
Commit e271071

registry login should not encode service account name
system:serviceaccount:blah:blah is incorrectly encoded into base64 for authorization, causing the successive login to fail. Instead, encode it as system-serviceaccount-namespace-name which is ignored by the registry. Also add an insecure flag to skip-check that will bypass validating TLS certs during the skip-check.
1 parent aafc006 commit e271071

3 files changed

+13
-3
lines changed

contrib/completions/bash/oc

Lines changed: 2 additions & 0 deletions

contrib/completions/zsh/oc

Lines changed: 2 additions & 0 deletions

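--- a/pkg/oc/cli/cmd/registry/login/login.go
+++ b/pkg/oc/cli/cmd/registry/login/login.go
@@ -19,6 +19,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 apirequest "k8s.io/apiserver/pkg/endpoints/request"
 clientset "k8s.io/client-go/kubernetes"
+"k8s.io/client-go/rest"
 "k8s.io/client-go/util/homedir"
 "k8s.io/kubernetes/pkg/kubectl/cmd/templates"
 kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
@@ -82,6 +83,7 @@ type LoginOptions struct {
 Credentials Credentials
 HostPort string
 SkipCheck bool
+Insecure bool
 CreateDirectory bool
 
 Out io.Writer
@@ -114,6 +116,7 @@ func New(name string, f kcmdutil.Factory, out, errOut io.Writer) *cobra.Command
 flag.StringVarP(&o.ServiceAccount, "service-account", "z", o.ServiceAccount, "Log in as the specified service account name in the specified namespace.")
 flag.StringVar(&o.HostPort, "registry", o.HostPort, "An alternate domain name and port to use for the registry, defaults to the cluster's configured external hostname.")
 flag.BoolVar(&o.SkipCheck, "skip-check", o.SkipCheck, "Skip checking the credentials against the registry.")
+flag.BoolVar(&o.Insecure, "insecure", o.Insecure, "Bypass HTTPS certificate verification when checking the registry login.")
 
 return cmd
 }
@@ -155,7 +158,7 @@ func (o *LoginOptions) Complete(f kcmdutil.Factory, args []string) error {
 if len(token) == 0 {
 continue
 }
-o.Credentials = newCredentials(fmt.Sprintf("system:serviceaccount:%s:%s", ns, o.ServiceAccount), string(token))
+o.Credentials = newCredentials(fmt.Sprintf("system-serviceaccount-%s-%s", ns, o.ServiceAccount), string(token))
 break
 }
 if o.Credentials.Empty() {
@@ -239,9 +242,12 @@ func (o *LoginOptions) Run() error {
 creds := registryclient.NewBasicCredentials()
 url := &url.URL{Host: o.HostPort}
 creds.Add(url, o.Credentials.Username, o.Credentials.Password)
-c := registryclient.NewContext(http.DefaultTransport, http.DefaultTransport).WithCredentials(creds)
-_, err := c.Repository(ctx, url, "does_not_exist", false)
+insecureRT, err := rest.TransportFor(&rest.Config{TLSClientConfig: rest.TLSClientConfig{Insecure: true}})
 if err != nil {
+return err
+}
+c := registryclient.NewContext(http.DefaultTransport, insecureRT).WithCredentials(creds)
+if _, err := c.Repository(ctx, url, "does_not_exist", o.Insecure); err != nil {
 return fmt.Errorf("unable to check your credentials - pass --skip-check to bypass this error: %v", err)
 }
 }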
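Review bot: In the last hunk (Run), the certificate-skipping transport is built with `Insecure: true` on every credential check, whether or not `--insecure` was passed; only the boolean handed to `c.Repository` separates the two paths, and how registryclient uses that boolean is not visible here. Building that transport only when `o.Insecure` is set, and otherwise passing `http.DefaultTransport` for both arguments as the removed line did, keeps the default path unable to reach an unverified connection. Because this check sends the service account token as the basic-auth password, the `--insecure` help text should also say that the token goes to an endpoint whose certificate was not verified. Run starts above the hunk and the enclosing block is only partly visible.

```go
// … unchanged: creds and url setup …
secondary := http.DefaultTransport
if o.Insecure {
	// Only build the non-verifying transport when the user opted in.
	rt, err := rest.TransportFor(&rest.Config{TLSClientConfig: rest.TLSClientConfig{Insecure: true}})
	if err != nil {
		return err
	}
	secondary = rt
}
c := registryclient.NewContext(http.DefaultTransport, secondary).WithCredentials(creds)
// … unchanged: c.Repository check and error return …
```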
