Whitelisting *.pkg.dev for the GCP credential provider

2025-10-31 02:08:13 +00:00 · 2020-01-21 16:00:32 -08:00
parent c9b4cf3d25
commit f641ecd6f8
2 changed files with 76 additions and 72 deletions
--- a/pkg/credentialprovider/gcp/metadata.go
+++ b/pkg/credentialprovider/gcp/metadata.go
@@ -50,7 +50,7 @@ var gceProductNameFile = "/sys/class/dmi/id/product_name"

 // For these urls, the parts of the host name can be glob, for example '*.gcr.io" will match
 // "foo.gcr.io" and "bar.gcr.io".
-var containerRegistryUrls = []string{"container.cloud.google.com", "gcr.io", "*.gcr.io"}
+var containerRegistryUrls = []string{"container.cloud.google.com", "gcr.io", "*.gcr.io", "*.pkg.dev"}

 var metadataHeader = &http.Header{
 	"Metadata-Flavor": []string{"Google"},
--- a/pkg/credentialprovider/gcp/metadata_test.go
+++ b/pkg/credentialprovider/gcp/metadata_test.go
@@ -193,7 +193,9 @@ func TestDockerKeyringFromGoogleDockerConfigMetadataUrl(t *testing.T) {
 }

 func TestContainerRegistryBasics(t *testing.T) {
-	registryURL := "container.cloud.google.com"
+	registryURLs := []string{"container.cloud.google.com", "eu.gcr.io", "us-west2-docker.pkg.dev"}
+	for _, registryURL := range registryURLs {
+		t.Run(registryURL, func(t *testing.T) {
 			email := "1234@project.gserviceaccount.com"
 			token := &tokenBlob{AccessToken: "ya26.lots-of-indiscernible-garbage"}

@@ -274,6 +276,8 @@ func TestContainerRegistryBasics(t *testing.T) {
 			if email != val.Email {
 				t.Errorf("Unexpected email value, want: %s, got: %s", email, val.Email)
 			}
+		})
+	}
 }

 func TestContainerRegistryNoServiceAccount(t *testing.T) {