all bake targets should share the same AuthProvider

[nicks]

Description

Currently, when you build N targets, each target creates its own AuthProvider. So if each target needs to pull from index.docker.io, they need to make N round trips to the credential helper.

buildx/bake/bake.go

Line 1251 in d537b9e

bo.Session = append(bo.Session, authprovider.NewDockerAuthProvider(dockerConfig, nil))

It would be better if all N targets used the same AuthProvider, so they only need to fetch credentials once.

[crazy-max]

It seems slightly related to moby/buildkit#1432 where we would need a shared session with auth attachable for invoked targets. Found @tonistiigi had an implementation for bake: tonistiigi/buildx@bake...bake-shared-session. Would need some cleanup and also handle named contexts.

[tonistiigi]

@crazy-max We can't just put all bake targets behind same session as only some configurations are safe. Eg. targets may use different contexts/secrets that need to be kept separate and can't overwrite each other.

The interesting aspect about this specific case is why should it matter that all authproviders are different. The pull is still synchronized between all targets and happens only once and only one pull means only one authentication as well. This can also not be used for combining multiple pulls of different images under same credentials as all tokens are scoped by a specific repository and action.

[nicks]

Ah, there are two tokens at play.

You're right that the auth.docker.io tokens are scoped per registry.

I'm talking about the docker-credential-helper tokens, which are scoped by host. They're cached here : https://github.com/moby/buildkit/blob/5997099827e676c4b6ce5774c98ade2483e0afe7/session/auth/authprovider/authprovider.go#L247