Add authentication to utility registry (#144)

Signed-off-by: Jeff McCoy <[email protected]>

Author: RothAndrew

assets/manifests/registry/registry.yaml

@@ -38,6 +38,8 @@ spec:
     image:
       repository: registry1.dso.mil/ironbank/opensource/docker/registry-v2
       pullPolicy: Never
+    secrets:
+      htpasswd: ###ZARF_HTPASSWD###
     resources:
       requests:
         cpu: "100m"

assets/misc/registries.yaml

@@ -11,3 +11,9 @@ mirrors:
   registry-1.docker.io:
     endpoint:
       - "https://127.0.0.1"
+  ghcr.io:
+    endpoint:
+      - "https://127.0.0.1"
+  registry.opensource.zalan.do:
+    endpoint:
+      - "https://127.0.0.1"

cli/internal/k3s/install.go

@@ -37,6 +37,13 @@ func Install(options InstallOptions) {
 
 	gitSecret := git.GetOrCreateZarfSecret()
 
+	// Now that we have what the password will be, we should add the login entry to the system's registry config
+	err := utils.Login(config.ZarfLocalIP, config.ZarfGitUser, gitSecret)
+	if err != nil {
+		logrus.Debug(err)
+		logrus.Fatal("Unable to add login credentials for the utility registry")
+	}
+
 	logrus.Info("Installation complete.  You can run \"/usr/local/bin/k9s\" to monitor the status of the deployment.")
 	logrus.WithFields(logrus.Fields{
 		"Gitea Username (if installed)": config.ZarfGitUser,

cli/internal/packager/deploy.go

@@ -2,7 +2,9 @@ package packager
 
 import (
 	"crypto/sha256"
+	"encoding/base64"
 	"encoding/hex"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -168,10 +170,17 @@ func deployComponents(tempPath componentPaths, assets config.ZarfComponent) {
 		// Get a list of all the k3s manifest files
 		manifests := utils.RecursiveFileList(tempPath.manifests)
 
-		// Iterate through all the manifests and replace any ZARF_SECRET values
+		// Iterate through all the manifests and replace any ZARF_SECRET, ZARF_HTPASSWD, or ZARF_DOCKERAUTH values
 		for _, manifest := range manifests {
 			logrus.WithField("path", manifest).Info("Processing manifest file")
 			utils.ReplaceText(manifest, "###ZARF_SECRET###", gitSecret)
+			htpasswd, err := utils.GetHtpasswdString(config.ZarfGitUser, gitSecret)
+			if err != nil {
+				logrus.Debug(err)
+				logrus.Fatal("Unable to define `htpasswd` string for the Zarf user")
+			}
+			utils.ReplaceText(manifest, "###ZARF_HTPASSWD###", htpasswd)
+			utils.ReplaceText(manifest, "###ZARF_DOCKERAUTH###", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", config.ZarfGitUser, gitSecret))))
 		}
 
 		utils.CreatePathAndCopy(tempPath.manifests, config.K3sManifestPath)

cli/internal/utils/auth.go

@@ -0,0 +1,36 @@
+package utils
+
+import (
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/types"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/name"
+	"log"
+	"os"
+)
+// Login adds the given creds to the user's Docker config, usually located at $HOME/.docker/config.yaml. It does not try
+// to connect to the given registry, it just simply adds another entry to the config file.
+// This function was mostly adapted from https://github.com/google/go-containerregistry/blob/5c9c442d5d68cd96787559ebf6e984c7eb084913/cmd/crane/cmd/auth.go
+func Login(serverAddress string, user string, password string) error {
+	cf, err := config.Load(os.Getenv("DOCKER_CONFIG"))
+	if err != nil {
+		return err
+	}
+	creds := cf.GetCredentialsStore(serverAddress)
+	if serverAddress == name.DefaultRegistry {
+		serverAddress = authn.DefaultAuthKey
+	}
+	if err := creds.Store(types.AuthConfig{
+		ServerAddress: serverAddress,
+		Username:      user,
+		Password:      password,
+	}); err != nil {
+		return err
+	}
+
+	if err := cf.Save(); err != nil {
+		return err
+	}
+	log.Printf("logged in via %s", cf.Filename)
+	return nil
+}

cli/internal/utils/htpasswd.go

@@ -0,0 +1,15 @@
+package utils
+
+import (
+	"fmt"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// GetHtpasswdString converts a username and password to a properly formatted and hashed format for `htpasswd`
+func GetHtpasswdString(username string, password string) (string, error) {
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%s:%s", username, hash), nil
+}

examples/Makefile

@@ -54,16 +54,12 @@ vm-destroy: ## Cleanup plz
 	@vagrant destroy -f
 
 .PHONY: package-examples
-package-examples: package-example-big-bang package-example-appliance package-example-data-injection package-example-game package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator ## Create zarf packages from all examples
+package-examples: package-example-big-bang package-example-data-injection package-example-game package-example-gitops-data package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator ## Create zarf packages from all examples
 
 .PHONY: package-example-big-bang
 package-example-big-bang: ## Create the Big Bang Core example
 	cd big-bang && kustomize build template/bigbang > manifests/bigbang_generated.yaml && kustomize build template/flux > manifests/flux_generated.yaml && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
 
-.PHONY: package-example-appliance
-package-example-appliance: ## Create the Podinfo example
-	cd appliance && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
-
 .PHONY: package-example-data-injection
 package-example-data-injection: ## Create the Data Injection example
 	cd data-injection && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
@@ -72,6 +68,10 @@ package-example-data-injection: ## Create the Data Injection example
 package-example-game: ## Create the Doom example
 	cd game && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
 
+.PHONY: package-example-gitops-data
+package-example-gitops-data: ## Create the gitops-data example
+	cd gitops-data && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
+
 .PHONY: package-example-single-big-bang-package
 package-example-single-big-bang-package: ## Create the Single Big Bang Package example
 	cd single-big-bang-package && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

examples/Vagrantfile

@@ -30,6 +30,6 @@ Vagrant.configure("2") do |config|
     sysctl -w vm.max_map_count=262144
 
     # Airgap images please
-    echo "0.0.0.0 registry.hub.docker.com hub.docker.com charts.helm.sh repo1.dso.mil github.com registry.dso.mil registry1.dso.mil docker.io index.docker.io auth.docker.io registry-1.docker.io dseasb33srnrn.cloudfront.net production.cloudflare.docker.com" >> /etc/hosts
+    echo "0.0.0.0 registry.opensource.zalan.do ghcr.io registry.hub.docker.com hub.docker.com charts.helm.sh repo1.dso.mil github.com registry.dso.mil registry1.dso.mil docker.io index.docker.io auth.docker.io registry-1.docker.io dseasb33srnrn.cloudfront.net production.cloudflare.docker.com" >> /etc/hosts
   SHELL
 end

examples/appliance/README.md

@@ -7,3 +7,31 @@ metadata:
 stringData:
   username: "zarf-git-user"
   password: "###ZARF_SECRET###"
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: private-registry
+  namespace: flux-system
+stringData:
+  .dockerconfigjson: |
+    {
+      "auths": {
+        "registry.dso.mil": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "registry1.dso.mil": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "docker.io": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "registry-1.docker.io": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "ghcr.io": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        }
+      }
+    }

examples/appliance/manifests/podinfo.yaml

@@ -1,5 +1,10 @@
 domain: bigbang.dev
 
+registryCredentials:
+  registry: "registry1.dso.mil"
+  username: "zarf-git-user"
+  password: "###ZARF_SECRET###"
+
 git:
   existingSecret: "zarf-git-secret"
 

examples/appliance/zarf.yaml

@@ -16,3 +16,5 @@ spec:
     - name: data-injection
       image: registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.4
       command: ["/bin/sh", "-ec", "mkdir -p /test && while :; do ls -lah /test; sleep 5 ; done"]
+  imagePullSecrets:
+    - name: private-registry

examples/big-bang/manifests/other_manifests.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: private-registry
+  namespace: demo
+stringData:
+  .dockerconfigjson: |
+    {
+      "auths": {
+        "registry.dso.mil": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "registry1.dso.mil": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "docker.io": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "registry-1.docker.io": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "ghcr.io": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        }
+      }
+    }

examples/big-bang/template/bigbang/values.yaml

@@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: demo-ingress
+  namespace: default
   annotations:
     kubernetes.io/ingress.class: "traefik"
     traefik.ingress.kubernetes.io/router.middlewares: kube-system-ssl-redirect@kubernetescrd
@@ -21,6 +22,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: game
+  namespace: default
 spec:
   selector:
     matchLabels:
@@ -37,11 +39,14 @@ spec:
         - name: http
           containerPort: 8000
           protocol: TCP
+      imagePullSecrets:
+        - name: private-registry
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: game
+  namespace: default
 spec:
   type: ClusterIP
   selector:

examples/data-injection/manifests/data-injection.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: private-registry
+  namespace: default
+stringData:
+  .dockerconfigjson: |
+    {
+      "auths": {
+        "registry.dso.mil": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "registry1.dso.mil": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "docker.io": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "registry-1.docker.io": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        },
+        "ghcr.io": {
+          "auth":"###ZARF_DOCKERAUTH###"
+        }
+      }
+    }