Add external Docker registry authentication support via arguments/YAML

Signed-off-by: Nenad Ilic <[email protected]>
Signed-off-by: Burton Rheutan <[email protected]>

Author: nenadilic84

commands/deploy.go

@@ -4,13 +4,19 @@
 package commands
 
 import (
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"gopkg.in/yaml.v2"
 
+	"github.com/docker/docker-credential-helpers/client"
+	homedir "github.com/mitchellh/go-homedir"
 	"github.com/openfaas/faas-cli/proxy"
 	"github.com/openfaas/faas-cli/stack"
 	"github.com/spf13/cobra"
@@ -72,7 +78,7 @@ var deployCmd = &cobra.Command{
                   [--constraint PLACEMENT_CONSTRAINT ...]
                   [--regex "REGEX"]
                   [--filter "WILDCARD"]
-				  [--secret "SECRET_NAME"]`,
+                  [--secret "SECRET_NAME"]`,
 
 	Short: "Deploy OpenFaaS functions",
 	Long: `Deploys OpenFaaS function containers either via the supplied YAML config using
@@ -112,6 +118,12 @@ func runDeployCommand(args []string, image string, fprocess string, functionName
 		return fmt.Errorf("cannot specify --update and --replace at the same time")
 	}
 
+	dockerConfig := configFile{}
+	err := readDockerConfig(&dockerConfig)
+	if err != nil {
+		log.Println("Unable to read the docker config - %v", err.Error())
+	}
+
 	var services stack.Services
 	if len(yamlFile) > 0 {
 		parsedServices, err := stack.ParseYAMLFile(yamlFile, regex, filter)
@@ -153,6 +165,8 @@ func runDeployCommand(args []string, image string, fprocess string, functionName
 				deployFlags.secrets = mergeSlice(function.Secrets, deployFlags.secrets)
 			}
 
+			function.RegistryAuth = getRegistryAuth(&dockerConfig, function.Image)
+
 			fileEnvironment, err := readFiles(function.EnvironmentFile)
 			if err != nil {
 				return err
@@ -191,16 +205,17 @@ Error: %s`, fprocessErr.Error())
 				Requests: function.Requests,
 			}
 
-			proxy.DeployFunction(function.FProcess, services.Provider.GatewayURL, function.Name, function.Image, function.Language, deployFlags.replace, allEnvironment, services.Provider.Network, functionConstraints, deployFlags.update, deployFlags.secrets, allLabels, functionResourceRequest1)
+			proxy.DeployFunction(function.FProcess, services.Provider.GatewayURL, function.Name, function.Image, function.RegistryAuth, function.Language, deployFlags.replace, allEnvironment, services.Provider.Network, functionConstraints, deployFlags.update, deployFlags.secrets, allLabels, functionResourceRequest1)
 		}
 	} else {
 		if len(image) == 0 || len(functionName) == 0 {
 			return fmt.Errorf("To deploy a function give --yaml/-f or a --image flag")
 		}
 
 		gateway = getGatewayURL(gateway, defaultGateway, gateway, os.Getenv(openFaaSURLEnvironment))
+		registryAuth := getRegistryAuth(&dockerConfig, image)
 
-		if err := deployImage(image, fprocess, functionName, deployFlags); err != nil {
+		if err := deployImage(image, fprocess, functionName, registryAuth, deployFlags); err != nil {
 			return err
 		}
 	}
@@ -213,6 +228,7 @@ func deployImage(
 	image string,
 	fprocess string,
 	functionName string,
+	registryAuth string,
 	deployFlags DeployFlags,
 ) error {
 	envvars, err := parseMap(deployFlags.envvarOpts, "env")
@@ -226,7 +242,7 @@ func deployImage(
 	}
 
 	functionResourceRequest1 := proxy.FunctionResourceRequest{}
-	proxy.DeployFunction(fprocess, gateway, functionName, image, language, deployFlags.replace, envvars, network, deployFlags.constraints, deployFlags.update, deployFlags.secrets, labelMap, functionResourceRequest1)
+	proxy.DeployFunction(fprocess, gateway, functionName, registryAuth, image, language, deployFlags.replace, envvars, network, deployFlags.constraints, deployFlags.update, deployFlags.secrets, labelMap, functionResourceRequest1)
 
 	return nil
 }
@@ -340,3 +356,91 @@ func deriveFprocess(function stack.Function) (string, error) {
 func languageExistsNotDockerfile(language string) bool {
 	return len(language) > 0 && strings.ToLower(language) != "dockerfile"
 }
+
+type authConfig struct {
+	Auth string `json:"auth,omitempty"`
+}
+
+type configFile struct {
+	AuthConfigs      map[string]authConfig `json:"auths"`
+	CredentialsStore string                `json:"credsStore,omitempty"`
+}
+
+const (
+	// docker default settings
+	configFileName        = "config.json"
+	configFileDir         = ".docker"
+	defaultDockerRegistry = "https://index.docker.io/v1/"
+)
+
+var (
+	configDir = os.Getenv("DOCKER_CONFIG")
+)
+
+func readDockerConfig(config *configFile) error {
+
+	if configDir == "" {
+		home, err := homedir.Dir()
+		if err != nil {
+			return err
+		}
+		configDir = filepath.Join(home, configFileDir)
+	}
+	filename := filepath.Join(configDir, configFileName)
+
+	file, err := os.Open(filename)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	content, err := ioutil.ReadAll(file)
+	if err != nil {
+		return err
+	}
+
+	err = json.Unmarshal(content, config)
+	if err != nil {
+		return err
+	}
+
+	if config.CredentialsStore != "" {
+		p := client.NewShellProgramFunc("docker-credential-" + config.CredentialsStore)
+
+		for k := range config.AuthConfigs {
+			creds, err := client.Get(p, k)
+			if err != nil {
+				return err
+			}
+
+			if config.AuthConfigs[k].Auth == "" {
+				// apend base64 encoded "auth": "dGVzdDpQdXFxR3E2THZDYzhGQUwyUWtLcA==" (user:pass)
+				registryAuth := creds.Username + ":" + creds.Secret
+				registryAuth = base64.StdEncoding.EncodeToString([]byte(registryAuth))
+
+				var tmp = config.AuthConfigs[k]
+				tmp.Auth = registryAuth
+				config.AuthConfigs[k] = tmp
+			}
+		}
+	}
+	return nil
+}
+
+func getRegistryAuth(config *configFile, image string) string {
+
+	if len(config.AuthConfigs) == 0 {
+		return ""
+	}
+
+	// image format is: <docker registry>/<user>/<image>
+	// so we trim <user>/<image>
+	regS := strings.Split(image, "/")
+	registry := strings.Join(regS[:len(regS)-2], ", ")
+
+	if registry != "" {
+		return config.AuthConfigs[registry].Auth
+	} else if (registry == "") && (config.AuthConfigs[defaultDockerRegistry].Auth != "") {
+		return config.AuthConfigs[defaultDockerRegistry].Auth
+	}
+	return ""
+}

commands/store_deploy.go

@@ -87,5 +87,5 @@ func runStoreDeploy(cmd *cobra.Command, args []string) error {
 
 	gateway = getGatewayURL(gateway, defaultGateway, "", os.Getenv(openFaaSURLEnvironment))
 
-	return deployImage(item.Image, item.Fprocess, item.Name, storeDeployFlags)
+	return deployImage(item.Image, item.Fprocess, item.Name, "", storeDeployFlags)
 }

proxy/deploy.go

@@ -23,16 +23,16 @@ type FunctionResourceRequest struct {
 }
 
 func DeployFunction(fprocess string, gateway string, functionName string, image string,
-	language string, replace bool, envVars map[string]string, network string,
-	constraints []string, update bool, secrets []string, labels map[string]string,
-	functionResourceRequest1 FunctionResourceRequest) {
+	registryAuth string, language string, replace bool, envVars map[string]string,
+	network string, constraints []string, update bool, secrets []string,
+	labels map[string]string, functionResourceRequest1 FunctionResourceRequest) {
 
 	rollingUpdateInfo := fmt.Sprintf("Function %s already exists, attempting rolling-update.", functionName)
-	statusCode, deployOutput := Deploy(fprocess, gateway, functionName, image, language, replace, envVars, network, constraints, update, secrets, labels, functionResourceRequest1)
+	statusCode, deployOutput := Deploy(fprocess, gateway, functionName, image, registryAuth, language, replace, envVars, network, constraints, update, secrets, labels, functionResourceRequest1)
 
 	if update == true && statusCode == http.StatusNotFound {
 		// Re-run the function with update=false
-		_, deployOutput = Deploy(fprocess, gateway, functionName, image, language, replace, envVars, network, constraints, false, secrets, labels, functionResourceRequest1)
+		_, deployOutput = Deploy(fprocess, gateway, functionName, image, registryAuth, language, replace, envVars, network, constraints, false, secrets, labels, functionResourceRequest1)
 	} else if statusCode == http.StatusOK {
 		fmt.Println(rollingUpdateInfo)
 	}
@@ -41,9 +41,9 @@ func DeployFunction(fprocess string, gateway string, functionName string, image
 }
 
 func Deploy(fprocess string, gateway string, functionName string, image string,
-	language string, replace bool, envVars map[string]string, network string,
-	constraints []string, update bool, secrets []string, labels map[string]string,
-	functionResourceRequest1 FunctionResourceRequest) (int, string) {
+	registryAuth string, language string, replace bool, envVars map[string]string,
+	network string, constraints []string, update bool, secrets []string,
+	labels map[string]string, functionResourceRequest1 FunctionResourceRequest) (int, string) {
 
 	var deployOutput string
 	// Need to alter Gateway to allow nil/empty string as fprocess, to avoid this repetition.
@@ -52,21 +52,26 @@ func Deploy(fprocess string, gateway string, functionName string, image string,
 		fprocessTemplate = fprocess
 	}
 
+	if (registryAuth != "") && !strings.HasPrefix(gateway, "https") {
+		fmt.Println("WARNING! Communication is not secure, please consider using HTTPS. Letsencrypt.org offers free SSL/TLS certificates.")
+	}
+
 	gateway = strings.TrimRight(gateway, "/")
 
 	if replace {
 		DeleteFunction(gateway, functionName)
 	}
 
 	req := requests.CreateFunctionRequest{
-		EnvProcess:  fprocessTemplate,
-		Image:       image,
-		Network:     network,
-		Service:     functionName,
-		EnvVars:     envVars,
-		Constraints: constraints,
-		Secrets:     secrets, // TODO: allow registry auth to be specified or read from local Docker credentials store
-		Labels:      &labels,
+		EnvProcess:   fprocessTemplate,
+		Image:        image,
+		RegistryAuth: registryAuth,
+		Network:      network,
+		Service:      functionName,
+		EnvVars:      envVars,
+		Constraints:  constraints,
+		Secrets:      secrets,
+		Labels:       &labels,
 	}
 
 	hasLimits := false

proxy/deploy_test.go

@@ -35,6 +35,7 @@ func runDeployProxyTest(t *testing.T, deployTest deployProxyTest) {
 			s.URL,
 			"function",
 			"image",
+			"dXNlcjpwYXNzd29yZA==",
 			"language",
 			deployTest.replace,
 			nil,
@@ -93,6 +94,7 @@ func Test_DeployFunction_MissingURLPrefix(t *testing.T) {
 			url,
 			"function",
 			"image",
+			"dXNlcjpwYXNzd29yZA==",
 			"language",
 			false,
 			nil,

stack/schema.go

@@ -22,6 +22,9 @@ type Function struct {
 	// Image Docker image name
 	Image string `yaml:"image"`
 
+	// Docker registry Authorization
+	RegistryAuth string `yaml:"registry_auth,omitempty"`
+
 	FProcess string `yaml:"fprocess"`
 
 	Environment map[string]string `yaml:"environment"`