There are a lot of scenarios where an invalid .dockercfg file
will still contain secrets. This commit removes logging of the
contents to avoid any potential leaking and manages the actual error
by printing to the user the actual location of the invalid file.
Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
base64 allows usage of new line characters and some tools use them.
As a result, the length of the encoded string cannot be used to
determine whether it's padded or not.
This patch fixes the regression after #82148.
docker-credential-desk does not pad the auth field anymore.
It is then possible to have an unpadded auth field.
The field might be encoded with either RawStdEncoding or StdEncoding;
we now determine if it is correctly padded in order to handle
both cases.
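The two base64 commit messages above (line-wrapped values and unpadded values) as an added Go example; it is not the Kubernetes code. The names `paddedByLength` and `decodeAuth` are hypothetical and the sample values are constructed. Errors deliberately omit the field contents, in line with the first message about not logging an invalid .dockercfg.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// paddedByLength is the fragile heuristic: it assumes a padded value always
// has a length that is a multiple of four, which line-wrapped input breaks.
func paddedByLength(field string) bool { return len(field)%4 == 0 }

// decodeAuth (hypothetical helper) decodes base64("username:password") whether
// the value is padded, unpadded or line-wrapped. Errors never echo the field.
func decodeAuth(field string) (user, pass string, err error) {
	// Drop CR/LF that some tools insert, so the tail can be inspected reliably.
	clean := strings.NewReplacer("\r", "", "\n", "").Replace(strings.TrimSpace(field))
	enc := base64.RawStdEncoding // accepts only unpadded input
	if strings.HasSuffix(clean, "=") {
		enc = base64.StdEncoding // accepts only correctly padded input
	}
	raw, err := enc.DecodeString(clean)
	if err != nil {
		return "", "", errors.New("auth field is not valid base64")
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("auth field is not username:password")
	}
	return parts[0], parts[1], nil
}

func main() {
	// Constructed samples: all three encode "user:password".
	for _, s := range []string{
		"dXNlcjpwYXNzd29yZA==",   // padded
		"dXNlcjpwYXNzd29yZA",     // unpadded
		"dXNlcjpw\nYXNzd29yZA==", // padded and wrapped: length is 21
	} {
		u, p, err := decodeAuth(s)
		fmt.Printf("lengthSaysPadded=%v user=%q passLen=%d err=%v\n",
			paddedByLength(s), u, len(p), err)
	}
}
```

The wrapped sample is padded yet has a length of 21, so the length heuristic would pick the unpadded decoder and reject a valid credential.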
rename the variable
make parameter more flexible
handle docker config file path
use a single set of paths
delete debug print
gofmt
delete the empty line
comment is not correct
move the comment to the correct place
keep original signature
godoc
This change refactors the way Kubelet's DockerPuller handles the docker config credentials to utilize a new credentialprovider library.
The credentialprovider library is based on several of the files from the Kubelet's dockertools directory, but supports a new pluggable model for retrieving a .dockercfg-compatible JSON blob with credentials.
With this change, the Kubelet will lazily ask for the docker config from a set of DockerConfigProvider extensions each time it needs a credential.
This change provides common implementations of DockerConfigProvider for:
- "Default": load .dockercfg from disk
- "Caching": wraps another provider in a cache that expires after a pre-specified lifetime.
GCP-only:
- "google-dockercfg": reads a .dockercfg from a GCE instance's metadata
- "google-dockercfg-url": reads a .dockercfg from a URL specified in a GCE instance's metadata.
- "google-container-registry": reads an access token from GCE metadata into a password field.