-oci_pull_rule(name, identifier, image, platform, repo_mapping)
+oci_pull_rule(name, identifier, image, platform, repo_mapping, toolchain_name)
@@ -78,6 +78,7 @@ oci_pull_rule(name, image | The name of the image we are fetching, e.g. gcr.io/distroless/static | String | required | | | platform | platform in
os/arch
format, for multi-arch images | String | optional | "" |
| repo_mapping | A dictionary from local repository name to global repository name. This allows controls over workspace dependency resolution for dependencies of this repository.<p>For example, an entry "@foo": "@bar"
declares that, for any time this repository depends on @foo
(such as a dependency on @foo//some:target
, it should actually resolve that dependency within globally-declared @bar
(@bar//some:target
). | Dictionary: String -> String | required | |
+| toolchain_name | Value of name attribute to the oci_register_toolchains call in the workspace. | String | optional | "oci" |
@@ -85,7 +86,7 @@ oci_pull_rule(name, name, image, repo_mapping, tag)
+pin_tag(name, image, repo_mapping, tag, toolchain_name)
@@ -99,6 +100,7 @@ pin_tag(name, image, image | The name of the image we are fetching, e.g. gcr.io/distroless/static
| String | required | |
| repo_mapping | A dictionary from local repository name to global repository name. This allows controls over workspace dependency resolution for dependencies of this repository.<p>For example, an entry "@foo": "@bar"
declares that, for any time this repository depends on @foo
(such as a dependency on @foo//some:target
, it should actually resolve that dependency within globally-declared @bar
(@bar//some:target
). | Dictionary: String -> String | required | |
| tag | The tag being used, e.g. latest
| String | required | |
+| toolchain_name | Value of name attribute to the oci_register_toolchains call in the workspace. | String | optional | "oci" |
@@ -106,7 +108,7 @@ pin_tag(name, image,
-oci_pull(name, image, platforms, digest, tag, reproducible)
+oci_pull(name, image, platforms, digest, tag, reproducible, toolchain_name)
Repository macro to fetch image manifest data from a remote docker registry.
@@ -122,5 +124,6 @@ Repository macro to fetch image manifest data from a remote docker registry.
| digest | the digest string, starting with "sha256:", "sha512:", etc. If omitted, instructions for pinning are provided. | None
|
| tag | a tag to choose an image from the registry. Exactly one of tag
and digest
must be set. Since tags are mutable, this is not reproducible, so a warning is printed. | None
|
| reproducible | Set to False to silence the warning about reproducibility when using tag
. | True
|
+| toolchain_name | Value of name attribute to the oci_register_toolchains call in the workspace. | "oci"
|
diff --git a/e2e/custom_registry/BUILD.bazel b/e2e/custom_registry/BUILD.bazel
index 6e6234ee..4cf81d5d 100644
--- a/e2e/custom_registry/BUILD.bazel
+++ b/e2e/custom_registry/BUILD.bazel
@@ -6,7 +6,7 @@ oci_image(
"@platforms//cpu:arm64": "arm64",
"@platforms//cpu:x86_64": "amd64",
}),
- base = "@distroless_static",
+ base = "@debian",
cmd = [
"--arg1",
"--arg2",
diff --git a/e2e/custom_registry/WORKSPACE b/e2e/custom_registry/WORKSPACE
index a9d4d84b..b1fe8997 100644
--- a/e2e/custom_registry/WORKSPACE
+++ b/e2e/custom_registry/WORKSPACE
@@ -26,13 +26,15 @@ oci_register_toolchains(
load("@rules_oci//oci:pull.bzl", "oci_pull")
oci_pull(
- name = "distroless_static",
- digest = "sha256:c3c3d0230d487c0ad3a0d87ad03ee02ea2ff0b3dcce91ca06a1019e07de05f12",
- image = "gcr.io/distroless/static",
+ name = "debian",
+ image = "index.docker.io/library/debian",
platforms = [
- "linux/amd64",
"linux/arm64",
+ "linux/amd64",
],
+ # Don't make a debian_unpinned repo and print a warning about the tag
+ reproducible = False,
+ tag = "latest",
)
############################################
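Review bot: The e2e base image loses its digest pin here: the removed `digest = "sha256:..."` line is replaced by `tag = "latest"` plus `reproducible = False`, so the custom_registry e2e now builds on whatever `index.docker.io/library/debian:latest` resolves to at fetch time, and the rule's own warning about that is silenced. The comment on the `reproducible` line only says the warning is suppressed; it does not say why a mutable tag is wanted in a test that previously pinned, which presumably is to exercise the tag path and Docker Hub anonymous token flow added in `oci/pull.bzl` in the same commit. If that is the intent, state it, e.g. `# Deliberately unpinned: this e2e exercises the tag/anonymous-auth path against Docker Hub, so a digest pin would bypass the code under test`; otherwise keep the tag for the test but add a `digest =` obtained from the rule's pinning output so the e2e stays deterministic. The companion change in `e2e/custom_registry/BUILD.bazel` (`base = "@debian"`) depends on this repo name.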
diff --git a/oci/BUILD.bazel b/oci/BUILD.bazel
index aa818644..27d39306 100644
--- a/oci/BUILD.bazel
+++ b/oci/BUILD.bazel
@@ -39,7 +39,11 @@ bzl_library(
name = "pull",
srcs = ["pull.bzl"],
visibility = ["//visibility:public"],
- deps = ["@aspect_bazel_lib//lib:paths"],
+ deps = [
+ "@aspect_bazel_lib//lib:base64",
+ "@aspect_bazel_lib//lib:paths",
+ "@aspect_bazel_lib//lib:repo_utils",
+ ],
)
bzl_library(
diff --git a/oci/pull.bzl b/oci/pull.bzl
index af11281e..657230d8 100644
--- a/oci/pull.bzl
+++ b/oci/pull.bzl
@@ -37,24 +37,171 @@ oci_image(
"""
load("@aspect_bazel_lib//lib:paths.bzl", "BASH_RLOCATION_FUNCTION")
+load("@aspect_bazel_lib//lib:base64.bzl", "base64")
+load("@aspect_bazel_lib//lib:repo_utils.bzl", "repo_utils")
+
+def _strip_host(url):
+ # TODO: a principled way of doing this
+ return url.replace("http://", "").replace("https://", "").replace("/v1/", "")
+
+def _file_exists(rctx, path):
+ result = rctx.execute(["stat", path])
+ return result.return_code == 0
+
+# Path of the auth file is determined by the order described here;
+# https://github.com/google/go-containerregistry/tree/main/pkg/authn#tldr-for-consumers-of-this-package
+def _get_auth_file_path(rctx):
+ # this is the standard path where registry credentials are stored
+ config_path = "{}/.docker/config.json".format(rctx.os.environ["HOME"])
+
+ # set config path to DOCKER_CONFIG env if present
+ if "DOCKER_CONFIG" in rctx.os.environ:
+ config_path = rctx.os.environ["DOCKER_CONFIG"]
+
+ if _file_exists(rctx, config_path):
+ return config_path
+
+ # https://docs.podman.io/en/latest/markdown/podman-login.1.html#authfile-path
+ XDG_RUNTIME_DIR = "{}/.config".format(rctx.os.environ["HOME"])
+ if "XDG_RUNTIME_DIR" in rctx.os.environ:
+ XDG_RUNTIME_DIR = rctx.os.environ["XDG_RUNTIME_DIR"]
+
+ config_path = "{}/containers/auth.json".format(XDG_RUNTIME_DIR)
+
+ # podman support overriding the standard path for the auth file via this special environment variable.
+ # https://docs.podman.io/en/latest/markdown/podman-login.1.html#authfile-path
+ if "REGISTRY_AUTH_FILE" in rctx.os.environ:
+ config_path = rctx.os.environ["REGISTRY_AUTH_FILE"]
+
+ if _file_exists(rctx, config_path):
+ return config_path
+
+ return None
+
+def _auth_anonymous(rctx, registry, repository, identifier):
+ """A function that performs anonymous auth for docker registry.
+
+ Args:
+ rctx: repository context
+ registry: registry url
+ repository: image repository
+ identifier: tag or digest
+
+ Returns:
+ A dict for rctx.download#auth
+ """
+ pattern = {}
+ if registry == "index.docker.io":
+ scope = "repository:{}:pull".format(repository)
+ rctx.download(
+ url = ["https://auth.docker.io/token?scope={}&service=registry.docker.io".format(scope)],
+ output = "auth_anonymous.json",
+ )
+ auth_raw = rctx.read("auth_anonymous.json")
+ auth = json.decode(auth_raw)
+ pattern = {
+ "type": "pattern",
+ "pattern": "Bearer