entrypoint image lookup: change auth order

The google.Keychain will fail hard in case of `gcloud` command missing (which can be the case in minikube and other kubernetes cluster). This means it will fail before trying to contact the registry anonymously — even if the images are publically available. This add an ad-hoc anonymous keychain, and set it as the first keychaien to check. That way, it will first try to get images config anonymously and then try other authentications. Signed-off-by: Vincent Demeester <[email protected]>
tektoncd · Mar 14, 2019 · 2aaeb30 · 2aaeb30
1 parent 3a5a1e8
commit 2aaeb30
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/pkg/reconciler/v1alpha1/taskrun/entrypoint/entrypoint.go b/pkg/reconciler/v1alpha1/taskrun/entrypoint/entrypoint.go
@@ -195,14 +195,26 @@ func getRemoteImage(image string, kubeclient kubernetes.Interface, build *buildv
  return nil, fmt.Errorf("Failed to create k8schain: %v", err)
  }
 
- // this will first try to authenticate using the k8schain,
- // then fall back to the google keychain,
- // then fall back to anonymous
- mkc := authn.NewMultiKeychain(kc, google.Keychain)
+ // this will first try to anonymous
+ // the fall back to authenticate using the k8schain,
+ // then fall back to the google keychain
+ mkc := authn.NewMultiKeychain(&anonymousKeychain{}, kc, google.Keychain)
  img, err := remote.Image(ref, remote.WithAuthFromKeychain(mkc))
  if err != nil {
  return nil, fmt.Errorf("Failed to get container image info from registry %s: %v", image, err)
  }
 
  return img, nil
 }
+
+type anonymousKeychain struct{}
+
+func (a *anonymousKeychain) Resolve(_ name.Registry) (authn.Authenticator, error) {
+ return &anonymous{}, nil
+}
+
+type anonymous struct{}
+
+func (a *anonymous) Authorization() (string, error) {
+ return "", nil
+}