spgreenberg
diff --git a/‎api/repositories/dockercfg/json.go
-35 b/‎api/repositories/dockercfg/json.go
-35
diff --git a/‎api/repositories/dockercfg/json_test.go
-58 b/‎api/repositories/dockercfg/json_test.go
-58
diff --git a/‎api/repositories/package_repository.go
+13-15 b/‎api/repositories/package_repository.go
+13-15
diff --git a/‎go.mod
+2 b/‎go.mod
+2
diff --git a/‎go.sum
+5 b/‎go.sum
+5
diff --git a/‎tests/helpers/oci/registry.go
+121 b/‎tests/helpers/oci/registry.go
+121
diff --git a/‎api/repositories/dockercfg/dockercfg_suite_test.go ‎tools/dockercfg/dockercfg_suite_test.go b/‎api/repositories/dockercfg/dockercfg_suite_test.go ‎tools/dockercfg/dockercfg_suite_test.go
diff --git a/‎tools/dockercfg/secret.go
+71 b/‎tools/dockercfg/secret.go
+71
@@ -8,10 +8,10 @@ import (
 	"code.cloudfoundry.org/korifi/api/authorization"
 	apierrors "code.cloudfoundry.org/korifi/api/errors"
 	"code.cloudfoundry.org/korifi/api/repositories/conditions"
-	"code.cloudfoundry.org/korifi/api/repositories/dockercfg"
 	korifiv1alpha1 "code.cloudfoundry.org/korifi/controllers/api/v1alpha1"
 	"code.cloudfoundry.org/korifi/controllers/controllers/shared"
 	"code.cloudfoundry.org/korifi/controllers/controllers/workloads"
+	"code.cloudfoundry.org/korifi/tools/dockercfg"
 	"code.cloudfoundry.org/korifi/tools/k8s"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/uuid"
@@ -180,28 +180,26 @@ func createImagePullSecret(ctx context.Context, userClient client.Client, cfPack
 	if err != nil {
 		return fmt.Errorf("failed to parse image ref: %w", err)
 	}
-	dockerCfg, err := dockercfg.GenerateDockerCfgSecretData(*message.Data.Username, *message.Data.Password, ref.Context().RegistryStr())
-	if err != nil {
-		return fmt.Errorf("failed to generate dockercfgjson: %w", err)
-	}
 
-	imgPullSecret := corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: cfPackage.Namespace,
-			Name:      cfPackage.Name,
+	imgPullSecret, err := dockercfg.CreateDockerConfigSecret(
+		cfPackage.Namespace,
+		cfPackage.Name,
+		dockercfg.DockerServerConfig{
+			Server:   ref.Context().RegistryStr(),
+			Username: *message.Data.Username,
+			Password: *message.Data.Password,
 		},
-		Data: map[string][]byte{
-			corev1.DockerConfigJsonKey: dockerCfg,
-		},
-		Type: corev1.SecretTypeDockerConfigJson,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to generate image pull secret: %w", err)
 	}
 
-	err = controllerutil.SetOwnerReference(cfPackage, &imgPullSecret, scheme.Scheme)
+	err = controllerutil.SetOwnerReference(cfPackage, imgPullSecret, scheme.Scheme)
 	if err != nil {
 		return fmt.Errorf("failed to set ownership from the package to the image pull secret: %w", err)
 	}
 
-	err = userClient.Create(ctx, &imgPullSecret)
+	err = userClient.Create(ctx, imgPullSecret)
 	if err != nil {
 		return fmt.Errorf("failed create the image pull secret: %w", err)
 	}
 
@@ -14,6 +14,7 @@ require (
 	github.com/buildpacks/pack v0.30.0
 	github.com/cloudfoundry/cf-test-helpers v1.0.1-0.20220603211108-d498b915ef74
 	github.com/distribution/distribution/v3 v3.0.0-20230223072852-e5d5810851d1
+	github.com/foomo/htpasswd v0.0.0-20200116085101-e3a90e78da9c
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/go-logr/logr v1.2.4
 	github.com/go-resty/resty/v2 v2.7.0
@@ -44,6 +45,7 @@ require (
 )
 
 require (
+	github.com/GehirnInc/crypt v0.0.0-20190301055215-6c0105aabd46 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/vmware-labs/reconciler-runtime v0.12.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
 
@@ -39,6 +39,8 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
+github.com/GehirnInc/crypt v0.0.0-20190301055215-6c0105aabd46 h1:rs0kDBt2zF4/CM9rO5/iH+U22jnTygPlqWgX55Ufcxg=
+github.com/GehirnInc/crypt v0.0.0-20190301055215-6c0105aabd46/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
@@ -175,6 +177,8 @@ github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBD
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/foomo/htpasswd v0.0.0-20200116085101-e3a90e78da9c h1:DBGU7zCwrrPPDsD6+gqKG8UfMxenWg9BOJE/Nmfph+4=
+github.com/foomo/htpasswd v0.0.0-20200116085101-e3a90e78da9c/go.mod h1:SHawtolbB0ZOFoRWgDwakX5WpwuIWAK88bUXVZqK0Ss=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
@@ -470,6 +474,7 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20181127143415-eb0de9b17e85/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200115085410-6d4e4cb37c7d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 
@@ -0,0 +1,121 @@
+package oci
+
+import (
+	"context"
+	"fmt"
+	"net/http/httptest"
+	"net/url"
+	"os"
+
+	"github.com/distribution/distribution/v3/configuration"
+	dcontext "github.com/distribution/distribution/v3/context"
+	_ "github.com/distribution/distribution/v3/registry/auth/htpasswd"
+	"github.com/distribution/distribution/v3/registry/handlers"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
+	"github.com/foomo/htpasswd"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/empty"
+	"github.com/google/go-containerregistry/pkg/v1/mutate"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	. "github.com/onsi/ginkgo/v2" //lint:ignore ST1001 this is a test file
+	. "github.com/onsi/gomega"    //lint:ignore ST1001 this is a test file
+	"github.com/sirupsen/logrus"
+)
+
+func init() {
+	logger := logrus.New()
+	logger.SetLevel(logrus.DebugLevel)
+	logger.SetOutput(GinkgoWriter)
+	dcontext.SetDefaultLogger(logrus.NewEntry(logger))
+}
+
+type Registry struct {
+	server   *httptest.Server
+	username string
+	password string
+}
+
+func (r *Registry) URL() string {
+	return r.server.URL
+}
+
+func (r *Registry) ImageRef(relativeImageRef string) string {
+	serverURL, err := url.Parse(r.URL())
+	Expect(err).NotTo(HaveOccurred())
+	return fmt.Sprintf("%s/%s", serverURL.Host, relativeImageRef)
+}
+
+func (r *Registry) PushImage(repoRef string, imageConfig *v1.ConfigFile) {
+	image, err := mutate.ConfigFile(empty.Image, imageConfig)
+	Expect(err).NotTo(HaveOccurred())
+
+	ref, err := name.ParseReference(repoRef)
+	Expect(err).NotTo(HaveOccurred())
+
+	pushOpts := []remote.Option{}
+	if r.username != "" && r.password != "" {
+		pushOpts = append(pushOpts, remote.WithAuth(&authn.Basic{
+			Username: r.username,
+			Password: r.password,
+		}))
+	}
+	Expect(remote.Write(ref, image, pushOpts...)).To(Succeed())
+}
+
+func NewContainerRegistry(username, password string) *Registry {
+	htpasswdFile := generateHtpasswdFile(username, password)
+
+	registry := &Registry{
+		server: httptest.NewServer(handlers.NewApp(context.Background(), &configuration.Configuration{
+			Auth: configuration.Auth{
+				"htpasswd": configuration.Parameters{
+					"realm": "Registry Realm",
+					"path":  htpasswdFile,
+				},
+			},
+			Storage: configuration.Storage{
+				"inmemory": configuration.Parameters{},
+				"delete":   configuration.Parameters{"enabled": true},
+			},
+			Loglevel: "debug",
+		})),
+		username: username,
+		password: password,
+	}
+
+	DeferCleanup(func() {
+		registry.server.Close()
+		Expect(os.RemoveAll(htpasswdFile)).To(Succeed())
+	})
+
+	return registry
+}
+
+func NewNoAuthContainerRegistry() *Registry {
+	registry := &Registry{
+		server: httptest.NewServer(handlers.NewApp(context.Background(), &configuration.Configuration{
+			Storage: configuration.Storage{
+				"inmemory": configuration.Parameters{},
+				"delete":   configuration.Parameters{"enabled": true},
+			},
+			Loglevel: "debug",
+		})),
+	}
+
+	DeferCleanup(func() {
+		registry.server.Close()
+	})
+
+	return registry
+}
+
+func generateHtpasswdFile(username, password string) string {
+	htpasswdFile, err := os.CreateTemp("", "")
+	Expect(err).NotTo(HaveOccurred())
+
+	Expect(htpasswd.SetPassword(htpasswdFile.Name(), username, password, htpasswd.HashBCrypt)).To(Succeed())
+
+	return htpasswdFile.Name()
+}
@@ -0,0 +1,71 @@
+package dockercfg
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func CreateDockerConfigSecret(
+	secretNamespace string,
+	secretName string,
+	dockerConfigs ...DockerServerConfig,
+) (*corev1.Secret, error) {
+	dockerCfg, err := generateDockerCfgSecretData(dockerConfigs...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate docker config secret data: %w", err)
+	}
+
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: secretNamespace,
+			Name:      secretName,
+		},
+		Data: map[string][]byte{
+			corev1.DockerConfigJsonKey: dockerCfg,
+		},
+		Type: corev1.SecretTypeDockerConfigJson,
+	}, nil
+}
+
+type dockerConfigJSON struct {
+	Auths map[string]dockerConfigEntry `json:"auths" datapolicy:"token"`
+}
+
+type dockerConfigEntry struct {
+	Auth string `json:"auth,omitempty"`
+}
+
+type DockerServerConfig struct {
+	Server   string
+	Username string
+	Password string
+}
+
+func generateDockerCfgSecretData(entries ...DockerServerConfig) ([]byte, error) {
+	result := dockerConfigJSON{
+		Auths: map[string]dockerConfigEntry{},
+	}
+
+	for _, config := range entries {
+		server := config.Server
+		if server == "" || server == "index.docker.io" {
+			server = "https://index.docker.io/v1/"
+		}
+
+		result.Auths[server] = dockerConfigEntry{
+			Auth: encodeDockerConfigFieldAuth(config.Username, config.Password),
+		}
+
+	}
+
+	return json.Marshal(result)
+}
+
+func encodeDockerConfigFieldAuth(username, password string) string {
+	fieldValue := username + ":" + password
+	return base64.StdEncoding.EncodeToString([]byte(fieldValue))
+}