Set AuthConfig for image pull if credentials supplier is set

5 files changed, 71 insertions, 6 deletions

diff --git a/docker-api/pom.xml b/docker-api/pom.xml
index fc3407d08be..e2ddd8dbcc9 100644
--- a/docker-api/pom.xml
+++ b/docker-api/pom.xml
@@ -69,7 +69,6 @@
                     <groupId>org.apache.httpcomponents</groupId>
                     <artifactId>httpcore</artifactId>
                 </exclusion>
-
                 <exclusion>
                     <groupId>org.apache.httpcomponents</groupId>
                     <artifactId>httpclient</artifactId>
@@ -77,22 +76,28 @@
             </exclusions>
         </dependency>
         <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+            <version>1.10</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
             <groupId>net.jpountz.lz4</groupId>
             <artifactId>lz4</artifactId>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpcore</artifactId>
-            <!-- We explicitly specify the version of httpcore to be used by 
-            docker-java so the dependency is declared closer to the root of maven and 
+            <!-- We explicitly specify the version of httpcore to be used by
+            docker-java so the dependency is declared closer to the root of maven and
             more likely be the version that is finally being used. -->
             <version>4.4.1</version>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient</artifactId>
-             <!-- We explicitly specify the version of httpclient to be used by 
-            docker-java so the dependency is declared closer to the root of maven and 
+             <!-- We explicitly specify the version of httpclient to be used by
+            docker-java so the dependency is declared closer to the root of maven and
             more likely be the version that is finally being used. -->
             <version>4.5</version>
         </dependency>
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
index 331779fb81c..2039d0adfc9 100644
--- a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
@@ -115,4 +115,10 @@ public interface Docker {
     ProcessResult executeInContainerAsRoot(ContainerName containerName, Long timeoutSeconds, String... command);
 
     String getGlobalIPv6Address(ContainerName name);
+
+    /**
+     * If set, the supplier will we called every time before a pull/push request is made to get the credentials
+     */
+    void setDockerRegistryCredentialsSupplier(DockerRegistryCredentialsSupplier dockerRegistryCredentialsSupplier);
+
 }
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerImpl.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerImpl.java
index 5facbc7104e..f6588512e2d 100644
--- a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerImpl.java
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerImpl.java
@@ -8,9 +8,11 @@ import com.github.dockerjava.api.command.InspectContainerCmd;
 import com.github.dockerjava.api.command.InspectContainerResponse;
 import com.github.dockerjava.api.command.InspectExecResponse;
 import com.github.dockerjava.api.command.InspectImageResponse;
+import com.github.dockerjava.api.command.PullImageCmd;
 import com.github.dockerjava.api.exception.DockerClientException;
 import com.github.dockerjava.api.exception.NotFoundException;
 import com.github.dockerjava.api.exception.NotModifiedException;
+import com.github.dockerjava.api.model.AuthConfig;
 import com.github.dockerjava.api.model.Image;
 import com.github.dockerjava.api.model.Network;
 import com.github.dockerjava.api.model.Statistics;
@@ -67,6 +69,8 @@ public class DockerImpl implements Docker {
     @GuardedBy("monitor")
     private final Set<DockerImage> scheduledPulls = new HashSet<>();
 
+    private volatile Optional<DockerRegistryCredentialsSupplier> dockerRegistryCredentialsSupplier = Optional.empty();
+
     private DockerClient dockerClient;
 
     @Inject
@@ -150,7 +154,17 @@ public class DockerImpl implements Docker {
                 if (imageIsDownloaded(image)) return false;
 
                 scheduledPulls.add(image);
-                dockerClient.pullImageCmd(image.asString()).exec(new ImagePullCallback(image));
+                PullImageCmd pullImageCmd = dockerClient.pullImageCmd(image.asString());
+
+                dockerRegistryCredentialsSupplier
+                        .flatMap(credentialsSupplier -> credentialsSupplier.getCredentials(image))
+                        .map(credentials -> new AuthConfig()
+                                .withRegistryAddress(credentials.registry.toString())
+                                .withUsername(credentials.username)
+                                .withPassword(credentials.password))
+                        .ifPresent(pullImageCmd::withAuthConfig);
+
+                pullImageCmd.exec(new ImagePullCallback(image));
                 return true;
             }
         } catch (RuntimeException e) {
@@ -364,6 +378,11 @@ public class DockerImpl implements Docker {
         return cmd.exec().getNetworkSettings().getGlobalIPv6Address();
     }
 
+    @Override
+    public void setDockerRegistryCredentialsSupplier(DockerRegistryCredentialsSupplier dockerRegistryCredentialsSupplier) {
+        this.dockerRegistryCredentialsSupplier = Optional.of(dockerRegistryCredentialsSupplier);
+    }
+
     private Stream<Container> asContainer(String container) {
         return inspectContainerCmd(container)
                 .map(response ->
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerRegistryCredentials.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerRegistryCredentials.java
new file mode 100644
index 00000000000..c9603e9e53a
--- /dev/null
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerRegistryCredentials.java
@@ -0,0 +1,19 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.dockerapi;
+
+import java.net.URI;
+
+/**
+ * @author freva
+ */
+public class DockerRegistryCredentials {
+    public final URI registry;
+    public final String username;
+    public final String password;
+
+    public DockerRegistryCredentials(URI registry, String username, String password) {
+        this.registry = registry;
+        this.username = username;
+        this.password = password;
+    }
+}
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerRegistryCredentialsSupplier.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerRegistryCredentialsSupplier.java
new file mode 100644
index 00000000000..6f16a6cd545
--- /dev/null
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/DockerRegistryCredentialsSupplier.java
@@ -0,0 +1,16 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.dockerapi;
+
+import java.util.Optional;
+
+/**
+ * @author freva
+ */
+public interface DockerRegistryCredentialsSupplier {
+
+    /**
+     * Returns credentials to docker registry needed to be able to pull/push given
+     * docker image.
+     */
+    Optional<DockerRegistryCredentials> getCredentials(DockerImage dockerImage);
+}