Description
Bug Report
1. Minimal reproduce step (Required)
When using kpm with AWS ECR credentials and a docker credentials helper like docker-credential-env or amazon-ecr-credential-helper, there is an edge case: when the ECR password expires (typically after 12h), credentials aren't auto-renewed.
This can be done precisely because the docker credentials helper will provide newly generated credentials on demand. Instead, we are seeing the following errors:
GET "https://****.dkr.ecr.eu-west-1.amazonaws.com/v2/****/tags/list": response status code 403: denied: Your authorization token has expired. Reauthenticate and try again.
This might not be a problem for kpm, but it is for other tooling built on top of it. We are seeing this problem in our crossplane deployment that leverages function-kcl to manage compositions. function-kcl relies on krm-kcl, which uses kpm to manage credentials for OCI registries.
2. What did you expect to see? (Required)
We expect that, if proper AWS credentials are set up and we are using a docker credentials helper like docker-credential-env, then kpm:
- never asks for registry login
- all requests are properly authenticated
3. What did you see instead (Required)
Once the ECR token has expired, typically 12h after requesting it, kpm's requests keep being authenticated because it's not caching credentials between calls.
4. What is your KCL components version? (Required)
function-kcl v0.11.5, which ultimately relies on kcl-lang.io/kpm v0.11.3
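The renewal behaviour this report asks for, as an added Go example that is not kpm's or function-kcl's code: a long-lived process caches the helper's output for less than the 12h token lifetime and, when the registry reports an expired token, asks the helper again and retries once. `Store`, `Fetch`, `Do` and `ErrDenied` are hypothetical names, and `Fetch` is assumed to wrap the credential helper's `get` call.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Cred struct{ Username, Secret string } // pair a docker credential helper returns
// ErrDenied models the registry's 403 "Your authorization token has expired".
var ErrDenied = errors.New("denied: authorization token has expired")

// Store caches one registry's credential, never longer than MaxAge.
type Store struct {
	Fetch  func() (Cred, error) // assumption: runs the helper's "get" for the host
	MaxAge time.Duration        // keep below the 12h ECR token lifetime
	Now    func() time.Time
	cred   Cred
	at     time.Time // zero value means "nothing cached yet"
}

func (s *Store) get(force bool) (Cred, error) {
	if !force && s.Now().Sub(s.at) < s.MaxAge { // still fresh: no helper call
		return s.cred, nil
	}
	c, err := s.Fetch()
	if err == nil {
		s.cred, s.at = c, s.Now()
	}
	return c, err
}

// Do runs req; if the registry reports an expired token it refetches and retries once.
func (s *Store) Do(req func(Cred) error) error {
	c, err := s.get(false)
	if err == nil {
		err = req(c)
	}
	if errors.Is(err, ErrDenied) {
		if c, err = s.get(true); err == nil {
			err = req(c)
		}
	}
	return err
}

func main() {
	fetch := func() (Cred, error) { return Cred{"AWS", "constructed-token"}, nil }
	s := &Store{Fetch: fetch, MaxAge: 11 * time.Hour, Now: time.Now}
	fmt.Println(s.Do(func(Cred) error { return nil }))
}
```

The single retry bounds the work when the denial is not about expiry, so a genuinely unauthorized identity still surfaces as an error instead of looping against the helper.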