Skip to content

[image-builder-mk3] log errors for auth #18611

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Aug 30, 2023
Merged

[image-builder-mk3] log errors for auth #18611

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8c5ee96
[image-builder-mk3] improve error logging for auth
kylos101 Aug 28, 2023
466994c
Warn when empty
kylos101 Aug 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 26 additions & 4 deletions components/image-builder-mk3/pkg/auth/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ func NewDockerConfigFileAuth(fn string) (*DockerConfigFileAuth, error) {
res.loadFromFile(fn)
})
if err != nil {
log.WithError(err).WithField("path", fn).Error("error watching file")
return nil, err
}

Expand All @@ -64,6 +65,7 @@ func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
defer func() {
if err != nil {
err = fmt.Errorf("error loading Docker config from %s: %w", fn, err)
log.WithError(err).WithField("path", fn).Error("failed loading from file")
}
}()

Expand All @@ -75,6 +77,7 @@ func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
_, _ = hash.Write(cntnt)
newHash := fmt.Sprintf("%x", hash.Sum(nil))
if a.hash == newHash {
log.Infof("nothing has changed: %s", fn)
return nil
}

Expand All @@ -91,13 +94,15 @@ func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
a.C = cfg
a.hash = newHash

log.Infof("file has changed: %s", fn)
return nil
}

// Authenticate attempts to provide an encoded authentication string for Docker registry access
func (a *DockerConfigFileAuth) Authenticate(ctx context.Context, registry string) (auth *Authentication, err error) {
ac, err := a.C.GetAuthConfig(registry)
if err != nil {
log.WithError(err).WithField("registry", registry).Error("failed DockerConfigFileAuth Authenticate")
return nil, err
}

Expand All @@ -119,10 +124,13 @@ func (ca CompositeAuth) Authenticate(ctx context.Context, registry string) (auth
for _, ath := range ca {
res, err := ath.Authenticate(ctx, registry)
if err != nil {
log.WithError(err).WithField("registry", registry).Errorf("failed CompositeAuth Authenticate")
return nil, err
}
if !res.Empty() {
return res, nil
} else {
log.WithField("registry", registry).Warn("response was empty for CompositeAuth authenticate")
}
}
return &Authentication{}, nil
Expand Down Expand Up @@ -154,6 +162,13 @@ func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string)
return nil, nil
}

defer func() {
if err != nil {
err = fmt.Errorf("error with ECR authenticate: %w", err)
log.WithError(err).WithField("registry", registry).Error("failed ECR authenticate")
}
}()
Comment on lines +165 to +170
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a few errors in func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string), which this could help surface.


ath.ecrAuthLock.Lock()
defer ath.ecrAuthLock.Unlock()
if time.Since(ath.ecrAuthLastRefreshTime) > ecrTokenRefreshTime {
Expand All @@ -162,7 +177,8 @@ func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string)
return nil, err
}
if len(tknout.AuthorizationData) == 0 {
return nil, fmt.Errorf("no ECR authorization data received")
err = fmt.Errorf("no ECR authorization data received")
return nil, err
}

pwd, err := base64.StdEncoding.DecodeString(aws.ToString(tknout.AuthorizationData[0].AuthorizationToken))
Expand All @@ -172,12 +188,15 @@ func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string)

ath.ecrAuth = string(pwd)
ath.ecrAuthLastRefreshTime = time.Now()
log.Debug("refreshed ECR token")
log.Info("refreshed ECR token")
} else {
log.Info("no ECR token refresh necessary")
}

segs := strings.Split(ath.ecrAuth, ":")
if len(segs) != 2 {
return nil, fmt.Errorf("cannot understand ECR token. Expected 2 segments, got %d", len(segs))
err = fmt.Errorf("cannot understand ECR token. Expected 2 segments, got %d", len(segs))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By setting err here, it's value will be included in the above defer.

return nil, err
}
return &Authentication{
Username: segs[0],
Expand Down Expand Up @@ -299,6 +318,7 @@ func (a AllowedAuthFor) GetAuthFor(ctx context.Context, auth RegistryAuthenticat

ref, err := reference.ParseNormalizedNamed(refstr)
if err != nil {
log.WithError(err).Errorf("failed parsing normalized name")
return nil, xerrors.Errorf("cannot parse image ref: %v", err)
}
reg := reference.Domain(ref)
Expand Down Expand Up @@ -359,6 +379,8 @@ func (a AllowedAuthFor) additionalAuth(domain string) *Authentication {
res.Username = segs[0]
res.Password = strings.Join(segs[1:], ":")
}
} else {
log.Errorf("failed getting additional auth")
}
return res
}
Expand Down Expand Up @@ -386,7 +408,7 @@ func (a AllowedAuthFor) GetImageBuildAuthFor(ctx context.Context, auth RegistryA
for _, reg := range additionalRegistries {
ath, err := auth.Authenticate(ctx, reg)
if err != nil {
log.WithError(err).WithField("registry", reg).Warn("cannot get authentication for additioanl registry for image build")
log.WithError(err).WithField("registry", reg).Warn("cannot get authentication for additional registry for image build")
continue
}
if ath.Empty() {
Expand Down