[test] Import from registry using credentials - tier 1 test (#1281)

Signed-off-by: Tomasz Baranski <tbaransk@redhat.com>

manifests/templates/registry-host.yaml.in

@@ -30,6 +30,7 @@ spec:
       containers:
       - name: registry
         image: {{ .DockerRepo }}/cdi-func-test-registry:{{ .DockerTag }}
+        command: ["/start-registry.sh", "/etc/docker/registry/registry-config.yml"]
         imagePullPolicy: {{ .PullPolicy }}
         ports:
           - name: sec-docker-reg
@@ -40,6 +41,8 @@ spec:
           mountPath: "/tmp/health"
         - name: "images"
           mountPath: "/tmp/shared"
+        - name: "registry-storage"
+          mountPath: "/var/lib/registry"
         readinessProbe:
           exec:
             command:
@@ -47,6 +50,28 @@ spec:
              - /tmp/health/ready
           initialDelaySeconds: 20
           periodSeconds: 20
+      - name: registry-auth
+        image: {{ .DockerRepo }}/cdi-func-test-registry:{{ .DockerTag }}
+        command: ["/start-registry.sh", "/etc/docker/registry/registry-auth-config.yml"]
+        imagePullPolicy: {{ .PullPolicy }}
+        ports:
+          - name: auth-docker-reg
+            containerPort: 1443
+        resources: {}
+        volumeMounts:
+        - name: "health"
+          mountPath: "/tmp/health"
+        - name: "images"
+          mountPath: "/tmp/shared"
+        - name: "registry-storage"
+          mountPath: "/var/lib/registry"
+        readinessProbe:
+          exec:
+            command:
+              - cat
+              - /tmp/health/ready
+          initialDelaySeconds: 20
+          periodSeconds: 20
       - name: registry-populate
         image: {{ .DockerRepo }}/cdi-func-test-registry-populate:{{ .DockerTag }}
         imagePullPolicy: {{ .PullPolicy }}
@@ -75,6 +100,8 @@ spec:
         emptyDir: {}
       - name: "health"
         emptyDir: {}
+      - name: "registry-storage"
+        emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
@@ -93,3 +120,6 @@ spec:
   - name: alt-sec-docker-reg
     port: 5000
     targetPort: 443
+  - name: auth-docker-reg
+    port: 1443
+    targetPort: 1443

tests/transport_test.go

@@ -125,6 +125,7 @@ var _ = Describe("Transport Tests", func() {
 	httpsNoAuthEp := fmt.Sprintf("https://%s:%d", utils.FileHostName+"."+f.CdiInstallNs, utils.HTTPSNoAuthPort)
 	httpAuthEp := fmt.Sprintf("http://%s:%d", utils.FileHostName+"."+f.CdiInstallNs, utils.HTTPAuthPort)
 	registryNoAuthEp := fmt.Sprintf("docker://%s", utils.RegistryHostName+"."+f.CdiInstallNs)
+	registryAuthEp := fmt.Sprintf("docker://%s.%s:%d", utils.RegistryHostName, f.CdiInstallNs, 1443)
 	altRegistryNoAuthEp := fmt.Sprintf("docker://%s.%s:%d", utils.RegistryHostName, f.CdiInstallNs, 5000)
 	DescribeTable("Transport Test Table", it,
 		Entry("should connect to http endpoint without credentials", httpNoAuthEp, targetFile, "", "", controller.SourceHTTP, "", false, true),
@@ -133,6 +134,8 @@ var _ = Describe("Transport Tests", func() {
 		Entry("should connect to QCOW http endpoint without credentials", httpNoAuthEp, targetQCOWFile, "", "", controller.SourceHTTP, "", false, true),
 		Entry("should connect to QCOW http endpoint with credentials", httpAuthEp, targetQCOWFile, utils.AccessKeyValue, utils.SecretKeyValue, controller.SourceHTTP, "", false, true),
 		Entry("should succeed to import from registry when image contains valid qcow file, custom cert", registryNoAuthEp, targetQCOWImage, "", "", controller.SourceRegistry, "cdi-docker-registry-host-certs", false, true),
+		Entry("should fail to import from registry when image contains valid qcow file, custom cert+auth, invalid credentials", registryAuthEp, targetQCOWImage, "invalid", "invalid", controller.SourceRegistry, "cdi-docker-registry-host-certs", true, false),
+		Entry("should succeed to import from registry when image contains valid qcow file, custom cert+auth, valid credentials", registryAuthEp, targetQCOWImage, utils.AccessKeyValue, utils.SecretKeyValue, controller.SourceRegistry, "cdi-docker-registry-host-certs", true, true),
 		Entry("should succeed to import from registry when image contains valid qcow file, no auth", registryNoAuthEp, targetQCOWImage, "", "", controller.SourceRegistry, "", true, true),
 		Entry("should succeed to import from registry when image contains valid qcow file, auth", altRegistryNoAuthEp, targetQCOWImage, "", "", controller.SourceRegistry, "", true, true),
 		Entry("should fail no certs", registryNoAuthEp, targetQCOWImage, "", "", controller.SourceRegistry, "", false, false),

tools/cdi-func-test-registry-init/BUILD.bazel

@@ -119,6 +119,8 @@ filegroup(
     name = "registry-config",
     srcs = [
         ":registry-config.yml",
+        ":registry-auth-config.yml",
+        ":htpasswd",
     ],
 )
 

tools/cdi-func-test-registry-init/htpasswd

@@ -0,0 +1 @@
+admin:$2y$05$MxYjtuvQODD2Rq36.PD3KOZzPGbqvLJ1gPFa6b.rTOPxCVYXmF3sy

tools/cdi-func-test-registry-init/populate-registry.sh

@@ -87,12 +87,12 @@ function error {
 
 #Iterate over all images build them and push them into cdi registry
 function pushImages {
-   images=$1 
+   images=$1
    registry_host=$2
    registry_port=$3
    registry_tls=$4
    registry=$registry_host":"$registry_port
-   
+
    shopt -s nullglob
    for IMAGEDIR in *$DIR; do
         cd $IMAGEDIR
@@ -101,15 +101,15 @@ function pushImages {
         IMAGENAME=${FILE//.}
         echo "building image "$IMAGENAME
         buildah bud -t $IMAGENAME":latest" $images"/"$IMAGEDIR"/"
-	error $?	
+        error $?
         echo "pushing image "$IMAGENAME" to registry-service: "$registry
         buildah push $registry_tls  $IMAGENAME":latest" "docker://"$registry"/"$IMAGENAME
-	error $?
+	    error $?
         cd ../
    done
 }
 
-#remove storage.conf if exists 
+#remove storage.conf if exists
 rm -rf /etc/containers/storage.conf
 
 #start health beat
@@ -117,7 +117,7 @@ health $HEALTH_PATH $HEALTH_PERIOD &
 
 #prepare and poush images
 prepareImages $IMAGES_SRC $IMAGES_CTR
-pushImages  $IMAGES_CTR $REGISTRY_HOST $REGISTRY_PORT $REGISTRY_TLS
+pushImages $IMAGES_CTR $REGISTRY_HOST $REGISTRY_PORT $REGISTRY_TLS
 
 #mark container as ready
 ready $READYNESS_PATH $READYNESS_PERIOD &

tools/cdi-func-test-registry-init/registry-auth-config.yml

@@ -0,0 +1,28 @@
+version: 0.1
+log:
+  fields:
+    service: registry
+storage:
+  cache:
+    blobdescriptor: inmemory
+  filesystem:
+    rootdirectory: /var/lib/registry
+  maintenance:
+    readonly:
+      enabled: true
+auth:
+  htpasswd:
+    realm: basic-realm
+    path: /etc/docker/registry/htpasswd
+http:
+  addr: :1443
+  tls:
+    certificate: /tmp/shared/certs/domain.crt
+    key: /tmp/shared/certs/domain.key
+  headers:
+    X-Content-Type-Options: [nosniff]
+health:
+  storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3

tools/cdi-func-test-registry-init/start-registry.sh

@@ -1,2 +1,3 @@
 #!/bin/sh
-registry serve /etc/docker/registry/registry-config.yml
+CONFIG_FILE=${1:-/etc/docker/registry/registry-config.yml}
+registry serve ${CONFIG_FILE}