cleanup: breakup the pkg/credentials into writer and matcher

The credentials package contains the a matcher and a writer which out of
which only the writer is used in cmd/entrypoint. In an effort to isolate
usage and not indirectly import the corev1 api which the matcher uses
for MatchingAnnotations, we are breaking up the credentials builder interface
into two builders for writer and matcher.

This ensures that the entrypoint only uses the writer and not the matcher,
and we are only using either the writer or the matcher functionality
as necessary and not importing unnecessary deps.

Author: waveywaves

cmd/entrypoint/main.go

@@ -33,9 +33,9 @@ import (
 	featureFlags "github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
-	"github.com/tektoncd/pipeline/pkg/credentials"
 	"github.com/tektoncd/pipeline/pkg/credentials/dockercreds"
 	"github.com/tektoncd/pipeline/pkg/credentials/gitcreds"
+	credwriter "github.com/tektoncd/pipeline/pkg/credentials/writer"
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
 	"github.com/tektoncd/pipeline/pkg/spire"
 	"github.com/tektoncd/pipeline/pkg/spire/config"
@@ -96,7 +96,7 @@ func main() {
 	// from secret volume mounts to /tekton/creds. This is done to support the expansion
 	// of a variable, $(credentials.path), that resolves to a single place with all the
 	// stored credentials.
-	builders := []credentials.Builder{dockercreds.NewBuilder(), gitcreds.NewBuilder()}
+	builders := []credwriter.Builder{dockercreds.NewBuilder(), gitcreds.NewBuilder()}
 	for _, c := range builders {
 		if err := c.Write(pipeline.CredsDir); err != nil {
 			log.Printf("Error initializing credentials: %s", err)
@@ -164,7 +164,7 @@ func main() {
 
 	// Copy any creds injected by the controller into the $HOME directory of the current
 	// user so that they're discoverable by git / ssh.
-	if err := credentials.CopyCredsToHome(credentials.CredsInitCredentials); err != nil {
+	if err := credwriter.CopyCredsToHome(credwriter.CredsInitCredentials); err != nil {
 		log.Printf("non-fatal error copying credentials: %q", err)
 	}
 

pkg/credentials/dockercreds/creds.go

@@ -25,7 +25,8 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/tektoncd/pipeline/pkg/credentials"
+	credmatcher "github.com/tektoncd/pipeline/pkg/credentials/matcher"
+	credwriter "github.com/tektoncd/pipeline/pkg/credentials/writer"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -117,7 +118,7 @@ type entry struct {
 }
 
 func newEntry(secret string) (*entry, error) {
-	secretPath := credentials.VolumeName(secret)
+	secretPath := credmatcher.VolumeName(secret)
 
 	ub, err := os.ReadFile(filepath.Join(secretPath, corev1.BasicAuthUsernameKey))
 	if err != nil {
@@ -143,7 +144,12 @@ func newEntry(secret string) (*entry, error) {
 type basicDockerBuilder struct{}
 
 // NewBuilder returns a new builder for Docker credentials.
-func NewBuilder() credentials.Builder { return &basicDockerBuilder{} }
+func NewBuilder() interface {
+	credmatcher.Builder
+	credwriter.Builder
+} {
+	return &basicDockerBuilder{}
+}
 
 // MatchingAnnotations extracts flags for the credential helper
 // from the supplied secret and returns a slice (of length 0 or
@@ -152,7 +158,7 @@ func (*basicDockerBuilder) MatchingAnnotations(secret *corev1.Secret) []string {
 	var flags []string
 	switch secret.Type {
 	case corev1.SecretTypeBasicAuth:
-		for _, v := range credentials.SortAnnotations(secret.Annotations, annotationPrefix) {
+		for _, v := range credwriter.SortAnnotations(secret.Annotations, annotationPrefix) {
 			flags = append(flags, fmt.Sprintf("-basic-docker=%s=%s", secret.Name, v))
 		}
 	case corev1.SecretTypeDockerConfigJson:
@@ -218,7 +224,7 @@ func (*basicDockerBuilder) Write(directory string) error {
 }
 
 func authsFromDockerCfg(secret string) (map[string]entry, error) {
-	secretPath := credentials.VolumeName(secret)
+	secretPath := credmatcher.VolumeName(secret)
 	m := make(map[string]entry)
 	data, err := os.ReadFile(filepath.Join(secretPath, corev1.DockerConfigKey))
 	if err != nil {
@@ -229,7 +235,7 @@ func authsFromDockerCfg(secret string) (map[string]entry, error) {
 }
 
 func authsFromDockerConfig(secret string) (map[string]entry, error) {
-	secretPath := credentials.VolumeName(secret)
+	secretPath := credmatcher.VolumeName(secret)
 	m := make(map[string]entry)
 	c := configFile{}
 	data, err := os.ReadFile(filepath.Join(secretPath, corev1.DockerConfigJsonKey))

pkg/credentials/dockercreds/creds_test.go

@@ -23,14 +23,14 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/tektoncd/pipeline/pkg/credentials"
+	credmatcher "github.com/tektoncd/pipeline/pkg/credentials/matcher"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestFlagHandling(t *testing.T) {
-	credentials.VolumePath = t.TempDir()
-	dir := credentials.VolumeName("foo")
+	credmatcher.VolumePath = t.TempDir()
+	dir := credmatcher.VolumeName("foo")
 	if err := os.MkdirAll(dir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", dir, err)
 	}
@@ -50,12 +50,12 @@ func TestFlagHandling(t *testing.T) {
 		t.Fatalf("flag.CommandLine.Parse() = %v", err)
 	}
 
-	t.Setenv("HOME", credentials.VolumePath)
-	if err := NewBuilder().Write(credentials.VolumePath); err != nil {
+	t.Setenv("HOME", credmatcher.VolumePath)
+	if err := NewBuilder().Write(credmatcher.VolumePath); err != nil {
 		t.Fatalf("Write() = %v", err)
 	}
 
-	b, err := os.ReadFile(filepath.Join(credentials.VolumePath, ".docker", "config.json"))
+	b, err := os.ReadFile(filepath.Join(credmatcher.VolumePath, ".docker", "config.json"))
 	if err != nil {
 		t.Fatalf("os.ReadFile(.docker/config.json) = %v", err)
 	}
@@ -68,8 +68,8 @@ func TestFlagHandling(t *testing.T) {
 }
 
 func TestFlagHandlingTwice(t *testing.T) {
-	credentials.VolumePath = t.TempDir()
-	fooDir := credentials.VolumeName("foo")
+	credmatcher.VolumePath = t.TempDir()
+	fooDir := credmatcher.VolumeName("foo")
 	if err := os.MkdirAll(fooDir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", fooDir, err)
 	}
@@ -79,7 +79,7 @@ func TestFlagHandlingTwice(t *testing.T) {
 	if err := os.WriteFile(filepath.Join(fooDir, corev1.BasicAuthPasswordKey), []byte("blah"), 0o777); err != nil {
 		t.Fatalf("os.WriteFile(password) = %v", err)
 	}
-	barDir := credentials.VolumeName("bar")
+	barDir := credmatcher.VolumeName("bar")
 	if err := os.MkdirAll(barDir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", barDir, err)
 	}
@@ -100,12 +100,12 @@ func TestFlagHandlingTwice(t *testing.T) {
 		t.Fatalf("flag.CommandLine.Parse() = %v", err)
 	}
 
-	t.Setenv("HOME", credentials.VolumePath)
-	if err := NewBuilder().Write(credentials.VolumePath); err != nil {
+	t.Setenv("HOME", credmatcher.VolumePath)
+	if err := NewBuilder().Write(credmatcher.VolumePath); err != nil {
 		t.Fatalf("Write() = %v", err)
 	}
 
-	b, err := os.ReadFile(filepath.Join(credentials.VolumePath, ".docker", "config.json"))
+	b, err := os.ReadFile(filepath.Join(credmatcher.VolumePath, ".docker", "config.json"))
 	if err != nil {
 		t.Fatalf("os.ReadFile(.docker/config.json) = %v", err)
 	}
@@ -118,8 +118,8 @@ func TestFlagHandlingTwice(t *testing.T) {
 }
 
 func TestFlagHandlingMissingFiles(t *testing.T) {
-	credentials.VolumePath = t.TempDir()
-	dir := credentials.VolumeName("not-found")
+	credmatcher.VolumePath = t.TempDir()
+	dir := credmatcher.VolumeName("not-found")
 	if err := os.MkdirAll(dir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", dir, err)
 	}
@@ -132,8 +132,8 @@ func TestFlagHandlingMissingFiles(t *testing.T) {
 }
 
 func TestFlagHandlingURLCollision(t *testing.T) {
-	credentials.VolumePath = t.TempDir()
-	dir := credentials.VolumeName("foo")
+	credmatcher.VolumePath = t.TempDir()
+	dir := credmatcher.VolumeName("foo")
 	if err := os.MkdirAll(dir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", dir, err)
 	}
@@ -244,8 +244,8 @@ func TestMatchingAnnotations(t *testing.T) {
 }
 
 func TestMultipleFlagHandling(t *testing.T) {
-	credentials.VolumePath = t.TempDir()
-	fooDir := credentials.VolumeName("foo")
+	credmatcher.VolumePath = t.TempDir()
+	fooDir := credmatcher.VolumeName("foo")
 	if err := os.MkdirAll(fooDir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", fooDir, err)
 	}
@@ -256,31 +256,31 @@ func TestMultipleFlagHandling(t *testing.T) {
 		t.Fatalf("os.WriteFile(password) = %v", err)
 	}
 
-	barDir := credentials.VolumeName("bar")
+	barDir := credmatcher.VolumeName("bar")
 	if err := os.MkdirAll(barDir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", barDir, err)
 	}
 	if err := os.WriteFile(filepath.Join(barDir, corev1.DockerConfigJsonKey), []byte(`{"auths":{"https://index.docker.io/v1":{"auth":"fooisbar"}}}`), 0o777); err != nil {
 		t.Fatalf("os.WriteFile(username) = %v", err)
 	}
 
-	blubbDir := credentials.VolumeName("blubb")
+	blubbDir := credmatcher.VolumeName("blubb")
 	if err := os.MkdirAll(blubbDir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", blubbDir, err)
 	}
 	if err := os.WriteFile(filepath.Join(blubbDir, corev1.DockerConfigJsonKey), []byte(`{"auths":{"us.icr.io":{"auth":"fooisblubb"}}}`), 0o777); err != nil {
 		t.Fatalf("os.WriteFile(username) = %v", err)
 	}
 
-	bazDir := credentials.VolumeName("baz")
+	bazDir := credmatcher.VolumeName("baz")
 	if err := os.MkdirAll(bazDir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", bazDir, err)
 	}
 	if err := os.WriteFile(filepath.Join(bazDir, corev1.DockerConfigKey), []byte(`{"https://my.registry/v1":{"auth":"fooisbaz"}}`), 0o777); err != nil {
 		t.Fatalf("os.WriteFile(username) = %v", err)
 	}
 
-	blaDir := credentials.VolumeName("bla")
+	blaDir := credmatcher.VolumeName("bla")
 	if err := os.MkdirAll(blaDir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", blaDir, err)
 	}
@@ -301,12 +301,12 @@ func TestMultipleFlagHandling(t *testing.T) {
 		t.Fatalf("flag.CommandLine.Parse() = %v", err)
 	}
 
-	t.Setenv("HOME", credentials.VolumePath)
-	if err := NewBuilder().Write(credentials.VolumePath); err != nil {
+	t.Setenv("HOME", credmatcher.VolumePath)
+	if err := NewBuilder().Write(credmatcher.VolumePath); err != nil {
 		t.Fatalf("Write() = %v", err)
 	}
 
-	b, err := os.ReadFile(filepath.Join(credentials.VolumePath, ".docker", "config.json"))
+	b, err := os.ReadFile(filepath.Join(credmatcher.VolumePath, ".docker", "config.json"))
 	if err != nil {
 		t.Fatalf("os.ReadFile(.docker/config.json) = %v", err)
 	}
@@ -321,8 +321,8 @@ func TestMultipleFlagHandling(t *testing.T) {
 // TestNoAuthProvided confirms that providing zero secrets results in no docker
 // credential file being written to disk.
 func TestNoAuthProvided(t *testing.T) {
-	credentials.VolumePath = t.TempDir()
-	fooDir := credentials.VolumeName("foo")
+	credmatcher.VolumePath = t.TempDir()
+	fooDir := credmatcher.VolumeName("foo")
 	if err := os.MkdirAll(fooDir, os.ModePerm); err != nil {
 		t.Fatalf("os.MkdirAll(%s) = %v", fooDir, err)
 	}
@@ -333,11 +333,11 @@ func TestNoAuthProvided(t *testing.T) {
 	if err != nil {
 		t.Fatalf("flag.CommandLine.Parse() = %v", err)
 	}
-	t.Setenv("HOME", credentials.VolumePath)
-	if err := NewBuilder().Write(credentials.VolumePath); err != nil {
+	t.Setenv("HOME", credmatcher.VolumePath)
+	if err := NewBuilder().Write(credmatcher.VolumePath); err != nil {
 		t.Fatalf("Write() = %v", err)
 	}
-	_, err = os.ReadFile(filepath.Join(credentials.VolumePath, ".docker", "config.json"))
+	_, err = os.ReadFile(filepath.Join(credmatcher.VolumePath, ".docker", "config.json"))
 	if err == nil || !os.IsNotExist(err) {
 		t.Errorf("expected does not exist error but received: %v", err)
 	}

pkg/credentials/gitcreds/basic.go

@@ -23,7 +23,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/tektoncd/pipeline/pkg/credentials"
+	credmatcher "github.com/tektoncd/pipeline/pkg/credentials/matcher"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -121,7 +121,7 @@ func (be *basicEntry) escapedUsername() string {
 }
 
 func newBasicEntry(u, secret string) (*basicEntry, error) {
-	secretPath := credentials.VolumeName(secret)
+	secretPath := credmatcher.VolumeName(secret)
 
 	ub, err := os.ReadFile(filepath.Join(secretPath, corev1.BasicAuthUsernameKey))
 	if err != nil {

pkg/credentials/gitcreds/creds.go

@@ -20,7 +20,8 @@ import (
 	"flag"
 	"fmt"
 
-	"github.com/tektoncd/pipeline/pkg/credentials"
+	credmatcher "github.com/tektoncd/pipeline/pkg/credentials/matcher"
+	credwriter "github.com/tektoncd/pipeline/pkg/credentials/writer"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -48,38 +49,42 @@ func flags(fs *flag.FlagSet) {
 	fs.Var(&sshConfig, sshFlag, "List of secret=url pairs.")
 }
 
-type gitConfigBuilder struct{}
+type gitBuilder struct{}
 
 // NewBuilder returns a new builder for Git credentials.
-func NewBuilder() credentials.Builder { return &gitConfigBuilder{} }
+func NewBuilder() interface {
+	credmatcher.Builder
+	credwriter.Builder
+} {
+	return &gitBuilder{}
+}
 
 // MatchingAnnotations extracts flags for the credential helper
 // from the supplied secret and returns a slice (of length 0 or
 // greater) of applicable domains.
-func (*gitConfigBuilder) MatchingAnnotations(secret *corev1.Secret) []string {
-	var flagName string
+func (*gitBuilder) MatchingAnnotations(secret *corev1.Secret) []string {
 	var flags []string
 	switch secret.Type {
 	case corev1.SecretTypeBasicAuth:
-		flagName = basicAuthFlag
+		for _, v := range credwriter.SortAnnotations(secret.Annotations, annotationPrefix) {
+			flags = append(flags, fmt.Sprintf("-%s=%s=%s", basicAuthFlag, secret.Name, v))
+		}
 
 	case corev1.SecretTypeSSHAuth:
-		flagName = sshFlag
+		for _, v := range credwriter.SortAnnotations(secret.Annotations, annotationPrefix) {
+			flags = append(flags, fmt.Sprintf("-%s=%s=%s", sshFlag, secret.Name, v))
+		}
 
 	case corev1.SecretTypeOpaque, corev1.SecretTypeServiceAccountToken, corev1.SecretTypeDockercfg, corev1.SecretTypeDockerConfigJson, corev1.SecretTypeTLS, corev1.SecretTypeBootstrapToken:
 		return flags
 
 	default:
 		return flags
 	}
-
-	for _, v := range credentials.SortAnnotations(secret.Annotations, annotationPrefix) {
-		flags = append(flags, fmt.Sprintf("-%s=%s=%s", flagName, secret.Name, v))
-	}
 	return flags
 }
 
-func (*gitConfigBuilder) Write(directory string) error {
+func (*gitBuilder) Write(directory string) error {
 	if err := basicConfig.Write(directory); err != nil {
 		return err
 	}