e2e: add private registry pull/push regression test #7007
@vvoland @thaJeztah Codecov is reporting 0% patch coverage for Is this acceptable as-is, or would you prefer additional coverage changes here?

Hey all, the CI seems to be passing. I just need to change the commit body to remove "closes #XXXX" and stuff, as mentioned by thaJeztah in one of my other PRs. Sorry for the trouble.
Add a privateregistry service (htpasswd auth, port 5001) to the e2e compose stack and a TestPullPushPrivateRepository test that verifies:

- unauthenticated push/pull is rejected with an auth error
- authenticated push/pull succeeds

Fix private-registry flakiness by moving the registry debug listener off port 5001 (to avoid conflicting listeners) and fail fast during e2e setup if supporting services are not running.

The volume path in compose-env.yaml is resolved relative to the compose file directory (e2e/), so use ./testdata/registry/auth, not ./e2e/testdata/registry/auth.

Signed-off-by: Lohit Kolluri <lohitkolluri@gmail.com>

Add a tlsregistry service (HTTPS on port 5003) to the e2e compose stack and a TestPullPushTlsRepository test that verifies the same auth flow works over TLS without --insecure-registry.

The tlsregistry uses the same htpasswd credentials as the existing privateregistry and serves HTTPS with a self-signed CA cert. The engine container has the CA cert baked in via update-ca-certificates so dockerd trusts it automatically.

This gives us coverage for the non-insecure-registry path that the existing privateregistry test doesn't cover.

Signed-off-by: Lohit Kolluri <lohitkolluri@gmail.com>

Address reviewer feedback on docker/cli PR docker#7007:

- Merge TestPullPushPrivateRepository and TestPullPushTlsRepository into one test with "insecure" and "tls" subtests
- Generate TLS certs at setup time instead of committing them
- Remove committed cert files from git

Signed-off-by: Lohit Kolluri <lohitkolluri@gmail.com>

The connhelper-ssh variant uses a separate Dockerfile that was missing the CA certificate trust setup. Without it, dockerd cannot verify tlsregistry:5003 TLS certificates and all authenticated push/pull tests fail with x509 errors.

Signed-off-by: Lohit Kolluri <lohitkolluri@gmail.com>

Instead of only checking for ca.crt, verify that all generated certs exist on disk before running gen-certs.sh. This prevents a subtle failure where one missing cert causes TLS handshake errors during tests.

Signed-off-by: Lohit Kolluri <lohitkolluri@gmail.com>
I pushed two more commits to address the CI failures:
This adds an e2e regression test for authenticated pull/push against a private registry, covering the auth regression reported in #5963.

What's included

- New privateregistry service in the e2e Compose stack that runs a Docker registry with htpasswd authentication on port 5001, and a --insecure-registry flag for it in the engine container.
- TestPullPushPrivateRepository test that:
- Auth config entries for privateregistry:5001 in the e2e fixture config, with test credentials stored in a new e2e/testdata/registry/auth/htpasswd file.
- 90-second retry loop in the test that re-runs docker commands when the registry or DNS is not yet ready (covers the container startup race in CI). Transient errors are detected by matching known DNS/network failure strings; all other failures are returned immediately.
- Service health wait loop in scripts/test/e2e/run that polls docker compose ps for all three services (registry, privateregistry, engine) before connecting the test runner to the Compose network. If any service fails to start within 120 seconds, it prints service logs and exits with a clear error instead of letting tests hang on DNS timeouts.

About the earlier attempt (#6940)

The earlier version of this test failed in CI because the htpasswd volume mount in compose-env.yaml used a path resolved relative to the project root (./e2e/testdata/registry/auth), but Compose resolves volume paths relative to the compose file's directory (e2e/). The auth file never mounted, the registry started without authentication, and every registry operation either succeeded unauthenticated (giving false negatives) or timed out with a DNS error when the registry failed to start entirely. This version uses ./testdata/registry/auth so the mount resolves correctly.

Closes #5965.
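
The mount-path mistake described under "About the earlier attempt", as an added Go example that is not part of this PR or of the docker/cli code base: a preflight check that resolves short-syntax bind mounts against the compose file's directory and reports sources that do not exist on disk. The function names and the /auth container target are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveBindSource returns the host path behind a short-syntax volume entry
// ("SOURCE:TARGET[:MODE]"), resolving relative sources against the directory
// that holds the compose file. ok is false when there is no host path to check.
func resolveBindSource(composeFile, spec string) (host string, ok bool) {
	src, _, found := strings.Cut(spec, ":")
	if !found {
		return "", false // anonymous volume: container path only
	}
	if filepath.IsAbs(src) {
		return filepath.Clean(src), true
	}
	if strings.HasPrefix(src, ".") { // "./x" or "../x": relative bind mount
		return filepath.Join(filepath.Dir(composeFile), src), true
	}
	return "", false // named volume
}

// missingBindSources lists the entries whose resolved host path does not exist.
func missingBindSources(composeFile string, specs []string) []string {
	var missing []string
	for _, spec := range specs {
		if host, ok := resolveBindSource(composeFile, spec); ok {
			if _, err := os.Stat(host); err != nil {
				missing = append(missing, spec+" -> "+host)
			}
		}
	}
	return missing
}

func main() {
	// Constructed layout mirroring the PR: <tmp>/e2e/testdata/registry/auth
	root, _ := os.MkdirTemp("", "e2e-mount")
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "e2e", "testdata", "registry", "auth"), 0o755)
	compose := filepath.Join(root, "e2e", "compose-env.yaml")
	// First entry is the earlier attempt's path, second is this PR's path.
	specs := []string{"./e2e/testdata/registry/auth:/auth:ro", "./testdata/registry/auth:/auth:ro"}
	fmt.Println(missingBindSources(compose, specs))
}
```

Only the first entry is reported, because it resolves to e2e/e2e/testdata/registry/auth. The check assumes the project directory is the compose file's directory, which stops holding if Compose is run with --project-directory.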