data[ApiURLKey]) + return nil + } +} + +// AppToken contains a GitHub App instllation token and its TTL. +type AppToken struct { + Token string + ExpiresIn time.Duration +} + +// GetAppToken returns the token that can be used to authenticate +// as a GitHub App installation. +// Ref: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation +func (p *Provider) GetAppToken(ctx context.Context) (*AppToken, error) { + if p.transport == nil { + p.transport = http.DefaultTransport + } + + ghTransport, err := ghinstallation.New(p.transport, int64(p.appID), int64(p.installationID), p.privateKey) + if err != nil { + return nil, err + } + if p.apiURL != "" { + ghTransport.BaseURL = p.apiURL + } + + token, err := ghTransport.Token(ctx) + if err != nil { + return nil, err + } + expiresAt, _, err := ghTransport.Expiry() + if err != nil { + return nil, err + } + return &AppToken{ + Token: token, + ExpiresIn: expiresAt.UTC().Sub(time.Now().UTC()), + }, nil +} diff --git a/auth/github/app_token_test.go b/auth/github/app_token_test.go new file mode 100644 index 00000000..dc7952c0 --- /dev/null +++ b/auth/github/app_token_test.go @@ -0,0 +1,150 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package github + +import ( + "context" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "encoding/json" + "encoding/pem" + "net/http" + "net/http/httptest" + "testing" + "time" + + . "github.com/onsi/gomega" +) + +type accessToken struct { + Token string `json:"token"` + ExpiresAt time.Time `json:"expires_at"` +} + +var count int + +func TestProvider_GetAppToken(t *testing.T) { + expiresAt := time.Now().UTC().Add(time.Hour) + tests := []struct { + name string + accessToken *accessToken + transport http.RoundTripper + statusCode int + wantErr bool + wantAppToken *AppToken + }{ + { + name: "success with default transport", + accessToken: &accessToken{ + Token: "access-token", + ExpiresAt: expiresAt, + }, + statusCode: http.StatusOK, + wantAppToken: &AppToken{ + Token: "access-token", + ExpiresIn: time.Hour, + }, + }, + { + name: "success with custom transport", + accessToken: &accessToken{ + Token: "access-token", + ExpiresAt: expiresAt, + }, + statusCode: http.StatusOK, + transport: &testTransport{}, + wantAppToken: &AppToken{ + Token: "access-token", + ExpiresIn: time.Hour, + }, + }, + { + name: "fail", + statusCode: http.StatusInternalServerError, + wantErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + handler := func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(tt.statusCode) + var response []byte + var err error + if tt.accessToken != nil { + response, err = json.Marshal(tt.accessToken) + g.Expect(err).ToNot(HaveOccurred()) + } + w.Write(response) + } + srv := httptest.NewServer(http.HandlerFunc(handler)) + t.Cleanup(func() { + srv.Close() + }) + + pk, err := createPrivateKey() + g.Expect(err).ToNot(HaveOccurred()) + opts := []ProviderOptFunc{ + WithApiURL(srv.URL), WithInstllationID(127), WithAppID(300), WithPrivateKey(pk), + } + if tt.transport != nil { + opts = append(opts, WithTransport(tt.transport)) + } + + provider, err := NewProvider(opts...) + g.Expect(err).ToNot(HaveOccurred()) + + appToken, err := provider.GetAppToken(context.TODO()) + if tt.wantErr { + g.Expect(err).To(HaveOccurred()) + } else { + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(appToken.Token).To(Equal(tt.wantAppToken.Token)) + g.Expect(appToken.ExpiresIn.Round(time.Hour)).To(Equal(tt.wantAppToken.ExpiresIn)) + if tt.transport != nil { + g.Expect(count).To(BeNumerically(">", 0)) + } + } + }) + } +} + +type testTransport struct{} + +func (tt *testTransport) RoundTrip(req *http.Request) (*http.Response, error) { + count += 1 + return http.DefaultTransport.RoundTrip(req) +} + +func createPrivateKey() ([]byte, error) { + privatekey, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return nil, err + } + + var privateKeyBytes []byte = x509.MarshalPKCS1PrivateKey(privatekey) + privateKeyBlock := &pem.Block{ + Type: "RSA PRIVATE KEY", + Bytes: privateKeyBytes, + } + + pk := pem.EncodeToMemory(privateKeyBlock) + return pk, nil +} diff --git a/auth/go.mod b/auth/go.mod new file mode 100644 index 00000000..23755e6c --- /dev/null +++ b/auth/go.mod @@ -0,0 +1,68 @@ +module github.com/fluxcd/pkg/auth + +go 1.20 + +replace github.com/fluxcd/pkg/cache => ../cache + +require ( + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 + github.com/aws/aws-sdk-go-v2 v1.21.2 + github.com/aws/aws-sdk-go-v2/config v1.18.45 + github.com/aws/aws-sdk-go-v2/credentials v1.13.43 + github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 + github.com/bradleyfalzon/ghinstallation/v2 v2.7.0 + github.com/golang-jwt/jwt/v5 v5.0.0 + github.com/google/go-containerregistry v0.16.1 + github.com/onsi/gomega v1.28.0 + k8s.io/api v0.28.2 + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 +) + +require ( + github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect + github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect + github.com/aws/smithy-go v1.15.0 // indirect + github.com/cloudflare/circl v1.3.3 // indirect + github.com/docker/cli v24.0.0+incompatible // indirect + github.com/docker/docker v24.0.0+incompatible // indirect + github.com/docker/docker-credential-helpers v0.7.0 // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/google/go-cmp v0.5.9 // indirect + github.com/google/go-github/v55 v55.0.0 // indirect + github.com/google/go-querystring v1.1.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/uuid v1.3.0 // indirect + github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/sirupsen/logrus v1.9.1 // indirect + golang.org/x/crypto v0.12.0 // indirect + golang.org/x/net v0.14.0 // indirect + golang.org/x/sys v0.11.0 // indirect + golang.org/x/text v0.12.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/apimachinery v0.28.2 // indirect + k8s.io/klog/v2 v2.100.1 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect +) diff --git a/auth/go.sum b/auth/go.sum new file mode 100644 index 00000000..0791a0fa --- /dev/null +++ b/auth/go.sum @@ -0,0 +1,212 @@ +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 h1:t5+QXLCK9SVi0PPdaY0PrFvYUo24KwA0QwxnaHRSVd4= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk= +github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA= +github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g= +github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= +github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= +github.com/aws/aws-sdk-go-v2/config v1.18.45 h1:Aka9bI7n8ysuwPeFdm77nfbyHCAKQ3z9ghB3S/38zes= +github.com/aws/aws-sdk-go-v2/config v1.18.45/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= +github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= +github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE= +github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE= +github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg= +github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU= +github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ= +github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8= +github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/bradleyfalzon/ghinstallation/v2 v2.7.0 h1:ranXaC3Zz/F6G/f0Joj3LrFp2OzOKfJZev5Q7OaMc88= +github.com/bradleyfalzon/ghinstallation/v2 v2.7.0/go.mod h1:ymxfmloxXBFXvvF1KpeUhOQM6Dfz9NYtfvTiJyk82UE= +github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I= +github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= +github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= +github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM= +github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/docker v24.0.0+incompatible h1:z4bf8HvONXX9Tde5lGBMQ7yCJgNahmJumdrStZAbeY4= +github.com/docker/docker v24.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= +github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= +github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ= +github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= +github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg= +github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA= +github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= +github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/onsi/ginkgo/v2 v2.12.0 h1:UIVDowFPwpg6yMUpPjGkYvf06K3RAiJXUhCxEwQVHRI= +github.com/onsi/gomega v1.28.0 h1:i2rg/p9n/UqIDAMFUJ6qIUUMcsqOuUHgbpbu235Vr1c= +github.com/onsi/gomega v1.28.0/go.mod h1:A1H2JE76sI14WIP57LMKj7FVfCHx3g3BcZVjJG8bjX8= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/sirupsen/logrus v1.9.1 h1:Ou41VVR3nMWWmTiEUnj0OlsgOSCUFgsPAOl6jRIcVtQ= +github.com/sirupsen/logrus v1.9.1/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= +golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= +k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw= +k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg= +k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ= +k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= diff --git a/auth/internal/testutils/dummy_store.go b/auth/internal/testutils/dummy_store.go new file mode 100644 index 00000000..e5aa656c --- /dev/null +++ b/auth/internal/testutils/dummy_store.go @@ -0,0 +1,45 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package testutils + +import ( + "time" + + "github.com/fluxcd/pkg/auth" +) + +type dummyCache struct { + items map[string]interface{} +} + +func NewDummyCache() auth.Store { + return &dummyCache{ + items: make(map[string]interface{}), + } +} + +var _ auth.Store = &dummyCache{} + +func (c *dummyCache) Set(key string, item interface{}, _ time.Duration) error { + c.items[key] = item + return nil +} + +func (c *dummyCache) Get(key string) (interface{}, bool) { + item, ok := c.items[key] + return item, ok +} diff --git a/auth/options.go b/auth/options.go new file mode 100644 index 00000000..8fc2f2bf --- /dev/null +++ b/auth/options.go @@ -0,0 +1,77 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +import ( + "github.com/fluxcd/pkg/auth/aws" + "github.com/fluxcd/pkg/auth/azure" + "github.com/fluxcd/pkg/auth/gcp" + "github.com/fluxcd/pkg/auth/github" + corev1 "k8s.io/api/core/v1" +) + +const ( + ProviderAWS = "aws" + ProviderAzure = "azure" + ProviderGCP = "gcp" + ProviderGitHub = "github" +) + +// AuthOptions contains options that can be used for authentication. +type AuthOptions struct { + // Secret contains information that can be used to obtain the required + // set of credentials. + Secret *corev1.Secret + + // ProviderOptions specifies the options to configure various authentication + // providers. + ProviderOptions ProviderOptions + + // CacheOptions specifies the options to configure caching behavior of the + // authentication credentials. + CacheOptions CacheOptions +} + +// GetCache returns the cache to use for fetching/storing authentication +// credentials. +func (a *AuthOptions) GetCache() Store { + if a.CacheOptions.Cache != nil { + return a.CacheOptions.Cache + } + return GetCache() +} + +// CacheOptions contains options to configure the caching behavior of the +// authentication credentials. +type CacheOptions struct { + // Key is the key to use for caching the authentication credentials. + Key string + + // Cache is the Store to use for caching the authentication credentials. + // If specified, then the global cache specified through `auth.InitCache()` + // is ignored and the credentials are cached in this Store instead. + Cache Store +} + +// ProviderOptions contains options to configure various authentication +// providers. +type ProviderOptions struct { + AwsOpts []aws.ProviderOptFunc + AzureOpts []azure.ProviderOptFunc + GcpOpts []gcp.ProviderOptFunc + GitHubOpts []github.ProviderOptFunc +} diff --git a/auth/registry/authenticator.go b/auth/registry/authenticator.go new file mode 100644 index 00000000..5c105798 --- /dev/null +++ b/auth/registry/authenticator.go @@ -0,0 +1,94 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry + +import ( + "context" + "time" + + "github.com/fluxcd/pkg/auth" + "github.com/fluxcd/pkg/auth/aws" + "github.com/fluxcd/pkg/auth/azure" + "github.com/fluxcd/pkg/auth/gcp" + "github.com/google/go-containerregistry/pkg/authn" +) + +// GetAuthenticator returns an authenticator that can provide credentials to +// access the provided registry. +// The authentication credentials will be cached if `authOpts.CacheOptions.Key` +// is not blank and caching is enabled. Caching can be enabled by either calling +// `auth.InitCache()` or specifying a cache via `authOpts.CacheOptions.Cache`. +// The credentials are cached according to the ttl advertised by the registry +// provider. +func GetAuthenticator(ctx context.Context, registry string, provider string, authOpts *auth.AuthOptions) (authn.Authenticator, error) { + var authConfig authn.AuthConfig + + var cache auth.Store + if authOpts != nil { + cache = authOpts.GetCache() + if cache != nil && authOpts.CacheOptions.Key != "" { + val, found := cache.Get(authOpts.CacheOptions.Key) + if found { + authConfig = val.(authn.AuthConfig) + return authn.FromConfig(authConfig), nil + } + } + } + + var err error + var expiresIn time.Duration + switch provider { + case auth.ProviderAWS: + var opts []aws.ProviderOptFunc + if authOpts != nil { + opts = authOpts.ProviderOptions.AwsOpts + } + awsProvider := aws.NewProvider(opts...) + authConfig, expiresIn, err = awsProvider.GetECRAuthConfig(ctx, registry) + case auth.ProviderAzure: + var opts []azure.ProviderOptFunc + scopeOpt := azure.GetScopeProiderOption(registry) + if scopeOpt != nil { + opts = append(opts, scopeOpt) + } + if authOpts != nil { + opts = authOpts.ProviderOptions.AzureOpts + } + + azureProvider := azure.NewProvider(opts...) + authConfig, expiresIn, err = azureProvider.GetACRAuthConfig(ctx, registry) + case auth.ProviderGCP: + var opts []gcp.ProviderOptFunc + if authOpts != nil { + opts = authOpts.ProviderOptions.GcpOpts + } + gcpProvider := gcp.NewProvider(opts...) + authConfig, expiresIn, err = gcpProvider.GetGARAuthConfig(ctx) + default: + return nil, nil + } + if err != nil { + return nil, err + } + + if cache != nil && authOpts != nil && authOpts.CacheOptions.Key != "" { + if err := cache.Set(authOpts.CacheOptions.Key, authConfig, expiresIn); err != nil { + return nil, err + } + } + return authn.FromConfig(authConfig), nil +} diff --git a/auth/registry/authenticator_test.go b/auth/registry/authenticator_test.go new file mode 100644 index 00000000..12821a8e --- /dev/null +++ b/auth/registry/authenticator_test.go @@ -0,0 +1,281 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry + +import ( + "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "fmt" + "net/http" + "net/http/httptest" + "testing" + "time" + + awssdk "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/credentials" + "github.com/fluxcd/pkg/auth" + "github.com/fluxcd/pkg/auth/aws" + "github.com/fluxcd/pkg/auth/azure" + "github.com/fluxcd/pkg/auth/gcp" + "github.com/fluxcd/pkg/auth/internal/testutils" + "github.com/golang-jwt/jwt/v5" + "github.com/google/go-containerregistry/pkg/authn" + + . "github.com/onsi/gomega" +) + +func TestGetAuthenticator(t *testing.T) { + g := NewWithT(t) + expiresAt := time.Now().UTC().Add(time.Hour) + token := jwt.NewWithClaims(jwt.SigningMethodES256, jwt.RegisteredClaims{ + Issuer: "auth.microsoft.com", + Subject: "fluxcd", + ExpiresAt: jwt.NewNumericDate(expiresAt), + }) + + pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + g.Expect(err).ToNot(HaveOccurred()) + tokenStr, err := token.SignedString(pk) + g.Expect(err).ToNot(HaveOccurred()) + + auth.InitCache(testutils.NewDummyCache()) + customCache := testutils.NewDummyCache() + + tests := []struct { + name string + authOpts *auth.AuthOptions + provider string + responseBody string + beforeFunc func(authOpts *auth.AuthOptions, serverURL string, registry *string) + afterFunc func(t *WithT, cache auth.Store, authConfig authn.AuthConfig) + expectCacheHit bool + wantAuthConfig *authn.AuthConfig + }{ + { + name: "get authenticator from gcp", + provider: auth.ProviderGCP, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "gcp-123", + }, + }, + responseBody: `{ + "access_token": "access-token", + "expires_in": 10, + "token_type": "Bearer" +}`, + beforeFunc: func(authOpts *auth.AuthOptions, serverURL string, registry *string) { + authOpts.ProviderOptions.GcpOpts = []gcp.ProviderOptFunc{gcp.WithTokenURL(serverURL), gcp.WithEmailURL(serverURL)} + }, + wantAuthConfig: &authn.AuthConfig{ + Username: gcp.DefaultGARUsername, + Password: "access-token", + }, + afterFunc: func(t *WithT, cache auth.Store, authConfig authn.AuthConfig) { + val, ok := cache.Get("gcp-123") + t.Expect(ok).To(BeTrue()) + ac := val.(authn.AuthConfig) + t.Expect(ac).To(Equal(authConfig)) + }, + }, + { + name: "get authenticator from global cache", + provider: auth.ProviderGCP, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "gcp-123", + }, + }, + expectCacheHit: true, + wantAuthConfig: &authn.AuthConfig{ + Username: gcp.DefaultGARUsername, + Password: "access-token", + }, + }, + { + name: "get authenticator from gcp with local cache", + provider: auth.ProviderGCP, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "gcp-local-123", + Cache: customCache, + }, + }, + responseBody: `{ + "access_token": "access-token", + "expires_in": 10, + "token_type": "Bearer" +}`, + beforeFunc: func(authOpts *auth.AuthOptions, serverURL string, registry *string) { + authOpts.ProviderOptions.GcpOpts = []gcp.ProviderOptFunc{gcp.WithTokenURL(serverURL), gcp.WithEmailURL(serverURL)} + }, + wantAuthConfig: &authn.AuthConfig{ + Username: gcp.DefaultGARUsername, + Password: "access-token", + }, + afterFunc: func(t *WithT, cache auth.Store, authConfig authn.AuthConfig) { + val, ok := cache.Get("gcp-local-123") + t.Expect(ok).To(BeTrue()) + ac := val.(authn.AuthConfig) + t.Expect(ac).To(Equal(authConfig)) + }, + }, + { + name: "get authenticator from global cache", + provider: auth.ProviderGCP, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "gcp-local-123", + Cache: customCache, + }, + }, + expectCacheHit: true, + wantAuthConfig: &authn.AuthConfig{ + Username: gcp.DefaultGARUsername, + Password: "access-token", + }, + }, + { + name: "get authenticator from gcp if cache key is absent", + provider: auth.ProviderGCP, + responseBody: `{ + "access_token": "access-token", + "expires_in": 10, + "token_type": "Bearer" +}`, + authOpts: &auth.AuthOptions{}, + beforeFunc: func(authOpts *auth.AuthOptions, serverURL string, _ *string) { + authOpts.ProviderOptions.GcpOpts = []gcp.ProviderOptFunc{gcp.WithTokenURL(serverURL), gcp.WithEmailURL(serverURL)} + }, + wantAuthConfig: &authn.AuthConfig{ + Username: gcp.DefaultGARUsername, + Password: "access-token", + }, + }, + { + name: "get authenticator from aws", + provider: auth.ProviderAWS, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "aws-123", + }, + }, + responseBody: fmt.Sprintf(`{ + "authorizationData": [ + { + "authorizationToken": "c29tZS1rZXk6c29tZS1zZWNyZXQ=", + "expiresAt": %d + } + ] +}`, expiresAt.Unix()), + beforeFunc: func(authOpts *auth.AuthOptions, serverURL string, registry *string) { + cfg := awssdk.NewConfig() + cfg.EndpointResolverWithOptions = awssdk.EndpointResolverWithOptionsFunc( + func(service, region string, options ...interface{}) (awssdk.Endpoint, error) { + return awssdk.Endpoint{URL: serverURL}, nil + }) + cfg.Credentials = credentials.NewStaticCredentialsProvider("x", "y", "z") + authOpts.ProviderOptions.AwsOpts = []aws.ProviderOptFunc{aws.WithConfig(*cfg)} + *registry = "0123.dkr.ecr.us-east-1.amazonaws.com" + }, + wantAuthConfig: &authn.AuthConfig{ + Username: "some-key", + Password: "some-secret", + }, + afterFunc: func(t *WithT, cache auth.Store, authConfig authn.AuthConfig) { + val, ok := cache.Get("aws-123") + t.Expect(ok).To(BeTrue()) + ac := val.(authn.AuthConfig) + t.Expect(ac).To(Equal(authConfig)) + }, + }, + { + name: "get authenticator from azure", + provider: auth.ProviderAzure, + authOpts: &auth.AuthOptions{ + CacheOptions: auth.CacheOptions{ + Key: "azure-123", + }, + }, + responseBody: fmt.Sprintf(`{"refresh_token": "%s"}`, tokenStr), + beforeFunc: func(authOpts *auth.AuthOptions, serverURL string, registry *string) { + authOpts.ProviderOptions.AzureOpts = []azure.ProviderOptFunc{ + azure.WithCredential(&azure.FakeTokenCredential{Token: "foo"}), + } + *registry = serverURL + }, + wantAuthConfig: &authn.AuthConfig{ + Username: "00000000-0000-0000-0000-000000000000", + Password: tokenStr, + }, + afterFunc: func(t *WithT, cache auth.Store, authConfig authn.AuthConfig) { + val, ok := cache.Get("azure-123") + t.Expect(ok).To(BeTrue()) + ac := val.(authn.AuthConfig) + t.Expect(ac).To(Equal(authConfig)) + }, + }, + { + name: "unknown provider", + provider: "generic", + wantAuthConfig: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + var count int + handler := func(w http.ResponseWriter, r *http.Request) { + count += 1 + w.WriteHeader(http.StatusOK) + w.Write([]byte(tt.responseBody)) + } + srv := httptest.NewServer(http.HandlerFunc(handler)) + t.Cleanup(func() { + srv.Close() + }) + + var registry string + if tt.beforeFunc != nil { + tt.beforeFunc(tt.authOpts, srv.URL, ®istry) + } + + authenticator, err := GetAuthenticator(context.TODO(), registry, tt.provider, tt.authOpts) + g.Expect(err).ToNot(HaveOccurred()) + if tt.wantAuthConfig == nil { + g.Expect(authenticator).To(BeNil()) + return + } + ac, err := authenticator.Authorization() + g.Expect(err).ToNot(HaveOccurred()) + + g.Expect(*ac).To(Equal(*tt.wantAuthConfig)) + if tt.afterFunc != nil { + tt.afterFunc(g, tt.authOpts.GetCache(), *ac) + } + if tt.expectCacheHit { + g.Expect(count).To(Equal(0)) + } else { + g.Expect(count).To(BeNumerically(">", 0)) + } + }) + } +} diff --git a/auth/registry/tests/integration/.env.sample b/auth/registry/tests/integration/.env.sample new file mode 100644 index 00000000..e5b919bd --- /dev/null +++ b/auth/registry/tests/integration/.env.sample @@ -0,0 +1,44 @@ +## AWS +# export AWS_ACCESS_KEY_ID= +# export AWS_SECRET_ACCESS_KEY= +# export AWS_REGION=us-east-2 +## This terraform variable should be different from +## the region set above. +# export TF_VAR_cross_region=us-east-1 +## This random value is needed for AWS only to prevent +## https://github.com/hashicorp/terraform-provider-aws/issues/19583 which +## happens when using dynamic "name" value in presence of more than one tag. +# export TF_VAR_rand=${RANDOM} + +## Azure +# export TF_VAR_azure_location=eastus +## Set the following only when authenticating using Service Principal (suited +## for CI environment). +# export ARM_CLIENT_ID= +# export ARM_CLIENT_SECRET= +# export ARM_SUBSCRIPTION_ID= +# export ARM_TENANT_ID= + +## GCP +# export TF_VAR_gcp_project_id= +# export TF_VAR_gcp_region=us-central1 +# export TF_VAR_gcp_zone=us-central1-c +## Leave GCR region empty to use gcr.io. Else set it to `us`, `eu` or `asia`. +# export TF_VAR_gcr_region= +## Set the following only when using service account. +## Provide absolute path to the service account JSON key file. +# export GOOGLE_APPLICATION_CREDENTIALS= + +## Common variables +# export TF_VAR_tags='{"environment"="dev"}' +# +## WARNING: For AWS, also set the "createdat" tag to overwrite the default +## timestamp and use a static value. Dynamic tag value causes the issue +## https://github.com/hashicorp/terraform-provider-aws/issues/19583. +## The date format is based on the format defined in +## fluxcd/test-infra/tf-modules/utils/tags tf-module that's compatible with the +## tags/labels value in all the cloud providers. +## Also, since "createdat" is a dynamic value, its value changes on subsequent +## apply. Overriding it with a static value helps avoid modifying the resource +## tags during development when the configurations are applied frequently. +# export TF_VAR_tags='{"environment"="dev", "createdat"='"\"$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)\""'}' diff --git a/auth/registry/tests/integration/.gitignore b/auth/registry/tests/integration/.gitignore new file mode 100644 index 00000000..2d438c25 --- /dev/null +++ b/auth/registry/tests/integration/.gitignore @@ -0,0 +1,5 @@ +app +.env +build +.terraform* +terraform.tfstate* diff --git a/auth/registry/tests/integration/Dockerfile b/auth/registry/tests/integration/Dockerfile new file mode 100644 index 00000000..70eaeb17 --- /dev/null +++ b/auth/registry/tests/integration/Dockerfile @@ -0,0 +1,8 @@ +# Using scratch base image results in `x509: certificate signed by unknown +# authority` error. +# Use alpine to include the necessary certificates. +FROM alpine:3.16 + +COPY app . + +ENTRYPOINT ["/app"] diff --git a/auth/registry/tests/integration/Makefile b/auth/registry/tests/integration/Makefile new file mode 100644 index 00000000..f3a89a5e --- /dev/null +++ b/auth/registry/tests/integration/Makefile @@ -0,0 +1,27 @@ +GO_TEST_ARGS ?= +PROVIDER_ARG ?= +TEST_TIMEOUT ?= 30m +GOARCH ?= amd64 +GOOS ?= linux + +TEST_IMG ?= fluxcd/testapp:test + +.PHONY: app +app: + CGO_ENABLED=0 GOARCH=$(GOARCH) GOOS=$(GOOS) go build -o app ./testapp + +docker-build: app + docker buildx build -t $(TEST_IMG) --load . + +test: + docker image inspect $(TEST_IMG) >/dev/null + TEST_IMG=$(TEST_IMG) go test -timeout $(TEST_TIMEOUT) -v ./ $(GO_TEST_ARGS) $(PROVIDER_ARG) --tags=integration + +test-aws: + $(MAKE) test PROVIDER_ARG="-provider aws" + +test-azure: + $(MAKE) test PROVIDER_ARG="-provider azure" + +test-gcp: + $(MAKE) test PROVIDER_ARG="-provider gcp" diff --git a/auth/registry/tests/integration/README.md b/auth/registry/tests/integration/README.md new file mode 100644 index 00000000..6db8667e --- /dev/null +++ b/auth/registry/tests/integration/README.md @@ -0,0 +1,258 @@ +# OCI integration test + +OCI integration test uses a test application(`testapp/`) to test the +oci package against each of the supported cloud providers. + +**NOTE:** Tests in this package aren't run automatically by the `test-*` make +target at the root of `fluxcd/pkg` repo. These tests are more complicated than +the regular go tests as it involves cloud infrastructure and have to be run +explicitly. + +Before running the tests, build the test app with `make docker-build` and use +the built container application in the integration test. + +The integration test provisions cloud infrastructure in a target provider and +runs the test app as a batch job which tries to log in and list tags from the +test registry repository. A successful job indicates successful test. If the job +fails, the test fails. + +Logs of a successful job run: +```console +$ kubectl logs test-job-93tbl-4jp2r +2022/07/28 21:59:06 repo: xxx.dkr.ecr.us-east-2.amazonaws.com/test-repo-flux-test-heroic-ram +1.659045546831094e+09 INFO logging in to AWS ECR for xxx.dkr.ecr.us-east-2.amazonaws.com/test-repo-flux-test-heroic-ram +2022/07/28 21:59:06 logged in +2022/07/28 21:59:06 tags: [v0.1.4 v0.1.3 v0.1.0 v0.1.2] +``` + +## Requirements + +### Amazon Web Services + +- AWS account with access key ID and secret access key with permissions to + create EKS cluster and ECR repository. +- AWS CLI v2.x, does not need to be configured with the AWS account. +- Docker CLI for registry login. +- kubectl for applying certain install manifests. + +### Microsoft Azure + +- Azure account with an active subscription to be able to create AKS and ACR, + and permission to assign roles. Role assignment is required for allowing AKS + workloads to access ACR. +- Azure CLI, need to be logged in using `az login` as a User (not a Service + Principal). + + **NOTE:** To use Service Principal (for example in CI environment), set the + `ARM-*` variables in `.env`, source it and authenticate Azure CLI with: + ```console + $ az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID + ``` + In this case, the AzureRM client in terraform uses the Service Principal to + authenticate and the Azure CLI is used only for authenticating with ACR for + logging in and pushing container images. Attempting to authenticate terraform + using Azure CLI with Service Principal results in the following error: + > Authenticating using the Azure CLI is only supported as a User (not a Service Principal). +- Docker CLI for registry login. +- kubectl for applying certain install manifests. + +#### Permissions + +Following permissions are needed for provisioning the infrastructure and running +the tests: +- `Microsoft.Kubernetes/*` +- `Microsoft.Resources/*` +- `Microsoft.Authorization/roleAssignments/{Read,Write,Delete}` +- `Microsoft.ContainerRegistry/*` +- `Microsoft.ContainerService/*` + +#### IAM and CI setup + +To create the necessary IAM role with all the permissions, set up CI secrets and +variables using +[azure-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/azure/github-actions) +use the terraform configuration below. Please make sure all the requirements of +azure-gh-actions are followed before running it. + +```hcl +provider "github" { + owner = "fluxcd" +} + +module "azure_gh_actions" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/azure/github-actions" + + azure_owners = ["owner-id-1", "owner-id-2"] + azure_app_name = "pkg-oci-e2e" + azure_app_description = "pkg oci e2e" + azure_permissions = [ + "Microsoft.Kubernetes/*", + "Microsoft.Resources/*", + "Microsoft.Authorization/roleAssignments/Read", + "Microsoft.Authorization/roleAssignments/Write", + "Microsoft.Authorization/roleAssignments/Delete", + "Microsoft.ContainerRegistry/*", + "Microsoft.ContainerService/*" + ] + azure_location = "eastus" + + github_project = "pkg" + + github_secret_client_id_name = "OCI_E2E_AZ_ARM_CLIENT_ID" + github_secret_client_secret_name = "OCI_E2E_AZ_ARM_CLIENT_SECRET" + github_secret_subscription_id_name = "OCI_E2E_AZ_ARM_SUBSCRIPTION_ID" + github_secret_tenant_id_name = "OCI_E2E_AZ_ARM_TENANT_ID" +} +``` + +**NOTE:** The environment variables used above are for the GitHub workflow that +runs the tests. Change the variable names if needed accordingly. + +### Google Cloud Platform + +- GCP account with project and GKE, GCR and Artifact Registry services enabled + in the project. +- gcloud CLI, need to be logged in using `gcloud auth login` as a User (not a + Service Account), configure application default credentials with `gcloud auth + application-default login` and docker credential helper with `gcloud auth configure-docker`. + + **NOTE:** To use Service Account (for example in CI environment), set + `GOOGLE_APPLICATION_CREDENTIALS` variable in `.env` with the path to the JSON + key file, source it and authenticate gcloud CLI with: + ```console + $ gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS + ``` + Depending on the Container/Artifact Registry host used in the test, authenticate + docker accordingly + ```console + $ gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev + $ gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io + ``` + In this case, the GCP client in terraform uses the Service Account to + authenticate and the gcloud CLI is used only to authenticate with Google + Container Registry and Google Artifact Registry. + + **NOTE FOR CI USAGE:** When saving the JSON key file as a CI secret, compress + the file content with + ```console + $ cat key.json | jq -r tostring + ``` + to prevent aggressive masking in the logs. Refer + [aggressive replacement in logs](https://github.com/google-github-actions/auth/blob/v1.1.0/docs/TROUBLESHOOTING.md#aggressive--replacement-in-logs) + for more details. +- Docker CLI for registry login. +- kubectl for applying certain install manifests. + +**NOTE:** Unlike ECR, AKS and Google Artifact Registry, Google Container +Registry tests don't create a new registry. It pushes to an existing registry +host in a project, for example `gcr.io`. Due to this, the test images pushed to +GCR aren't cleaned up automatically at the end of the test and have to be +deleted manually. [`gcrgc`](https://github.com/graillus/gcrgc) can be used to +automatically delete all the GCR images. +```console +$ gcrgc gcr.io/ +``` + +#### Permissions + +Following roles are needed for provisioning the infrastructure and running the +tests: +- Artifact Registry Administrator - `roles/artifactregistry.admin` +- Compute Instance Admin (v1) - `roles/compute.instanceAdmin.v1` +- Compute Storage Admin - `roles/compute.storageAdmin` +- Kubernetes Engine Admin - `roles/container.admin` +- Service Account Admin - `roles/iam.serviceAccountAdmin` +- Service Account Token Creator - `roles/iam.serviceAccountTokenCreator` +- Service Account User - `roles/iam.serviceAccountUser` +- Storage Admin - `roles/storage.admin` + +#### IAM and CI setup + +To create the necessary IAM role with all the permissions, set up CI secrets and +variables using +[gcp-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/gcp/github-actions) +use the terraform configuration below. Please make sure all the requirements of +gcp-gh-actions are followed before running it. + +```hcl +provider "google" {} + +provider "github" { + owner = "fluxcd" +} + +module "gcp_gh_actions" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/gcp/github-actions" + + gcp_service_account_id = "pkg-oci-e2e" + gcp_service_account_name = "pkg-oci-e2e" + gcp_roles = [ + "roles/artifactregistry.admin", + "roles/compute.instanceAdmin.v1", + "roles/compute.storageAdmin", + "roles/container.admin", + "roles/iam.serviceAccountAdmin", + "roles/iam.serviceAccountTokenCreator", + "roles/iam.serviceAccountUser", + "roles/storage.admin" + ] + + github_project = "pkg" + + github_secret_credentials_name = "OCI_E2E_GOOGLE_CREDENTIALS" +} +``` + +**NOTE:** The environment variables used above are for the GitHub workflow that +runs the tests. Change the variable names if needed accordingly. + +## Test setup + +Copy `.env.sample` to `.env`, put the respective provider configurations in the +environment variables and source it, `source .env`. + +Ensure the test app container image is built and ready for testing. Test app +container image can be built with make target `docker-build`. + +Run the test with `make test-*`, setting the test app image with variable +`TEST_IMG`. By default, the default test app container image, +`fluxcd/testapp:test`, will be used. + +```console +$ make test-azure +make test PROVIDER_ARG="-provider azure" +docker image inspect fluxcd/testapp:test >/dev/null +TEST_IMG=fluxcd/testapp:test go test -timeout 30m -v ./ -verbose -retain -provider azure --tags=integration +2022/07/29 02:06:51 Terraform binary: /usr/bin/terraform +2022/07/29 02:06:51 Init Terraform +... +``` + +## Debugging the tests + +For debugging environment provisioning, enable verbose output with `-verbose` +test flag. + +```console +$ make test-aws GO_TEST_ARGS="-verbose" +``` + +The test environment is destroyed at the end by default. Run the tests with +`-retain` flag to retain the created test infrastructure. + +```console +$ make test-aws GO_TEST_ARGS="-retain" +``` + +The tests require the infrastructure state to be clean. For re-running the tests +with a retained infrastructure, set `-existing` flag. + +```console +$ make test-aws GO_TEST_ARGS="-retain -existing" +``` + +To delete an existing infrastructure created with `-retain` flag: + +```console +$ make test-aws GO_TEST_ARGS="-existing" +``` diff --git a/auth/registry/tests/integration/aws_test.go b/auth/registry/tests/integration/aws_test.go new file mode 100644 index 00000000..9e795f37 --- /dev/null +++ b/auth/registry/tests/integration/aws_test.go @@ -0,0 +1,82 @@ +//go:build integration +// +build integration + +/* +Copyright 2022 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package integration + +import ( + "context" + + tfjson "github.com/hashicorp/terraform-json" + + "github.com/fluxcd/test-infra/tftestenv" +) + +// createKubeconfigEKS constructs kubeconfig from the terraform state output at +// the given kubeconfig path. +func createKubeconfigEKS(ctx context.Context, state map[string]*tfjson.StateOutput, kcPath string) error { + clusterName := state["eks_cluster_name"].Value.(string) + eksHost := state["eks_cluster_endpoint"].Value.(string) + eksClusterArn := state["eks_cluster_arn"].Value.(string) + eksCa := state["eks_cluster_ca_certificate"].Value.(string) + return tftestenv.CreateKubeconfigEKS(ctx, clusterName, eksHost, eksClusterArn, eksCa, kcPath) +} + +// registryLoginECR logs into the container/artifact registries using the +// provider's CLI tools and returns a list of test repositories. +func registryLoginECR(ctx context.Context, output map[string]*tfjson.StateOutput) (map[string]string, error) { + // NOTE: ECR provides pre-existing registry per account. It requires + // repositories to be created explicitly using their API before pushing + // image. + testRepos := map[string]string{} + region := output["region"].Value.(string) + + testRepoURL := output["ecr_repository_url"].Value.(string) + if err := tftestenv.RegistryLoginECR(ctx, region, testRepoURL); err != nil { + return nil, err + } + testRepos["ecr"] = testRepoURL + + // test the cross-region repository + cross_region := output["cross_region"].Value.(string) + testCrossRepo := output["ecr_cross_region_repository_url"].Value.(string) + if err := tftestenv.RegistryLoginECR(ctx, cross_region, testCrossRepo); err != nil { + return nil, err + } + testRepos["ecr_cross_region"] = testCrossRepo + + // Log into the test app repository to be able to push to it. + // This image is not used in testing and need not be included in + // testRepos. + ircRepoURL := output["ecr_test_app_repo_url"].Value.(string) + if err := tftestenv.RegistryLoginECR(ctx, region, ircRepoURL); err != nil { + return nil, err + } + + return testRepos, nil +} + +// pushAppTestImagesECR pushes test app image that is being tested. It must be +// called after registryLoginECR to ensure the local docker client is already +// logged in and is capable of pushing the test images. +func pushAppTestImagesECR(ctx context.Context, localImgs map[string]string, output map[string]*tfjson.StateOutput) (map[string]string, error) { + // Get the registry name and construct the image names accordingly. + repo := output["ecr_test_app_repo_url"].Value.(string) + remoteImage := repo + ":test" + return tftestenv.PushTestAppImagesECR(ctx, localImgs, remoteImage) +} diff --git a/auth/registry/tests/integration/azure_test.go b/auth/registry/tests/integration/azure_test.go new file mode 100644 index 00000000..8065ca29 --- /dev/null +++ b/auth/registry/tests/integration/azure_test.go @@ -0,0 +1,64 @@ +//go:build integration +// +build integration + +/* +Copyright 2022 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package integration + +import ( + "context" + "fmt" + + tfjson "github.com/hashicorp/terraform-json" + + "github.com/fluxcd/test-infra/tftestenv" +) + +// createKubeConfigAKS constructs kubeconfig for an AKS cluster from the +// terraform state output at the given kubeconfig path. +func createKubeConfigAKS(ctx context.Context, state map[string]*tfjson.StateOutput, kcPath string) error { + kubeconfigYaml, ok := state["aks_kubeconfig"].Value.(string) + if !ok || kubeconfigYaml == "" { + return fmt.Errorf("failed to obtain kubeconfig from tf output") + } + return tftestenv.CreateKubeconfigAKS(ctx, kubeconfigYaml, kcPath) +} + +// registryLoginACR logs into the container/artifact registries using the +// provider's CLI tools and returns a list of test repositories. +func registryLoginACR(ctx context.Context, output map[string]*tfjson.StateOutput) (map[string]string, error) { + // NOTE: ACR registry accept dynamic repository creation by just pushing a + // new image with a new repository name. + testRepos := map[string]string{} + + registryURL := output["acr_registry_url"].Value.(string) + if err := tftestenv.RegistryLoginACR(ctx, registryURL); err != nil { + return nil, err + } + testRepos["acr"] = registryURL + "/" + randStringRunes(5) + + return testRepos, nil +} + +// pushAppTestImagesACR pushes test app images that are being tested. It must be +// called after registryLoginACR to ensure the local docker client is already +// logged in and is capable of pushing the test images. +func pushAppTestImagesACR(ctx context.Context, localImgs map[string]string, output map[string]*tfjson.StateOutput) (map[string]string, error) { + // Get the registry name and construct the image names accordingly. + registryURL := output["acr_registry_url"].Value.(string) + return tftestenv.PushTestAppImagesACR(ctx, localImgs, registryURL) +} diff --git a/auth/registry/tests/integration/gcp_test.go b/auth/registry/tests/integration/gcp_test.go new file mode 100644 index 00000000..c23a921b --- /dev/null +++ b/auth/registry/tests/integration/gcp_test.go @@ -0,0 +1,74 @@ +//go:build integration +// +build integration + +/* +Copyright 2022 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package integration + +import ( + "context" + "fmt" + + tfjson "github.com/hashicorp/terraform-json" + + "github.com/fluxcd/test-infra/tftestenv" +) + +// createKubeconfigGKE constructs kubeconfig from the terraform state output at +// the given kubeconfig path. +func createKubeconfigGKE(ctx context.Context, state map[string]*tfjson.StateOutput, kcPath string) error { + kubeconfigYaml, ok := state["gcp_kubeconfig"].Value.(string) + if !ok || kubeconfigYaml == "" { + return fmt.Errorf("failed to obtain kubeconfig from tf output") + } + return tftestenv.CreateKubeconfigGKE(ctx, kubeconfigYaml, kcPath) +} + +// registryLoginGCR logs into the container/artifact registries using the +// provider's CLI tools and returns a list of test repositories. +func registryLoginGCR(ctx context.Context, output map[string]*tfjson.StateOutput) (map[string]string, error) { + // NOTE: GCR accepts dynamic repository creation by just pushing a new image + // with a new repository name. + testRepos := map[string]string{} + + repoURL := output["gcr_repository_url"].Value.(string) + if err := tftestenv.RegistryLoginGCR(ctx, repoURL); err != nil { + return nil, err + } + testRepos["gcr"] = repoURL + "/" + randStringRunes(5) + + project := output["gcp_project"].Value.(string) + region := output["gcp_region"].Value.(string) + repositoryID := output["gcp_artifact_repository"].Value.(string) + artifactRegistryURL, artifactRepoURL := tftestenv.GetGoogleArtifactRegistryAndRepository(project, region, repositoryID) + if err := tftestenv.RegistryLoginGCR(ctx, artifactRegistryURL); err != nil { + return nil, err + } + testRepos["artifact_registry"] = artifactRepoURL + "/" + randStringRunes(5) + + return testRepos, nil +} + +// pushAppTestImagesGCR pushes test app images that are being tested. It must be +// called after registryLoginGCR to ensure the local docker client is already +// logged in and is capable of pushing the test images. +func pushAppTestImagesGCR(ctx context.Context, localImgs map[string]string, output map[string]*tfjson.StateOutput) (map[string]string, error) { + project := output["gcp_project"].Value.(string) + region := output["gcp_region"].Value.(string) + repositoryID := output["gcp_artifact_repository"].Value.(string) + return tftestenv.PushTestAppImagesGCR(ctx, localImgs, project, region, repositoryID) +} diff --git a/auth/registry/tests/integration/go.mod b/auth/registry/tests/integration/go.mod new file mode 100644 index 00000000..a71a1418 --- /dev/null +++ b/auth/registry/tests/integration/go.mod @@ -0,0 +1,124 @@ +module github.com/fluxcd/pkg/auth/registry/tests/integration + +go 1.20 + +replace github.com/fluxcd/pkg/auth => ../../../ + +require ( + github.com/fluxcd/pkg/auth v0.0.1 + github.com/fluxcd/test-infra/tftestenv v0.0.0-20230720084205-d40ee5473f22 + github.com/google/go-containerregistry v0.16.1 + github.com/hashicorp/terraform-json v0.17.1 + github.com/onsi/gomega v1.28.0 + k8s.io/api v0.28.4 + k8s.io/apimachinery v0.28.4 + sigs.k8s.io/controller-runtime v0.16.3 +) + +require ( + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect + github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect + github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect + github.com/aws/aws-sdk-go-v2 v1.21.2 // indirect + github.com/aws/aws-sdk-go-v2/config v1.18.45 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect + github.com/aws/smithy-go v1.15.0 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/bradleyfalzon/ghinstallation/v2 v2.7.0 // indirect + github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/cloudflare/circl v1.3.3 // indirect + github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/docker/cli v24.0.0+incompatible // indirect + github.com/docker/distribution v2.8.2+incompatible // indirect + github.com/docker/docker v24.0.0+incompatible // indirect + github.com/docker/docker-credential-helpers v0.7.0 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/evanphx/json-patch/v5 v5.6.0 // indirect + github.com/fsnotify/fsnotify v1.6.0 // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/go-logr/zapr v1.2.4 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.22.3 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang-jwt/jwt/v5 v5.0.0 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.3 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-cmp v0.5.9 // indirect + github.com/google/go-github/v55 v55.0.0 // indirect + github.com/google/go-querystring v1.1.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/uuid v1.3.0 // indirect + github.com/hashicorp/errwrap v1.0.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.2 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-version v1.6.0 // indirect + github.com/hashicorp/hc-install v0.5.1 // indirect + github.com/hashicorp/terraform-exec v0.18.1 // indirect + github.com/imdario/mergo v0.3.15 // indirect + github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/klauspost/compress v1.16.5 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/opencontainers/image-spec v1.1.0-rc3 // indirect + github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/prometheus/client_golang v1.16.0 // indirect + github.com/prometheus/client_model v0.4.0 // indirect + github.com/prometheus/common v0.44.0 // indirect + github.com/prometheus/procfs v0.10.1 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect + github.com/spf13/pflag v1.0.5 // indirect + github.com/vbatts/tar-split v0.11.3 // indirect + github.com/zclconf/go-cty v1.13.2 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.25.0 // indirect + golang.org/x/crypto v0.14.0 // indirect + golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect + golang.org/x/mod v0.10.0 // indirect + golang.org/x/net v0.17.0 // indirect + golang.org/x/oauth2 v0.8.0 // indirect + golang.org/x/sync v0.2.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/term v0.13.0 // indirect + golang.org/x/text v0.13.0 // indirect + golang.org/x/time v0.3.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.31.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/apiextensions-apiserver v0.28.3 // indirect + k8s.io/client-go v0.28.3 // indirect + k8s.io/component-base v0.28.3 // indirect + k8s.io/klog/v2 v2.100.1 // indirect + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect +) diff --git a/auth/registry/tests/integration/go.sum b/auth/registry/tests/integration/go.sum new file mode 100644 index 00000000..23ccec2e --- /dev/null +++ b/auth/registry/tests/integration/go.sum @@ -0,0 +1,383 @@ +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 h1:t5+QXLCK9SVi0PPdaY0PrFvYUo24KwA0QwxnaHRSVd4= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk= +github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA= +github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g= +github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ= +github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= +github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= +github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= +github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= +github.com/aws/aws-sdk-go-v2/config v1.18.45 h1:Aka9bI7n8ysuwPeFdm77nfbyHCAKQ3z9ghB3S/38zes= +github.com/aws/aws-sdk-go-v2/config v1.18.45/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= +github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= +github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE= +github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE= +github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg= +github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU= +github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ= +github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8= +github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bradleyfalzon/ghinstallation/v2 v2.7.0 h1:ranXaC3Zz/F6G/f0Joj3LrFp2OzOKfJZev5Q7OaMc88= +github.com/bradleyfalzon/ghinstallation/v2 v2.7.0/go.mod h1:ymxfmloxXBFXvvF1KpeUhOQM6Dfz9NYtfvTiJyk82UE= +github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I= +github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= +github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= +github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= +github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= +github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= +github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM= +github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= +github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v24.0.0+incompatible h1:z4bf8HvONXX9Tde5lGBMQ7yCJgNahmJumdrStZAbeY4= +github.com/docker/docker v24.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= +github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= +github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= +github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= +github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= +github.com/fluxcd/test-infra/tftestenv v0.0.0-20230720084205-d40ee5473f22 h1:1f0EQM0kPX2px9FanVMyD/UrHFQ9zqFg58M42Y8bBts= +github.com/fluxcd/test-infra/tftestenv v0.0.0-20230720084205-d40ee5473f22/go.mod h1:liFlLEXgambGVdWSJ4JzbIHf1Vjpp1HwUyPazPIVZug= +github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= +github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= +github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4= +github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4= +github.com/go-git/go-git/v5 v5.6.1 h1:q4ZRqQl4pR/ZJHc1L5CFjGA1a10u76aV1iC+nh+bHsk= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= +github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= +github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ= +github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= +github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg= +github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA= +github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= +github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= +github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/hc-install v0.5.1 h1:eCqToNCob7m2R8kM8Gr7XcVmcRSz9ppCFSVZbMh0X+0= +github.com/hashicorp/hc-install v0.5.1/go.mod h1:iDPCnzKo+SzToOh25R8OWpLdhhy7yBfJX3PmVWiYhrM= +github.com/hashicorp/terraform-exec v0.18.1 h1:LAbfDvNQU1l0NOQlTuudjczVhHj061fNX5H8XZxHlH4= +github.com/hashicorp/terraform-exec v0.18.1/go.mod h1:58wg4IeuAJ6LVsLUeD2DWZZoc/bYi6dzhLHzxM41980= +github.com/hashicorp/terraform-json v0.17.1 h1:eMfvh/uWggKmY7Pmb3T85u86E2EQg6EQHgyRwf3RkyA= +github.com/hashicorp/terraform-json v0.17.1/go.mod h1:Huy6zt6euxaY9knPAFKjUITn8QxUFIe9VuSzb4zn/0o= +github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM= +github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= +github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/onsi/ginkgo/v2 v2.12.0 h1:UIVDowFPwpg6yMUpPjGkYvf06K3RAiJXUhCxEwQVHRI= +github.com/onsi/gomega v1.28.0 h1:i2rg/p9n/UqIDAMFUJ6qIUUMcsqOuUHgbpbu235Vr1c= +github.com/onsi/gomega v1.28.0/go.mod h1:A1H2JE76sI14WIP57LMKj7FVfCHx3g3BcZVjJG8bjX8= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8= +github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= +github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= +github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= +github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= +github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= +github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= +github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= +github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/skeema/knownhosts v1.1.0 h1:Wvr9V0MxhjRbl3f9nMnKnFfiWTJmtECJ9Njkea3ysW0= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= +github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck= +github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY= +github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zclconf/go-cty v1.13.2 h1:4GvrUxe/QUDYuJKAav4EYqdM47/kZa672LwmXFmEKT0= +github.com/zclconf/go-cty v1.13.2/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c= +go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA= +golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= +golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= +k8s.io/api v0.28.4 h1:8ZBrLjwosLl/NYgv1P7EQLqoO8MGQApnbgH8tu3BMzY= +k8s.io/api v0.28.4/go.mod h1:axWTGrY88s/5YE+JSt4uUi6NMM+gur1en2REMR7IRj0= +k8s.io/apiextensions-apiserver v0.28.3 h1:Od7DEnhXHnHPZG+W9I97/fSQkVpVPQx2diy+2EtmY08= +k8s.io/apiextensions-apiserver v0.28.3/go.mod h1:NE1XJZ4On0hS11aWWJUTNkmVB03j9LM7gJSisbRt8Lc= +k8s.io/apimachinery v0.28.4 h1:zOSJe1mc+GxuMnFzD4Z/U1wst50X28ZNsn5bhgIIao8= +k8s.io/apimachinery v0.28.4/go.mod h1:wI37ncBvfAoswfq626yPTe6Bz1c22L7uaJ8dho83mgg= +k8s.io/client-go v0.28.3 h1:2OqNb72ZuTZPKCl+4gTKvqao0AMOl9f3o2ijbAj3LI4= +k8s.io/client-go v0.28.3/go.mod h1:LTykbBp9gsA7SwqirlCXBWtK0guzfhpoW4qSm7i9dxo= +k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI= +k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4= +sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/auth/registry/tests/integration/repo_list_test.go b/auth/registry/tests/integration/repo_list_test.go new file mode 100644 index 00000000..4f8f037b --- /dev/null +++ b/auth/registry/tests/integration/repo_list_test.go @@ -0,0 +1,71 @@ +//go:build integration +// +build integration + +/* +Copyright 2022 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package integration + +import ( + "context" + "fmt" + "testing" + + . "github.com/onsi/gomega" + batchv1 "k8s.io/api/batch/v1" + corev1 "k8s.io/api/core/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +func TestImageRepositoryListTags(t *testing.T) { + for name, repo := range testRepos { + t.Run(name, func(t *testing.T) { + args := []string{fmt.Sprintf("-repo=%s", repo), fmt.Sprintf("-provider=%s", *targetProvider)} + testImageRepositoryListTags(t, args) + }) + } +} + +func testImageRepositoryListTags(t *testing.T, args []string) { + g := NewWithT(t) + ctx := context.TODO() + + job := &batchv1.Job{} + job.Name = "test-job-" + randStringRunes(5) + job.Namespace = "default" + job.Spec.Template.Spec.Containers = []corev1.Container{ + { + Name: "test-app", + Image: testAppImage, + Args: args, + ImagePullPolicy: corev1.PullAlways, + }, + } + job.Spec.Template.Spec.RestartPolicy = corev1.RestartPolicyNever + + key := client.ObjectKeyFromObject(job) + + g.Expect(testEnv.Client.Create(ctx, job)).To(Succeed()) + defer func() { + g.Expect(testEnv.Client.Delete(ctx, job)).To(Succeed()) + }() + g.Eventually(func() bool { + if err := testEnv.Client.Get(ctx, key, job); err != nil { + return false + } + return job.Status.Succeeded == 1 && job.Status.Active == 0 + }, resultWaitTimeout).Should(BeTrue()) +} diff --git a/auth/registry/tests/integration/suite_test.go b/auth/registry/tests/integration/suite_test.go new file mode 100644 index 00000000..05effcf0 --- /dev/null +++ b/auth/registry/tests/integration/suite_test.go @@ -0,0 +1,256 @@ +//go:build integration +// +build integration + +/* +Copyright 2022 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package integration + +import ( + "context" + "flag" + "fmt" + "log" + "math/rand" + "os" + "testing" + "time" + + tfjson "github.com/hashicorp/terraform-json" + batchv1 "k8s.io/api/batch/v1" + "k8s.io/apimachinery/pkg/runtime" + + "github.com/fluxcd/test-infra/tftestenv" +) + +const ( + // terraformPathAWS is the path to the terraform working directory + // containing the aws terraform configurations. + terraformPathAWS = "./terraform/aws" + // terraformPathAzure is the path to the terraform working directory + // containing the azure terraform configurations. + terraformPathAzure = "./terraform/azure" + // terraformPathGCP is the path to the terraform working directory + // containing the gcp terraform configurations. + terraformPathGCP = "./terraform/gcp" + // kubeconfigPath is the path where the cluster kubeconfig is written to and + // used from. + kubeconfigPath = "./build/kubeconfig" + + resultWaitTimeout = 30 * time.Second +) + +var ( + // supportedProviders are the providers supported by the test. + supportedProviders = []string{"aws", "azure", "gcp"} + + // targetProvider is the name of the kubernetes provider to test against. + targetProvider = flag.String("provider", "", fmt.Sprintf("name of the provider %v", supportedProviders)) + + // retain flag to prevent destroy and retaining the created infrastructure. + retain = flag.Bool("retain", false, "retain the infrastructure for debugging purposes") + + // existing flag to use existing infrastructure terraform state. + existing = flag.Bool("existing", false, "use existing infrastructure state for debugging purposes") + + // verbose flag to enable output of terraform execution. + verbose = flag.Bool("verbose", false, "verbose output of the environment setup") + + // testRepos is a map of registry common name and URL of the test + // repositories. This is used as the test cases to run the tests against. + // The registry common name need not be the actual registry address but an + // identifier to identify the test case without logging any sensitive + // account IDs in the subtest names. + // For example, map[string]string{"ecr", "xxxxx.dkr.ecr.xxxx.amazonaws.com/foo:v1"} + // would result in subtest name TestImageRepositoryScanAWS/ecr. + testRepos map[string]string + + // testEnv is the test environment. It contains test infrastructure and + // kubernetes client of the created cluster. + testEnv *tftestenv.Environment + + // testImageTags are the tags used in the test for the generated images. + testImageTags = []string{"v0.1.0", "v0.1.2", "v0.1.3", "v0.1.4"} + + testAppImage string +) + +// registryLoginFunc is used to perform registry login against a provider based +// on the terraform state output values. It returns a map of registry common +// name and test repositories to test against, read from the terraform state +// output. +type registryLoginFunc func(ctx context.Context, output map[string]*tfjson.StateOutput) (map[string]string, error) + +// pushTestImages is used to push local flux test images to a remote registry +// after logging in using registryLoginFunc. It takes a map of image name and +// local images and terraform state output. The local images are retagged and +// pushed to a corresponding registry repository for the image. +type pushTestImages func(ctx context.Context, localImgs map[string]string, output map[string]*tfjson.StateOutput) (map[string]string, error) + +// ProviderConfig is the test configuration of a supported cloud provider to run +// the tests against. +type ProviderConfig struct { + // terraformPath is the path to the directory containing the terraform + // configurations of the provider. + terraformPath string + // registryLogin is used to perform registry login. + registryLogin registryLoginFunc + // createKubeconfig is used to create kubeconfig of a cluster. + createKubeconfig tftestenv.CreateKubeconfig + // pushAppTestImages is used to push flux test images to a remote registry. + pushAppTestImages pushTestImages +} + +var letterRunes = []rune("abcdefghijklmnopqrstuvwxyz1234567890") + +func randStringRunes(n int) string { + b := make([]rune, n) + for i := range b { + b[i] = letterRunes[rand.Intn(len(letterRunes))] + } + return string(b) +} + +func TestMain(m *testing.M) { + flag.Parse() + ctx := context.TODO() + + appImg := os.Getenv("TEST_IMG") + if appImg == "" { + log.Fatal("TEST_IMG must be set to the test application image, cannot be empty") + } + + localImgs := map[string]string{ + "app": appImg, + } + + // Validate the provider. + if *targetProvider == "" { + log.Fatalf("-provider flag must be set to one of %v", supportedProviders) + } + var supported bool + for _, p := range supportedProviders { + if p == *targetProvider { + supported = true + } + } + if !supported { + log.Fatalf("Unsupported provider %q, must be one of %v", *targetProvider, supportedProviders) + } + + providerCfg := getProviderConfig(*targetProvider) + if providerCfg == nil { + log.Fatalf("Failed to get provider config for %q", *targetProvider) + } + + // Construct scheme to be added to the kubeclient. + scheme := runtime.NewScheme() + + err := batchv1.AddToScheme(scheme) + if err != nil { + panic(err) + } + + // Initialize with non-zero exit code to indicate failure by default unless + // set by a successful test run. + exitCode := 1 + + // Create environment. + envOpts := []tftestenv.EnvironmentOption{ + tftestenv.WithVerbose(*verbose), + tftestenv.WithRetain(*retain), + tftestenv.WithExisting(*existing), + tftestenv.WithCreateKubeconfig(providerCfg.createKubeconfig), + } + testEnv, err = tftestenv.New(ctx, scheme, providerCfg.terraformPath, kubeconfigPath, envOpts...) + if err != nil { + panic(fmt.Sprintf("Failed to provision the test infrastructure: %v", err)) + } + + // Stop the environment before exit. + defer func() { + if err := testEnv.Stop(ctx); err != nil { + log.Printf("Failed to stop environment: %v", err) + } + + // Log the panic error before exit to surface the cause of panic. + if err := recover(); err != nil { + log.Printf("panic: %v", err) + } + os.Exit(exitCode) + }() + + // Get terraform state output. + output, err := testEnv.StateOutput(ctx) + if err != nil { + panic(fmt.Sprintf("Failed to get the terraform state output: %v", err)) + } + + testRepos, err = providerCfg.registryLogin(ctx, output) + if err != nil { + panic(fmt.Sprintf("Failed to log into registry: %v", err)) + } + + pushedImages, err := providerCfg.pushAppTestImages(ctx, localImgs, output) + if err != nil { + panic(fmt.Sprintf("Failed to push test images: %v", err)) + } + + if len(pushedImages) != 1 { + panic(fmt.Sprintf("Unexpected number of app images pushed: %d", len(pushedImages))) + } + + if appImg, ok := pushedImages["app"]; !ok { + panic(fmt.Sprintf("Could not find pushed app image in %v", pushedImages)) + } else { + testAppImage = appImg + } + + // Create and push test images. + if err := tftestenv.CreateAndPushImages(testRepos, testImageTags); err != nil { + panic(fmt.Sprintf("Failed to create and push images: %v", err)) + } + + exitCode = m.Run() +} + +// getProviderConfig returns the test configuration of supported providers. +func getProviderConfig(provider string) *ProviderConfig { + switch provider { + case "aws": + return &ProviderConfig{ + terraformPath: terraformPathAWS, + registryLogin: registryLoginECR, + pushAppTestImages: pushAppTestImagesECR, + createKubeconfig: createKubeconfigEKS, + } + case "azure": + return &ProviderConfig{ + terraformPath: terraformPathAzure, + registryLogin: registryLoginACR, + pushAppTestImages: pushAppTestImagesACR, + createKubeconfig: createKubeConfigAKS, + } + case "gcp": + return &ProviderConfig{ + terraformPath: terraformPathGCP, + registryLogin: registryLoginGCR, + pushAppTestImages: pushAppTestImagesGCR, + createKubeconfig: createKubeconfigGKE, + } + } + return nil +} diff --git a/auth/registry/tests/integration/terraform/aws/main.tf b/auth/registry/tests/integration/terraform/aws/main.tf new file mode 100644 index 00000000..820f439c --- /dev/null +++ b/auth/registry/tests/integration/terraform/aws/main.tf @@ -0,0 +1,41 @@ +provider "aws" {} + +provider "aws" { + alias = "cross_region" + region = var.cross_region +} + +locals { + name = "flux-test-${var.rand}" +} + +module "eks" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/aws/eks" + + name = local.name + tags = var.tags +} + +module "test_ecr" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/aws/ecr" + + name = "test-repo-${local.name}" + tags = var.tags +} + +module "test_ecr_cross_reg" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/aws/ecr" + + name = "test-repo-${local.name}-cross-reg" + tags = var.tags + providers = { + aws = aws.cross_region + } +} + +module "test_app_ecr" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/aws/ecr" + + name = "test-app-${local.name}" + tags = var.tags +} diff --git a/auth/registry/tests/integration/terraform/aws/outputs.tf b/auth/registry/tests/integration/terraform/aws/outputs.tf new file mode 100644 index 00000000..e3655883 --- /dev/null +++ b/auth/registry/tests/integration/terraform/aws/outputs.tf @@ -0,0 +1,41 @@ +output "eks_cluster_name" { + value = module.eks.cluster_id +} + +output "eks_cluster_ca_certificate" { + value = module.eks.cluster_ca_data + sensitive = true +} + +output "eks_cluster_endpoint" { + value = module.eks.cluster_endpoint +} + +output "eks_cluster_arn" { + value = module.eks.cluster_arn +} + +output "region" { + value = module.eks.region +} + +output "cross_region" { + value = var.cross_region +} + + +output "ecr_repository_url" { + value = module.test_ecr.repository_url +} + +output "ecr_cross_region_repository_url" { + value = module.test_ecr_cross_reg.repository_url +} + +output "ecr_registry_id" { + value = module.test_ecr.registry_id +} + +output "ecr_test_app_repo_url" { + value = module.test_app_ecr.repository_url +} diff --git a/auth/registry/tests/integration/terraform/aws/variables.tf b/auth/registry/tests/integration/terraform/aws/variables.tf new file mode 100644 index 00000000..ccadb94e --- /dev/null +++ b/auth/registry/tests/integration/terraform/aws/variables.tf @@ -0,0 +1,13 @@ +variable "rand" { + type = string +} + +variable "tags" { + type = map(string) + default = {} +} + +variable "cross_region" { + type = string + description = "different region for testing cross region resources" +} diff --git a/auth/registry/tests/integration/terraform/azure/main.tf b/auth/registry/tests/integration/terraform/azure/main.tf new file mode 100644 index 00000000..6deb5674 --- /dev/null +++ b/auth/registry/tests/integration/terraform/azure/main.tf @@ -0,0 +1,34 @@ +provider "azurerm" { + features {} +} + +resource "random_pet" "suffix" { + // Since azurerm doesn't allow "-" in registry name, use an alphabet as a + // separator. + separator = "o" +} + +locals { + name = "fluxTest${random_pet.suffix.id}" +} + +module "aks" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/azure/aks" + + name = local.name + location = var.azure_location + tags = var.tags +} + +module "acr" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/azure/acr" + + name = local.name + location = var.azure_location + aks_principal_id = [module.aks.principal_id] + resource_group = module.aks.resource_group + admin_enabled = true + tags = var.tags + + depends_on = [module.aks] +} diff --git a/auth/registry/tests/integration/terraform/azure/outputs.tf b/auth/registry/tests/integration/terraform/azure/outputs.tf new file mode 100644 index 00000000..9289aa54 --- /dev/null +++ b/auth/registry/tests/integration/terraform/azure/outputs.tf @@ -0,0 +1,12 @@ +output "aks_kubeconfig" { + value = module.aks.kubeconfig + sensitive = true +} + +output "acr_registry_url" { + value = module.acr.registry_url +} + +output "acr_registry_id" { + value = module.acr.registry_id +} diff --git a/auth/registry/tests/integration/terraform/azure/variables.tf b/auth/registry/tests/integration/terraform/azure/variables.tf new file mode 100644 index 00000000..e661b704 --- /dev/null +++ b/auth/registry/tests/integration/terraform/azure/variables.tf @@ -0,0 +1,9 @@ +variable "azure_location" { + type = string + default = "eastus" +} + +variable "tags" { + type = map(string) + default = {} +} diff --git a/auth/registry/tests/integration/terraform/gcp/main.tf b/auth/registry/tests/integration/terraform/gcp/main.tf new file mode 100644 index 00000000..be2b4b9a --- /dev/null +++ b/auth/registry/tests/integration/terraform/gcp/main.tf @@ -0,0 +1,25 @@ +provider "google" { + project = var.gcp_project_id + region = var.gcp_region + zone = var.gcp_zone +} + +resource "random_pet" "suffix" {} + +locals { + name = "flux-test-${random_pet.suffix.id}" +} + +module "gke" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/gcp/gke" + + name = local.name + tags = var.tags +} + +module "gcr" { + source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/gcp/gcr" + + name = local.name + tags = var.tags +} diff --git a/auth/registry/tests/integration/terraform/gcp/outputs.tf b/auth/registry/tests/integration/terraform/gcp/outputs.tf new file mode 100644 index 00000000..975800a4 --- /dev/null +++ b/auth/registry/tests/integration/terraform/gcp/outputs.tf @@ -0,0 +1,20 @@ +output "gcp_kubeconfig" { + value = module.gke.kubeconfig + sensitive = true +} + +output "gcp_project" { + value = module.gke.project +} + +output "gcp_region" { + value = module.gke.region +} + +output "gcr_repository_url" { + value = module.gcr.gcr_repository_url +} + +output "gcp_artifact_repository" { + value = module.gcr.artifact_repository_id +} diff --git a/auth/registry/tests/integration/terraform/gcp/variables.tf b/auth/registry/tests/integration/terraform/gcp/variables.tf new file mode 100644 index 00000000..6ccce9c0 --- /dev/null +++ b/auth/registry/tests/integration/terraform/gcp/variables.tf @@ -0,0 +1,23 @@ +variable "gcp_project_id" { + type = string +} + +variable "gcp_region" { + type = string + default = "us-central1" +} + +variable "gcp_zone" { + type = string + default = "us-central1-c" +} + +variable "gcr_region" { + type = string + default = "" // Empty default to use gcr.io. +} + +variable "tags" { + type = map(string) + default = {} +} diff --git a/auth/registry/tests/integration/testapp/main.go b/auth/registry/tests/integration/testapp/main.go new file mode 100644 index 00000000..f7cdbf4c --- /dev/null +++ b/auth/registry/tests/integration/testapp/main.go @@ -0,0 +1,83 @@ +/* +Copyright 2022 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "context" + "flag" + "log" + "time" + + "github.com/google/go-containerregistry/pkg/authn" + "github.com/google/go-containerregistry/pkg/name" + "github.com/google/go-containerregistry/pkg/v1/remote" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + registrypkg "github.com/fluxcd/pkg/auth/registry" +) + +// registry and repo flags are to facilitate testing of two login scenarios: +// - when the repository contains the full address, including registry host, +// e.g. foo.azurecr.io/bar. +// - when the repository contains only the repository name and registry name +// is provided separately, e.g. registry: foo.azurecr.io, repo: bar. +var ( + repo = flag.String("repo", "", "repository to list") + provider = flag.String("provider", "", "registry provider") +) + +func main() { + flag.Parse() + ctrl.SetLogger(zap.New(zap.UseDevMode(true))) + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + defer cancel() + + if *repo == "" { + panic("must provide -repo value") + } + + var auth authn.Authenticator + var ref name.Reference + var err error + + log.Printf("repository: %s\n", *repo) + ref, err = name.ParseReference(*repo) + if err != nil { + panic(err) + } + + auth, err = registrypkg.GetAuthenticator(ctx, *repo, *provider, nil) + if err != nil { + panic(err) + } + if auth == nil { + panic("received a nil authenticator") + } + + log.Printf("logged in using provider %s\n", *provider) + + var options []remote.Option + options = append(options, remote.WithAuth(auth)) + options = append(options, remote.WithContext(ctx)) + + tags, err := remote.List(ref.Context(), options...) + if err != nil { + panic(err) + } + log.Println("tags:", tags) +}