Merge pull request #1047 from airadier/registry-token-cli-flag

Add --registry-token flags to support Bearer token authentication
Miloslav Trmač 2020-09-18 21:32:24 +02:00 committed by GitHub
commit 77293ff9c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 49 additions and 18 deletions


@ -57,6 +57,7 @@ type dockerImageOptions struct {
shared *sharedImageOptions // May be shared across several imageOptions instances. shared *sharedImageOptions // May be shared across several imageOptions instances.
authFilePath optionalString // Path to a */containers/auth.json (prefixed version to override shared image option). authFilePath optionalString // Path to a */containers/auth.json (prefixed version to override shared image option).
credsOption optionalString // username[:password] for accessing a registry credsOption optionalString // username[:password] for accessing a registry
registryToken optionalString // token to be used directy as a Bearer token when accessing the registry
dockerCertPath string // A directory using Docker-like *.{crt,cert,key} files for connecting to a registry or a daemon dockerCertPath string // A directory using Docker-like *.{crt,cert,key} files for connecting to a registry or a daemon
tlsVerify optionalBool // Require HTTPS and verify certificates (for docker: and docker-daemon:) tlsVerify optionalBool // Require HTTPS and verify certificates (for docker: and docker-daemon:)
noCreds bool // Access the registry anonymously noCreds bool // Access the registry anonymously
@ -92,6 +93,7 @@ func dockerImageFlags(global *globalOptions, shared *sharedImageOptions, flagPre
f := fs.VarPF(newOptionalStringValue(&flags.credsOption), credsOptionAlias, "", "Use `USERNAME[:PASSWORD]` for accessing the registry") f := fs.VarPF(newOptionalStringValue(&flags.credsOption), credsOptionAlias, "", "Use `USERNAME[:PASSWORD]` for accessing the registry")
f.Hidden = true f.Hidden = true
} }
fs.Var(newOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry")
fs.StringVar(&flags.dockerCertPath, flagPrefix+"cert-dir", "", "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry or daemon") fs.StringVar(&flags.dockerCertPath, flagPrefix+"cert-dir", "", "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry or daemon")
optionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)") optionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)")
fs.BoolVar(&flags.noCreds, flagPrefix+"no-creds", false, "Access the registry anonymously") fs.BoolVar(&flags.noCreds, flagPrefix+"no-creds", false, "Access the registry anonymously")
@ -150,6 +152,9 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
return nil, err return nil, err
} }
} }
if opts.registryToken.present {
ctx.DockerBearerRegistryToken = opts.registryToken.value
}
if opts.noCreds { if opts.noCreds {
ctx.DockerAuthConfig = &types.DockerAuthConfig{} ctx.DockerAuthConfig = &types.DockerAuthConfig{}
} }
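Review bot: The new `if opts.registryToken.present` branch in newSystemContext assigns `ctx.DockerBearerRegistryToken` without checking it against the other credential flags, so `--registry-token` combined with `--no-creds` (or `--creds`) yields a context carrying both a bearer token and a `DockerAuthConfig`; which of the two the registry client then sends is not visible in this hunk. I would reject the contradictory combination before assigning, e.g. `if opts.registryToken.present && opts.noCreds { return nil, errors.New("registry-token and no-creds cannot be specified at the same time") }`, assuming `errors` is already imported in this file. Separately, a token passed as a flag value is readable by other local users through the process list and is kept in shell history, so the help string on the `fs.Var` line could say so, e.g. `"Provide a Bearer token for accessing the registry (the value is visible in the process list)"`. The function starts and ends outside the hunk, and the new field comment has a typo (`directy`).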


@ -54,6 +54,7 @@ func TestImageOptionsNewSystemContext(t *testing.T) {
"--dest-daemon-host", "daemon-host.example.com", "--dest-daemon-host", "daemon-host.example.com",
"--dest-tls-verify=false", "--dest-tls-verify=false",
"--dest-creds", "creds-user:creds-password", "--dest-creds", "creds-user:creds-password",
"--dest-registry-token", "faketoken",
}) })
res, err = opts.newSystemContext() res, err = opts.newSystemContext()
require.NoError(t, err) require.NoError(t, err)
@ -67,6 +68,7 @@ func TestImageOptionsNewSystemContext(t *testing.T) {
DockerCertPath: "/srv/cert-dir", DockerCertPath: "/srv/cert-dir",
DockerInsecureSkipTLSVerify: types.OptionalBoolTrue, DockerInsecureSkipTLSVerify: types.OptionalBoolTrue,
DockerAuthConfig: &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"}, DockerAuthConfig: &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
DockerBearerRegistryToken: "faketoken",
DockerDaemonCertPath: "/srv/cert-dir", DockerDaemonCertPath: "/srv/cert-dir",
DockerDaemonHost: "daemon-host.example.com", DockerDaemonHost: "daemon-host.example.com",
DockerDaemonInsecureSkipTLSVerify: true, DockerDaemonInsecureSkipTLSVerify: true,
@ -164,6 +166,7 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) {
"--dest-daemon-host", "daemon-host.example.com", "--dest-daemon-host", "daemon-host.example.com",
"--dest-tls-verify=false", "--dest-tls-verify=false",
"--dest-creds", "creds-user:creds-password", "--dest-creds", "creds-user:creds-password",
"--dest-registry-token", "faketoken",
}) })
res, err = opts.newSystemContext() res, err = opts.newSystemContext()
require.NoError(t, err) require.NoError(t, err)
@ -177,6 +180,7 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) {
DockerCertPath: "/srv/cert-dir", DockerCertPath: "/srv/cert-dir",
DockerInsecureSkipTLSVerify: types.OptionalBoolTrue, DockerInsecureSkipTLSVerify: types.OptionalBoolTrue,
DockerAuthConfig: &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"}, DockerAuthConfig: &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
DockerBearerRegistryToken: "faketoken",
DockerDaemonCertPath: "/srv/cert-dir", DockerDaemonCertPath: "/srv/cert-dir",
DockerDaemonHost: "daemon-host.example.com", DockerDaemonHost: "daemon-host.example.com",
DockerDaemonInsecureSkipTLSVerify: true, DockerDaemonInsecureSkipTLSVerify: true,
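Review bot: Both updated cases pass `--dest-registry-token` only together with `--dest-creds`, so nothing in these hunks pins what newSystemContext returns when the token is the sole credential or when it is combined with `--dest-no-creds`. A case that passes only `"--dest-registry-token", "faketoken"` and expects `DockerBearerRegistryToken: "faketoken"` with, presumably, no `DockerAuthConfig` would cover the token-only path, which is likely the common way the flag is used. Asserting both values in one expected struct also fixes the "creds and token at once" behaviour as intended, which is worth a one-line comment in the test if it is deliberate. Both test functions extend outside the hunks shown.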


@ -49,6 +49,8 @@ _skopeo_copy() {
--dest-tls-verify --dest-tls-verify
--src-daemon-host --src-daemon-host
--dest-daemon-host --dest-daemon-host
--src-registry-token
--dest-registry-token
" "
local boolean_options=" local boolean_options="
@ -74,6 +76,7 @@ _skopeo_inspect() {
--creds --creds
--cert-dir --cert-dir
--retry-times --retry-times
--registry-token
" "
local boolean_options=" local boolean_options="
--config --config
@ -120,6 +123,7 @@ _skopeo_delete() {
--authfile --authfile
--creds --creds
--cert-dir --cert-dir
--registry-token
" "
local boolean_options=" local boolean_options="
--tls-verify --tls-verify
@ -136,11 +140,14 @@ _skopeo_delete() {
_skopeo_layers() { _skopeo_layers() {
local options_with_args=" local options_with_args="
--authfile
--creds --creds
--cert-dir --cert-dir
--registry-token
" "
local boolean_options=" local boolean_options="
--tls-verify --tls-verify
--no-creds
" "
_complete_ "$options_with_args" "$boolean_options" _complete_ "$options_with_args" "$boolean_options"
} }
@ -150,6 +157,7 @@ _skopeo_list_repository_tags() {
--authfile --authfile
--creds --creds
--cert-dir --cert-dir
--registry-token
" "
local boolean_options=" local boolean_options="


@ -54,25 +54,25 @@ Path of the authentication file for the destination registry. Uses path given by
**--decryption-key** _key[:passphrase]_ to be used for decryption of images. Key can point to keys and/or certificates. Decryption will be tried with all keys. If the key is protected by a passphrase, it is required to be passed in the argument and omitted otherwise. **--decryption-key** _key[:passphrase]_ to be used for decryption of images. Key can point to keys and/or certificates. Decryption will be tried with all keys. If the key is protected by a passphrase, it is required to be passed in the argument and omitted otherwise.
**--src-creds** _username[:password]_ for accessing the source registry **--src-creds** _username[:password]_ for accessing the source registry.
**--dest-compress** _bool-value_ Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source) **--dest-compress** _bool-value_ Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source).
**--dest-oci-accept-uncompressed-layers** _bool-value_ Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed) **--dest-oci-accept-uncompressed-layers** _bool-value_ Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed).
**--dest-creds** _username[:password]_ for accessing the destination registry **--dest-creds** _username[:password]_ for accessing the destination registry.
**--src-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry or daemon **--src-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry or daemon.
**--src-no-creds** _bool-value_ Access the registry anonymously. **--src-no-creds** _bool-value_ Access the registry anonymously.
**--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container source registry or daemon (defaults to true) **--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container source registry or daemon (defaults to true).
**--dest-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry or daemon **--dest-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry or daemon.
**--dest-no-creds** _bool-value_ Access the registry anonymously. **--dest-no-creds** _bool-value_ Access the registry anonymously.
**--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container destination registry or daemon (defaults to true) **--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container destination registry or daemon (defaults to true).
**--src-daemon-host** _host_ Copy from docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`). **--src-daemon-host** _host_ Copy from docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`).
@ -84,6 +84,10 @@ Existing signatures, if any, are preserved as well.
**--dest-compress-level** _format_ Specifies the compression level to use. The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive). **--dest-compress-level** _format_ Specifies the compression level to use. The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).
**--src-registry-token** _Bearer token_ for accessing the source registry.
**--dest-registry-token** _Bearer token_ for accessing the destination registry.
## EXAMPLES ## EXAMPLES
To just copy an image from one registry to another: To just copy an image from one registry to another:


@ -24,16 +24,18 @@ $ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distrib
Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`. Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
**--creds** _username[:password]_ for accessing the registry **--creds** _username[:password]_ for accessing the registry.
**--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry **--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry.
**--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true) **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true).
**--no-creds** _bool-value_ Access the registry anonymously. **--no-creds** _bool-value_ Access the registry anonymously.
Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon. Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon.
**--registry-token** _Bearer token_ for accessing the registry.
## EXAMPLES ## EXAMPLES
Mark image example/pause for deletion from the registry.example.com registry: Mark image example/pause for deletion from the registry.example.com registry:


@ -25,16 +25,18 @@ Return low-level information about _image-name_ in a registry
Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`. Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
**--creds** _username[:password]_ for accessing the registry **--creds** _username[:password]_ for accessing the registry.
**--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry **--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry.
**--retry-times** the number of times to retry, retry wait time will be exponentially increased based on the number of failed attempts **--retry-times** the number of times to retry, retry wait time will be exponentially increased based on the number of failed attempts.
**--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true) **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true).
**--no-creds** _bool-value_ Access the registry anonymously. **--no-creds** _bool-value_ Access the registry anonymously.
**--registry-token** _Bearer token_ for accessing the registry.
## EXAMPLES ## EXAMPLES
To review information for the image fedora from the docker.io registry: To review information for the image fedora from the docker.io registry:


@ -15,14 +15,16 @@ Return a list of tags from _repository-name_ in a registry.
Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`. Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
**--creds** _username[:password]_ for accessing the registry **--creds** _username[:password]_ for accessing the registry.
**--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry **--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry.
**--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true) **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true).
**--no-creds** _bool-value_ Access the registry anonymously. **--no-creds** _bool-value_ Access the registry anonymously.
**--registry-token** _Bearer token_ for accessing the registry.
## REPOSITORY NAMES ## REPOSITORY NAMES
Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags". Currently, only the Docker transport is supported. Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags". Currently, only the Docker transport is supported.


@ -71,6 +71,10 @@ Path of the authentication file for the destination registry. Uses path given by
**--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container destination registry or daemon (defaults to true). **--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container destination registry or daemon (defaults to true).
**--src-registry-token** _Bearer token_ for accessing the source registry.
**--dest-registry-token** _Bearer token_ for accessing the destination registry.
## EXAMPLES ## EXAMPLES
### Synchronizing to a local directory ### Synchronizing to a local directory