Fix IBM Container Registry delete for staging

In case the staging endpoint of the registry is used, the IAM request to obtain an authentication token needs to be performed against another endpoint. Add check to decide which IAM endpoint is to be used.
Pinolo · Apr 25, 2022 · f32caff · f32caff
1 parent c2ed8d4
commit f32caff
Showing 1 changed file with 13 additions and 8 deletions.
diff --git a/cmd/bundle/main.go b/cmd/bundle/main.go
@@ -279,12 +279,7 @@ func Prune(ctx context.Context, ref name.Reference, auth authn.Authenticator) er
 			return err
 		}
 
-		// IBM Container Registry API calls will only work in case an API key is available
-		if authr.Username != "iamapikey" {
-			return fmt.Errorf("unable to delete image %q, the provided access credentials do not contain an IBM API key", ref.String())
-		}
-
-		token, accountID, err := icrLogin(authr.Password)
+		token, accountID, err := icrLogin(ref.Context().RegistryStr(), authr.Username, authr.Password)
 		if err != nil {
 			return err
 		}
@@ -388,13 +383,23 @@ func dockerHubRepoDelete(token string, ref name.Reference) error {
 	}
 }
 
-func icrLogin(apikey string) (string, string, error) {
+func icrLogin(registry, username, apikey string) (string, string, error) {
+	// IBM Container Registry API calls will only work in case an API key is available
+	if username != "iamapikey" {
+		return "", "", fmt.Errorf("provided access credentials for %q do not contain an IBM API key", registry)
+	}
+
+	iamEndpoint := "https://iam.cloud.ibm.com/identity/token"
+	if strings.Contains(registry, "stg.icr.io") {
+		iamEndpoint = "https://iam.test.cloud.ibm.com/identity/token"
+	}
+
 	data := fmt.Sprintf("grant_type=%s&apikey=%s",
 		url.QueryEscape("urn:ibm:params:oauth:grant-type:apikey"),
 		apikey,
 	)
 
-	req, err := http.NewRequest("POST", "https://iam.cloud.ibm.com/identity/token", strings.NewReader(data))
+	req, err := http.NewRequest("POST", iamEndpoint, strings.NewReader(data))
 	if err != nil {
 		return "", "", err
 	}