Merge pull request #15807 from miminar/registry-extended-test-fixes

Automatic merge from submit-queue.

extended: fixed registry tests 

The extended test suite now secures the registry. This patch allows for
secure connection to the registry.

Resolves #15763

test/extended/imageapis/limitrange_admission.go

@@ -21,7 +21,7 @@ import (
 
 const limitRangeName = "limits"
 
-var _ = g.Describe("[Feature:ImageQuota] Image limit range", func() {
+var _ = g.Describe("[Feature:ImageQuota][Serial] Image limit range", func() {
 	defer g.GinkgoRecover()
 	var oc = exutil.NewCLI("limitrange-admission", exutil.KubeConfigPath())
 
@@ -40,7 +40,8 @@ var _ = g.Describe("[Feature:ImageQuota] Image limit range", func() {
 		deleteTestImagesAndStreams(oc)
 	}
 
-	g.It(fmt.Sprintf("should deny a push of built image exceeding %s limit", imageapi.LimitTypeImage), func() {
+	g.It(fmt.Sprintf("[Skipped] should deny a push of built image exceeding %s limit", imageapi.LimitTypeImage), func() {
+		g.Skip("FIXME: fill image metadata for schema1 in the registry")
 		oc.SetOutputDir(exutil.TestContext.OutputDir)
 		defer tearDown(oc)
 

test/extended/imageapis/quota_admission.go

@@ -26,7 +26,7 @@ const (
 	waitTimeout = time.Second * 30
 )
 
-var _ = g.Describe("[Feature:ImageQuota] Image resource quota", func() {
+var _ = g.Describe("[Feature:ImageQuota][Serial] Image resource quota", func() {
 	defer g.GinkgoRecover()
 	var oc = exutil.NewCLI("resourcequota-admission", exutil.KubeConfigPath())
 

test/extended/images/helper.go

@@ -3,6 +3,7 @@ package images
 import (
 	"bytes"
 	cryptorand "crypto/rand"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -21,6 +22,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
+	knet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/kubernetes/pkg/client/retry"
@@ -517,20 +519,41 @@ func MirrorBlobInRegistry(oc *exutil.CLI, dgst digest.Digest, repository string,
 	if err != nil {
 		return err
 	}
-	req, err := http.NewRequest("GET", fmt.Sprintf("http://%s/v2/%s/blobs/%s", registryURL, repository, dgst.String()), nil)
-	if err != nil {
-		return err
-	}
 	token, err := oc.Run("whoami").Args("-t").Output()
 	if err != nil {
 		return err
 	}
-	req.Header.Set("range", "bytes=0-1")
-	req.Header.Set("Authorization", "Bearer "+token)
-	c := http.Client{}
-	resp, err := c.Do(req)
-	if err != nil {
-		return err
+
+	c := http.Client{
+		Transport: knet.SetTransportDefaults(&http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}),
+	}
+
+	peekAtBlob := func(schema string) (*http.Request, *http.Response, error) {
+		req, err := http.NewRequest("GET", fmt.Sprintf("%s://%s/v2/%s/blobs/%s", schema, registryURL, repository, dgst.String()), nil)
+		if err != nil {
+			return nil, nil, err
+		}
+		req.Header.Set("range", "bytes=0-1")
+		req.Header.Set("Authorization", "Bearer "+token)
+		resp, err := c.Do(req)
+		if err != nil {
+			fmt.Fprintf(g.GinkgoWriter, "failed to %s %s: %v (%#+v)\n", req.Method, req.URL, err, err)
+			return nil, nil, err
+		}
+		return req, resp, nil
+	}
+
+	var (
+		req    *http.Request
+		resp   *http.Response
+		getErr error
+	)
+	if req, resp, getErr = peekAtBlob("https"); getErr != nil {
+		if req, resp, getErr = peekAtBlob("http"); getErr != nil {
+			return getErr
+		}
 	}
 	defer resp.Body.Close()
 

test/extended/registry/registry.go

@@ -25,7 +25,7 @@ const (
 	imageSize = 1024
 )
 
-var _ = g.Describe("[Conformance][registry][migration] manifest migration from etcd to registry storage", func() {
+var _ = g.Describe("[Conformance][registry][migration][Serial] manifest migration from etcd to registry storage", func() {
 	defer g.GinkgoRecover()
 	var oc = exutil.NewCLI("registry-migration", exutil.KubeConfigPath())
 

test/extended/registry/signature.go

@@ -12,7 +12,8 @@ import (
 	e2e "k8s.io/kubernetes/test/e2e/framework"
 )
 
-var _ = g.Describe("[imageapis][registry] image signature workflow", func() {
+var _ = g.Describe("[imageapis][registry][Skipped] image signature workflow", func() {
+
 	defer g.GinkgoRecover()
 
 	var (
@@ -21,6 +22,7 @@ var _ = g.Describe("[imageapis][registry] image signature workflow", func() {
 	)
 
 	g.It("can push a signed image to openshift registry and verify it", func() {
+		g.Skip("FIXME: fix oadm verify-image-signature to work with secured registry")
 		g.By("building a signer image that knows how to sign images")
 		output, err := oc.Run("create").Args("-f", signerBuildFixture).Output()
 		if err != nil {

test/extended/registry/util/util.go

@@ -120,6 +120,19 @@ func GetRegistryPod(podsGetter kcoreclient.PodsGetter) (*kapiv1.Pod, error) {
 	return &podList.Items[0], nil
 }
 
+// LogRegistryPod attempts to write registry log to a file to recent test's output directory.
+func LogRegistryPod(oc *exutil.CLI) error {
+	pod, err := GetRegistryPod(oc.KubeClient().Core())
+	if err != nil {
+		return fmt.Errorf("failed to get registry pod: %v", err)
+	}
+	path, err := oc.Run("logs").Args("dc/docker-registry").OutputToFile("pod-" + pod.Name + ".log")
+	if err == nil {
+		fmt.Fprintf(g.GinkgoWriter, "written registry pod log to %s\n", path)
+	}
+	return err
+}
+
 // ConfigureRegistry re-deploys the registry pod if its configuration doesn't match the desiredState. The
 // function blocks until the registry is ready.
 func ConfigureRegistry(oc *exutil.CLI, desiredState RegistryConfiguration) error {
@@ -154,7 +167,12 @@ func ConfigureRegistry(oc *exutil.CLI, desiredState RegistryConfiguration) error
 	if err != nil {
 		return err
 	}
+
+	// log docker-registry pod output before re-deploying
 	waitForVersion := dc.Status.LatestVersion + 1
+	if err = LogRegistryPod(oc); err != nil {
+		fmt.Fprintf(g.GinkgoWriter, "failed to log registry pod: %v\n", err)
+	}
 
 	err = oc.Run("env").Args(append([]string{"dc/docker-registry"}, envOverrides...)...).Execute()
 	if err != nil {

test/extended/util/cli.go

@@ -139,9 +139,9 @@ func (c *CLI) SetNamespace(ns string) *CLI {
 }
 
 // WithoutNamespace instructs the command should be invoked without adding --namespace parameter
-func (c *CLI) WithoutNamespace() *CLI {
+func (c CLI) WithoutNamespace() *CLI {
 	c.withoutNamespace = true
-	return c
+	return &c
 }
 
 // SetOutputDir change the default output directory for temporary files