From 9295a90eccce97bab15ec7f3a2129ece3e84b823 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg
Date: Fri, 8 Mar 2019 12:57:53 +0100
Subject: [PATCH] additional authentication files
Allow specifying additional authentication files passed through `types.SystemContext`. Those additional files are only used for reading credentials. The `AuthFilePath` remains the center of auth management and is the only authentication file used for storing new and removing old credentials. Having the ability to specify additional authentication files can come in handy to unify multiple entities that have dedicated auth files, for instance, the K8s kubelet. See the below bug for additional details. Also add debug logs to `findAuthentication()` to ease debugging potential future regressions.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1686556
Signed-off-by: Valentin Rothberg
---
 pkg/docker/config/config.go | 22 +++++++++++++++++++---
 types/types.go | 5 +++++
 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/pkg/docker/config/config.go b/pkg/docker/config/config.go
index 1f576253dc..7f15bbfbbe 100644
--- a/pkg/docker/config/config.go
+++ b/pkg/docker/config/config.go
@@ -51,6 +51,14 @@ func SetAuthentication(sys *types.SystemContext, registry, username, password st
 })
 }
+func additionalAuthFiles(sys *types.SystemContext) []string {
+ paths := []string{}
+ if sys != nil && sys.AdditionalAuthFiles != nil && len(sys.AdditionalAuthFiles) > 0 {
+ paths = append(paths, sys.AdditionalAuthFiles...)
+ }
+ return paths
+}
+
 // GetAuthentication returns the registry credentials stored in
 // either auth.json file or .docker/config.json
 // If an entry is not found empty strings are returned for the username and password
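Review bot: `additionalAuthFiles` has no doc comment, and its guard is more involved than it needs to be: `len` of a nil slice is 0 and appending an empty slice is a no-op, so `sys.AdditionalAuthFiles != nil && len(sys.AdditionalAuthFiles) > 0` adds nothing once `sys != nil` has been checked. I would shorten the condition to `if sys != nil {` and add `// additionalAuthFiles returns a copy of sys.AdditionalAuthFiles, or an empty slice if sys is nil; callers only read from these files.` so the read-only intent from the commit message is recorded next to the code.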
@@ -70,6 +78,8 @@ func GetAuthentication(sys *types.SystemContext, registry string) (string, strin
 // Logging the error as a warning instead and moving on to pulling the image
 logrus.Warnf("%v: Trying to pull image in the event that it is a public image.", err)
 }
+
+ paths = append(paths, additionalAuthFiles(sys)...)
 paths = append(paths, filepath.Join(homedir.Get(), dockerHomePath), dockerLegacyPath)
 for _, path := range paths {
@@ -93,9 +103,14 @@ func GetUserLoggedIn(sys *types.SystemContext, registry string) (string, error)
 if err != nil {
 return "", err
 }
- username, _, _ := findAuthentication(registry, path, false)
- if username != "" {
- return username, nil
+ paths := []string{path}
+ paths = append(paths, additionalAuthFiles(sys)...)
+
+ for _, path := range paths {
+ username, _, _ := findAuthentication(registry, path, false)
+ if username != "" {
+ return username, nil
+ }
 }
 return "", nil
 }
@@ -253,6 +268,7 @@ func deleteAuthFromCredHelper(credHelper, registry string) error {
 // findAuthentication looks for auth of registry in path
 func findAuthentication(registry, path string, legacyFormat bool) (string, string, error) {
+ logrus.Debugf("authentication: trying authfile %q", path)
 auths, err := readJSONFile(path, legacyFormat)
 if err != nil {
 return "", "", errors.Wrapf(err, "error reading JSON file %q", path)
diff --git a/types/types.go b/types/types.go
index 9fdab2314a..078eabd8a7 100644
--- a/types/types.go
+++ b/types/types.go
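Review bot: In `GetAuthentication` the additional files are appended to `paths` ahead of the two Docker config paths, so their position now helps decide which credentials are presented to a registry, yet nothing documents that order. The loop that consumes `paths` starts on the hunk's last line and continues outside it, so it cannot be confirmed from here whether the first match wins or whether a read error on one caller-supplied file aborts the whole lookup; both are worth checking. The doc comment above the function (context in the previous hunk) still says `either auth.json file or .docker/config.json`; I would extend it to something like `// the auth.json file, any SystemContext.AdditionalAuthFiles (in the given order), or .docker/config.json`.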
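Review bot: The new loop in `GetUserLoggedIn` discards the error from `findAuthentication` for every file, so a missing, unreadable or malformed entry in `AdditionalAuthFiles` is skipped with no trace beyond the "trying authfile" debug line, and the loop variable `path` shadows the `path` that seeded `paths`. I would rename the loop variable and log the error at debug level before moving on, which keeps the current best-effort behaviour. Separately, the function can now report a user from a file that removal never edits (per the commit message only `AuthFilePath` is modified), so callers that use it to confirm a logout may need a comment about that.
```go
for _, p := range paths {
	username, _, err := findAuthentication(registry, p, false)
	if err != nil {
		logrus.Debugf("authentication: skipping authfile %q: %v", p, err)
		continue
	}
	// … unchanged: return username when it is non-empty …
}
```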
@@ -453,6 +453,11 @@ type SystemContext struct {
 SystemRegistriesConfPath string
 // If not "", overrides the default path for the authentication file
 AuthFilePath string
+ // Allows to specify additional authentication files that can be used
+ // during credential lookup. Note that the additional authentication
+ // files are only used for reading. Only the AuthFilePath can be used
+ // for storing and removing credentials.
+ AdditionalAuthFiles []string
 // If not "", overrides the use of platform.GOARCH when choosing an image or verifying architecture match.
 ArchitectureChoice string
 // If not "", overrides the use of platform.GOOS when choosing an image or verifying OS match.
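Review bot: The comment on `AdditionalAuthFiles` says the files are read-only but omits what a caller needs to reason about credential selection: where they rank relative to `AuthFilePath` and the Docker config files, and which file format is expected (`GetUserLoggedIn` in config.go reads them with `legacyFormat` set to false). I would start the comment with the field name, e.g. `// AdditionalAuthFiles lists extra authentication files consulted, in order, during credential lookup.` If it is the intended behaviour, it is also worth stating the consequence of the read-only rule: `// Credentials found only in these files stay usable after a logout, since removal edits AuthFilePath alone.` The enclosing `SystemContext` struct begins and ends outside this hunk.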