opm render - Does not seem to allow multiple auth to the same registry

[tonyskapunk]

Currently opm render does not seem to allow multiple auth to the same registry in its auth file (~/.docker/config.json)

Say you have an auth file as this example:

{
  "auths": {
    "quay.io/telcoci/some-image": {
      "auth": "XXXXXX"
    },
    "quay.io/telcoci": {
      "auth": "YYYYYY"
    },
    "quay.io": {
      "auth": "ZZZZZZ"
    }
  }
}

Tools like podman, skopeo, buildah. Or even opm index will allow entries like the above, following the order from more-specific to less specific. [1]

This is quite useful when using multiple credentials to different namespaces/images in a registry.

The current output obtained through opm render using a file like the above is:

$ /opt/cache/4.11.0-0.nightly-2022-03-14-113722/opm render quay.io/telcoci/nfv-example-cnf-catalog:v0.2.9
2022/03/14 16:06:45 render reference "quay.io/telcoci/nfv-example-cnf-catalog:v0.2.9": error resolving name : unexpected status code [manifests v0.2.9]: 401 UNAUTHORIZED

While podman has no issues with it:

$ podman pull --authfile ~/.docker/config.json quay.io/telcoci/nfv-example-cnf-catalog:v0.2.9                                                                                                     Trying to pull quay.io/telcoci/nfv-example-cnf-catalog:v0.2.9...Getting image source signatures
Copying blob f79d5bcd4c1f skipped: already exists
Copying blob b42b5686cb3e skipped: already exists
Copying blob ffacc1afb1d2 skipped: already exists
Copying blob e31777b27d40 skipped: already exists
Copying blob 3c1327a89d61 skipped: already exists
Copying blob 31f649901324 skipped: already exists
Copying blob 0d7d70899875 skipped: already exists
Copying config baf8393628 done
Writing manifest to image destination
Storing signatures
baf8393628533b25865acc4ae837c65733c26744fb64b1043e9fec750c3ebea7

Please note that in the example above I'm using ~/.docker/config.json as currently there's no way to specify another file, but issue #919 has reported that.

[1] https://man.archlinux.org/man/community/containers-common/containers-auth.json.5.en#FORMAT

[joelanford]

It looks like the in-process registry client used by opm render is using docker libraries to parse the auth file and perform authorization, and it appears that docker does not support repo-specific credentials?

I wonder if we could use what containerd/skopeo/buildah/podman use to perform authorization?

This seems like the code that understands path-specific auth keys: https://github.com/containers/image/blob/main/pkg/docker/config/config.go

[exdx]

Hi @tonyskapunk,

This is a valid use case that the command should support. Potentially updating the code to use the path-specific keys @joelanford mentioned is the correct approach. Since this would change the existing behavior, it would be more of a feature than a bug. We would look to implement it.

The reason opm index command accept multiple paths in the auth config is because they shell out directly to container tools such as podman, which then handle auth and pulling of the image. opm render uses the docker/containerd libraries, so it has this issue.

[kaovilai]

+1 this is happening to me as well. Is there some workaround?

[tonyskapunk]

Hi @exdx, @joelanford , thanks both for looking into this.
Indeed, it would be nice to have this behavior added at some point, on our side the workaround is to use only the specific credential needed. The difficult part is that it's only taking what's in the ~/.docker/config.json, ideally with #919 it would be easier to point to different auth files.

[leifmadsen]

Seems I got bit by this as well. I was wondering why my authorization wasn't working, but it seems it's because of multiple auths in the same file and opm render doesn't know how to select the appropriate one.

[leifmadsen]

+1 this is happening to me as well. Is there some workaround?

#919 (comment) is a work around that works for me. I was even able to do it from within a BuildConfig and access the internal OpenShift registry to perform an index image build without polluting the host system.

[tonyskapunk]

Hello! It's been a while since this was created, and was wondering if this is still considered to be added as a feature. And if there's any effort around this so far. Thanks!

[joelanford]

This has not been prioritized to be done by any of the core contributors. We would happily accept a PR here if anyone is willing to work on it!

[joelanford]

@tonyskapunk I finally had some time to see if I could improve this. If you have a chance, would you be able to build opm from #1165 and see if it solves your problem?

[tonyskapunk]

👋 @joelanford Thanks for taking the time to implement this, I'll happily give it a test and provide some feedback.

[tonyskapunk]

@joelanford I tested the changes and it seems to cover what was reported in here 🎉

Here an example of the config and the diff levels used to test the test-image-bundle

{
    "auths": {
        "quay.io": {
            "auth": "some-valid-creds-here",
        },
        "quay.io/some-ns": {
            "auth": "some-valid-creds-for-ns-here"
        },
        "quay.io/test-ns/test-image-bundle": {
            "auth": "some-valid-creds-for-test-ns-image-bundle"
        },
        "quay.io/test-ns": {
            "auth": "some-valid-creds-for-test-ns"
        }
    }
}