types,docker: add DockerAuthConfig #113
Conversation
runcom
force-pushed
the
authConfig
branch
4 times, most recently
from
681a6d9 to
d99691d
Compare
|
LGTM |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Nice, something like this is clearly needed.
types/types.go
Outdated
| DockerCertPath string // If not "", a directory containing "cert.pem" and "key.pem" used when talking to a Docker Registry | ||
| DockerInsecureSkipTLSVerify bool // Allow contacting docker registries over HTTP, or HTTPS with failed TLS verification. Note that this does not affect other TLS connections. | ||
| // if nil, the library tries to parse ~/.docker/config.json to retrieve credentials | ||
| // FIXME: the automatic credentials retrieval doesn't play with external stores also, see containers/image#111 |
There was a problem hiding this comment.
This is unrelated to this field AFAICS; if we are already tracking this as an issue, no need to add a FIXME here.
| if ctx.DockerAuthConfig.Auth != "" { | ||
| return decodeDockerAuth(ctx.DockerAuthConfig.Auth) | ||
| } | ||
| return ctx.DockerAuthConfig.Username, ctx.DockerAuthConfig.Password, nil |
There was a problem hiding this comment.
Why support both Auth and Username/Password here? Do we already have real users for both which would benefit? Then we need to document which overrides what, it just seems like unnecessary API complexity.
I’d like to have only the more explicit and type-safe username/password pair, if there were no other reason to prefer the Auth one or to supply both.
There was a problem hiding this comment.
(It is not completely certain that we can always ignore the hostname here, but it is likely enough to be the common case; we can always add a DockerAuthConfigMap later, so this is fine.)
There was a problem hiding this comment.
Ocid can provide username/password from k8s or skopeo can. K8s and OpenShift can just provide Auth.
There was a problem hiding this comment.
K8s and OpenShift can just provide Auth.
AFAICT for access to the Docker endpoint for OpenShift, one would set {Username:"unused",Password:openShiftTokenString}, at least based on what ~/.kube/config is storing. Does the API really give the user the Docker base64 blob somewhere?
There was a problem hiding this comment.
Alright, not sure about origin then, but that struct is exactly the same in k8s so it might happen k8s sends it that way
types/types.go
Outdated
| IdentityToken string | ||
| // RegistryToken is a bearer token to be sent to a registry | ||
| // FIXME: currently not used | ||
| RegistryToken string |
There was a problem hiding this comment.
I guess, drop the unused fields if we don’t know how we would be using them?
Especially the ServerAddress makes no sense to me considering the way getAuth is called.
There was a problem hiding this comment.
(Do we even need an extra struct, or just more members in SystemContext?
There was a problem hiding this comment.
Ocid is going to be an user of this whole struct as soon as containers/image is plumbed there.. This is somehow copied from that..
There was a problem hiding this comment.
Then we need to also implement all of that?
There was a problem hiding this comment.
I guess so, but we're far from fully doing that so this whole PR is just unblocking projectatomic/docker#200 while adding this struct witch is the same in docker and k8s api
There was a problem hiding this comment.
So, grepping docker/docker:
RegistryTokenis set nowhere in the code (but could be provided by a third-party client using the Remote API)IdentityTokenisrefresh_tokenfrom https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md , something we neither use nor generate (but we could, I suppose)ServerAddressseems to be a data structure artifact (look howcliconfig/configfile/file.go:LoadFromReaderoverrides the value in the unmarshaled struct) and/or a semantic mix-up (registry/service.gousesAuthConfig.ServerAddressto look up registry hostnames)Authalso an artifact of reusing the same structure for internal data and config storage, it is not really used anywhere, exceptcliconfig/configfile/file.go, which decodes the field and zeroes it.
Grepping openshift/origin:
- No use of
ReghistryToken,IdentityToken - AFAICS from a very imprecise grep the only real use is in
vendor/k8s.io/kubernetes/pkg/credentialprovider/keyring.go, which only setsUsername,Password,Email; I might have missed something.
types/types.go
Outdated
| type DockerAuthConfig struct { | ||
| Username string | ||
| Password string | ||
| Auth string |
There was a problem hiding this comment.
Auth, if we have it at all (see elsewhere) should be documented.
docker/docker_client.go
Outdated
|
|
||
| func getAuth(hostname string) (string, string, error) { | ||
| func getAuth(ctx *types.SystemContext, hostname string) (string, string, error) { | ||
| if ctx.DockerAuthConfig != nil { |
There was a problem hiding this comment.
This needs a ctx != nil &&
|
@mtrmac not sure where we're on this one. Would you have anything changed? I'd love to keep that struct as is right now since it reflects what's in k8s and since we didn't make any API stability promise we can always change it later. |
|
I’d rather have a struct which contains only the fields we are implementing; and to add other fields later if and when we implement them, and only those which make sense. That way, we actually benefit from our ability to change the API later, not by adding fields just in case we might possibly use some of them in the future. |
ack, User, Password and Auth right? I'll remove the others |
|
Not … actually, one thing I forgot: apparently the Docker Remote API allows sending an arbitrary struct (see the |
|
Shall we leave that to docker/docker then? |
|
I think so, that’s the API server. Unless k8s happens to do exactly the same thing which would be shared? (Another minor point: If we are declaring a new |
right, I will take care of that. |
Signed-off-by: Antonio Murdaca <[email protected]>
|
@mtrmac PTAL |
|
Yeah, but tests are still broken after #115. |
|
Fixing those |
tests fixed over there containers/skopeo#226 |
|
I'll make a skopeo PR for this change after I merge #115. Then I'll merge this one if you LGTM this as is (as I think you did?) |
|
I've restarted the travis build here meanwhile.. |
|
tests green here |
|
👍 |
2 participants
The automatic credentials retrieval built into containers/image doesn't play at all with external credentials store. Furthermore, we need a way to pass credentials to containers/image from docker/docker (projectatomic/docker#200). This also fixes a bunch of docker's integration tests in projectatomic/docker#200.
This patch just gives precedence to any
ctx.DockerAuthConfigfield before diving deep into the system to lookup credentials into~/.docker/config.json. So no real behavior change in skopeo so far. We'll need to tackle containers/container-libs#278, at which point we'll made the automatic retrieval optional as per #41 (comment).Close #41
Close containers/skopeo#106
This is also needed by cri-o/cri-o#8 since there it's k8s itself to provide those credentials and we need to honor that (instead of looking on the system).
@mtrmac PTAL this is blocking projectatomic/docker#200 as said also.
Signed-off-by: Antonio Murdaca [email protected]