feat: add ability to override registry keychain #1666
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1666 +/- ##
==========================================
+ Coverage 28.96% 29.16% +0.19%
==========================================
Files 139 140 +1
Lines 8268 8342 +74
==========================================
+ Hits 2395 2433 +38
- Misses 5610 5643 +33
- Partials 263 266 +3
Continue to review full report at Codecov.
|
|
I noticed the linting failed. switch {
case o.Keychain != nil:
opts = append(opts, remote.WithAuthFromKeychain(o.Keychain))
case o.KubernetesKeychain:
kc := authn.NewMultiKeychain(
authn.DefaultKeychain,
google.Keychain,
authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(ioutil.Discard))),
authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
github.Keychain,
)
opts = append(opts, remote.WithAuthFromKeychain(kc))
default:
opts = append(opts, remote.WithAuthFromKeychain(authn.DefaultKeychain))
}but I was trying to make as few changes as possible. |
|
Seems right, it usually complains after 3 branches. |
|
Looks like you missed the DCO this time around :) |
When importing cosign as a library directly in code, it is convenient to have the option of providing the go-containerregistry keychain. This allows consumers of cosign to call functions such as sign.SignCmd and copy.CopyCmd and pass the registry creds in memory without having to write the creds to a docker/oci auth config file first. This commit adds a new type alias Keychain which maps to authn.Keychain. Resolves: sigstore#1665 Signed-off-by: Michael Kucinski <[email protected]>
eb17eaf
to
b391cab
Compare
Sorry about that! I'm not in the habit of signing off on commits. I ended up squashing the history as recommended in the contribution guide. Hopefully any future PRs of mine will be cleaner. |
|
No worries! The first one is always annoying because I have to keep clicking the GitHub button to allow CI to run in between, after this you'll be able to just rerun yourself! |
When importing cosign as a library directly in code, it is convenient to have the option of providing the go-containerregistry keychain. This allows consumers of cosign to call functions such as sign.SignCmd and copy.CopyCmd and pass the registry creds in memory without having to write the creds to a docker/oci auth config file first. This commit adds a new type alias Keychain which maps to authn.Keychain. Resolves: sigstore#1665 Signed-off-by: Michael Kucinski <[email protected]>
|
@noamichael Apologies to bring you back in time 😅 , I have found this PR and wondered how you go this to work in code? I'm using the |
It's been awhile! I don't have any working examples, but here is something I just wrote (basically pseudocode) to get the point across on how I expected this to be used. The key point is you need to implement package main
import (
"fmt"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/cosign/cmd/cosign/cli/sign"
)
// Some struct to hold username and password
type userCredentials struct {
username string
password string
}
// A keychain that is able to return the creds based on the registry url
type InMemoryKeyChain struct {
// An in-memory map of username/passwords
credentials map[string]userCredentials
}
// Returns a function that is able to produce an AuthConfig struct. This is basically a factory factory
func (k *InMemoryKeyChain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
// Ask for the registry URL
registryHost := resource.RegistryStr()
// Find the user credentials by the registry URL
userCreds, ok := k.credentials[registryHost]
if !ok {
return authn.Anonymous, fmt.Errorf("Unable to find credentials for host %s", registryHost)
}
// Return an authConfig that contains the username and password we looked up
return authn.FromConfig(authn.AuthConfig{
Username: userCreds.username,
Password: userCreds.password,
}), nil
}
func main() {
// Create a keychain which maps the registry URL to the
// username and password we use for that registry
keychain := &InMemoryKeyChain{
credentials: map[string]userCredentials{
"registry.example.com": {
username: "myusername",
password: "mypassword",
},
},
}
// OR, if you simply want to use your current host's Docker config,
// pass authn.DefaultKeychain
// Call the sign command with all the various flags you need
sign.SignCmd(
&options.RootOptions{},
options.KeyOpts{},
options.RegistryOptions{
Keychain: keychain,
},
make(map[string]interface{}),
[]string{"images to sign"},
"", // cert path
"", // cert chain path
true, // upload
"", // output signature
"", // outputCertificate
"", // payloadPath
true, // force
false, // recurisve
"", // attachment
false, // noTlogUpload
)
}Please let me know if this helps or if you have any more questions! |
|
@noamichael That worked perfectly! Thank you so much. You've saved me a fair few hours/days trying to figure what I needed to do 😄 I'm trying to take note of all of the things that we currently do that add that extra bit of code so we can make it easier by putting a lot of it in the |
Summary
Updates
options.RegistryOptionsto allow users to pass registry credentials via a new type aliasKeychainwhich maps toauthn.Keychain.Resolves: #1665
Ticket Link
Fixes #1665
Release Note
NONE