mirror of
https://github.com/drone/drone-kaniko.git
synced 2026-06-04 18:23:49 +08:00
Compare commits
4 Commits
1.8.7
...
ecr_assume_role
| Author | SHA1 | Date | |
|---|---|---|---|
 Shubham Agrawal
|
a42a4d9d45 | ||
|
Shubham Agrawal
|
795f4da84a | ||
|
Shubham Agrawal
|
9533aa1f81 | ||
|
Shubham Agrawal
|
43e08c331c |
+77
-5
@@ -2,6 +2,7 @@ package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
@@ -12,14 +13,19 @@ import (
|
||||
"github.com/aws/aws-sdk-go-v2/config"
|
||||
"github.com/aws/aws-sdk-go-v2/service/ecr"
|
||||
"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
|
||||
"github.com/aws/smithy-go"
|
||||
kaniko "github.com/drone/drone-kaniko"
|
||||
"github.com/drone/drone-kaniko/pkg/artifact"
|
||||
"github.com/drone/drone-kaniko/pkg/docker"
|
||||
awsv1 "github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
|
||||
"github.com/aws/smithy-go"
|
||||
"github.com/joho/godotenv"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
"github.com/urfave/cli"
|
||||
|
||||
kaniko "github.com/drone/drone-kaniko"
|
||||
"github.com/drone/drone-kaniko/pkg/artifact"
|
||||
"github.com/drone/drone-kaniko/pkg/docker"
|
||||
)
|
||||
|
||||
const (
|
||||
@@ -154,6 +160,16 @@ func main() {
|
||||
Usage: "ECR secret key",
|
||||
EnvVar: "PLUGIN_SECRET_KEY",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "assume-role",
|
||||
Usage: "Assume a role",
|
||||
EnvVar: "PLUGIN_ASSUME_ROLE",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "external-id",
|
||||
Usage: "Used along with assume role to assume a role",
|
||||
EnvVar: "PLUGIN_EXTERNAL_ID",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "snapshot-mode",
|
||||
Usage: "Specify one of full, redo or time as snapshot mode",
|
||||
@@ -228,6 +244,9 @@ func run(c *cli.Context) error {
|
||||
c.String("access-key"),
|
||||
c.String("secret-key"),
|
||||
registry,
|
||||
c.String("assume-role"),
|
||||
c.String("external-id"),
|
||||
region,
|
||||
noPush,
|
||||
)
|
||||
if err != nil {
|
||||
@@ -306,13 +325,22 @@ func run(c *cli.Context) error {
|
||||
return plugin.Exec()
|
||||
}
|
||||
|
||||
func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey, registry string, noPush bool) (*docker.Config, error) {
|
||||
func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey,
|
||||
registry, assumeRole, externalId, region string, noPush bool) (*docker.Config, error) {
|
||||
dockerConfig := docker.NewConfig()
|
||||
|
||||
if dockerUsername != "" {
|
||||
dockerConfig.SetAuth(docker.RegistryV1, dockerUsername, dockerPassword)
|
||||
}
|
||||
|
||||
if accessKey == "" && assumeRole != "" {
|
||||
var err error
|
||||
accessKey, secretKey, err = getAssumeRoleCreds(region, assumeRole, externalId, "")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
// only setup auth when pushing or credentials are defined
|
||||
if !noPush || accessKey != "" {
|
||||
if registry == "" {
|
||||
@@ -419,6 +447,50 @@ func uploadRepositoryPolicy(region, repo, registry, repositoryPolicy string) (er
|
||||
return err
|
||||
}
|
||||
|
||||
func getAssumeRoleCreds(region, roleArn, externalId, roleSessionName string) (string, string, error) {
|
||||
sess, err := session.NewSession(&awsv1.Config{Region: ®ion})
|
||||
if err != nil {
|
||||
return "", "", errors.Wrap(err, "failed to create aws session")
|
||||
}
|
||||
|
||||
svc := ecrv1.New(sess, &awsv1.Config{
|
||||
Credentials: stscreds.NewCredentials(sess, roleArn, func(p *stscreds.AssumeRoleProvider) {
|
||||
if externalId != "" {
|
||||
p.ExternalID = &externalId
|
||||
}
|
||||
}),
|
||||
})
|
||||
|
||||
username, password, _, err := getAuthInfo(svc)
|
||||
if err != nil {
|
||||
return "", "", errors.Wrap(err, "failed to get ECR auth")
|
||||
}
|
||||
return username, password, nil
|
||||
}
|
||||
|
||||
func getAuthInfo(svc *ecrv1.ECR) (username, password, registry string, err error) {
|
||||
var result *ecrv1.GetAuthorizationTokenOutput
|
||||
var decoded []byte
|
||||
|
||||
result, err = svc.GetAuthorizationToken(&ecrv1.GetAuthorizationTokenInput{})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
auth := result.AuthorizationData[0]
|
||||
token := *auth.AuthorizationToken
|
||||
decoded, err = base64.StdEncoding.DecodeString(token)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
registry = strings.TrimPrefix(*auth.ProxyEndpoint, "https://")
|
||||
creds := strings.Split(string(decoded), ":")
|
||||
username = creds[0]
|
||||
password = creds[1]
|
||||
return
|
||||
}
|
||||
|
||||
func isRegistryPublic(registry string) bool {
|
||||
return strings.HasPrefix(registry, ecrPublicDomain)
|
||||
}
|
||||
|
||||
@@ -14,6 +14,9 @@ func TestCreateDockerConfig(t *testing.T) {
|
||||
"access-key",
|
||||
"secret-key",
|
||||
"ecr-registry",
|
||||
"",
|
||||
"",
|
||||
"",
|
||||
false,
|
||||
)
|
||||
if err != nil {
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
module github.com/drone/drone-kaniko
|
||||
|
||||
require (
|
||||
github.com/aws/aws-sdk-go v1.44.51
|
||||
github.com/aws/aws-sdk-go-v2 v1.8.1
|
||||
github.com/aws/aws-sdk-go-v2/config v1.6.1
|
||||
github.com/aws/aws-sdk-go-v2/service/ecr v1.4.3
|
||||
@@ -12,7 +13,7 @@ require (
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/sirupsen/logrus v1.3.0
|
||||
github.com/urfave/cli v1.22.2
|
||||
golang.org/x/mod v0.4.2
|
||||
golang.org/x/mod v0.5.1
|
||||
)
|
||||
|
||||
require (
|
||||
@@ -28,7 +29,7 @@ require (
|
||||
github.com/russross/blackfriday/v2 v2.0.1 // indirect
|
||||
github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d // indirect
|
||||
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
|
||||
)
|
||||
|
||||
go 1.18
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||
github.com/aws/aws-sdk-go v1.44.51 h1:jO9hoLynZOrMM4dj0KjeKIK+c6PA+HQbKoHOkAEye2Y=
|
||||
github.com/aws/aws-sdk-go v1.44.51/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
|
||||
github.com/aws/aws-sdk-go-v2 v1.8.1 h1:GcFgQl7MsBygmeeqXyV1ivrTEmsVz/rdFJaTcltG9ag=
|
||||
github.com/aws/aws-sdk-go-v2 v1.8.1/go.mod h1:xEFuWz+3TYdlPRuo+CqATbeDWIWyaT5uAPwPaWtgse0=
|
||||
github.com/aws/aws-sdk-go-v2/config v1.6.1 h1:qrZINaORyr78syO1zfD4l7r4tZjy0Z1l0sy4jiysyOM=
|
||||
@@ -59,19 +61,20 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
|
||||
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||
golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
|
||||
golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
|
||||
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
|
||||
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
|
||||
Reference in New Issue
Block a user