proxy registry: offline mode

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "trow"
-version = "0.5.2"
+version = "0.6.0"
 authors = []
 edition = "2021"
 

charts/trow/Chart.yaml

@@ -3,5 +3,5 @@ name: trow
 description: Helm chart for Trow registry
 
 type: application
-version: 0.5.3
-appVersion: 0.5.2
+version: 0.6.0
+appVersion: 0.6.0

charts/trow/values.yaml

@@ -32,14 +32,16 @@ trow:
     ## Ignore or Fail
     onWebhookFailure: Ignore
     config:
-      - alias: docker
-        host: registry-1.docker.io
-      - alias: nvcr
-        host: https://nvcr.io
-      - alias: quay
-        host: quay.io
-      # - alias: toto
-      #  host: http://toto.land
+      offline: false
+      registries:
+        - alias: docker
+          host: registry-1.docker.io
+        - alias: nvcr
+          host: https://nvcr.io
+        - alias: quay
+          host: quay.io
+        # - alias: toto
+        #  host: http://toto.land
   ## For more info on log levels see https://docs.rs/tracing-subscriber/0.3.17/tracing_subscriber/filter/struct.EnvFilter.html
   logLevel: info
 
@@ -60,19 +62,21 @@ service:
 ingress:
   enabled: false
   gke: false
-  annotations: {}
+  annotations:
+    {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
-    - paths: ['/']
+    - paths: ["/"]
       # use "none" to not set a host (otherwise defaults to trow.domain)
       host:
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
   #      - chart-example.local
 
-resources: {}
+resources:
+  {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -91,7 +95,7 @@ tolerations: []
 affinity: {}
 
 volumeClaim:
-  accessModes: [ "ReadWriteOnce" ]
+  accessModes: ["ReadWriteOnce"]
   resources:
     requests:
       storage: 20Gi

src/lib.rs

@@ -21,7 +21,7 @@ use client_interface::ClientInterface;
 use futures::Future;
 use thiserror::Error;
 use tracing::{event, Level};
-use trow_server::{ImageValidationConfig, RegistryProxyConfig};
+use trow_server::{ImageValidationConfig, RegistryProxiesConfig};
 use uuid::Uuid;
 
 //TODO: Make this take a cause or description
@@ -58,7 +58,7 @@ pub struct TrowConfig {
     tls: Option<TlsConfig>,
     grpc: GrpcConfig,
     service_name: String,
-    proxy_registry_config: Vec<RegistryProxyConfig>,
+    proxy_registry_config: Option<RegistryProxiesConfig>,
     image_validation_config: Option<ImageValidationConfig>,
     dry_run: bool,
     token_secret: String,
@@ -128,7 +128,7 @@ impl TrowBuilder {
             tls: None,
             grpc: GrpcConfig { listen },
             service_name,
-            proxy_registry_config: Vec::new(),
+            proxy_registry_config: None,
             image_validation_config: None,
             dry_run,
             token_secret: Uuid::new_v4().to_string(),
@@ -142,9 +142,9 @@ impl TrowBuilder {
         let config_file = config_file.as_ref();
         let config_str = fs::read_to_string(config_file)
             .with_context(|| format!("Could not read file `{}`", config_file))?;
-        let config = serde_yaml::from_str::<Vec<RegistryProxyConfig>>(&config_str)
+        let config = serde_yaml::from_str::<RegistryProxiesConfig>(&config_str)
             .with_context(|| format!("Could not parse file `{}`", config_file))?;
-        self.config.proxy_registry_config = config;
+        self.config.proxy_registry_config = Some(config);
         Ok(self)
     }
 
@@ -197,9 +197,9 @@ impl TrowBuilder {
             }
             None => println!("Image validation webhook not configured"),
         }
-        if !self.config.proxy_registry_config.is_empty() {
+        if let Some(proxy_config) = &self.config.proxy_registry_config {
             println!("Proxy registries configured:");
-            for config in &self.config.proxy_registry_config {
+            for config in &proxy_config.registries {
                 println!("  - {}: {}", config.alias, config.host);
             }
         } else {

tests/admission_mutation.rs

@@ -14,7 +14,7 @@ mod admission_mutation_tests {
     use k8s_openapi::api::core::v1::Pod;
     use kube::core::admission::AdmissionReview;
     use reqwest::StatusCode;
-    use trow_server::RegistryProxyConfig;
+    use trow_server::{RegistryProxiesConfig, SingleRegistryProxyConfig};
 
     use crate::common;
 
@@ -29,20 +29,23 @@ mod admission_mutation_tests {
     /// Call out to cargo to start trow.
     /// Seriously considering moving to docker run.
     async fn start_trow() -> TrowInstance {
-        let config_file = common::get_file(vec![
-            RegistryProxyConfig {
-                alias: "docker".to_string(),
-                host: "registry-1.docker.io".to_string(),
-                username: None,
-                password: None,
-            },
-            RegistryProxyConfig {
-                alias: "ecr".to_string(),
-                host: "1234.dkr.ecr.saturn-5.amazonaws.com".to_string(),
-                username: Some("AWS".to_string()),
-                password: None,
-            },
-        ]);
+        let config_file = common::get_file(RegistryProxiesConfig {
+            offline: false,
+            registries: vec![
+                SingleRegistryProxyConfig {
+                    alias: "docker".to_string(),
+                    host: "registry-1.docker.io".to_string(),
+                    username: None,
+                    password: None,
+                },
+                SingleRegistryProxyConfig {
+                    alias: "ecr".to_string(),
+                    host: "1234.dkr.ecr.saturn-5.amazonaws.com".to_string(),
+                    username: Some("AWS".to_string()),
+                    password: None,
+                },
+            ],
+        });
 
         let mut child = Command::new("cargo")
             .arg("run")

tests/cli.rs

@@ -4,7 +4,7 @@ mod common;
 #[cfg(test)]
 mod cli {
     use predicates::prelude::*;
-    use trow_server::{ImageValidationConfig, RegistryProxyConfig};
+    use trow_server::{ImageValidationConfig, RegistryProxiesConfig, SingleRegistryProxyConfig};
 
     use crate::common::get_file;
 
@@ -101,20 +101,23 @@ mod cli {
                 "Image validation webhook not configured",
             ));
 
-        let file = get_file::<Vec<RegistryProxyConfig>>(vec![
-            RegistryProxyConfig {
-                alias: "lovni".to_string(),
-                host: "jul.example.com".to_string(),
-                username: Some("robert".to_string()),
-                password: Some("1234".to_string()),
-            },
-            RegistryProxyConfig {
-                alias: "trow".to_string(),
-                host: "127.0.0.1".to_string(),
-                username: None,
-                password: None,
-            },
-        ]);
+        let file = get_file(RegistryProxiesConfig {
+            offline: true,
+            registries: vec![
+                SingleRegistryProxyConfig {
+                    alias: "lovni".to_string(),
+                    host: "jul.example.com".to_string(),
+                    username: Some("robert".to_string()),
+                    password: Some("1234".to_string()),
+                },
+                SingleRegistryProxyConfig {
+                    alias: "trow".to_string(),
+                    host: "127.0.0.1".to_string(),
+                    username: None,
+                    password: None,
+                },
+            ],
+        });
 
         get_command()
             .args([

tests/proxy.rs

@@ -10,7 +10,7 @@ mod interface_tests {
 
     use environment::Environment;
     use reqwest::StatusCode;
-    use trow_server::{manifest, RegistryProxyConfig};
+    use trow_server::{manifest, RegistryProxiesConfig, SingleRegistryProxyConfig};
 
     use crate::common;
 
@@ -22,26 +22,29 @@ mod interface_tests {
     }
 
     async fn start_trow() -> TrowInstance {
-        let config_file = common::get_file(vec![
-            RegistryProxyConfig {
-                alias: "docker".to_string(),
-                host: "registry-1.docker.io".to_string(),
-                username: None,
-                password: None,
-            },
-            RegistryProxyConfig {
-                alias: "nvcr".to_string(),
-                host: "nvcr.io".to_string(),
-                username: None,
-                password: None,
-            },
-            RegistryProxyConfig {
-                alias: "quay".to_string(),
-                host: "quay.io".to_string(),
-                username: None,
-                password: None,
-            },
-        ]);
+        let config_file = common::get_file(RegistryProxiesConfig {
+            offline: false,
+            registries: vec![
+                SingleRegistryProxyConfig {
+                    alias: "docker".to_string(),
+                    host: "registry-1.docker.io".to_string(),
+                    username: None,
+                    password: None,
+                },
+                SingleRegistryProxyConfig {
+                    alias: "nvcr".to_string(),
+                    host: "nvcr.io".to_string(),
+                    username: None,
+                    password: None,
+                },
+                SingleRegistryProxyConfig {
+                    alias: "quay".to_string(),
+                    host: "quay.io".to_string(),
+                    username: None,
+                    password: None,
+                },
+            ],
+        });
 
         let mut child = Command::new("cargo")
             .arg("run")

trow-server/src/admission.rs

@@ -97,14 +97,22 @@ impl AdmissionController for TrowServer {
     ) -> Result<Response<AdmissionResponse>, Status> {
         let ar = ar.into_inner();
         let mut patch_operations = Vec::<PatchOperation>::new();
+        let proxy_config = match self.proxy_registry_config.as_ref() {
+            Some(s) => s,
+            None => {
+                return Err(Status::internal(
+                    "Proxy registry config not set, cannot mutate image references",
+                ))
+            }
+        };
 
         for (raw_image, image_path) in ar.images.iter().zip(ar.image_paths.iter()) {
             let image = match RemoteImage::try_from_str(raw_image) {
                 Ok(image) => image,
                 Err(_) => continue,
             };
 
-            for cfg in self.proxy_registry_config.iter() {
+            for cfg in proxy_config.registries.iter() {
                 if image.get_host() == cfg.host {
                     event!(
                         Level::INFO,

trow-server/src/lib.rs

@@ -10,7 +10,7 @@ mod temporary_file;
 use std::future::Future;
 
 pub use admission::ImageValidationConfig;
-pub use proxy_auth::RegistryProxyConfig;
+pub use proxy_auth::{RegistryProxiesConfig, SingleRegistryProxyConfig};
 use server::trow_server::admission_controller_server::AdmissionControllerServer;
 use server::trow_server::registry_server::RegistryServer;
 use server::TrowServer;
@@ -19,7 +19,7 @@ use tonic::transport::Server;
 pub struct TrowServerBuilder {
     data_path: String,
     listen_addr: std::net::SocketAddr,
-    proxy_registry_config: Vec<RegistryProxyConfig>,
+    proxy_registry_config: Option<RegistryProxiesConfig>,
     image_validation_config: Option<ImageValidationConfig>,
     tls_cert: Option<Vec<u8>>,
     tls_key: Option<Vec<u8>>,
@@ -29,7 +29,7 @@ pub struct TrowServerBuilder {
 pub fn build_server(
     data_path: &str,
     listen_addr: std::net::SocketAddr,
-    proxy_registry_config: Vec<RegistryProxyConfig>,
+    proxy_registry_config: Option<RegistryProxiesConfig>,
     image_validation_config: Option<ImageValidationConfig>,
 ) -> TrowServerBuilder {
     TrowServerBuilder {