From 0c8b3c8b22adffe3324f7bd49969e4e6fd580c5c Mon Sep 17 00:00:00 2001
From: Petr Fedchenkov
Date: Thu, 17 Nov 2022 15:23:59 +0300
Subject: [PATCH] Do not pass credentials into PushManifest

Seems we should not use own credential extraction logic as it should be aligned with resolver internally to select correct information for the host we want to push manifest. I.e. we may want to push manifest onto ghcr.io, and in that case we will hit errors as we will extract credentials for docker.io instead.

Signed-off-by: Petr Fedchenkov
---
 src/cmd/linuxkit/cache/push.go | 7 +------
 src/cmd/linuxkit/pkglib/docker.go | 7 +------
 src/cmd/linuxkit/pkglib/index.go | 8 ++------
 src/cmd/linuxkit/registry/auth.go | 19 -------------------
 src/cmd/linuxkit/registry/manifest.go | 9 +++++----
 5 files changed, 9 insertions(+), 41 deletions(-)
 delete mode 100644 src/cmd/linuxkit/registry/auth.go

diff --git a/src/cmd/linuxkit/cache/push.go b/src/cmd/linuxkit/cache/push.go
index c5f94c5a4..e37e2963f 100644
--- a/src/cmd/linuxkit/cache/push.go
+++ b/src/cmd/linuxkit/cache/push.go
@@ -118,13 +118,8 @@ func (p *Provider) Push(name string, withManifest bool) error {
 }
 // Even though we may have pushed the index, we want to be sure that we have an index that includes every architecture on the registry,
 // not just those that were in our local cache. So we use manifest-tool library to build a broad index
- auth, err := registry.GetDockerAuth()
- if err != nil {
- return fmt.Errorf("failed to get auth: %v", err)
- }
-
 fmt.Printf("Pushing index based on all arch-specific images in registry %s\n", name)
- _, _, err = registry.PushManifest(name, auth)
+ _, _, err = registry.PushManifest(name)
 if err != nil {
 return err
 }
diff --git a/src/cmd/linuxkit/pkglib/docker.go b/src/cmd/linuxkit/pkglib/docker.go
index d8cd04a72..b14442b31 100644
--- a/src/cmd/linuxkit/pkglib/docker.go
+++ b/src/cmd/linuxkit/pkglib/docker.go
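Review bot: In cache/push.go the error from `registry.PushManifest(name)` is still returned bare, and with the explicit `GetDockerAuth` step gone a missing or wrong credential for the target registry now surfaces only as whatever the manifest-tool library returns. Wrapping it keeps the image reference in the message: `return fmt.Errorf("pushing index for %s: %w", name, err)`. The same bare `return err` follows the PushManifest calls in pkglib/docker.go and in both hunks of pkglib/index.go. `Push` starts and ends outside this hunk.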
@@ -382,14 +382,9 @@ func (dr *dockerRunnerImpl) pushWithManifest(img, suffix string, pushImage, push
 fmt.Print("Image push disabled, skipping...\n")
 }
- auth, err := registry.GetDockerAuth()
- if err != nil {
- return fmt.Errorf("failed to get auth: %v", err)
- }
-
 if pushManifest {
 fmt.Printf("Pushing %s to manifest %s\n", img+suffix, img)
- _, _, err = registry.PushManifest(img, auth)
+ _, _, err = registry.PushManifest(img)
 if err != nil {
 return err
 }
diff --git a/src/cmd/linuxkit/pkglib/index.go b/src/cmd/linuxkit/pkglib/index.go
index 7c27c8339..e4f319f93 100644
--- a/src/cmd/linuxkit/pkglib/index.go
+++ b/src/cmd/linuxkit/pkglib/index.go
@@ -19,14 +19,10 @@ func (p Pkg) Index(bos ...BuildOpt) error {
 // Even though we may have pushed the index, we want to be sure that we have an index that includes every architecture on the registry,
 // not just those that were in our local cache. So we use manifest-tool library to build a broad index
- auth, err := registry.GetDockerAuth()
- if err != nil {
- return fmt.Errorf("failed to get auth: %v", err)
- }
 // push based on tag
 fmt.Printf("Pushing index based on all arch-specific images in registry %s\n", name)
- _, _, err = registry.PushManifest(name, auth)
+ _, _, err := registry.PushManifest(name)
 if err != nil {
 return err
 }
@@ -40,7 +36,7 @@ func (p Pkg) Index(bos ...BuildOpt) error {
 fullRelTag := util.ReferenceExpand(relTag)
 fmt.Printf("Pushing index based on all arch-specific images in registry %s\n", fullRelTag)
- _, _, err = registry.PushManifest(fullRelTag, auth)
+ _, _, err = registry.PushManifest(fullRelTag)
 if err != nil {
 return err
 }
diff --git a/src/cmd/linuxkit/registry/auth.go b/src/cmd/linuxkit/registry/auth.go
deleted file mode 100644
index 1d90be9b4..000000000
--- a/src/cmd/linuxkit/registry/auth.go
+++ /dev/null
@@ -1,19 +0,0 @@
-package registry
-
-import (
- "os"
-
- "github.com/docker/cli/cli/config"
- dockertypes "github.com/docker/docker/api/types"
-)
-
-const (
- registryServer = "https://index.docker.io/v1/"
-)
-
-// GetDockerAuth get an AuthConfig for the default registry server.
-func GetDockerAuth() (dockertypes.AuthConfig, error) {
- cfgFile := config.LoadDefaultConfigFile(os.Stderr)
- authconfig, err := cfgFile.GetAuthConfig(registryServer)
- return dockertypes.AuthConfig(authconfig), err
-}
diff --git a/src/cmd/linuxkit/registry/manifest.go b/src/cmd/linuxkit/registry/manifest.go
index 0b342a55b..fe3355fc8 100644
--- a/src/cmd/linuxkit/registry/manifest.go
+++ b/src/cmd/linuxkit/registry/manifest.go
@@ -4,7 +4,6 @@ import (
 "fmt"
 "strings"
- dockertypes "github.com/docker/docker/api/types"
 "github.com/estesp/manifest-tool/v2/pkg/registry"
 "github.com/estesp/manifest-tool/v2/pkg/types"
 ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -24,7 +23,7 @@ var platformsToSearchForIndex = []string{
 }
 // PushManifest create a manifest that supports each of the provided platforms and push it out.
-func PushManifest(img string, auth dockertypes.AuthConfig) (hash string, length int, err error) {
+func PushManifest(img string) (hash string, length int, err error) {
 var srcImages []types.ManifestEntry
 for i, platform := range platformsToSearchForIndex {
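Review bot: The doc comment above `PushManifest` in registry/manifest.go was left as it was, although after this change the function decides on its own which credentials are used and callers can no longer see that from the signature. I would extend it with a line such as `// Credentials are not taken from the caller; they are resolved for the registry host of img by the manifest-tool library.` That wording follows the comment added at the end of the function; how the library locates the credential store is not visible in this diff. The function body continues past this hunk.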
@@ -54,6 +53,8 @@ func PushManifest(img string, auth dockertypes.AuthConfig) (hash string, length
 log.Debugf("pushing manifest list for %s -> %#v", img, yamlInput)
- // push the manifest list with the auth as given, ignore missing, do not allow insecure
- return registry.PushManifestList(auth.Username, auth.Password, yamlInput, true, false, false, types.OCI, "")
+ // push the manifest list, ignore missing, do not allow insecure
+ // we do not provide auth credentials to force resolve them internally
+ // according to the hostname of image to push
+ return registry.PushManifestList("", "", yamlInput, true, false, false, types.OCI, "")
 }
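Review bot: The two empty strings in `registry.PushManifestList("", "", ...)` act as an implicit switch telling manifest-tool to look credentials up itself, and nothing here guards that convention against a later change that passes credentials again. The old call supplied the index.docker.io username and password whatever registry `img` named, so besides the push errors the commit message describes, those credentials were presumably presented to the other registry's host. The new comment should record that reason, e.g. `// never pass credentials here: a fixed username/password would be sent to whichever registry host img names`. The positional `true, false, false` would also read more safely as named constants, since one of them is what keeps insecure registries disallowed according to the comment. `PushManifest` begins outside this hunk.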