[Additional Layer Store] Enable Additional Layer Store to perform registry authentication #2417
Conversation
There was a problem hiding this comment.
Thanks!
This is plausible, assuming the system is single-purpose; otherwise all other registry operations, including manual skopeo commands, would also be sending credentials.
A possible alternative would be to capture the credentials in ImageSource, and provide a some kind of interface alongside TryReusingBlobOptions.SrcRef. That would only send “relevant” credentials to the helper, at the cost of some extra plumbing.
| Password string `json:"password,omitempty"` | ||
| IdentityToken string `json:"identitytoken,omitempty"` | ||
| }{ | ||
| physicalRef.ref.String(): { |
There was a problem hiding this comment.
Should this be .ref.Name()? Credentials are, for the most part, repo-scoped.
Admittedly the FUSE interface uses ref.String().
|
@ktock Skopeo test is failing and you need a rebase. |
|
Rebased. And skopeo error seems to be resolved. |
|
@mtrmac PTAL |
There was a problem hiding this comment.
Thanks! This looks good overall.
I am still conceptually a bit unsure whether capturing all credentials ever read is a good idea — or whether we should be restricting it to those relevant to LookupAdditionalLayer, at the cost of having to make the special case visible to the c/image/copy top level. I don’t have a good idea of where this is likely to be deployed.
Other than that, the option and the data format just need a man page update.
@giuseppe PTAL as well.
ktock
force-pushed
the
storeauth
branch
2 times, most recently
from
7cc7a9d
to
f5a3117
Compare
ktock
force-pushed
the
storeauth
branch
3 times, most recently
from
002cfce
to
55844d4
Compare
|
Added docs to |
|
Could we move this forward? |
docs/containers-registries.conf.5.md
Outdated
| @@ -19,6 +19,12 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it | |||
| `credential-helpers` | |||
| : An array of default credential helpers used as external credential stores. Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5). The credential helpers are set to `["containers-auth.json"]` if none are specified. | |||
|
|
|||
| `additional-layer-store-auth-helper` | |||
| : A string of helper name. This enables to pass registry credentials to | |||
There was a problem hiding this comment.
| : A string of helper name. This enables to pass registry credentials to | |
| : A string containing the helper binary name. This enables passing registry credentials to an |
docs/containers-registries.conf.5.md
Outdated
| `additional-layer-store-auth-helper` | ||
| : A string of helper name. This enables to pass registry credentials to | ||
| Additional Layer Store every time an image is read using the `docker://` | ||
| transport so that it can access private registries. See the later section for |
There was a problem hiding this comment.
| transport so that it can access private registries. See the later section for | |
| transport so that it can access private registries. See the 'Enabling Additional Layer Store to access to private registries' section below for |
docs/containers-registries.conf.5.md
Outdated
| @@ -254,6 +260,30 @@ in order, and use the first one that exists. | |||
|
|
|||
| Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered. | |||
|
|
|||
| ### Enabling Additional Layer Store to access to private registries | |||
|
|
|||
| The `additional-layer-store-auth-helper` option enables to pass registry | |||
There was a problem hiding this comment.
| The `additional-layer-store-auth-helper` option enables to pass registry | |
| The `additional-layer-store-auth-helper` option enables passing registry |
docs/containers-registries.conf.5.md
Outdated
| ### Enabling Additional Layer Store to access to private registries | ||
|
|
||
| The `additional-layer-store-auth-helper` option enables to pass registry | ||
| credentials to Additional Layer Store so that it can access private registries. |
There was a problem hiding this comment.
| credentials to Additional Layer Store so that it can access private registries. | |
| credentials to an Additional Layer Store so that it can access private registries. |
There was a problem hiding this comment.
However, here and above, you could use "the" instead of "an" if you prefer.
docs/containers-registries.conf.5.md
Outdated
| The `additional-layer-store-auth-helper` option enables to pass registry | ||
| credentials to Additional Layer Store so that it can access private registries. | ||
|
|
||
| Additional Layer Store needs to provide a helper binary. This helper binary is |
There was a problem hiding this comment.
I think this is what you're getting at
| Additional Layer Store needs to provide a helper binary. This helper binary is | |
| When accessing a private registry via an Additional Layer Store, a helper binary needs to be provided. This helper binary is |
docs/containers-registries.conf.5.md
Outdated
| credentials to Additional Layer Store so that it can access private registries. | ||
|
|
||
| Additional Layer Store needs to provide a helper binary. This helper binary is | ||
| registered to `additional-layer-store-auth-helper` option. Every time an image |
There was a problem hiding this comment.
| registered to `additional-layer-store-auth-helper` option. Every time an image | |
| registered via the `additional-layer-store-auth-helper` option. Every time an image |
docs/containers-registries.conf.5.md
Outdated
|
|
||
| The format of `$image_reference` is `$repo{:$tag|@$digest}`. | ||
|
|
||
| Additional Layer Store can use this for accessing to the registry. |
There was a problem hiding this comment.
| Additional Layer Store can use this for accessing to the registry. | |
| Additional Layer Stores can use this helper binary to access the private registry. |
ktock
force-pushed
the
storeauth
branch
2 times, most recently
from
f93b7a9
to
9d45ea6
Compare
|
@TomSweeneyRedHat Thanks for the review. FIxed and rebased the patch. |
|
@giuseppe PTAL |
Signed-off-by: Kohei Tokunaga <[email protected]>
Signed-off-by: Kohei Tokunaga <[email protected]>
|
Thanks again! |
Implements openshift/enhancements#1600 (comment)
Currently, c/image doesn't share creds to Additional Layer Store so it requires additional configurations for registry authentication. And the current means of registry authentication for Additional Layer Store doesn't seem to meet requirements for the platform: openshift/enhancements#1600 (review)
This commit fixes that issue by allowing c/image directly sharing creds to Additional Layer Store. Additional Layer Store doesn't need to have its own logic to fetch registry creds but it can receive them from c/image.
Additional Layer Store needs to provide a helper binary that is executed from c/image. This helper binary is registered to c/image using registries.conf with the following field (
store-helpercan be any command name of the helper binary). It receives registry creds via stdin and Additional Layer Store can use that creds for registry authentication.An example draft implementation of the helper binary is
store-helperof stargz-store: containerd/stargz-snapshotter#1674This binary is executed by c/image and receives the registry creds from stdin and shares them to stargz-store via the unix socket of stargz-store. Then stargz-store uses these creds for registry authentication.
c/image passes
DockerAuthConfigstructures with keying them with the image reference.{ "image-reference": { "username": "username", "password": "password", "identitytoken": "identitytoken" } }