Documentation
Overview
This package has types for dealing with image registries (e.g., quay.io, DockerHub, Google Container Registry, ...).
Index
- Constants
- Variables
- func GetGCPOauthToken(host string) (creds, error)
- func ImageCredsWithAWSAuth(lookup func() ImageCreds, logger log.Logger, config AWSRegistryConfig) (func() error, func() ImageCreds)
- func ImageCredsWithDefaults(lookup func() ImageCreds, configPath string) (func() ImageCreds, error)
- type AWSRegistryConfig
- type Client
- type ClientFactory
- type Credentials
- type Excluded
- type ImageCreds
- type ImageEntry
- type Registry
- type Remote
- type RemoteClientFactory
Constants
const (
	LabelRequestKind    = "kind"
	RequestKindTags     = "tags"
	RequestKindMetadata = "metadata"
)
const (
	EKS_SYSTEM_ACCOUNT = "602401143452"
)
Variables
var (
	ErrNoImageData = errors.New("image data not available")
)
Functions
func GetGCPOauthToken
func ImageCredsWithAWSAuth
func ImageCredsWithAWSAuth(lookup func() ImageCreds, logger log.Logger, config AWSRegistryConfig) (func() error, func() ImageCreds)
ImageCredsWithAWSAuth wraps an image credentials func with another that adds two capabilities:
- it will include or exclude images from ECR accounts and regions according to the config given; and,
- if it can reach the AWS API, it will obtain credentials for ECR accounts from it, automatically refreshing them when necessary.
It also returns a "pre-flight check" that can be used to verify that the AWS API is available while starting up.
ECR registry URLs look like this:
    <account-id>.dkr.ecr.<region>.amazonaws.com
i.e., they can differ in the account ID and in the region. It's possible to refer to any registry from any cluster (although, being AWS, there will be a cost incurred). The config supplied can restrict based on the region:
- if a region or regions are supplied, exactly those regions shall be included;
- if no region is supplied, but it can be detected, the detected region is included;
- if no region is supplied _or_ detected, no region is included
... and on the account ID:
- if account IDs to include are supplied, only those are included
  - otherwise, all account IDs are included
  - the supplied list may be empty
with the exception:
- if account IDs to _exclude_ are supplied, those shall not be included
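The region and account rules above, written out as a strict host filter. This is an added example, not the package's implementation: `ecrPolicy`, its fields and `Allowed` are hypothetical names, only the `amazonaws.com` host form shown above is accepted, and the sample hosts are constructed, with the page's EKS_SYSTEM_ACCOUNT value standing in as an excluded account.

```go
package main

import (
	"fmt"
	"regexp"
)

// Anchored at both ends so a look-alike host that merely starts with a valid
// ECR name (e.g. "...amazonaws.com.example.test") never matches.
var ecrHost = regexp.MustCompile(`^([0-9]{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$`)

// ecrPolicy is a hypothetical stand-in; field names are assumptions.
type ecrPolicy struct {
	Regions         []string // explicit regions; empty means fall back to Detected
	Detected        string   // region detected at start-up, "" if none
	IncludeAccounts []string // empty means all accounts
	ExcludeAccounts []string // always wins over IncludeAccounts
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Allowed reports whether host is an ECR registry that the policy includes.
func (p ecrPolicy) Allowed(host string) bool {
	m := ecrHost.FindStringSubmatch(host) // m[1] = account ID, m[2] = region
	if m == nil {
		return false // not an ECR host, so not covered by this policy
	}
	regions := p.Regions
	if len(regions) == 0 && p.Detected != "" {
		regions = []string{p.Detected}
	}
	if !contains(regions, m[2]) || contains(p.ExcludeAccounts, m[1]) {
		return false // no region supplied or detected also ends up here
	}
	return len(p.IncludeAccounts) == 0 || contains(p.IncludeAccounts, m[1])
}

func main() {
	p := ecrPolicy{Detected: "eu-west-1", ExcludeAccounts: []string{"602401143452"}}
	fmt.Println(p.Allowed("111122223333.dkr.ecr.eu-west-1.amazonaws.com"))
}
```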
func ImageCredsWithDefaults
func ImageCredsWithDefaults(lookup func() ImageCreds, configPath string) (func() ImageCreds, error)
Types
type AWSRegistryConfig
AWSRegistryConfig supplies constraints for scanning AWS (ECR) image registries. Fields may be left empty.
type Client
type Client interface {
	Tags(context.Context) ([]string, error)
	Manifest(ctx context.Context, ref string) (ImageEntry, error)
}
Client is a remote registry client for a particular image repository (e.g., for docker.io/fluxcd/flux). It is an interface so we can wrap it in instrumentation, write fake implementations, and so on.
func NewInstrumentedClient
type ClientFactory
type ClientFactory interface {
	ClientFor(image.CanonicalName, Credentials) (Client, error)
	Succeed(image.CanonicalName)
}
ClientFactory supplies Client implementations for a given repo, with credentials. This is an interface so we can provide fake implementations.
type Credentials
type Credentials struct {
	// contains filtered or unexported fields
}
Credentials to a (Docker) registry.
func NoCredentials
func NoCredentials() Credentials
NoCredentials returns a usable but empty credentials object.
func ParseCredentials
func ParseCredentials(from string, b []byte) (Credentials, error)
func (Credentials) Hosts
func (cs Credentials) Hosts() []string
Hosts returns all of the hosts available in these credentials.
func (Credentials) Merge
func (cs Credentials) Merge(c Credentials)
func (Credentials) String
func (cs Credentials) String() string
type ImageCreds
type ImageCreds map[image.Name]Credentials
ImageCreds is a record of which images need which credentials, which is supplied to us (probably by interrogating the cluster).
type ImageEntry
ImageEntry represents a result from looking up an image ref in an image registry. It's an either-or: either you get an image.Info, or you get a reason that the image should be treated as unusable (e.g., it's for the wrong architecture).
func (ImageEntry) MarshalJSON
func (entry ImageEntry) MarshalJSON() ([]byte, error)
MarshalJSON does custom JSON marshalling for ImageEntry values. We need this because the struct embeds the image.Info type, which has its own custom marshaling, which would get used otherwise.
func (*ImageEntry) UnmarshalJSON
func (entry *ImageEntry) UnmarshalJSON(bytes []byte) error
UnmarshalJSON does custom JSON unmarshalling for ImageEntry values.
type Registry
type Registry interface {
	GetImageRepositoryMetadata(image.Name) (image.RepositoryMetadata, error)
	GetImage(image.Ref) (image.Info, error)
}
Registry is a store of image metadata.
func NewInstrumentedRegistry
type Remote
type Remote struct {
	// contains filtered or unexported fields
}
type RemoteClientFactory
type RemoteClientFactory struct {
	Logger   log.Logger
	Limiters *middleware.RateLimiters
	Trace    bool

	// hosts with which to tolerate insecure connections (e.g., with
	// TLS_INSECURE_SKIP_VERIFY, or as a fallback, using HTTP).
	InsecureHosts []string
	// contains filtered or unexported fields
}
func (*RemoteClientFactory) ClientFor
func (f *RemoteClientFactory) ClientFor(repo image.CanonicalName, creds Credentials) (Client, error)
func (*RemoteClientFactory) Succeed
func (f *RemoteClientFactory) Succeed(repo image.CanonicalName)
Succeed exists merely so that the user of the ClientFactory can bump rate limits up if a repo's metadata has successfully been fetched.
Source Files
Directories
Path | Synopsis |
---|---|
 | This package implements an image metadata cache given a backing k-v store. |
memcached | This package implements an image DB cache using memcached. |