Merge pull request #3878 from giggsoff/manifest-issues

Do not pass credentials into PushManifest
2025-07-20 09:39:08 +00:00 · 2022-11-17 15:56:02 +02:00 · 2022-11-17 15:56:02 +02:00 · dee4c37648
commit dee4c37648
parent a9c7a126cf 0c8b3c8b22
5 changed files with 9 additions and 41 deletions
--- a/src/cmd/linuxkit/cache/push.go
+++ b/src/cmd/linuxkit/cache/push.go
@ -118,13 +118,8 @@ func (p *Provider) Push(name string, withManifest bool) error {
 	}
 	// Even though we may have pushed the index, we want to be sure that we have an index that includes every architecture on the registry,
 	// not just those that were in our local cache. So we use manifest-tool library to build a broad index
-	auth, err := registry.GetDockerAuth()
-	if err != nil {
-		return fmt.Errorf("failed to get auth: %v", err)
-	}
-
 	fmt.Printf("Pushing index based on all arch-specific images in registry %s\n", name)
-	_, _, err = registry.PushManifest(name, auth)
+	_, _, err = registry.PushManifest(name)
 	if err != nil {
 		return err
 	}
--- a/src/cmd/linuxkit/pkglib/docker.go
+++ b/src/cmd/linuxkit/pkglib/docker.go
@ -382,14 +382,9 @@ func (dr *dockerRunnerImpl) pushWithManifest(img, suffix string, pushImage, push
 		fmt.Print("Image push disabled, skipping...\n")
 	}

-	auth, err := registry.GetDockerAuth()
-	if err != nil {
-		return fmt.Errorf("failed to get auth: %v", err)
-	}
-
 	if pushManifest {
 		fmt.Printf("Pushing %s to manifest %s\n", img+suffix, img)
-		_, _, err = registry.PushManifest(img, auth)
+		_, _, err = registry.PushManifest(img)
 		if err != nil {
 			return err
 		}
--- a/src/cmd/linuxkit/pkglib/index.go
+++ b/src/cmd/linuxkit/pkglib/index.go
@ -19,14 +19,10 @@ func (p Pkg) Index(bos ...BuildOpt) error {

 	// Even though we may have pushed the index, we want to be sure that we have an index that includes every architecture on the registry,
 	// not just those that were in our local cache. So we use manifest-tool library to build a broad index
-	auth, err := registry.GetDockerAuth()
-	if err != nil {
-		return fmt.Errorf("failed to get auth: %v", err)
-	}

 	// push based on tag
 	fmt.Printf("Pushing index based on all arch-specific images in registry %s\n", name)
-	_, _, err = registry.PushManifest(name, auth)
+	_, _, err := registry.PushManifest(name)
 	if err != nil {
 		return err
 	}
@ -40,7 +36,7 @@ func (p Pkg) Index(bos ...BuildOpt) error {
 		fullRelTag := util.ReferenceExpand(relTag)

 		fmt.Printf("Pushing index based on all arch-specific images in registry %s\n", fullRelTag)
-		_, _, err = registry.PushManifest(fullRelTag, auth)
+		_, _, err = registry.PushManifest(fullRelTag)
 		if err != nil {
 			return err
 		}
--- a/src/cmd/linuxkit/registry/auth.go
+++ b/src/cmd/linuxkit/registry/auth.go
@ -1,19 +0,0 @@
-package registry
-
-import (
-	"os"
-
-	"github.com/docker/cli/cli/config"
-	dockertypes "github.com/docker/docker/api/types"
-)
-
-const (
-	registryServer = "https://index.docker.io/v1/"
-)
-
-// GetDockerAuth get an AuthConfig for the default registry server.
-func GetDockerAuth() (dockertypes.AuthConfig, error) {
-	cfgFile := config.LoadDefaultConfigFile(os.Stderr)
-	authconfig, err := cfgFile.GetAuthConfig(registryServer)
-	return dockertypes.AuthConfig(authconfig), err
-}
--- a/src/cmd/linuxkit/registry/manifest.go
+++ b/src/cmd/linuxkit/registry/manifest.go
@ -4,7 +4,6 @@ import (
 	"fmt"
 	"strings"

-	dockertypes "github.com/docker/docker/api/types"
 	"github.com/estesp/manifest-tool/v2/pkg/registry"
 	"github.com/estesp/manifest-tool/v2/pkg/types"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@ -24,7 +23,7 @@ var platformsToSearchForIndex = []string{
 }

 // PushManifest create a manifest that supports each of the provided platforms and push it out.
-func PushManifest(img string, auth dockertypes.AuthConfig) (hash string, length int, err error) {
+func PushManifest(img string) (hash string, length int, err error) {
 	var srcImages []types.ManifestEntry

 	for i, platform := range platformsToSearchForIndex {
@ -54,6 +53,8 @@ func PushManifest(img string, auth dockertypes.AuthConfig) (hash string, length

 	log.Debugf("pushing manifest list for %s -> %#v", img, yamlInput)

-	// push the manifest list with the auth as given, ignore missing, do not allow insecure
-	return registry.PushManifestList(auth.Username, auth.Password, yamlInput, true, false, false, types.OCI, "")
+	// push the manifest list, ignore missing, do not allow insecure
+	// we do not provide auth credentials to force resolve them internally
+	// according to the hostname of image to push
+	return registry.PushManifestList("", "", yamlInput, true, false, false, types.OCI, "")
 }