feat add cli option to add credentials files

[Shubhranshu153]

Description

Add a cli option to pass in credential config file path. This will override DOCKER_CONFIG path used to fetch credential. You can pass a file path or a file descriptor("fd://") or a pipe("pipe://")

Use case:

This will allow clients to configure the cred config location of the buildctl and pass in credentials via file descriptors and pipes as well if they dont want to write it to disk.

Related to issue: #5860

[Shubhranshu153]

@tonistiigi @AkihiroSuda
When you get a chance take a look.
Thanks.

[pendo324]

Does go throw an error here if the file descriptor is above the OS limit (e.g. /proc/sys/fs/file-max or ulimit on Linux)?

[Shubhranshu153]

I think the open call will fail if it is more than the limit. The newfile itself doesnt throw error.

[tonistiigi]

There is no open if it is a fd. read(2) would fail.

[Shubhranshu153]

fd is from a open file that is getting inherrited as a child process. if the fd is not inherited it would fail from what i tested which makes sense to me for the use case i am trying.
Do you suggest i check if the fd is valid and open already? @tonistiigi

[pendo324]

Should this work with Windows pipes? I think they start with \\.\pipe\ typically, but I'm not sure if they're opened like a regular file.

[Shubhranshu153]

i am not very familiar with using windows pipe, if there is a specific requirement we can implement but at the moment i dont know if we do require it.

[tonistiigi]

@profnandaa

[AkihiroSuda]

On Linux, pipe:// is probably unneeded and can be just treated in the same way as a regular file

[Shubhranshu153]

it was more of a logical entry to differentiate, can remove it.

[tonistiigi]

This is a bit scary. There are functions like configFile.Save() that would now write out actual file to this path.

Maybe it would make sense for DockerAuthProviderConfig to take a limited interface that just implements GetAuthConfig(registry) instead? @AkihiroSuda

[Shubhranshu153]

Does buildkit write back credentials to this file? or its more of a concern with it is possible to write back to the path and as such is a risk itself.

[tonistiigi]

It's more of a concern that we pass full configfile to another component, so we can't really control what methods it is allowed to call. We are passing configfile, but it isn't actually a valid file.

[Shubhranshu153]

in that case when the further component call it to write it would fail i suppose which is not ideal but is it a risk though as the config file if its a fd then it needs to be called as a child process or else it wont be valid. For pipes it is more tricky i suppose as they can be passed independently.
@tonistiigi @AkihiroSuda

[tonistiigi]

There is no open if it is a fd. read(2) would fail.

[tonistiigi]

@profnandaa

[Shubhranshu153]

@tonistiigi
There is no open if it is a fd. read(2) would fail -> Open file descriptor needs to be passed along when a os.exec call is made

[tonistiigi]

Linter is failing, and I would still prefer to not pass the whole (fake) configfile.

[Shubhranshu153]

@tonistiigi

 I would still prefer to not pass the whole (fake) configfile.

When we say pass the whole configfile are we stating the whole configfile struct into DockerAuthProvider and any component that uses DockerAuthProviderConfig has access to this configfile and we cannot control the use of it?

[Shubhranshu153]

@tonistiigi @AkihiroSuda
Added interface implementing GetAuthConfig(registry) as per suggestion to circumnavigate configfile.Save(). Let me know if this solution works. To safegaurd behaviour may be i can add all the implementation and override Save() if its required.

[tonistiigi]

AuthConfigProvider

[tonistiigi]

This should return the interface type

[Shubhranshu153]

Thanks changed it.