Support narrowly scoped registry authentication · Issue #840 · oras-project/oras-go · GitHub
Support narrowly scoped registry authentication #840

Open
arewm opened this issue Nov 4, 2024 · 2 comments
Labels
enhancement New feature or request v3 Things belongs to version 3.x
Comments

@arewm
arewm commented Nov 4, 2024

Global access might not be granted for an entire registry. Instead, multiple service accounts/robots may be used for narrowly scoped push/pull actions. Registry authentication should be done from most-specific to least-specific.

When checking for available credentials, the relevant repository is matched against available keys in its hierarchical order, going from most-specific to least-specific. For example, an image pull for my-registry.local/namespace/user/image:latest will result in a lookup in auth.json in the following order:

  • my-registry.local/namespace/user/image
  • my-registry.local/namespace/user
  • my-registry.local/namespace
  • my-registry.local

https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md#format

This is similar to the proposed change in google/go-containerregistry#1966.
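The lookup order described in the comment above, written out as a stand-alone Go example. This is added illustration, not code from oras-go or from containers/image: it assumes the minimal containers-auth.json / Docker config.json layout (an "auths" map whose entries carry a base64 "user:password" in "auth"), and the registry names, robot accounts and passwords in the sample file are constructed for the example. A real auth file may also use scheme-prefixed keys such as Docker's legacy "https://index.docker.io/v1/", which this example does not normalize.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// authFile mirrors the part of containers-auth.json this example needs:
// a map from registry (or registry/path) key to an "auth" entry.
type authFile struct {
	Auths map[string]authEntry `json:"auths"`
}

type authEntry struct {
	Auth string `json:"auth"` // base64("user:password")
}

// credential is what a lookup yields, plus the key that matched so the
// caller can see how narrowly the credential was scoped.
type credential struct {
	Key, Username, Password string
}

func loadAuthFile(data []byte) (*authFile, error) {
	var f authFile
	if err := json.Unmarshal(data, &f); err != nil {
		return nil, fmt.Errorf("parse auth file: %w", err)
	}
	if f.Auths == nil {
		f.Auths = map[string]authEntry{}
	}
	return &f, nil
}

// sampleAuthJSON is a constructed auth file (hypothetical registry and robots):
// a registry-wide pull account, a namespace-scoped robot, and a robot scoped
// to one user's sub-namespace. There is deliberately no entry for the full
// image path, so the most specific key has to fall through one level.
func sampleAuthJSON() []byte {
	enc := func(user, pass string) authEntry {
		return authEntry{Auth: base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))}
	}
	data, err := json.MarshalIndent(authFile{Auths: map[string]authEntry{
		"my-registry.local":                enc("pull-only", "p1"),
		"my-registry.local/namespace":      enc("ns-robot", "p2"),
		"my-registry.local/namespace/user": enc("user-robot", "p3"),
	}}, "", "  ")
	if err != nil {
		panic(err) // static struct, cannot fail
	}
	return data
}

// repositoryOf strips the tag or digest from an image reference. Only the last
// path segment can carry them, so a port in the host (localhost:5000/...) is
// left alone. A bare host with no path is not a valid image reference here.
func repositoryOf(reference string) string {
	slash := strings.LastIndex(reference, "/")
	last := reference[slash+1:]
	if i := strings.Index(last, "@"); i >= 0 {
		last = last[:i]
	}
	if i := strings.Index(last, ":"); i >= 0 {
		last = last[:i]
	}
	return reference[:slash+1] + last
}

// candidateKeys lists the auth.json keys to try, most specific first:
// host/a/b/c, host/a/b, host/a, host.
func candidateKeys(repository string) []string {
	parts := strings.Split(repository, "/")
	keys := make([]string, 0, len(parts))
	for i := len(parts); i >= 1; i-- {
		keys = append(keys, strings.Join(parts[:i], "/"))
	}
	return keys
}

// resolve returns the first credential found walking from narrow to wide.
// A present but malformed narrow entry is an error rather than a fall-through:
// silently continuing would send a wider-scoped secret to a repository the
// operator intended to reach only with the narrow one.
func resolve(f *authFile, reference string) (credential, error) {
	for _, k := range candidateKeys(repositoryOf(reference)) {
		e, found := f.Auths[k]
		if !found {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(e.Auth)
		if err != nil {
			return credential{}, fmt.Errorf("auth entry for %q is not valid base64: %w", k, err)
		}
		user, pass, ok := strings.Cut(string(raw), ":")
		if !ok {
			return credential{}, fmt.Errorf("auth entry for %q is not user:password", k)
		}
		return credential{Key: k, Username: user, Password: pass}, nil
	}
	return credential{}, fmt.Errorf("no credentials for %s", reference)
}

func main() {
	f, err := loadAuthFile(sampleAuthJSON())
	if err != nil {
		panic(err)
	}
	for _, ref := range []string{
		"my-registry.local/namespace/user/image:latest",
		"my-registry.local/namespace/other/image@sha256:0123",
		"my-registry.local/public/image:1.0",
		"other.example/ns/image:1.0",
	} {
		c, err := resolve(f, ref)
		if err != nil {
			fmt.Printf("%-52s -> %v\n", ref, err)
			continue
		}
		fmt.Printf("%-52s -> %s (matched key %s)\n", ref, c.Username, c.Key)
	}
}
```

Running it shows the image under namespace/user picking up user-robot, a sibling namespace/other falling back to ns-robot, a public repository falling back to the registry-wide account, and an unknown registry yielding no credential at all rather than the nearest one.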

shizhMSFT added the labels enhancement (New feature or request) and v3 (Things belongs to version 3.x) on Nov 5, 2024
@shizhMSFT
Contributor

Related to #836

@shizhMSFT
Contributor

This requires a redesign of the auth module, which further requires a design revisit.

shizhMSFT added this to the future milestone on Nov 5, 2024
chmeliik added a commit to chmeliik/build-definitions that referenced this issue Apr 24, 2025
This script is already installed in the 'oras' and
'build-trusted-artifacts' container images to work around oras not
supporting containers-auth.json properly [1].

Add the script to the appstudio-utils image as well, which will enable
us to also use this workaround for cosign. Cosign uses the
go-containerregistry module for authentication, which works a bit better
than oras, but still not well enough [2].

The script was copied from the build-trusted-artifacts repo [3].

[1]: oras-project/oras-go#840
[2]: google/go-containerregistry#1966
[3]: https://github.com/konflux-ci/build-trusted-artifacts/blob/ddb050d092df562860fe2522d4de234ed49dabd3/select-oci-auth.sh

Signed-off-by: Adam Cmiel <acmiel@redhat.com>
github-merge-queue bot pushed a commit to konflux-ci/build-definitions that referenced this issue Apr 25, 2025 (same commit message as above)