Do not pass credentials into PushManifest

Seems we should not use own credential extraction logic as it should be aligned with resolver internally to select correct information for the host we want to push manifest. I.e. we may want to push manifest onto ghcr.io, and in that case we will hit errors as we will extract credentials for docker.io instead. Signed-off-by: Petr Fedchenkov <giggsoff@gmail.com>
2025-07-19 09:16:29 +00:00 · 2022-11-17 15:23:59 +03:00 · 2022-11-17 15:23:59 +03:00 · 0c8b3c8b22
commit 0c8b3c8b22
parent a9c7a126cf
5 changed files with 9 additions and 41 deletions
--- a/src/cmd/linuxkit/cache/push.go
+++ b/src/cmd/linuxkit/cache/push.go
@ -118,13 +118,8 @@ func (p *Provider) Push(name string, withManifest bool) error {
 	}
 	// Even though we may have pushed the index, we want to be sure that we have an index that includes every architecture on the registry,
 	// not just those that were in our local cache. So we use manifest-tool library to build a broad index
-	auth, err := registry.GetDockerAuth()
-	if err != nil {
-		return fmt.Errorf("failed to get auth: %v", err)
-	}
-
 	fmt.Printf("Pushing index based on all arch-specific images in registry %s\n", name)
-	_, _, err = registry.PushManifest(name, auth)
+	_, _, err = registry.PushManifest(name)
 	if err != nil {
 		return err
 	}
--- a/src/cmd/linuxkit/pkglib/docker.go
+++ b/src/cmd/linuxkit/pkglib/docker.go
@ -382,14 +382,9 @@ func (dr *dockerRunnerImpl) pushWithManifest(img, suffix string, pushImage, push
 		fmt.Print("Image push disabled, skipping...\n")
 	}

-	auth, err := registry.GetDockerAuth()
-	if err != nil {
-		return fmt.Errorf("failed to get auth: %v", err)
-	}
-
 	if pushManifest {
 		fmt.Printf("Pushing %s to manifest %s\n", img+suffix, img)
-		_, _, err = registry.PushManifest(img, auth)
+		_, _, err = registry.PushManifest(img)
 		if err != nil {
 			return err
 		}
--- a/src/cmd/linuxkit/pkglib/index.go
+++ b/src/cmd/linuxkit/pkglib/index.go
@ -19,14 +19,10 @@ func (p Pkg) Index(bos ...BuildOpt) error {

 	// Even though we may have pushed the index, we want to be sure that we have an index that includes every architecture on the registry,
 	// not just those that were in our local cache. So we use manifest-tool library to build a broad index
-	auth, err := registry.GetDockerAuth()
-	if err != nil {
-		return fmt.Errorf("failed to get auth: %v", err)
-	}

 	// push based on tag
 	fmt.Printf("Pushing index based on all arch-specific images in registry %s\n", name)
-	_, _, err = registry.PushManifest(name, auth)
+	_, _, err := registry.PushManifest(name)
 	if err != nil {
 		return err
 	}
@ -40,7 +36,7 @@ func (p Pkg) Index(bos ...BuildOpt) error {
 		fullRelTag := util.ReferenceExpand(relTag)

 		fmt.Printf("Pushing index based on all arch-specific images in registry %s\n", fullRelTag)
-		_, _, err = registry.PushManifest(fullRelTag, auth)
+		_, _, err = registry.PushManifest(fullRelTag)
 		if err != nil {
 			return err
 		}
--- a/src/cmd/linuxkit/registry/auth.go
+++ b/src/cmd/linuxkit/registry/auth.go
@ -1,19 +0,0 @@
-package registry
-
-import (
-	"os"
-
-	"github.com/docker/cli/cli/config"
-	dockertypes "github.com/docker/docker/api/types"
-)
-
-const (
-	registryServer = "https://index.docker.io/v1/"
-)
-
-// GetDockerAuth get an AuthConfig for the default registry server.
-func GetDockerAuth() (dockertypes.AuthConfig, error) {
-	cfgFile := config.LoadDefaultConfigFile(os.Stderr)
-	authconfig, err := cfgFile.GetAuthConfig(registryServer)
-	return dockertypes.AuthConfig(authconfig), err
-}
--- a/src/cmd/linuxkit/registry/manifest.go
+++ b/src/cmd/linuxkit/registry/manifest.go
@ -4,7 +4,6 @@ import (
 	"fmt"
 	"strings"

-	dockertypes "github.com/docker/docker/api/types"
 	"github.com/estesp/manifest-tool/v2/pkg/registry"
 	"github.com/estesp/manifest-tool/v2/pkg/types"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@ -24,7 +23,7 @@ var platformsToSearchForIndex = []string{
 }

 // PushManifest create a manifest that supports each of the provided platforms and push it out.
-func PushManifest(img string, auth dockertypes.AuthConfig) (hash string, length int, err error) {
+func PushManifest(img string) (hash string, length int, err error) {
 	var srcImages []types.ManifestEntry

 	for i, platform := range platformsToSearchForIndex {
@ -54,6 +53,8 @@ func PushManifest(img string, auth dockertypes.AuthConfig) (hash string, length

 	log.Debugf("pushing manifest list for %s -> %#v", img, yamlInput)

-	// push the manifest list with the auth as given, ignore missing, do not allow insecure
-	return registry.PushManifestList(auth.Username, auth.Password, yamlInput, true, false, false, types.OCI, "")
+	// push the manifest list, ignore missing, do not allow insecure
+	// we do not provide auth credentials to force resolve them internally
+	// according to the hostname of image to push
+	return registry.PushManifestList("", "", yamlInput, true, false, false, types.OCI, "")
 }