Merge pull request #904 from kmala/regis

fest(registry):Add support for private registry

Author: kmala

rootfs/api/models/release.py

@@ -37,6 +37,8 @@ def __str__(self):
 
     @property
     def image(self):
+        if (settings.REGISTRY_LOCATION != 'on-cluster'):
+            return self.build.image
         # Builder pushes to internal registry, exclude SHA based images from being returned
         registry = self.config.registry
         if (
@@ -111,7 +113,7 @@ def publish(self):
             not self.build.sha and
             # hostname tells Builder where to push images
             not registry.get('hostname', None)
-        ):
+        ) or (settings.REGISTRY_LOCATION != 'on-cluster'):
             self.app.log('{} exists in the target registry. Using image for release {} of app {}'.format(self.build.image, self.version, self.app))  # noqa
             return
 
@@ -148,7 +150,7 @@ def get_port(self):
                 return 5000
 
             # application has registry auth - $PORT is required
-            if creds is not None:
+            if (creds is not None) or (settings.REGISTRY_LOCATION != 'on-cluster'):
                 if envs.get('PORT', None) is None:
                     self.app.log('Private registry detected but no $PORT defined. Defaulting to $PORT 5000', logging.WARNING)  # noqa
                     return 5000

rootfs/api/settings/production.py

@@ -283,6 +283,8 @@
 REGISTRY_HOST = os.environ.get('DEIS_REGISTRY_SERVICE_HOST', '127.0.0.1')
 REGISTRY_PORT = os.environ.get('DEIS_REGISTRY_SERVICE_PORT', 5000)
 REGISTRY_URL = '{}:{}'.format(REGISTRY_HOST, REGISTRY_PORT)
+REGISTRY_LOCATION = os.environ.get('DEIS_REGISTRY_LOCATION', 'on-cluster')
+REGISTRY_SECRET_PREFIX = os.environ.get('DEIS_REGISTRY_SECRET_PREFIX', 'private-registry')
 
 # logger settings
 LOGGER_HOST = os.environ.get('DEIS_LOGGER_SERVICE_HOST', '127.0.0.1')

rootfs/api/tests/test_release.py

@@ -10,6 +10,7 @@
 
 from django.contrib.auth.models import User
 from django.core.cache import cache
+from django.conf import settings
 from rest_framework.test import APITransactionTestCase
 from unittest import mock
 from rest_framework.authtoken.models import Token
@@ -391,3 +392,27 @@ def test_release_get_port(self, mock_requests):
         self.assertEqual(release.get_port(), 8080)
 
         # TODO(bacongobbler): test dockerfile ports
+
+    def test_release_external_registry(self, mock_requests):
+        """
+        Test that get_port always returns the proper value.
+        """
+        app_id = "test"
+        body = {'id': app_id}
+        response = self.client.post('/v2/apps', body,)
+        self.assertEqual(response.status_code, 201, response.data)
+        body = {'values': json.dumps({'PORT': '3000'})}
+        config_response = self.client.post('/v2/apps/test/config', body)
+        self.assertEqual(config_response.status_code, 201, config_response.data)
+
+        app = App.objects.get(id=app_id)
+        settings.REGISTRY_LOCATION = "off-cluster"
+        url = '/v2/apps/{app_id}/builds'.format(**locals())
+        body = {'image': 'test/autotest/example'}
+        response = self.client.post(url, body)
+        self.assertEqual(response.status_code, 201, response.data)
+        release = app.release_set.latest()
+
+        self.assertEqual(release.get_port(), 3000)
+
+        self.assertEqual(release.image, 'test/autotest/example')

rootfs/scheduler/__init__.py

@@ -643,15 +643,31 @@ def _set_container(self, namespace, container_name, data, **kwargs):  # noqa
             self._default_readiness_probe(data, kwargs.get('build_type'), env.get('PORT', None))
 
     def _get_private_registry_config(self, registry, image):
-        # try to get the hostname information
-        hostname = registry.get('hostname', None)
-        if not hostname:
-            hostname, _ = docker_auth.split_repo_name(image)
-        if hostname == docker_auth.INDEX_NAME:
-            hostname = "https://index.docker.io/v1/"
+        secret_name = settings.REGISTRY_SECRET_PREFIX
+        if registry:
+            # try to get the hostname information
+            hostname = registry.get('hostname', None)
+            if not hostname:
+                hostname, _ = docker_auth.split_repo_name(image)
+            if hostname == docker_auth.INDEX_NAME:
+                hostname = "https://index.docker.io/v1/"
+            username = registry.get('username')
+            password = registry.get('password')
+        elif settings.REGISTRY_LOCATION == 'off-cluster':
+            secret = self.get_secret('deis', 'registry-secret').json()
+            username = secret['data']['username']
+            password = secret['data']['password']
+            hostname = secret['data']['hostname']
+            if hostname == '':
+                hostname = "https://index.docker.io/v1/"
+            secret_name = secret_name+"-"+settings.REGISTRY_LOCATION
+        elif settings.REGISTRY_LOCATION in ['ecr', 'gcr']:
+            return None, secret_name+"-"+settings.REGISTRY_LOCATION, False
+        else:
+            return None, None, None
 
         # create / update private registry secret
-        auth = bytes('{}:{}'.format(registry.get('username'), registry.get('password')), 'UTF-8')
+        auth = bytes('{}:{}'.format(username, password), 'UTF-8')
         # value has to be a base64 encoded JSON
         docker_config = json.dumps({
             "auths": {
@@ -660,36 +676,34 @@ def _get_private_registry_config(self, registry, image):
                 }
             }
         })
-        return docker_config
+        return docker_config, secret_name, True
 
     def _set_image_secret(self, data, namespace, **kwargs):
         """
         Take registry information and set as an imagePullSecret for an RC / Deployment
         http://kubernetes.io/docs/user-guide/images/#specifying-imagepullsecrets-on-a-pod
         """
-        registry = kwargs.get('registry', {})
-        if not registry:
+        docker_config, secret_name, secret_create = self._get_private_registry_config(kwargs.get('registry', {}), kwargs.get('image'))  # noqa
+        if secret_create is None:
             return
-        docker_config = self._get_private_registry_config(registry, kwargs.get('image'))  # noqa
-        secret_data = {'.dockerconfigjson': docker_config}
-
-        secret_name = 'private-registry'
-        try:
-            self.get_secret(namespace, secret_name)
-        except KubeHTTPException:
-            self.create_secret(
-                namespace,
-                secret_name,
-                secret_data,
-                secret_type='kubernetes.io/dockerconfigjson'
-            )
-        else:
-            self.update_secret(
-                namespace,
-                secret_name,
-                secret_data,
-                secret_type='kubernetes.io/dockerconfigjson'
-            )
+        elif secret_create:
+            secret_data = {'.dockerconfigjson': docker_config}
+            try:
+                self.get_secret(namespace, secret_name)
+            except KubeHTTPException:
+                self.create_secret(
+                    namespace,
+                    secret_name,
+                    secret_data,
+                    secret_type='kubernetes.io/dockerconfigjson'
+                )
+            else:
+                self.update_secret(
+                    namespace,
+                    secret_name,
+                    secret_data,
+                    secret_type='kubernetes.io/dockerconfigjson'
+                )
 
         # apply image pull secret to a Pod spec
         data['imagePullSecrets'] = [{'name': secret_name}]
@@ -821,7 +835,10 @@ def create_namespace(self, namespace):
             "kind": "Namespace",
             "apiVersion": "v1",
             "metadata": {
-                "name": namespace
+                "name": namespace,
+                "labels": {
+                    'heritage': 'deis'
+                }
             }
         }
 

rootfs/scheduler/mock.py

@@ -707,6 +707,16 @@ def __init__(self):
             }
             self.create_secret('deis', 'objectstorage-keyfile', secrets)
 
+        try:
+            self.get_secret('deis', 'registry-secret')
+        except KubeHTTPException:
+            secrets = {
+                'username': 'test',
+                'password': 'test',
+                'hostname': ''
+            }
+            self.create_secret('deis', 'registry-secret', secrets)
+
         try:
             self.get_namespace('duplicate')
         except KubeHTTPException:

rootfs/scheduler/tests/test_scheduler.py

@@ -5,6 +5,7 @@
 """
 from django.core.cache import cache
 from django.test import TestCase
+from django.conf import settings
 
 from scheduler import mock
 import base64
@@ -75,18 +76,47 @@ def test_get_private_registry_config(self):
         encAuth = base64.b64encode(auth).decode(encoding='UTF-8')
         image = 'test/test'
 
-        dockerConfig = self.scheduler_client._get_private_registry_config(registry, image)
-        dockerConfig = json.loads(dockerConfig)
+        docker_config, secret_name, secret_create = self.scheduler_client._get_private_registry_config(registry, image)  # noqa
+        dockerConfig = json.loads(docker_config)
         expected = {"https://index.docker.io/v1/": {
             "auth": encAuth
         }}
         self.assertEqual(dockerConfig.get('auths'), expected)
+        self.assertEqual(secret_name, "private-registry")
+        self.assertEqual(secret_create, True)
 
         image = "quay.io/test/test"
 
-        dockerConfig = self.scheduler_client._get_private_registry_config(registry, image)
-        dockerConfig = json.loads(dockerConfig)
+        docker_config, secret_name, secret_create = self.scheduler_client._get_private_registry_config(registry, image)  # noqa
+        dockerConfig = json.loads(docker_config)
         expected = {"quay.io": {
             "auth": encAuth
         }}
         self.assertEqual(dockerConfig.get('auths'), expected)
+        self.assertEqual(secret_name, "private-registry")
+        self.assertEqual(secret_create, True)
+
+        settings.REGISTRY_LOCATION = "ecr"
+        registry = {}
+        image = "test.com/test/test"
+        docker_config, secret_name, secret_create = self.scheduler_client._get_private_registry_config(registry, image)  # noqa
+        self.assertEqual(docker_config, None)
+        self.assertEqual(secret_name, "private-registry-ecr")
+        self.assertEqual(secret_create, False)
+
+        settings.REGISTRY_LOCATION = "off-cluster"
+        docker_config, secret_name, secret_create = self.scheduler_client._get_private_registry_config(registry, image)  # noqa
+        dockerConfig = json.loads(docker_config)
+        expected = {"https://index.docker.io/v1/": {
+            "auth": encAuth
+        }}
+        self.assertEqual(dockerConfig.get('auths'), expected)
+        self.assertEqual(secret_name, "private-registry-off-cluster")
+        self.assertEqual(secret_create, True)
+
+        settings.REGISTRY_LOCATION = "ecra"
+        image = "test.com/test/test"
+        docker_config, secret_name, secret_create = self.scheduler_client._get_private_registry_config(registry, image)  # noqa
+        self.assertEqual(docker_config, None)
+        self.assertEqual(secret_name, None)
+        self.assertEqual(secret_create, None)