Fix support for RegistryToken

[sztwiorok]

This Fix is related to issue #2749
I have tested this change and confirmed it resolves the issue

[crazy-max]

That looks fine to support a statically configured bearer token. I was wondering how this relates to #2749 but we are using the imagetools package to merge manifests during build:

buildx/build/build.go

Lines 631 to 690 in e3c6618

	if len(descs) > 0 {
	var imageopt imagetools.Opt
	for _, dp := range dps {
	imageopt = dp.Node().ImageOpt
	break
	}
	names := strings.Split(pushNames, ",")
	if insecurePush {
	insecureTrue := true
	httpTrue := true
	nn, err := reference.ParseNormalizedNamed(names[0])
	if err != nil {
	return err
	}
	imageopt.RegistryConfig = map[string]resolver.RegistryConfig{
	reference.Domain(nn): {
	Insecure: &insecureTrue,
	PlainHTTP: &httpTrue,
	},
	}
	}
	itpull := imagetools.New(imageopt)
	ref, err := reference.ParseNormalizedNamed(names[0])
	if err != nil {
	return err
	}
	ref = reference.TagNameOnly(ref)
	srcs := make([]*imagetools.Source, len(descs))
	for i, desc := range descs {
	srcs[i] = &imagetools.Source{
	Desc: desc,
	Ref: ref,
	}
	}
	indexAnnotations, err := extractIndexAnnotations(opt.Exports)
	if err != nil {
	return err
	}
	dt, desc, err := itpull.Combine(ctx, srcs, indexAnnotations, false)
	if err != nil {
	return err
	}
	itpush := imagetools.New(imageopt)
	for _, n := range names {
	nn, err := reference.ParseNormalizedNamed(n)
	if err != nil {
	return err
	}
	if err := itpush.Push(ctx, nn, desc, dt); err != nil {
	return err
	}
	}

I just don't see in repro from #2749 this happening during merge manifests. Can you show logs from your repro if possible?

[tonistiigi]

I don't think this is correct. iiuc RegistryToken means the token sent directly to registry, so if it would be supported then it would be used in the implementation of FetchToken. As these tokens would already be specific to repository and scope (for oauth) then it is unlikely that they would be very useful for build as builder pulls lots of images and would need separate tokens for different images and separate tokens for pull and push. If the current PR works for you then you should be defining your token as IdentityToken instead of RegistryToken.

[tonistiigi]

Looking at it more, we do seem to support RegistryToken in buildkit side https://github.com/moby/buildkit/blob/master/session/auth/authprovider/authprovider.go#L109-L112 inside FetchToken as I suggested. But in here (imagetools) we use containerd authorizer directly and that doesn't seem to have support for it afaics. https://github.com/moby/buildkit/blob/master/session/auth/authprovider/authprovider.go#L109-L112 . If you do need RegistryToken and not IdentityToken then looks like https://github.com/containerd/containerd/blob/main/core/remotes/docker/authorizer.go#L277 needs to have a way to return that token directly without trying to fetch it.

[tonistiigi]

Look at this wrapper implementation https://github.com/moby/moby/blob/master/daemon/containerd/resolver.go#L62 . We can do smth similar for imagetools.

[tonistiigi]

^