e2e: merge TLS test, generate certs dynamically

Address reviewer feedback on docker/cli PR docker#7007:
- Merge TestPullPushPrivateRepository and
  TestPullPushTlsRepository into one test with
  "insecure" and "tls" subtests
- Generate TLS certs at setup time instead of
  committing them
- Remove committed cert files from git

Signed-off-by: Lohit Kolluri <lohitkolluri@gmail.com>

Author: lohitkolluri

e2e/.gitignore

@@ -0,0 +1,5 @@
+# Generated by gen-certs.sh at setup time
+testdata/registry/certs/ca.crt
+testdata/registry/certs/ca.key
+testdata/registry/certs/tlsregistry.crt
+testdata/registry/certs/tlsregistry.key

e2e/image/private_test.go

@@ -10,113 +10,70 @@ import (
 	"gotest.tools/v3/icmd"
 )
 
-const privateRegistryPrefix = "privateregistry:5001"
-
 // Regression test for https://github.com/docker/cli/issues/5963
 func TestPullPushPrivateRepository(t *testing.T) {
 	t.Parallel()
 
-	dir := fixtures.SetupConfigFile(t)
-	t.Cleanup(dir.Remove)
-	emptyConfigDir := t.TempDir()
-
-	sourceImage := fixtures.AlpineImage
-	privateImage := privateRegistryPrefix + "/private/alpine:test-private-pull-push"
-
-	runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "pull", sourceImage),
-	).Assert(t, icmd.Success)
-	t.Cleanup(func() {
-		icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
-	})
-
-	icmd.RunCommand("docker", "tag", sourceImage, privateImage).Assert(t, icmd.Success)
-
-	pushNoAuth := runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "push", privateImage),
-		fixtures.WithConfig(emptyConfigDir),
-	)
-	pushNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
-	assertAuthDenied(t, pushNoAuth)
-
-	pushWithAuth := runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "push", privateImage),
-		fixtures.WithConfig(dir.Path()),
-	)
-	pushWithAuth.Assert(t, icmd.Success)
-	// Docker omits the tag in the "push refers to repository" line; strip it before asserting.
-	privateRepo := privateImage[:strings.LastIndex(privateImage, ":")]
-	assert.Check(t, strings.Contains(pushWithAuth.Combined(), "The push refers to repository ["+privateRepo+"]"), pushWithAuth.Combined())
-
-	icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
-
-	pullNoAuth := runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "pull", privateImage),
-		fixtures.WithConfig(emptyConfigDir),
-	)
-	pullNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
-	assertAuthDenied(t, pullNoAuth)
-
-	pullWithAuth := runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "pull", privateImage),
-		fixtures.WithConfig(dir.Path()),
-	)
-	pullWithAuth.Assert(t, icmd.Success)
-	assert.Check(t, strings.Contains(pullWithAuth.Combined(), privateImage), pullWithAuth.Combined())
-}
-
-// TestPullPushTlsRepository verifies authenticated pull/push against a
-// TLS-enabled private registry (not behind --insecure-registry).
-func TestPullPushTlsRepository(t *testing.T) {
-	t.Parallel()
-
-	dir := fixtures.SetupConfigFile(t)
-	t.Cleanup(dir.Remove)
-	emptyConfigDir := t.TempDir()
-
-	const tlsRegistryPrefix = "tlsregistry:5003"
-	sourceImage := fixtures.AlpineImage
-	privateImage := tlsRegistryPrefix + "/private/alpine:test-tls-pull-push"
-
-	runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "pull", sourceImage),
-	).Assert(t, icmd.Success)
-	t.Cleanup(func() {
-		icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
-	})
-
-	icmd.RunCommand("docker", "tag", sourceImage, privateImage).Assert(t, icmd.Success)
-
-	pushNoAuth := runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "push", privateImage),
-		fixtures.WithConfig(emptyConfigDir),
-	)
-	pushNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
-	assertAuthDenied(t, pushNoAuth)
-
-	pushWithAuth := runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "push", privateImage),
-		fixtures.WithConfig(dir.Path()),
-	)
-	pushWithAuth.Assert(t, icmd.Success)
-	privateRepo := privateImage[:strings.LastIndex(privateImage, ":")]
-	assert.Check(t, strings.Contains(pushWithAuth.Combined(), "The push refers to repository ["+privateRepo+"]"), pushWithAuth.Combined())
-
-	icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
-
-	pullNoAuth := runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "pull", privateImage),
-		fixtures.WithConfig(emptyConfigDir),
-	)
-	pullNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
-	assertAuthDenied(t, pullNoAuth)
-
-	pullWithAuth := runWithPrivateRegistryRetry(t,
-		icmd.Command("docker", "pull", privateImage),
-		fixtures.WithConfig(dir.Path()),
-	)
-	pullWithAuth.Assert(t, icmd.Success)
-	assert.Check(t, strings.Contains(pullWithAuth.Combined(), privateImage), pullWithAuth.Combined())
+	for _, tc := range []struct {
+		name           string
+		registryPrefix string
+		tagSuffix      string
+	}{
+		{name: "insecure", registryPrefix: "privateregistry:5001", tagSuffix: "private"},
+		{name: "tls", registryPrefix: "tlsregistry:5003", tagSuffix: "tls"},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			dir := fixtures.SetupConfigFile(t)
+			t.Cleanup(dir.Remove)
+			emptyConfigDir := t.TempDir()
+
+			sourceImage := fixtures.AlpineImage
+			privateImage := tc.registryPrefix + "/private/alpine:test-" + tc.tagSuffix + "-pull-push"
+
+			runWithPrivateRegistryRetry(t,
+				icmd.Command("docker", "pull", sourceImage),
+			).Assert(t, icmd.Success)
+			t.Cleanup(func() {
+				icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
+			})
+
+			icmd.RunCommand("docker", "tag", sourceImage, privateImage).Assert(t, icmd.Success)
+
+			pushNoAuth := runWithPrivateRegistryRetry(t,
+				icmd.Command("docker", "push", privateImage),
+				fixtures.WithConfig(emptyConfigDir),
+			)
+			pushNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
+			assertAuthDenied(t, pushNoAuth)
+
+			pushWithAuth := runWithPrivateRegistryRetry(t,
+				icmd.Command("docker", "push", privateImage),
+				fixtures.WithConfig(dir.Path()),
+			)
+			pushWithAuth.Assert(t, icmd.Success)
+			// Docker omits the tag in the "push refers to repository" line; strip it before asserting.
+			privateRepo := privateImage[:strings.LastIndex(privateImage, ":")]
+			assert.Check(t, strings.Contains(pushWithAuth.Combined(), "The push refers to repository ["+privateRepo+"]"), pushWithAuth.Combined())
+
+			icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
+
+			pullNoAuth := runWithPrivateRegistryRetry(t,
+				icmd.Command("docker", "pull", privateImage),
+				fixtures.WithConfig(emptyConfigDir),
+			)
+			pullNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
+			assertAuthDenied(t, pullNoAuth)
+
+			pullWithAuth := runWithPrivateRegistryRetry(t,
+				icmd.Command("docker", "pull", privateImage),
+				fixtures.WithConfig(dir.Path()),
+			)
+			pullWithAuth.Assert(t, icmd.Success)
+			assert.Check(t, strings.Contains(pullWithAuth.Combined(), privateImage), pullWithAuth.Combined())
+		})
+	}
 }
 
 func assertAuthDenied(t *testing.T, result *icmd.Result) {

e2e/testdata/registry/certs/ca.crt

@@ -26,6 +26,14 @@ setup() {
         export TEST_CONNHELPER_SSH_ID_RSA_PUB
         file="${file}:./e2e/compose-env.connhelper-ssh.yaml"
     fi
+    # Generate TLS certificates for the TLS-enabled private registry.
+    # The certs are baked into the tlsregistry and engine container images,
+    # so they must exist on disk before docker compose up --build.
+    # gen-certs.sh handles its own directory navigation.
+    if [ ! -f e2e/testdata/registry/certs/ca.crt ]; then
+        sh e2e/testdata/registry/certs/gen-certs.sh
+    fi
+
     COMPOSE_PROJECT_NAME=$project COMPOSE_FILE=$file docker compose up --build -d >&2
 
     # Ensure supporting services exist before running tests. If one fails to start,