This package has types for dealing with image registries (e.g., DockerHub, Google Container Registry, ...).



const (
	EKS_SYSTEM_ACCOUNT    = "602401143452"
	EKS_SYSTEM_ACCOUNT_CN = "918309763551"
)

const (
	LabelRequestKind    = "kind"
	RequestKindTags     = "tags"
	RequestKindMetadata = "metadata"
)

var (
	ErrNoImageData       = errors.New("image data not available")
	ErrImageScanDisabled = errors.New("cannot perfom operation, image scanning is disabled")
)


func GetGCPOauthToken

func GetGCPOauthToken(host string) (creds, error)

func ImageCredsWithAWSAuth

func ImageCredsWithAWSAuth(lookup func() ImageCreds, logger log.Logger, config AWSRegistryConfig) (func() error, func() ImageCreds)

ImageCredsWithAWSAuth wraps an image credentials func with another that adds two capabilities:

- it will include or exclude images from ECR accounts and regions
  according to the config given; and,

- if it can reach the AWS API, it will obtain credentials for ECR
  accounts from it, automatically refreshing them when necessary.

It also returns a "pre-flight check" that can be used to verify that the AWS API is available while starting up.

ECR registry URLs look like this:


i.e., they can differ in the account ID and in the region. It's possible to refer to any registry from any cluster (although, being AWS, there will be a cost incurred). The config supplied can restrict based on the region:

- if a region or regions are supplied, exactly those regions shall
  be included;
- if no region is supplied, but it can be detected, the detected
  region is included;
- if no region is supplied _or_ detected, no region is included.

... and on the account ID:

- if account IDs to include are supplied, only those are included
  - otherwise, all account IDs are included
  - the supplied list may be empty
with the exception
- if account IDs to _exclude_ are supplied, those shall be not be

func ImageCredsWithDefaults

func ImageCredsWithDefaults(lookup func() ImageCreds, configPath string) (func() ImageCreds, error)


type AWSRegistryConfig

type AWSRegistryConfig struct {
	Regions    []string
	AccountIDs []string
	BlockIDs   []string
}

AWSRegistryConfig supplies constraints for scanning AWS (ECR) image registries. Fields may be left empty.
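
The region and account rules documented for ImageCredsWithAWSAuth above, as an added sketch that is not the package's own code. `ecrConfig`, `ecrAllowed` and the `detected` parameter are hypothetical; the sketch assumes the usual ECR host form `<account-id>.dkr.ecr.<region>.amazonaws.com`, treats an empty include list as "all accounts", and reads the cut-off exclude rule as "blocked IDs are never included". The account IDs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// ecrConfig is a local stand-in with the same fields as AWSRegistryConfig.
type ecrConfig struct{ Regions, AccountIDs, BlockIDs []string }

// ECR hosts: <account-id>.dkr.ecr.<region>.amazonaws.com (".cn" suffix in China).
var ecrHost = regexp.MustCompile(`^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?$`)

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// ecrAllowed applies the documented rules; detected ("" if none) is a hypothetical parameter.
func ecrAllowed(cfg ecrConfig, detected, host string) (bool, string) {
	m := ecrHost.FindStringSubmatch(host)
	if m == nil {
		return true, "not an ECR host, rules do not apply"
	}
	account, region := m[1], m[2]
	regions := cfg.Regions
	if len(regions) == 0 && detected != "" {
		regions = []string{detected} // fall back to the detected region
	}
	if !contains(regions, region) { // nothing supplied or detected: no region matches
		return false, "region not included"
	}
	if contains(cfg.BlockIDs, account) { // assumed reading of the truncated exclude rule
		return false, "account excluded"
	}
	if len(cfg.AccountIDs) > 0 && !contains(cfg.AccountIDs, account) {
		return false, "account not in include list"
	}
	return true, "included"
}

func main() {
	cfg := ecrConfig{Regions: []string{"eu-west-1"}, BlockIDs: []string{"111111111111"}} // constructed values
	ok, why := ecrAllowed(cfg, "", "123456789012.dkr.ecr.eu-west-1.amazonaws.com")
	fmt.Println(ok, why)
}
```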

type Client

type Client interface {
	Tags(context.Context) ([]string, error)
	Manifest(ctx context.Context, ref string) (ImageEntry, error)
}

Client is a remote registry client for a particular image repository (e.g., for It is an interface so we can wrap it in instrumentation, write fake implementations, and so on.

func NewInstrumentedClient

func NewInstrumentedClient(next Client) Client

type ClientFactory

type ClientFactory interface {
	ClientFor(image.CanonicalName, Credentials) (Client, error)
}

ClientFactory supplies Client implementations for a given repo, with credentials. This is an interface so we can provide fake implementations.

type Credentials

type Credentials struct {
	// contains filtered or unexported fields
}

Credentials to a (Docker) registry.

func NoCredentials

func NoCredentials() Credentials

NoCredentials returns a usable but empty credentials object.

func ParseCredentials

func ParseCredentials(from string, b []byte) (Credentials, error)

func (Credentials) Hosts

func (cs Credentials) Hosts() []string

Hosts returns all of the hosts available in these credentials.

func (Credentials) Merge

func (cs Credentials) Merge(c Credentials)

func (Credentials) String

func (cs Credentials) String() string

type Excluded

type Excluded struct {
	ExcludedReason string `json:",omitempty"`
}

type ImageCreds

type ImageCreds map[image.Name]Credentials

ImageCreds is a record of which images need which credentials, which is supplied to us (probably by interrogating the cluster).

type ImageEntry

type ImageEntry struct {
	image.Info `json:",omitempty"`

ImageEntry represents a result from looking up an image ref in an image registry. It's an either-or: either you get an image.Info, or you get a reason that the image should be treated as unusable (e.g., it's for the wrong architecture).

func (ImageEntry) MarshalJSON

func (entry ImageEntry) MarshalJSON() ([]byte, error)

MarshalJSON does custom JSON marshalling for ImageEntry values. We need this because the struct embeds the image.Info type, which has its own custom marshaling, which would get used otherwise.

func (*ImageEntry) UnmarshalJSON

func (entry *ImageEntry) UnmarshalJSON(bytes []byte) error

UnmarshalJSON does custom JSON unmarshalling for ImageEntry values.

type ImageScanDisabledRegistry

type ImageScanDisabledRegistry struct{}

ImageScanDisabledRegistry is used when image scanning is disabled.

func (ImageScanDisabledRegistry) GetImage

func (ImageScanDisabledRegistry) GetImageRepositoryMetadata

func (i ImageScanDisabledRegistry) GetImageRepositoryMetadata(image.Name) (image.RepositoryMetadata, error)

type Registry

type Registry interface {
	GetImageRepositoryMetadata(image.Name) (image.RepositoryMetadata, error)
	GetImage(image.Ref) (image.Info, error)
}

Registry is a store of image metadata.

func NewInstrumentedRegistry

func NewInstrumentedRegistry(next Registry) Registry

type Remote

type Remote struct {
	// contains filtered or unexported fields
}

func (*Remote) Manifest

func (a *Remote) Manifest(ctx context.Context, ref string) (ImageEntry, error)

Manifest fetches the metadata for an image reference; currently assumed to be in the same repo as that provided to `NewRemote(...)`.

func (*Remote) Tags

func (a *Remote) Tags(ctx context.Context) ([]string, error)

Return the tags for this repository.

type RemoteClientFactory

type RemoteClientFactory struct {
	Logger   log.Logger
	Limiters *middleware.RateLimiters
	Trace    bool

	// hosts with which to tolerate insecure connections (e.g., with
	// TLS_INSECURE_SKIP_VERIFY, or as a fallback, using HTTP).
	InsecureHosts []string
	// contains filtered or unexported fields
}

func (*RemoteClientFactory) ClientFor

func (f *RemoteClientFactory) ClientFor(repo image.CanonicalName, creds Credentials) (Client, error)

func (*RemoteClientFactory) Succeed

func (f *RemoteClientFactory) Succeed(repo image.CanonicalName)

Succeed exists merely so that the user of the ClientFactory can bump rate limits up if a repo's metadata has successfully been fetched.


Path Synopsis
This package implements an image metadata cache given a backing k-v store.
This package implements an image DB cache using memcached.