add http head based digest comparison to avoid dockerhub rate limits

This commit is contained in:
Simon Aronsson 2020-12-06 13:21:04 +01:00 committed by GitHub
parent c8bd484b9e
commit cb62b16369
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
23 changed files with 1476 additions and 57 deletions


@ -0,0 +1,98 @@
package digest
import (
"crypto/tls"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"github.com/containrrr/watchtower/pkg/registry/auth"
"github.com/containrrr/watchtower/pkg/registry/manifest"
"github.com/containrrr/watchtower/pkg/types"
"github.com/sirupsen/logrus"
"net/http"
"strings"
)
// ContentDigestHeader is the key for the key-value pair containing the digest header
const ContentDigestHeader = "Docker-Content-Digest"
// CompareDigest ...
func CompareDigest(container types.Container, registryAuth string) (bool, error) {
var digest string
registryAuth = TransformAuth(registryAuth)
token, err := auth.GetToken(container, registryAuth)
if err != nil {
return false, err
}
digestURL, err := manifest.BuildManifestURL(container)
if err != nil {
return false, err
}
if digest, err = GetDigest(digestURL, token); err != nil {
return false, err
}
logrus.WithField("remote", digest).Debug("Found a remote digest to compare with")
for _, dig := range container.ImageInfo().RepoDigests {
localDigest := strings.Split(dig, "@")[1]
fields := logrus.Fields{"local": localDigest, "remote": digest}
logrus.WithFields(fields).Debug("Comparing")
if localDigest == digest {
logrus.Debug("Found a match")
return true, nil
}
}
return false, nil
}
// TransformAuth from a base64 encoded json object to base64 encoded string
func TransformAuth(registryAuth string) string {
b, _ := base64.StdEncoding.DecodeString(registryAuth)
credentials := &types.RegistryCredentials{}
_ = json.Unmarshal(b, credentials)
if credentials.Username != "" && credentials.Password != "" {
ba := []byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password))
registryAuth = base64.StdEncoding.EncodeToString(ba)
}
return registryAuth
}
// GetDigest from registry using a HEAD request to prevent rate limiting
func GetDigest(url string, token string) (string, error) {
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
if token != "" {
logrus.WithField("token", token).Trace("Setting request token")
} else {
return "", errors.New("could not fetch token")
}
req, _ := http.NewRequest("HEAD", url, nil)
req.Header.Add("Authorization", token)
req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")
req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.list.v2+json")
req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v1+json")
logrus.WithField("url", url).Debug("Doing a HEAD request to fetch a digest")
res, err := client.Do(req)
if err != nil {
return "", err
}
if res.StatusCode != 200 {
return "", fmt.Errorf("registry responded to head request with %d", res.StatusCode)
}
return res.Header.Get(ContentDigestHeader), nil
}
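Review bot: GetDigest builds its transport with `InsecureSkipVerify: true` in the `tls.Config`, which disables certificate verification on the very connection that carries the Authorization token, so a spoofed or intercepted registry endpoint can both capture the token and answer with an arbitrary digest; the default transport (which verifies certificates) should be used instead. The same function never closes `res.Body`, discards the `http.NewRequest` error with `req, _ :=`, and has no client timeout, and the Trace line writes the full token value into the log, which places a credential in log output. The rewrite below drops the custom TLS config, checks the request error, closes the body and bounds the request with a timeout (which needs `time` added to the import block); the token log line should at most record that a token is present, e.g. `logrus.Debug("Setting request token")`. In CompareDigest, `strings.Split(dig, "@")[1]` panics on a RepoDigests entry that contains no `@`; guard it with `strings.Cut` or a length check before indexing.
```go
func GetDigest(url string, token string) (string, error) {
	// Default transport keeps TLS certificate verification enabled.
	client := &http.Client{Timeout: 30 * time.Second}
	if token == "" {
		return "", errors.New("could not fetch token")
	}
	logrus.Debug("Setting request token")
	req, err := http.NewRequest("HEAD", url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Add("Authorization", token)
	// … unchanged: Accept headers and debug log …
	res, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer res.Body.Close()
	// … unchanged: status check and digest header lookup …
}
```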


@ -0,0 +1,87 @@
package digest_test
import (
"fmt"
"github.com/containrrr/watchtower/internal/actions/mocks"
"github.com/containrrr/watchtower/pkg/registry/digest"
wtTypes "github.com/containrrr/watchtower/pkg/types"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"os"
"testing"
"time"
)
func TestDigest(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(GinkgoT(), "Digest Suite")
}
var DockerHubCredentials = &wtTypes.RegistryCredentials{
Username: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_DH_USERNAME"),
Password: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_DH_PASSWORD"),
}
var GHCRCredentials = &wtTypes.RegistryCredentials{
Username: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_GH_USERNAME"),
Password: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_GH_PASSWORD"),
}
func SkipIfCredentialsEmpty(credentials *wtTypes.RegistryCredentials, fn func()) func() {
if credentials.Username == "" {
return func() {
Skip("Username missing. Skipping integration test")
}
} else if credentials.Password == "" {
return func() {
Skip("Password missing. Skipping integration test")
}
} else {
return fn
}
}
var _ = Describe("Digests", func() {
mockId := "mock-id"
mockName := "mock-container"
mockImage := "ghcr.io/k6io/operator:latest"
mockCreated := time.Now()
mockDigest := "ghcr.io/k6io/operator@sha256:d68e1e532088964195ad3a0a71526bc2f11a78de0def85629beb75e2265f0547"
mockContainer := mocks.CreateMockContainerWithDigest(
mockId,
mockName,
mockImage,
mockCreated,
mockDigest)
When("a digest comparison is done", func() {
It("should return true if digests match",
SkipIfCredentialsEmpty(GHCRCredentials, func() {
creds := fmt.Sprintf("%s:%s", GHCRCredentials.Username, GHCRCredentials.Password)
matches, err := digest.CompareDigest(mockContainer, creds)
Expect(err).NotTo(HaveOccurred())
Expect(matches).To(Equal(true))
}),
)
It("should return false if digests differ", func() {
})
It("should return an error if the registry isn't available", func() {
})
})
When("using different registries", func() {
It("should work with DockerHub",
SkipIfCredentialsEmpty(DockerHubCredentials, func() {
fmt.Println(DockerHubCredentials != nil) // to avoid crying linters
}),
)
It("should work with GitHub Container Registry",
SkipIfCredentialsEmpty(GHCRCredentials, func() {
fmt.Println(GHCRCredentials != nil) // to avoid crying linters
}),
)
})
})
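Review bot: The specs `should return false if digests differ` and `should return an error if the registry isn't available` have empty bodies, so they pass without exercising anything and hide that those two paths of CompareDigest are untested; either give them assertions or declare them with `PIt` so the suite reports them as pending rather than green. The matching spec passes CompareDigest a plain `user:pass` string built with fmt.Sprintf, while TransformAuth in the digest package expects a base64-encoded JSON credentials object, so the value appears to reach auth.GetToken untransformed — worth confirming against that function before relying on this test. The two "using different registries" specs only print a boolean and so verify nothing about either registry; a comment such as `// TODO: exercise CompareDigest against this registry` would at least make the placeholder intent explicit.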