[Additional Layer Store] Enable Additional Layer Store to perform registry authentication #2417
Conversation
Thanks!
This is plausible, assuming the system is single-purpose; otherwise all other registry operations, including manual skopeo commands, would also be sending credentials.
A possible alternative would be to capture the credentials in ImageSource, and provide some kind of interface alongside TryReusingBlobOptions.SrcRef. That would only send “relevant” credentials to the helper, at the cost of some extra plumbing.
Password string `json:"password,omitempty"`
IdentityToken string `json:"identitytoken,omitempty"`
}{
physicalRef.ref.String(): {
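Review bot: the map is keyed by physicalRef.ref.String(), i.e. the full $repo{:$tag|@$digest} reference, while registry credentials apply per repository; a helper that caches by this key ends up with one entry per tag or digest of the same repository and may miss a hit when the store fetches that repository under a different reference. If String() is kept for consistency with the FUSE interface, the helper-side documentation should say explicitly that consumers must reduce the key to the repository themselves.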
Should this be .ref.Name()? Credentials are, for the most part, repo-scoped.
Admittedly the FUSE interface uses ref.String().
@ktock Skopeo test is failing and you need a rebase.
Rebased. And skopeo error seems to be resolved.
@mtrmac PTAL
Thanks! This looks good overall.
I am still conceptually a bit unsure whether capturing all credentials ever read is a good idea — or whether we should be restricting it to those relevant to LookupAdditionalLayer, at the cost of having to make the special case visible to the c/image/copy top level. I don’t have a good idea of where this is likely to be deployed.
Other than that, the option and the data format just need a man page update.
@giuseppe PTAL as well.
Force-pushed from 7cc7a9d to f5a3117.
Thanks!
Implementation LGTM, this is just missing man page updates. But I’d like to hear what @giuseppe thinks.
Force-pushed from 002cfce to 55844d4.
Added docs to
Could we move this forward?
docs/containers-registries.conf.5.md (Outdated)
@@ -19,6 +19,12 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
`credential-helpers`
: An array of default credential helpers used as external credential stores. Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5). The credential helpers are set to `["containers-auth.json"]` if none are specified.

`additional-layer-store-auth-helper`
: A string of helper name. This enables to pass registry credentials to
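Review bot: the description of `additional-layer-store-auth-helper` says only "a string of helper name" and does not state how that name is resolved (a bare command looked up via `$PATH` versus a path to the binary). Because whatever resolves to that name receives registry credentials on stdin, the man page should state the lookup rule and, if a full path is accepted, recommend configuring one, so that a writable directory on `$PATH` cannot substitute the helper.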
Suggested change:
-: A string of helper name. This enables to pass registry credentials to
+: A string containing the helper binary name. This enables passing registry credentials to an
docs/containers-registries.conf.5.md (Outdated)
`additional-layer-store-auth-helper`
: A string of helper name. This enables to pass registry credentials to
Additional Layer Store every time an image is read using the `docker://`
transport so that it can access private registries. See the later section for
Suggested change:
-transport so that it can access private registries. See the later section for
+transport so that it can access private registries. See the 'Enabling Additional Layer Store to access to private registries' section below for
docs/containers-registries.conf.5.md (Outdated)
@@ -254,6 +260,30 @@ in order, and use the first one that exists.

Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered.

### Enabling Additional Layer Store to access to private registries

The `additional-layer-store-auth-helper` option enables to pass registry
Suggested change:
-The `additional-layer-store-auth-helper` option enables to pass registry
+The `additional-layer-store-auth-helper` option enables passing registry
docs/containers-registries.conf.5.md (Outdated)
### Enabling Additional Layer Store to access to private registries

The `additional-layer-store-auth-helper` option enables to pass registry
credentials to Additional Layer Store so that it can access private registries.
Suggested change:
-credentials to Additional Layer Store so that it can access private registries.
+credentials to an Additional Layer Store so that it can access private registries.
However, here and above, you could use "the" instead of "an" if you prefer.
docs/containers-registries.conf.5.md (Outdated)
The `additional-layer-store-auth-helper` option enables to pass registry
credentials to Additional Layer Store so that it can access private registries.

Additional Layer Store needs to provide a helper binary. This helper binary is
I think this is what you're getting at
Suggested change:
-Additional Layer Store needs to provide a helper binary. This helper binary is
+When accessing a private registry via an Additional Layer Store, a helper binary needs to be provided. This helper binary is
docs/containers-registries.conf.5.md (Outdated)
credentials to Additional Layer Store so that it can access private registries.

Additional Layer Store needs to provide a helper binary. This helper binary is
registered to `additional-layer-store-auth-helper` option. Every time an image
Suggested change:
-registered to `additional-layer-store-auth-helper` option. Every time an image
+registered via the `additional-layer-store-auth-helper` option. Every time an image
docs/containers-registries.conf.5.md (Outdated)

The format of `$image_reference` is `$repo{:$tag|@$digest}`.

Additional Layer Store can use this for accessing to the registry.
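Review bot: this section tells the operator what the helper receives (the credentials used for every image read via `docker://`, keyed by `$repo{:$tag|@$digest}`) but not what that implies: the helper is trusted with every credential c/image loads, not only those for images the Additional Layer Store actually serves, which is the concern raised in review above. Add a sentence stating that the configured helper must be trusted to the same degree as the auth file itself, and that it is invoked on every image read rather than only when an additional layer is looked up.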
Suggested change:
-Additional Layer Store can use this for accessing to the registry.
+Additional Layer Stores can use this helper binary to access the private registry.
Force-pushed from f93b7a9 to 9d45ea6.
@TomSweeneyRedHat Thanks for the review. Fixed and rebased the patch.
@giuseppe PTAL
LGTM
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
Thanks again!
Implements openshift/enhancements#1600 (comment)
Currently, c/image doesn't share creds with Additional Layer Store, so it requires additional configuration for registry authentication. And the current means of registry authentication for Additional Layer Store doesn't seem to meet the requirements for the platform: openshift/enhancements#1600 (review)
This commit fixes that issue by allowing c/image to share creds directly with Additional Layer Store. Additional Layer Store doesn't need its own logic to fetch registry creds; it can receive them from c/image.
Additional Layer Store needs to provide a helper binary that is executed by c/image. This helper binary is registered with c/image in registries.conf using the following field (`store-helper` can be any command name of the helper binary). It receives registry creds via stdin, and Additional Layer Store can use those creds for registry authentication. An example draft implementation of the helper binary is `store-helper` of stargz-store: containerd/stargz-snapshotter#1674
This binary is executed by c/image and receives the registry creds from stdin and shares them with stargz-store via the unix socket of stargz-store. Then stargz-store uses these creds for registry authentication.
c/image passes `DockerAuthConfig` structures, keyed by the image reference.
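As an added worked example of the helper side of the protocol described in this PR and in the man page hunks above (this is not the PR's code nor part of containers/image or stargz-store), the Go program below reads the JSON credential map that c/image writes to the helper's stdin and re-keys it by repository, since, as noted in review, credentials are repository-scoped while the input keys use the full `$repo{:$tag|@$digest}` reference. The `password` and `identitytoken` JSON tags are taken from the diff; the `username` tag, the sample references and the conflict rule for two references of one repository carrying different credentials are assumptions of this example. What a real helper does next (for instance forwarding the map over a unix socket, as the stargz-store draft does) is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// DockerAuthConfig is the per-reference value in the JSON object c/image writes to
// the helper's stdin. The "password" and "identitytoken" tags are the ones visible
// in the PR diff; the "username" tag is an assumption of this example.
type DockerAuthConfig struct {
	Username      string `json:"username,omitempty"`
	Password      string `json:"password,omitempty"`
	IdentityToken string `json:"identitytoken,omitempty"`
}

// SampleInput is a constructed stand-in for what c/image would pipe to the helper:
// an object keyed by image reference in the documented $repo{:$tag|@$digest} form.
const SampleInput = `{
  "quay.io/example/app:v1":              {"username": "bot", "password": "s3cret"},
  "quay.io/example/app@sha256:0123abcd": {"username": "bot", "password": "s3cret"},
  "localhost:5000/lib/base:latest":      {"identitytoken": "eyJhbGci.example.token"}
}`

// ReadAuthInput decodes the credential map from r (normally os.Stdin).
func ReadAuthInput(r io.Reader) (map[string]DockerAuthConfig, error) {
	var creds map[string]DockerAuthConfig
	if err := json.NewDecoder(r).Decode(&creds); err != nil {
		return nil, fmt.Errorf("decoding credential input: %w", err)
	}
	return creds, nil
}

// RepoKey reduces $repo{:$tag|@$digest} to $repo. The digest is cut at the last '@';
// a ':' counts as the tag separator only when it appears after the last '/', so a
// registry port such as localhost:5000/lib/base survives intact.
func RepoKey(ref string) string {
	if i := strings.LastIndex(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i]
	}
	return ref
}

// IndexByRepo regroups the per-reference entries by repository, the granularity at
// which registry credentials actually apply. Two references of the same repository
// carrying different credentials are reported rather than silently overwritten,
// since map iteration order would otherwise decide which one wins.
func IndexByRepo(creds map[string]DockerAuthConfig) (map[string]DockerAuthConfig, error) {
	out := make(map[string]DockerAuthConfig, len(creds))
	for ref, c := range creds {
		repo := RepoKey(ref)
		if prev, ok := out[repo]; ok && prev != c {
			return nil, fmt.Errorf("conflicting credentials for repository %s", repo)
		}
		out[repo] = c
	}
	return out, nil
}

// Repositories lists the repository keys in sorted order; this is the only part of
// the input a helper should ever log, since it carries no secret material.
func Repositories(byRepo map[string]DockerAuthConfig) []string {
	names := make([]string, 0, len(byRepo))
	for repo := range byRepo {
		names = append(names, repo)
	}
	sort.Strings(names)
	return names
}

func main() {
	// Read from stdin when something is piped in; otherwise fall back to the
	// constructed sample so the program can be run stand-alone.
	var in io.Reader = os.Stdin
	if st, err := os.Stdin.Stat(); err == nil && st.Mode()&os.ModeCharDevice != 0 {
		in = strings.NewReader(SampleInput)
	}
	creds, err := ReadAuthInput(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	byRepo, err := IndexByRepo(creds)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Only repository names are written out; the secrets stay in memory for the
	// store (a real helper would now hand them over, e.g. across a unix socket).
	for _, repo := range Repositories(byRepo) {
		fmt.Println("received credentials for", repo)
	}
}
```

Run it with the sample (`go run helper.go`) or pipe a JSON document in; the two `quay.io/example/app` references collapse to one repository entry, while the `localhost:5000` port is left untouched by the tag stripping.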