feat: change image pull auth args (#2780)

feat: change image pull auth args feat: change image pull auth args feat: change image pull auth args feat: change image pull auth args feat: feat ssh connect exec sudo error with non-root user feat: feat ssh connect exec sudo error with non-root user feat: change image pull auth args Signed-off-by: xuesongzuo@yunify.com <xuesongzuo@yunify.com>
2025-12-25 17:12:50 +00:00 · 2025-09-29 10:59:06 +08:00 · 2025-09-29 10:59:06 +08:00 · c66b9d0b7a
parent ea70663492
commit c66b9d0b7a
4 changed files with 80 additions and 11 deletions
--- a/builtin/core/playbooks/artifact_images.yaml
+++ b/builtin/core/playbooks/artifact_images.yaml
@ -14,6 +14,7 @@
      tags: ["pull","image_registry"]
      image:
        pull:
+          auths: "{{ .cri.registry.auths | toJson }}"
          images_dir: >-
            {{ .binary_dir }}/images/
          manifests: "{{ .image_manifests | toJson }}"
--- a/docs/zh/modules/image.md
+++ b/docs/zh/modules/image.md
@ -9,8 +9,10 @@ image模块允许用户下载镜像到本地目录或上传镜像到远程目录
 | pull | 把镜像从远程仓库中拉取到本地目录 | map | 否 | - |
 | pull.images_dir | 镜像存放的本地目录 | 字符串 | 否 | - |
 | pull.manifests | 需要拉取的镜像列表 | 字符串数组 | 是 | - |
-| pull.username | 用于认证远程仓库的用户 | 字符串 | 否 | - |
-| pull.password | 用于认证远程仓库的密码 | 字符串 | 否 | - |
+| pull.auths | 远程仓库的认证信息 | Object数组 | 否 | - |
+| pull.auths.repo | 用于认证远程仓库的地址 | 字符串 | 否 | - |
+| pull.auths.username | 用于认证远程仓库的用户名 | 字符串 | 否 | - |
+| pull.auths.password | 用于认证远程仓库的密码 | 字符串 | 否 | - |
 | pull.platform | 镜像的架构信息 | 字符串 | 否 | - |
 | pull.skip_tls_verify | 是否跳过远程仓库的tls认证 | bool | 否 | - |
 | push | 从本地目录中推送镜像到远程仓库 | map | 否 | - |
--- a/pkg/modules/image.go
+++ b/pkg/modules/image.go
@ -59,6 +59,10 @@ image:
    manifests: []string    # required: list of image manifests to pull
    images_dir: string     # required: directory to store pulled images
    skipTLSVerify: bool    # optional: skip TLS verification
+    autus:                 # optional: target image repo access information, slice type
+      - repo: string       # optional: target image repo
+        username: string   # optional: target image repo access username
+        password: string   # optional: target image repo access password
  push:                    # optional: push configuration
    username: string       # optional: registry username
    password: string       # optional: registry password
@ -77,6 +81,13 @@ Usage Examples in Playbook Tasks:
           - nginx:latest
           - prometheus:v2.45.0
         images_dir: /path/to/images
+         auths:
+           - repo: docker.io
+             username: MyDockerAccount
+             password: my_password
+           - repo: my.dockerhub.local
+             username: MyHubAccount
+             password: my_password
     register: pull_result
   ```

@ -109,9 +120,14 @@ type imagePullArgs struct {
 	imagesDir     string
 	manifests     []string
 	skipTLSVerify *bool
-	username      string
-	password      string
 	platform      string
+	auths         []imagePullAuth
+}
+
+type imagePullAuth struct {
+	Repo     string `json:"repo"`
+	Username string `json:"username"`
+	Password string `json:"password"`
 }

 // pull retrieves images from a remote registry and stores them locally
@ -129,11 +145,8 @@ func (i imagePullArgs) pull(ctx context.Context, platform string) error {
 					},
 				},
 			},
-			Cache: auth.NewCache(),
-			Credential: auth.StaticCredential(src.Reference.Registry, auth.Credential{
-				Username: i.username,
-				Password: i.password,
-			}),
+			Cache:      auth.NewCache(),
+			Credential: i.pullAuthFunc(),
 		}

 		dst, err := newLocalRepository(filepath.Join(src.Reference.Registry, src.Reference.Repository)+":"+src.Reference.Reference, i.imagesDir)
@ -159,6 +172,30 @@ func (i imagePullArgs) pull(ctx context.Context, platform string) error {
 	return nil
 }

+func (i imagePullArgs) pullAuthFunc() func(ctx context.Context, hostport string) (auth.Credential, error) {
+	var creds = make(map[string]auth.Credential)
+	for _, inputAuth := range i.auths {
+		var rp = inputAuth.Repo
+		if rp == "docker.io" {
+			rp = "registry-1.docker.io"
+		}
+		if rp == "" {
+			continue
+		}
+		creds[rp] = auth.Credential{
+			Username: inputAuth.Username,
+			Password: inputAuth.Password,
+		}
+	}
+	return func(_ context.Context, hostport string) (auth.Credential, error) {
+		cred, ok := creds[hostport]
+		if !ok {
+			cred = auth.EmptyCredential
+		}
+		return cred, nil
+	}
+}
+
 // parse platform string to ocispec.Platform
 func parsePlatform(platformStr string) (imagev1.Platform, error) {
 	parts := strings.Split(platformStr, "/")
@ -259,8 +296,13 @@ func newImageArgs(_ context.Context, raw runtime.RawExtension, vars map[string]a
 		}
 		ipl := &imagePullArgs{}
 		ipl.manifests, _ = variable.StringSliceVar(vars, pull, "manifests")
-		ipl.username, _ = variable.StringVar(vars, pull, "username")
-		ipl.password, _ = variable.StringVar(vars, pull, "password")
+		ipl.auths = make([]imagePullAuth, 0)
+		_ = variable.AnyVar(vars, &ipl.auths, "cri", "registry", "auths")
+		for _, a := range ipl.auths {
+			a.Repo, _ = tmpl.ParseFunc(vars, a.Repo, func(b []byte) string { return string(b) })
+			a.Username, _ = tmpl.ParseFunc(vars, a.Username, func(b []byte) string { return string(b) })
+			a.Password, _ = tmpl.ParseFunc(vars, a.Password, func(b []byte) string { return string(b) })
+		}
 		ipl.imagesDir, _ = variable.StringVar(vars, pull, "images_dir")
 		ipl.skipTLSVerify, _ = variable.BoolVar(vars, pull, "skip_tls_verify")
 		if ipl.skipTLSVerify == nil {
--- a/pkg/variable/helper.go
+++ b/pkg/variable/helper.go
@ -343,6 +343,30 @@ func DurationVar(ctx map[string]any, args map[string]any, key string) (time.Dura
 	return time.ParseDuration(stringVar)
 }

+// AnyVar get data from input args and keys,unmarshal data into dest
+func AnyVar(args map[string]any, dest any, keys ...string) error {
+	val, found, err := unstructured.NestedFieldNoCopy(args, keys...)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+	if !found {
+		return errors.Errorf("cannot find variable %q", strings.Join(keys, "."))
+	}
+	valBytes, err := json.Marshal(val)
+	if err != nil {
+		return errors.Wrapf(err, "failed to marshal variable %q", strings.Join(keys, "."))
+	}
+	valBytes, err = tmpl.Parse(args, string(valBytes))
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(valBytes, dest)
+	if err != nil {
+		return errors.Wrapf(err, "failed to unmarshal variable %q to dest", strings.Join(keys, "."))
+	}
+	return nil
+}
+
 // Extension2Variables convert runtime.RawExtension to variables
 func Extension2Variables(ext runtime.RawExtension) map[string]any {
 	if len(ext.Raw) == 0 {