Login to Docker Hub

Bitnami moved to Docker Hub [1] which forces us to login to
Docker Hub (the workflow pulls too much Bitnami helm charts
for the anon pull request limit).

Please note the Docker Hub secrets are accessible only via
project branches. So PR from fork would no longer work.

It also updates and simplifies the Docker Hub account logics
as we have a single Docker Hub account now. It also debugs
ratelimit both with registered account and anon to track
incorrect Docker Hub calls by cnf-testsuite.

[1] bitnami/containers#75671

Signed-off-by: Cédric Ollivier <[email protected]>

.github/workflows/actions.yml

@@ -1,11 +1,10 @@
 name: Crystal Specs
 on:
   push:
-    paths:
+    branches:
+      - main
+    tags:
       - '**'
-      - '!**.md'
-      - '!docs/*'
-      - '!doc-lint/*'
   pull_request:
     paths:
       - '**'
@@ -61,6 +60,11 @@ jobs:
       fail-fast: false
       matrix: ${{fromJson(needs.tests.outputs.matrix)}}
     steps:
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_PASSWORD }}
     - name: Cleanup Tmp DIR
       run: |
         sudo rm -rf /tmp/*
@@ -153,26 +157,23 @@ jobs:
     - name: Run Crystal Spec
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        DOCKERHUB_USERNAMES: ${{ secrets.DOCKERHUB_USERNAMES }}
-        DOCKERHUB_PASSWORDS: ${{ secrets.DOCKERHUB_PASSWORDS }}
+        DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+        DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
         DOCKERHUB_EMAIL: ${{ secrets.DOCKERHUB_EMAIL }}
         IMAGE_REPO: ${{ secrets.IMAGE_REPO }}
       run: |
-        USERNAME_ARRAY=($DOCKERHUB_USERNAMES)
-        PASSWORD_ARRAY=($DOCKERHUB_PASSWORDS)
         EMAIL_ARRAY=($DOCKERHUB_EMAIL)
         IMAGE_ARRAY=($IMAGE_REPO)
-        
         RANDOMIZER=$(( 0 + $RANDOM % 3 ))
-
-        export DOCKERHUB_USERNAME=${USERNAME_ARRAY[$RANDOMIZER]}
-        export DOCKERHUB_PASSWORD=${PASSWORD_ARRAY[$RANDOMIZER]}
-        
         export PROTECTED_DOCKERHUB_USERNAME=$DOCKERHUB_USERNAME
         export PROTECTED_DOCKERHUB_PASSWORD=$DOCKERHUB_PASSWORD
         export PROTECTED_DOCKERHUB_EMAIL=${EMAIL_ARRAY[$RANDOMIZER]}
         export PROTECTED_IMAGE_REPO=${IMAGE_ARRAY[$RANDOMIZER]}
 
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
+
         source cluster.env
         export KUBECONFIG=$(pwd)/$CLUSTER.conf
         until [[ $(kubectl get pods -l app=local-path-provisioner --namespace=local-path-storage -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') == "True" ]]; do
@@ -186,10 +187,13 @@ jobs:
         #done
         crystal build src/cnf-testsuite.cr 
         ./cnf-testsuite setup 
-
         LOG_LEVEL=info crystal spec --warnings none --tag ${{ matrix.spec }} -v
-
-
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
+        echo get ratelimit with a user account $DOCKERHUB_USERNAME
+        TOKEN=$(curl --user "$DOCKERHUB_USERNAME:$DOCKERHUB_PASSWORD" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
     - name: Delete Cluster
       if: ${{ always() }}
       run: |
@@ -200,6 +204,7 @@ jobs:
         kubectl get all -A || true
         kind delete cluster --name $CLUSTER --verbosity 1
       continue-on-error: true
+
     - name: upload artifact
       if: ${{ always() }}
       uses: actions/upload-artifact@v4
@@ -216,6 +221,11 @@ jobs:
       matrix:
         tag: ["pod_delete", "pod_io_stress", "pod_memory_hog", "pod_network_latency", "disk_fill", "pod_network_corruption", "pod_network_duplication", "zombie", "oran"]
     steps:
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_PASSWORD }}
     - name: Checkout code
       uses: actions/checkout@v4
       with:
@@ -274,14 +284,20 @@ jobs:
         echo "RUNNER: $RUNNER_NAME"
     - name: Run Crystal Spec
       run: |
-        echo "Current path: $(echo pwd)"
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
+
         source cluster.env
         export KUBECONFIG=$(pwd)/$CLUSTER.conf
         until [[ $(kubectl get pods -l app=kindnet --namespace=kube-system -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') == "True" ]]; do
             echo "Waiting for kindnet"
             sleep 1
         done
         LOG_LEVEL=info crystal spec --warnings none --tag ${{ matrix.tag }} -v
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
     - name: Delete Cluster
       if: ${{ always() }}
       run: |
@@ -304,7 +320,12 @@ jobs:
     runs-on: ubuntu-24.04
     env:
       CRYSTAL_IMAGE: "conformance/crystal:1.6.2-alpine"
-    steps: 
+    steps:
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_PASSWORD }}
     - name: Checkout code
       uses: actions/checkout@v4
       with:
@@ -332,7 +353,12 @@ jobs:
   test_binary_configuration_lifecycle:
     name: Test Binary Without Source(config_lifecycle)
     runs-on: [v1.0.0]
-    steps: 
+    steps:
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_PASSWORD }}
     - name: Cleanup Tmp DIR
       run: |
         sudo rm -rf /tmp/*
@@ -383,6 +409,10 @@ jobs:
         kubectl get nodes 
     - name: Run Test Suite without source(config_lifecycle)
       run: |
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
+
         source cluster.env
         echo "SHARDS_INSTALL_PATH: $SHARDS_INSTALL_PATH"
         export KUBECONFIG=/tmp/$CLUSTER.conf
@@ -396,6 +426,9 @@ jobs:
         wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/${GITHUB_SHA}/example-cnfs/coredns/cnf-testsuite.yml
         ./cnf-testsuite cnf_install cnf-config=./cnf-testsuite.yml
         LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
     - name: Delete Cluster
       if: ${{ always() }}
       run: |
@@ -416,7 +449,12 @@ jobs:
   test_binary_microservice:
     name: Test Binary Without Source(microservice)
     runs-on: [v1.0.0]
-    steps: 
+    steps:
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_PASSWORD }}
     - name: Cleanup Tmp DIR
       run: |
         sudo rm -rf /tmp/*
@@ -464,6 +502,10 @@ jobs:
         kubectl get nodes 
     - name: Run Test Suite without source(microservice)
       run: |
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
+
         source cluster.env
         export KUBECONFIG=/tmp/$CLUSTER.conf
         helm repo add stable https://cncf.gitlab.io/stable
@@ -476,6 +518,9 @@ jobs:
         wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/${GITHUB_SHA}/example-cnfs/coredns/cnf-testsuite.yml
         ./cnf-testsuite cnf_install cnf-config=./cnf-testsuite.yml
         LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~increase_capacity ~decrease_capacity ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
     - name: Delete Cluster
       if: ${{ always() }}
       run: |
@@ -496,7 +541,12 @@ jobs:
   test_binary_all:
     name: Test Binary Without Source(all)
     runs-on: [v1.0.0]
-    steps: 
+    steps:
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_PASSWORD }}
     - name: Cleanup Tmp DIR
       run: |
         sudo rm -rf /tmp/*
@@ -544,6 +594,10 @@ jobs:
         kubectl get nodes 
     - name: Run Test Suite without source(all)
       run: |
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
+
         source cluster.env
         export KUBECONFIG=/tmp/$CLUSTER.conf
         helm repo add stable https://cncf.gitlab.io/stable
@@ -556,6 +610,9 @@ jobs:
         wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/${GITHUB_SHA}/example-cnfs/coredns/cnf-testsuite.yml
         ./cnf-testsuite cnf_install cnf-config=./cnf-testsuite.yml
         LOG_LEVEL=info ./cnf-testsuite all ~resilience ~platform ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~rollback ~secrets_used ~immutable_configmap ~reasonable_startup_time ~reasonable_image_size verbose
+        echo get ratelimit anonymously
+        TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+        curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
     - name: Delete Cluster
       if: ${{ always() }}
       run: |
@@ -577,7 +634,7 @@ jobs:
     name: Publish Release
     needs: [spec, build]
     runs-on: ubuntu-24.04
-    steps: 
+    steps:
     - name: Checkout code
       uses: actions/checkout@v4
       with: