Merge branch 'main' into fix/ref-processing

2026-03-06 12:50:18 +01:00 · 2023-04-12 08:28:24 +02:00 · 2023-04-12 08:28:24 +02:00 · c5c37f8795
commit c5c37f8795
parent 6d64f81ad4 cfcbcac8b0
26 changed files with 945 additions and 189 deletions
--- a/pkg/container/client.go
+++ b/pkg/container/client.go
@ -260,7 +260,7 @@ func (client dockerClient) StartContainer(c Container) (t.ContainerID, error) {

 }

-func (client dockerClient) doStartContainer(bg context.Context, c Container, creation container.ContainerCreateCreatedBody) error {
+func (client dockerClient) doStartContainer(bg context.Context, c Container, creation container.CreateResponse) error {
 	name := c.Name()

 	log.Debugf("Starting container %s (%s)", name, t.ContainerID(creation.ID).ShortID())
@ -280,7 +280,7 @@ func (client dockerClient) RenameContainer(c Container, newName string) error {
 func (client dockerClient) IsContainerStale(container Container) (stale bool, latestImage t.ImageID, err error) {
 	ctx := context.Background()

-	if !client.PullImages {
+	if !client.PullImages || container.IsNoPull() {
 		log.Debugf("Skipping image pull.")
 	} else if err := client.PullImage(ctx, container); err != nil {
 		return false, container.SafeImageID(), err
--- a/pkg/container/container.go
+++ b/pkg/container/container.go
@ -125,6 +125,22 @@ func (c Container) IsMonitorOnly() bool {
 	return parsedBool
 }

+// IsNoPull returns the value of the no-pull label. If the label is not set
+// then false is returned.
+func (c Container) IsNoPull() bool {
+	rawBool, ok := c.getLabelValue(noPullLabel)
+	if !ok {
+		return false
+	}
+
+	parsedBool, err := strconv.ParseBool(rawBool)
+	if err != nil {
+		return false
+	}
+
+	return parsedBool
+}
+
 // Scope returns the value of the scope UID label and if the label
 // was set.
 func (c Container) Scope() (string, bool) {
@ -144,7 +160,14 @@ func (c Container) Links() []string {
 	dependsOnLabelValue := c.getLabelValueOrEmpty(dependsOnLabel)

 	if dependsOnLabelValue != "" {
-		links := strings.Split(dependsOnLabelValue, ",")
+		for _, link := range strings.Split(dependsOnLabelValue, ",") {
+			// Since the container names need to start with '/', let's prepend it if it's missing
+			if !strings.HasPrefix(link, "/") {
+				link = "/" + link
+			}
+			links = append(links, link)
+		}
+
 		return links
 	}

--- a/pkg/container/container_test.go
+++ b/pkg/container/container_test.go
@ -178,14 +178,21 @@ var _ = Describe("the container", func() {
 						"com.centurylinklabs.watchtower.depends-on": "postgres",
 					}))
 					links := c.Links()
-					Expect(links).To(SatisfyAll(ContainElement("postgres"), HaveLen(1)))
+					Expect(links).To(SatisfyAll(ContainElement("/postgres"), HaveLen(1)))
 				})
 				It("should fetch depending containers if there are many", func() {
 					c = MockContainer(WithLabels(map[string]string{
 						"com.centurylinklabs.watchtower.depends-on": "postgres,redis",
 					}))
 					links := c.Links()
-					Expect(links).To(SatisfyAll(ContainElement("postgres"), ContainElement("redis"), HaveLen(2)))
+					Expect(links).To(SatisfyAll(ContainElement("/postgres"), ContainElement("/redis"), HaveLen(2)))
+				})
+				It("should only add slashes to names when they are missing", func() {
+					c = MockContainer(WithLabels(map[string]string{
+						"com.centurylinklabs.watchtower.depends-on": "/postgres,redis",
+					}))
+					links := c.Links()
+					Expect(links).To(SatisfyAll(ContainElement("/postgres"), ContainElement("/redis")))
 				})
 				It("should fetch depending containers if label is blank", func() {
 					c = MockContainer(WithLabels(map[string]string{
@ -207,6 +214,39 @@ var _ = Describe("the container", func() {
 			})
 		})

+		When("checking no-pull label", func() {
+			When("no-pull label is true", func() {
+				c := MockContainer(WithLabels(map[string]string{
+					"com.centurylinklabs.watchtower.no-pull": "true",
+				}))
+				It("should return true", func() {
+					Expect(c.IsNoPull()).To(Equal(true))
+				})
+			})
+			When("no-pull label is false", func() {
+				c := MockContainer(WithLabels(map[string]string{
+					"com.centurylinklabs.watchtower.no-pull": "false",
+				}))
+				It("should return false", func() {
+					Expect(c.IsNoPull()).To(Equal(false))
+				})
+			})
+			When("no-pull label is set to an invalid value", func() {
+				c := MockContainer(WithLabels(map[string]string{
+					"com.centurylinklabs.watchtower.no-pull": "maybe",
+				}))
+				It("should return false", func() {
+					Expect(c.IsNoPull()).To(Equal(false))
+				})
+			})
+			When("no-pull label is unset", func() {
+				c = MockContainer(WithLabels(map[string]string{}))
+				It("should return false", func() {
+					Expect(c.IsNoPull()).To(Equal(false))
+				})
+			})
+		})
+
 		When("there is a pre or post update timeout", func() {
 			It("should return minute values", func() {
 				c = MockContainer(WithLabels(map[string]string{
--- a/pkg/container/metadata.go
+++ b/pkg/container/metadata.go
@ -1,18 +1,19 @@
 package container

 const (
-	watchtowerLabel       = "com.centurylinklabs.watchtower"
-	signalLabel           = "com.centurylinklabs.watchtower.stop-signal"
-	enableLabel           = "com.centurylinklabs.watchtower.enable"
-	monitorOnlyLabel      = "com.centurylinklabs.watchtower.monitor-only"
-	dependsOnLabel        = "com.centurylinklabs.watchtower.depends-on"
-	zodiacLabel           = "com.centurylinklabs.zodiac.original-image"
-	scope                 = "com.centurylinklabs.watchtower.scope"
-	preCheckLabel         = "com.centurylinklabs.watchtower.lifecycle.pre-check"
-	postCheckLabel        = "com.centurylinklabs.watchtower.lifecycle.post-check"
-	preUpdateLabel        = "com.centurylinklabs.watchtower.lifecycle.pre-update"
-	postUpdateLabel       = "com.centurylinklabs.watchtower.lifecycle.post-update"
-	preUpdateTimeoutLabel = "com.centurylinklabs.watchtower.lifecycle.pre-update-timeout"
+	watchtowerLabel        = "com.centurylinklabs.watchtower"
+	signalLabel            = "com.centurylinklabs.watchtower.stop-signal"
+	enableLabel            = "com.centurylinklabs.watchtower.enable"
+	monitorOnlyLabel       = "com.centurylinklabs.watchtower.monitor-only"
+	noPullLabel            = "com.centurylinklabs.watchtower.no-pull"
+	dependsOnLabel         = "com.centurylinklabs.watchtower.depends-on"
+	zodiacLabel            = "com.centurylinklabs.zodiac.original-image"
+	scope                  = "com.centurylinklabs.watchtower.scope"
+	preCheckLabel          = "com.centurylinklabs.watchtower.lifecycle.pre-check"
+	postCheckLabel         = "com.centurylinklabs.watchtower.lifecycle.post-check"
+	preUpdateLabel         = "com.centurylinklabs.watchtower.lifecycle.pre-update"
+	postUpdateLabel        = "com.centurylinklabs.watchtower.lifecycle.post-update"
+	preUpdateTimeoutLabel  = "com.centurylinklabs.watchtower.lifecycle.pre-update-timeout"
 	postUpdateTimeoutLabel = "com.centurylinklabs.watchtower.lifecycle.post-update-timeout"
 )

--- a/pkg/container/mocks/ApiServer.go
+++ b/pkg/container/mocks/ApiServer.go
@ -112,7 +112,6 @@ func ListContainersHandler(statuses ...string) http.HandlerFunc {
 	bytes, err := filterArgs.MarshalJSON()
 	O.ExpectWithOffset(1, err).ShouldNot(O.HaveOccurred())
 	query := url.Values{
-		"limit":   []string{"0"},
 		"filters": []string{string(bytes)},
 	}
 	return ghttp.CombineHandlers(
--- a/pkg/notifications/common_templates.go
+++ b/pkg/notifications/common_templates.go
@ -35,5 +35,6 @@ var commonTemplates = map[string]string{
    no containers matched filter
  {{- end -}}
 {{- end -}}`,
-}

+	`json.v1`: `{{ . | ToJSON }}`,
+}
--- a/pkg/notifications/email.go
+++ b/pkg/notifications/email.go
@ -63,6 +63,7 @@ func (e *emailTypeNotifier) GetURL(c *cobra.Command) (string, error) {
 		UseHTML:     false,
 		Encryption:  shoutrrrSmtp.EncMethods.Auto,
 		Auth:        shoutrrrSmtp.AuthTypes.None,
+		ClientHost:  "localhost",
 	}

 	if len(e.User) > 0 {
--- a/pkg/notifications/json.go
+++ b/pkg/notifications/json.go
@ -0,0 +1,71 @@
+package notifications
+
+import (
+	"encoding/json"
+
+	t "github.com/containrrr/watchtower/pkg/types"
+)
+
+type jsonMap = map[string]interface{}
+
+// MarshalJSON implements json.Marshaler
+func (d Data) MarshalJSON() ([]byte, error) {
+	var entries = make([]jsonMap, len(d.Entries))
+	for i, entry := range d.Entries {
+		entries[i] = jsonMap{
+			`level`:   entry.Level,
+			`message`: entry.Message,
+			`data`:    entry.Data,
+			`time`:    entry.Time,
+		}
+	}
+
+	var report jsonMap
+	if d.Report != nil {
+		report = jsonMap{
+			`scanned`: marshalReports(d.Report.Scanned()),
+			`updated`: marshalReports(d.Report.Updated()),
+			`failed`:  marshalReports(d.Report.Failed()),
+			`skipped`: marshalReports(d.Report.Skipped()),
+			`stale`:   marshalReports(d.Report.Stale()),
+			`fresh`:   marshalReports(d.Report.Fresh()),
+		}
+	}
+
+	return json.Marshal(jsonMap{
+		`report`:  report,
+		`title`:   d.Title,
+		`host`:    d.Host,
+		`entries`: entries,
+	})
+}
+
+func marshalReports(reports []t.ContainerReport) []jsonMap {
+	jsonReports := make([]jsonMap, len(reports))
+	for i, report := range reports {
+		jsonReports[i] = jsonMap{
+			`id`:             report.ID().ShortID(),
+			`name`:           report.Name(),
+			`currentImageId`: report.CurrentImageID().ShortID(),
+			`latestImageId`:  report.LatestImageID().ShortID(),
+			`imageName`:      report.ImageName(),
+			`state`:          report.State(),
+		}
+		if errorMessage := report.Error(); errorMessage != "" {
+			jsonReports[i][`error`] = errorMessage
+		}
+	}
+	return jsonReports
+}
+
+var _ json.Marshaler = &Data{}
+
+func toJSON(v interface{}) string {
+	var bytes []byte
+	var err error
+	if bytes, err = json.MarshalIndent(v, "", "  "); err != nil {
+		LocalLog.Errorf("failed to marshal JSON in notification template: %v", err)
+		return ""
+	}
+	return string(bytes)
+}
--- a/pkg/notifications/json_test.go
+++ b/pkg/notifications/json_test.go
@ -0,0 +1,118 @@
+package notifications
+
+import (
+	s "github.com/containrrr/watchtower/pkg/session"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("JSON template", func() {
+	When("using report templates", func() {
+		When("JSON template is used", func() {
+			It("should format the messages to the expected format", func() {
+				expected := `{
+	"entries": [
+			{
+				"data": null,
+				"level": "info",
+				"message": "foo Bar",
+				"time": "0001-01-01T00:00:00Z"
+			}
+		],
+		"host": "Mock",
+		"report": {
+		"failed": [
+			{
+				"currentImageId": "01d210000000",
+				"error": "accidentally the whole container",
+				"id": "c79210000000",
+				"imageName": "mock/fail1:latest",
+				"latestImageId": "d0a210000000",
+				"name": "fail1",
+				"state": "Failed"
+			}
+		],
+		"fresh": [
+			{
+				"currentImageId": "01d310000000",
+				"id": "c79310000000",
+				"imageName": "mock/frsh1:latest",
+				"latestImageId": "01d310000000",
+				"name": "frsh1",
+				"state": "Fresh"
+			}
+		],
+		"scanned": [
+			{
+				"currentImageId": "01d110000000",
+				"id": "c79110000000",
+				"imageName": "mock/updt1:latest",
+				"latestImageId": "d0a110000000",
+				"name": "updt1",
+				"state": "Updated"
+			},
+			{
+				"currentImageId": "01d120000000",
+				"id": "c79120000000",
+				"imageName": "mock/updt2:latest",
+				"latestImageId": "d0a120000000",
+				"name": "updt2",
+				"state": "Updated"
+			},
+			{
+				"currentImageId": "01d210000000",
+				"error": "accidentally the whole container",
+				"id": "c79210000000",
+				"imageName": "mock/fail1:latest",
+				"latestImageId": "d0a210000000",
+				"name": "fail1",
+				"state": "Failed"
+			},
+			{
+				"currentImageId": "01d310000000",
+				"id": "c79310000000",
+				"imageName": "mock/frsh1:latest",
+				"latestImageId": "01d310000000",
+				"name": "frsh1",
+				"state": "Fresh"
+			}
+		],
+		"skipped": [
+			{
+				"currentImageId": "01d410000000",
+				"error": "unpossible",
+				"id": "c79410000000",
+				"imageName": "mock/skip1:latest",
+				"latestImageId": "01d410000000",
+				"name": "skip1",
+				"state": "Skipped"
+			}
+		],
+		"stale": [],
+		"updated": [
+			{
+				"currentImageId": "01d110000000",
+				"id": "c79110000000",
+				"imageName": "mock/updt1:latest",
+				"latestImageId": "d0a110000000",
+				"name": "updt1",
+				"state": "Updated"
+			},
+			{
+				"currentImageId": "01d120000000",
+				"id": "c79120000000",
+				"imageName": "mock/updt2:latest",
+				"latestImageId": "d0a120000000",
+				"name": "updt2",
+				"state": "Updated"
+			}
+		]
+		},
+		"title": "Watchtower updates on Mock"
+}`
+				data := mockDataFromStates(s.UpdatedState, s.FreshState, s.FailedState, s.SkippedState, s.UpdatedState)
+				Expect(getTemplatedResult(`json.v1`, false, data)).To(MatchJSON(expected))
+			})
+		})
+	})
+})
--- a/pkg/notifications/model.go
+++ b/pkg/notifications/model.go
@ -0,0 +1,19 @@
+package notifications
+
+import (
+	t "github.com/containrrr/watchtower/pkg/types"
+	log "github.com/sirupsen/logrus"
+)
+
+// StaticData is the part of the notification template data model set upon initialization
+type StaticData struct {
+	Title string
+	Host  string
+}
+
+// Data is the notification template data model
+type Data struct {
+	StaticData
+	Entries []*log.Entry
+	Report  t.Report
+}
--- a/pkg/notifications/shoutrrr.go
+++ b/pkg/notifications/shoutrrr.go
@ -210,6 +210,7 @@ func getShoutrrrTemplate(tplString string, legacy bool) (tpl *template.Template,
 	funcs := template.FuncMap{
 		"ToUpper": strings.ToUpper,
 		"ToLower": strings.ToLower,
+		"ToJSON":  toJSON,
 		"Title":   cases.Title(language.AmericanEnglish).String,
 	}
 	tplBase := template.New("").Funcs(funcs)
@ -240,16 +241,3 @@ func getShoutrrrTemplate(tplString string, legacy bool) (tpl *template.Template,

 	return
 }
-
-// StaticData is the part of the notification template data model set upon initialization
-type StaticData struct {
-	Title string
-	Host  string
-}
-
-// Data is the notification template data model
-type Data struct {
-	StaticData
-	Entries []*log.Entry
-	Report  t.Report
-}
--- a/pkg/registry/auth/auth.go
+++ b/pkg/registry/auth/auth.go
@ -88,7 +88,8 @@ func GetBearerHeader(challenge string, imageRef ref.Named, registryAuth string)

 	if registryAuth != "" {
 		logrus.Debug("Credentials found.")
-		logrus.Tracef("Credentials: %v", registryAuth)
+		// CREDENTIAL: Uncomment to log registry credentials
+		// logrus.Tracef("Credentials: %v", registryAuth)
 		r.Header.Add("Authorization", fmt.Sprintf("Basic %s", registryAuth))
 	} else {
 		logrus.Debug("No credentials found.")
@ -120,10 +121,9 @@ func GetAuthURL(challenge string, imageRef ref.Named) (*url.URL, error) {

 	for _, pair := range pairs {
 		trimmed := strings.Trim(pair, " ")
-		kv := strings.Split(trimmed, "=")
-		key := kv[0]
-		val := strings.Trim(kv[1], "\"")
-		values[key] = val
+		if key, val, ok := strings.Cut(trimmed, "="); ok {
+			values[key] = strings.Trim(val, `"`)
+		}
 	}
 	logrus.WithFields(logrus.Fields{
 		"realm":   values["realm"],
--- a/pkg/registry/auth/auth_test.go
+++ b/pkg/registry/auth/auth_test.go
@ -10,6 +10,7 @@ import (

 	"github.com/containrrr/watchtower/internal/actions/mocks"
 	"github.com/containrrr/watchtower/pkg/registry/auth"
+
 	wtTypes "github.com/containrrr/watchtower/pkg/types"
 	ref "github.com/docker/distribution/reference"
 	. "github.com/onsi/ginkgo"
@ -109,6 +110,18 @@ var _ = Describe("the auth module", func() {
 				Expect(getScopeFromImageAuthURL("ghcr.io/containrrr/watchtower")).To(Equal("containrrr/watchtower"))
 			})
 		})
+		It("should not crash when an empty field is recieved", func() {
+			input := `bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull",`
+			res, err := auth.GetAuthURL(input, "containrrr/watchtower")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(res).NotTo(BeNil())
+		})
+		It("should not crash when a field without a value is recieved", func() {
+			input := `bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull",valuelesskey`
+			res, err := auth.GetAuthURL(input, "containrrr/watchtower")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(res).NotTo(BeNil())
+		})
 	})

 	Describe("GetChallengeURL", func() {
--- a/pkg/registry/digest/digest.go
+++ b/pkg/registry/digest/digest.go
@ -6,15 +6,16 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
 	"github.com/containrrr/watchtower/internal/meta"
 	"github.com/containrrr/watchtower/pkg/registry/auth"
 	"github.com/containrrr/watchtower/pkg/registry/manifest"
 	"github.com/containrrr/watchtower/pkg/types"
 	"github.com/sirupsen/logrus"
-	"net"
-	"net/http"
-	"strings"
-	"time"
 )

 // ContentDigestHeader is the key for the key-value pair containing the digest header
@ -25,7 +26,7 @@ func CompareDigest(container types.Container, registryAuth string) (bool, error)
 	if !container.HasImageInfo() {
 		return false, errors.New("container image info missing")
 	}
-	
+
 	var digest string

 	registryAuth = TransformAuth(registryAuth)
@ -93,16 +94,18 @@ func GetDigest(url string, token string) (string, error) {
 	req, _ := http.NewRequest("HEAD", url, nil)
 	req.Header.Set("User-Agent", meta.UserAgent)

-	if token != "" {
-		logrus.WithField("token", token).Trace("Setting request token")
-	} else {
+	if token == "" {
 		return "", errors.New("could not fetch token")
 	}

+	// CREDENTIAL: Uncomment to log the request token
+	// logrus.WithField("token", token).Trace("Setting request token")
+
 	req.Header.Add("Authorization", token)
 	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")
 	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.list.v2+json")
 	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v1+json")
+	req.Header.Add("Accept", "application/vnd.oci.image.index.v1+json")

 	logrus.WithField("url", url).Debug("Doing a HEAD request to fetch a digest")

--- a/pkg/registry/registry.go
+++ b/pkg/registry/registry.go
@ -19,7 +19,9 @@ func GetPullOptions(imageName string) (types.ImagePullOptions, error) {
 	if auth == "" {
 		return types.ImagePullOptions{}, nil
 	}
-	log.Tracef("Got auth value: %s", auth)
+
+	// CREDENTIAL: Uncomment to log docker config auth
+	// log.Tracef("Got auth value: %s", auth)

 	return types.ImagePullOptions{
 		RegistryAuth:  auth,
--- a/pkg/registry/trust.go
+++ b/pkg/registry/trust.go
@ -36,8 +36,11 @@ func EncodedEnvAuth() (string, error) {
 			Username: username,
 			Password: password,
 		}
+    
 		log.Debugf("Loaded auth credentials for registry user %s from environment", auth.Username)
-		log.Tracef("Using auth password %s", auth.Password)
+		// CREDENTIAL: Uncomment to log REPO_PASS environment variable
+		// log.Tracef("Using auth password %s", auth.Password)
+
 		return EncodeAuth(auth)
 	}
 	return "", errors.New("registry auth environment variables (REPO_USER, REPO_PASS) not set")
@ -71,7 +74,8 @@ func EncodedConfigAuth(imageRef string) (string, error) {
 		return "", nil
 	}
 	log.Debugf("Loaded auth credentials for user %s, on registry %s, from file %s", auth.Username, server, configFile.Filename)
-	log.Tracef("Using auth password %s", auth.Password)
+	// CREDENTIAL: Uncomment to log docker config password
+	// log.Tracef("Using auth password %s", auth.Password)
 	return EncodeAuth(auth)
 }